TL;DR: CISA’s alert on CVE-2025-53770, publicly known as ToolShell, says active exploitation is underway in on-premises Microsoft SharePoint deployments and that patching alone will not remove malware or backdoors already placed, according to Illumio. The real control gap is containment: once an attacker lands, lateral movement and exposure management determine whether the incident stays local or spreads.
NHIMG editorial — based on content published by Illumio: ToolShell: CISA’s Warning to Federal Agencies About a New Remote Code Execution Vulnerability
By the numbers:
- CISA has added CVE-2025-53770 to the Known Exploited Vulnerabilities catalog, which makes it a required fix under Binding Operational Directive 22-01.
- The vulnerability impacts SharePoint 2019 and Subscription Edition deployments.
Questions worth separating out
Q: What fails when a patched application can still reach privileged internal systems?
A: Patch success does not equal incident containment.
Q: Why do on-premises application vulnerabilities create identity and access risk?
A: Because the attack often lands on a trusted internal system that already has access to data, services, and sometimes service accounts.
Q: How do security teams know if patching has actually contained an exploit?
A: They do not know from version numbers alone.
Practitioner guidance
- Tighten network reachability from SharePoint servers Restrict inbound and outbound communication so a compromised SharePoint host cannot contact privileged systems, file stores, or administrative endpoints unless explicitly required.
- Correlate patching with forensic log review Review authentication, process, and endpoint telemetry for signs of post-exploitation activity, including unusual child processes, new outbound connections, and unexpected service creation.
- Validate segmentation around mission systems Test whether a compromised collaboration server can reach classified, sensitive, or mission-critical resources and remove unnecessary east-west paths before the next exploit window opens.
What's in the full article
Illumio's full blog post covers the operational detail this post intentionally leaves for the source:
- Illumio Insights examples for identifying abnormal workload-to-workload communication after a SharePoint compromise
- Segmentation policy examples for limiting east-west traffic from vulnerable collaboration servers
- Practical containment guidance for reducing blast radius in hybrid federal-style environments
- Discussion of how their approach fits a Zero Trust operating model without replacing patching
👉 Read Illumio's analysis of the ToolShell SharePoint RCE and containment risk →
SharePoint RCE and lateral movement risk: are your controls ready?
Explore further
Patch velocity is not a containment strategy. The article reinforces a control reality that many programmes still underweight: fixing the vulnerable application does not necessarily neutralise the incident. Once an attacker has executed code on a trusted server, the decisive question becomes what that server can still reach. For identity and access teams, this is a reminder that access scope and network reachability are part of incident resilience, not only operational convenience.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Which frameworks apply when a server compromise can spread across the environment?
A: NIST CSF, Zero Trust guidance, and control frameworks such as NIST SP 800-53 all become relevant when one compromised system can still move through the network. The practical test is whether access paths, privileges, and communication routes are constrained enough to keep the incident local.
👉 Read our full editorial: ToolShell and SharePoint RCE show why patching is not enough