ToolShell and the SharePoint Attack

A new exploit chain, dubbed ToolShell, was recently patched by Microsoft after it was found to be in active use against on-premises SharePoint servers. The chain links CVE-2025-49706 (an authentication bypass vulnerability) with CVE-2025-49704 (a remote code execution vulnerability); their bypass variants, CVE-2025-53770 and CVE-2025-53771, defeated the incomplete July 8 fixes and were the versions seen in the wild. Together they allow an unauthenticated attacker to run arbitrary code on a vulnerable SharePoint instance.

Attackers were observed bypassing authentication, dropping web shells that read the server's ASP.NET machine keys (the ValidationKey and DecryptionKey) along with other sensitive data, and using those keys to establish persistence. This is what makes the breach resistant to patching: with a valid machine key an attacker can forge signed __VIEWSTATE payloads and regain code execution on a server even after the security updates are installed.
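The following is an added triage example, not code from the original article, from Microsoft or from Binarii Labs. It sweeps IIS W3C logs for the two indicators most consistently published for the authentication bypass: a POST to `/_layouts/15/ToolPane.aspx` with `DisplayMode=Edit` and a Referer of `/_layouts/SignOut.aspx`, and any request for the `spinstall0.aspx` web shell used to read the machine keys. The log lines, hostnames and addresses are constructed for illustration. The point it makes that the prose does not is the discriminator: authenticated editors legitimately POST to ToolPane.aspx, so the path alone is noisy and the SignOut referer is the signal.

```python
"""Triage IIS W3C logs for signs of ToolShell exploitation.

Added example, not from the original article or from Microsoft/Binarii Labs.
Indicators come from public incident reporting on CVE-2025-49706/53771:
  * a POST to /_layouts/15/ToolPane.aspx (or /_layouts/16/...) carrying
    DisplayMode=Edit with a Referer of /_layouts/SignOut.aspx is the
    authentication-bypass request;
  * any request for spinstall0.aspx is the web shell used to read the
    ASP.NET machine keys (renamed variants were also reported).
The log lines below are constructed for illustration, not captured.
"""
import re
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# IIS escapes spaces inside a field as '+', so one split on ' ' per line is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/ 200
2025-07-18 10:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:03:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 10:04:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.51 Mozilla/5.0 https://sp.contoso.local/_layouts/15/settings.aspx 200
"""

TOOLPANE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.I)
# The published web shell name is spinstall0.aspx; the loose pattern also
# catches renamed copies such as spinstall1.aspx.
WEBSHELL = re.compile(r"/spinstall\w*\.aspx$", re.I)


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header may repeat when IIS rolls logs
            continue
        if line.startswith("#") or not fields:
            continue                    # other directives, or data before a header
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # malformed or truncated record
        yield dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> str:
    """Return an indicator name for a record, or '' if it looks benign."""
    method = rec.get("cs-method", "").upper()
    uri = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "")
    if WEBSHELL.search(uri):
        return "webshell-access"
    # Authenticated editors legitimately POST to ToolPane.aspx with
    # DisplayMode=Edit; the bypass is distinguished by the SignOut referer,
    # so that header, not the path alone, is the signal.
    if (method == "POST" and TOOLPANE.match(uri)
            and "displaymode=edit" in query and SIGNOUT_REFERER.search(referer)):
        return "toolshell-auth-bypass"
    # Status code is deliberately ignored: a 401 or 500 still records an attempt.
    return ""


def find_hits(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (indicator, client IP, timestamp) for every suspicious record."""
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        tag = classify(rec)
        if tag:
            when = f"{rec.get('date', '')} {rec.get('time', '')}"
            hits.append((tag, rec.get("c-ip", "-"), when))
    return hits


def attacker_ips(hits: Iterable[Tuple[str, str, str]]) -> Set[str]:
    """Distinct client IPs behind the hits, for blocking and for pivoting in other logs."""
    return {ip for _, ip, _ in hits}


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for tag, ip, when in found:
        print(f"{when} {ip} {tag}")
    print("suspect IPs:", sorted(attacker_ips(found)))
```

Run it against the real `u_ex*.log` files under `%SystemDrive%\inetpub\logs\LogFiles\` and treat any hit as confirmation that the machine keys must be rotated after patching, not merely that the patch must be applied. Absence of hits is weaker evidence: logs may have been rotated or tampered with after the key theft.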

Additionally, several days after the initial attacks were discovered, Microsoft reported that attackers had begun deploying Warlock ransomware on breached systems.

Palo Alto Networks' Unit 42 warns: “If you have a SharePoint on-prem that is exposed to the internet, you should assume that you have been compromised at this point.”

This sophisticated and persistent attack is just the latest in a series of critical cybersecurity incidents in 2025. With state-backed threat actors working around the clock to exploit vulnerabilities, zero-day exploits are an unavoidable reality of an increasingly hostile software environment.

Cybersecurity experts now understand that the question is no longer just “How do we keep attackers out?” – it is also “What can we do when they inevitably get in?” Resilience and damage containment are now central to any modern security strategy.

In its customer guidance, Microsoft urged organisations to upgrade SharePoint to a supported version, install the July 2025 security updates, and rotate the ASP.NET machine keys (with the Update-SPMachineKey cmdlet or the Machine Key Rotation timer job), then restart IIS so the new keys take effect. The order matters: keys rotated before the update is applied can simply be stolen again, and a patched server whose keys were never rotated remains open to anyone holding the old ones.

Data-Centric Defence: Assume Breach

Relying on a single vendor ecosystem or a centralised data store introduces a single point of failure, an unacceptable risk in today's threat environment. At Binarii Labs we operate on the basis that a breach will happen, and that when it does, attackers should gain access only to incomplete, meaningless data. In other words: protect the data itself, not just the perimeter around it.

Our Digital Security Platform, BinariiDSP, enables organisations to protect their most valuable assets by duplicating, encrypting, fragmenting and dispersing data across multiple user-owned storage locations, so that a breach of any one location yields nothing meaningful. Because the BinariiDSP engine and the BinariiDSM file management system spread every file across several independently held locations, an attacker seeking usable data must compromise every location that holds its fragments, then reassemble the fragments and decrypt them; in practice that is not achievable.

In simpler terms, no complete file ever resides on a single server or with a single provider. This user-controlled, multi-location approach preserves business continuity and resilience even if one provider is unavailable or breached. Our zero-knowledge encryption model means that nobody other than the designated end users can read the data, and BinariiDSP logs every file action to an immutable blockchain as a proof of record, giving organisations a trusted, verifiable audit trail for compliance.

Conclusion

Security breaches are an unfortunate reality of the modern threat landscape; no solution can prevent every intrusion. Had the victims of the SharePoint ToolShell incidents been Binarii Labs clients, attackers reaching the stored data would have found only fragmented, encrypted data that could not be abused or sold. The ransomware deployed in the aftermath would likewise have been blunted, since data integrity could be restored from redundant encrypted fragments held on alternative, uncompromised servers.