Expert Q&A: Tips for Navigating the SharePoint Vulnerability “ToolShell”
The recent critical vulnerability in Microsoft SharePoint Server (CVE-2025-53770), actively exploited in a large-scale campaign, has sent ripples through the cybersecurity community. A variant of a previously patched flaw, this zero-day vulnerability allows unauthenticated remote code execution, enabling it to be easily leveraged by sophisticated threat actors, including state-sponsored groups.
Reports indicate that numerous SharePoint servers globally have been compromised, affecting multinational firms and government entities. Notably, the U.S. Department of Homeland Security, the Department of Energy, the Department of Health and Human Services, and multiple government agencies in Quebec have been affected, leading to preventive website shutdowns and raising concerns about public safety and trust in digital services.
To unpack the implications of this attack and provide actionable insights for security leaders, we sat down with Erik Montcalm, Senior VP of Security Services and Technology at SecureOps, a Canadian boutique MSSP with follow-the-sun operations in Montreal, Prague and Manila. With decades of experience at the forefront of cybersecurity, Erik offers a unique perspective on managing such critical threats and building resilient security postures.
Interview with SecureOps' Senior VP of Security Services and Technology
This SharePoint vulnerability seems to have everyone on edge. From your perspective, just how severe is this?
Erik: It’s nasty. We're learning this isn't a brand-new attack but a variation of a vulnerability Microsoft inadequately patched back in 2020. It seems they fixed the specific reported exploit but not the root cause. Now, Microsoft has their own scoring for vulnerabilities as well, but the CVSS score is 9.8.
I can’t fathom why it’s not a 10. To me, this is as terrible as it gets. It’s remotely executable, it's automatable, and there's evidence of active exploitation.
It means there are toolkits out there and adversaries are actively campaigning on this. Right now there are probably dozens of thousands of bots scanning for exposed SharePoint systems, exploiting them, or just putting them on a list to come back later. They may not even know what they're going to do with these SharePoint servers, but they're building a roster. If your SharePoint server is online, it's going to be exposed unless you've taken it offline or patched immediately.
What's worse is that attackers are bundling it with other SharePoint exploits into a toolkit they’re calling "ToolShell." So if you patched this latest flaw but missed an older one, you're still exposed. SharePoint has become a super juicy target.
And it’s a Microsoft product, so many organizations must use it. That must be a huge part of the risk here.
Erik: SharePoint is everywhere, and the use cases vary widely. For some organizations, it’s just used for internal documentation. But others integrate it into products, automation, or use it as a central hub for data. So for some, this vulnerability is no big deal. They can shut down the application, and the impact may be losing access to their call center documentation for the next 24 hours. They can use hard copies out of a binder in the meantime, even if they’re a bit outdated.
Other organizations have it integrated with critical data and critical applications. We saw government pension fund websites go down in Quebec. That means people's retirement data is hosted on SharePoint and potentially stolen by cybercriminals. This is when CISOs need to make difficult, terrible decisions, because the potential impact is so massive. But the impact of doing nothing is also very high.
Given that risk, what circumstances would lead you to recommend a CISO take the drastic step of deactivating SharePoint until this is resolved, as some government websites have done?
Erik: That's a tough call, and it really depends on your entire defense strategy. We wouldn't make a blanket recommendation. The advice hinges on your unique situation. If you have a strong defense-in-depth posture and you're confident that you can mitigate this until you patch or that you could easily detect if something happened, then you can likely keep it online. However, if you don't have that level of maturity, or that architectural and cyber defense depth, then that’s a scenario where we might recommend taking everything offline to have a look.
So the risk is greater than just the data on the SharePoint server itself?
Erik: Exactly. The problem isn't just about information leakage from SharePoint. Attackers are very good at "living off the land" and lateral movement. They'll use that server as an entry point to do something else on your network. So you’re faced with a very hard decision: how quickly can you guarantee containment versus how much investigation do you need to do to make sure you don't have a much larger problem?
Microsoft’s interim guidance was to enable tools like AMSI integration and Defender AV. Would you concur with this recommendation?
Erik: It's standard guidance, but what's not clear to me is whether these lower-tiered Microsoft tools would have prevented the attacks or just detected them. I'm not seeing a lot of detail on that. I understand why people might have them turned off; some people feel pretty safe if their SharePoint isn't directly exposed to the internet and they disable them for performance reasons. It’s always good advice to turn on the Microsoft security stack if you don’t have another EDR, but I’m just not sure I would trust these things to solve the problem, especially this soon into the exploit's life cycle.
That doesn't seem like very helpful guidance then. They're telling you to turn on these tools, but that's not really going to solve the issue if you're already impacted. It sounds like you're sick and they're telling you to wash your hands.
Erik: I wouldn't be satisfied just patching, rebooting, and turning these tools on. For all I know, it gets rid of this specific vulnerability, but does it get rid of anything else the attackers could have done? Probably not. If it's just an automated tool that got in, AMSI and Defender AV probably do a good job of cleaning it up. What I'm worried about is the more advanced attackers that use this to get in, manually reconfigure things, and create intricate attacks and leave-behinds. I'm not sure those threats would be detected by AMSI and Defender AV. That said, the higher-tiered tools, like Microsoft Defender XDR edition, would be a better fit for this situation.
What measures should CISOs be looking to implement beyond that basic guidance?
Erik: All the usual things will at least slow an attacker down: least privilege, application whitelisting, and ensuring you're using MFA. For an important server like this, I'd harden it according to CIS guidelines and make sure it goes through some type of hardening scanner.
I know it’s disruptive to follow those hardening guidelines, because it makes you jump through hoops to actually get the server to do anything after that. But it’s worth it, if you’re hosting anything of importance.
Beyond that, it's going to eventually come down to the response, right? How quickly can your team respond to this? How quickly can you detect an attack through threat intelligence?
I'd bet that there was some chatter about this vulnerability on the Dark Web way before Microsoft made a press release. Things like this don't just happen without a surge of activity. A proper threat intelligence program could have given you a few days’ or hours’ notice. That could be very useful in a situation like this.
After that, consider how quickly your team can patch and monitor for this. I don't mean just monitor the server or monitor for this attack. I mean are you really covered for identity detection? What's going on inside your Active Directory? Or your Entra? These are all things that will help your confidence level in order to recover.
Organizations that are super confident in their ability to respond were either down for a very small amount of time or not down at all. It's the organizations that are stuck trying to figure out what to do that are taking days or weeks to respond.
That's when it gets scary.