The “ToolShell” vulnerabilities (CVE-2025-53770 and CVE-2025-53771) highlight a persistent challenge for boards and executives: the risks posed by prevalent use of file sharing tools and collaboration platforms, and the lack of end-to-end visibility across the supply chain.
Supply chain attacks are an attractive threat vector for cyber actors, given the great ROI: leveraging a single compromise to potentially gain numerous victims.
While patches and remediations were quickly provided in this case, this incident reinforces why boards must view supply chain risks as business risks that can cause significant impact to their organisations.
A question you’ll probably get from your board is: “What is our exposure?”
That answer goes beyond checking whether your own SharePoint servers are vulnerable. You need to know where your sensitive data resides across your suppliers and their suppliers, and how that data is exposed to this threat.
The real risk may lie with a third party, or one of their own subcontractors, whose compromise could expose your data without your knowledge. Because SharePoint often holds sensitive commercial data, a breach at a supplier can quickly impact you, resulting in reputational damage and operational disruption.
However, determining your true exposure is not straightforward. While you may understand your immediate supplier relationships, you might lack visibility into how exactly those suppliers handle your data and whether they have passed it to other suppliers without your knowledge.
Here are some initial steps to take:
Boards are increasingly expected by regulators and investors to understand and address cyber risk. In many sectors, this includes regulatory requirements to assess systemic concentration risks stemming from shared reliance on critical suppliers. This means moving beyond purely technical briefings and addressing these risks in business terms.
Here’s what to include in your briefings:
Boards should view the “ToolShell” incident as yet another reminder that you can’t manage what you can’t see: the “unknown unknowns” challenge. Without a proactive strategy to expand visibility across your entire supplier ecosystem, operational resilience planning loses effectiveness, because only a small subset of the scenarios that could affect you will have been evaluated.
As with other cyber incidents, patching and incident response are not enough; you need to address the root cause: lack of visibility into where your data is located and who has access to it. This reinforces the need to prioritise third-party risk management (TPRM) so that your board is aware of the risks that supply chain attacks pose to the business. Even if your own management of cyber risk is mature, the maturity of your suppliers can be your limiting factor.
Boards must treat this as a business continuity and resilience issue, not just a technical one. To make this case, you need to clarify the true extent of your exposure (internally and across suppliers), how you are investigating and responding to this issue, and how your approach is comprehensive (by integrating your efforts with those of your suppliers).
Enhancing supplier visibility is easier said than done. However, as with cyber threat intelligence, a collaborative approach to TPRM enables the sharing of critical supply chain information to enhance the mapping of your third parties, those of your suppliers and so on.
By treating supply chain cyber risk as a board-level priority and adopting a collaborative approach to TPRM, you will be better prepared for and more resilient against supply chain threats.