An update on the SharePoint security issue I reported on yesterday: Microsoft has released patches for two vulnerable editions of its SharePoint Server collaboration tool, following the discovery of a critical flaw known as “ToolShell.” Administrators are urged to apply these updates immediately, as threat actors are actively exploiting this vulnerability to carry out remote code execution attacks. The patches address two specific vulnerabilities, CVE-2025-53370 and CVE-2025-53771, which involve deserialization and spoofing.
The Washington Post reports that, according to Charles Carmakal, chief technology officer of Google’s Mandiant Consulting, early assessments indicate that at least one actor responsible for these attacks is a China-nexus threat actor.
Why do we care?
Not every provider needs to panic. Many SMB clients have already migrated to SharePoint Online or Microsoft 365, which aren’t affected by these specific vulnerabilities. For providers focusing on modern cloud stacks, this serves more as a reinforcement of why leaving legacy on-prem infrastructure behind reduces risk.
But if your clients haven’t migrated, don’t just fire off a patching alert; start the bigger conversation about lifecycle management. If your clients won’t touch those servers, you need to plan for it, because attackers already are.
