“Patching alone is not enough. We strongly advise defenders not to wait for a vendor fix before taking action.”
Microsoft partially patched a SharePoint zero-day on July 8, and attackers immediately found a variant that let them keep exploiting it. The targets are US federal agencies, universities, and energy companies. Attackers are deploying a backdoor called ToolShell and stealing ASP.NET machine keys that enable token impersonation and lateral movement long after the initial breach. CISA says to disconnect vulnerable systems from the public internet, which is the kind of advice that sounds obvious until you remember how many organizations run SharePoint exposed to the world.