ToolShell Shows the Risk of Incomplete SharePoint Patching

When Patching Does Not End the Breach: Why Visibility Must Outlast the Patch Window

Enterprise security failures often become visible when a trusted platform stops functioning as a safe system of record. A DrupalFit case study by Palak Agrawal examines the 2025 Microsoft SharePoint ToolShell campaign, which targeted on-premises SharePoint Server through authentication bypass, remote code execution, web shell deployment, and persistent access through stolen ASP.NET machine keys. The case study uses the incident to show how incomplete remediation can turn a patched platform into an ongoing operational risk.

The campaign involved CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. DrupalFit traces the sequence from the exploit demonstration at Pwn2Own Berlin 2025 to Microsoft’s July security updates and emergency fixes. Microsoft says the vulnerabilities affected on-premises SharePoint servers only and did not affect SharePoint Online in Microsoft 365. The timeline is significant because organisations that applied the first patch could remain exposed until later fixes and still needed to rotate ASP.NET machine keys, remove web shells, and verify that persistence was cleared.

For Drupal teams, the relevance is operational rather than platform-specific. Applying updates is not enough when exposed services, weak configurations, vulnerable dependencies, or persistence mechanisms can remain active after remediation. DrupalFit frames the case as an argument for continuous visibility across application, network, and encryption layers so that security findings can reach both technical teams and decision-makers before they become business disruption.


Disclosure: This content is produced with the assistance of AI.
