According to Dani, the shift toward collaboration platforms like SharePoint is no coincidence. “SharePoint acts as a one-stop shop for sensitive documents, source code, HR, and legal content,” he said. “Threat groups have shifted from edge appliances to internal collaboration platforms because those systems deliver both sensitive data and privileged network access.”
The exploit, nicknamed ToolShell, enables remote code execution, key theft, and malware installation on on-premises servers. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, urging immediate remediation. Barney warned that state-backed actors are now embedding into business workflows. “They want access to the crown jewels. These platforms house far more than PII–strategic plans, source code, and internal communications. It’s not just about exfiltration anymore, but deep persistent access.”