
Patch Tuesday 2025 roundup: The biggest Microsoft vulnerabilities of the year


“You have to patch what needs to be patched, not just what can be patched,” Moody added. “You don’t have 30 days to do testing, plan down time. You no longer have the luxury of saying, ‘We’re going to push all of this out at once.’ You need to say, ‘I’m going to knock out the ones that are going to kill me first,’ and if you automate this [initial batch], you have more man hours to analyze and scrutinize the rest.”

Take, for example, one of the nastiest holes found this year, ToolShell (CVE-2025-53770), which is actually two chained vulnerabilities in on-premises SharePoint 2016/2019 servers. It allows an unauthenticated attacker to execute code remotely. It carries a 9.8 CVSS score, and exploiting it has become a favorite of initial access brokers.

Scott Caveza, senior staff research engineer at Tenable, described its possible exploitation as a “nightmare scenario … that CSOs will want to avoid at all costs.” But, Moody pointed out, today most large organizations access SharePoint from the cloud, so its CVSS score matters only to those still running SharePoint servers in-house.
