Emerging Threat

How to brief your board effectively on the ToolShell On-Prem SharePoint Vulnerability

The “ToolShell” vulnerabilities (CVE-2025-53770 and CVE-2025-53771) highlight a persistent challenge for boards and executives: the risks posed by prevalent use of file sharing tools and collaboration platforms, and the lack of end-to-end visibility across the supply chain.


Supply chain attacks are an attractive threat vector for cyber actors, given the great ROI: leveraging a single compromise to potentially gain numerous victims.


While patches and remediations were quickly provided in this case, this incident reinforces why boards must view supply chain risks as business risks that can cause significant impact to their organisations.

Assessing the impact

A question you’ll probably get from your board is: “What is our exposure?”

That answer goes beyond checking whether your own SharePoint servers are vulnerable. You need to know where your sensitive data resides across your suppliers and their suppliers, and how that data is exposed to this threat.

The real risk may lie with a third party, or one of their own subcontractors, whose compromise could expose your data without your knowledge. Because SharePoint often holds sensitive commercial data, a breach at a supplier can quickly impact you, resulting in reputational damage and operational disruption.

However, determining your true exposure is not straightforward. While you may understand your immediate supplier relationships, you might lack visibility into how exactly those suppliers handle your data and whether they have passed it to other suppliers without your knowledge.

Here are some initial steps to take:

  • Determine your internal exposure. If you’re running affected versions, begin remediation efforts. This includes searching for indicators of compromise (IoCs) to determine if a breach has already occurred.
  • Understand the business impact of emergency patching. Hopefully, you’ve already planned for similar scenarios. Assess whether you can deploy an out-of-band patch without significant impact to the business.
  • Parallel to this, assess your supplier exposure. Do you know who has access to your sensitive data? How is it stored, controlled, and accessed? Are they sharing this data further down their supply chain?
  • Understand the downstream business impact. If one (or more) of your suppliers were compromised, which business functions could be disrupted? What are the operational and financial consequences to your organisation?

Briefing your board

Boards are increasingly expected by regulators and investors to understand and address cyber risk. In many sectors, this includes regulatory requirements to assess systemic concentration risks stemming from shared reliance on critical suppliers. This means moving beyond purely technical briefings and addressing these risks in business terms.

Here’s what to include in your briefings:

  • Be explicit about supply chain exposure. Even if your systems are secure, a breach at a key supplier can still trigger financial, legal, and reputational fallout.
  • Clarify the mitigation plan. Explain how you are addressing both internal and third-party risks through investigating, patching, and supplier assurance. Keep leadership informed as the situation evolves.

Boards should view the “ToolShell” incident as yet another reminder that you can’t manage what you can’t see: the “unknown unknowns” challenge. Without a proactive strategy to expand visibility across your entire supplier ecosystem, operational resilience strategies lose effectiveness, because only a small subset of the possible scenarios will ever have been evaluated.

Making the case for better TPRM

As with other cyber incidents, patching and incident response are not enough; you need to address the root cause: a lack of visibility into where your data is located and who has access to it. This reinforces the need to prioritise TPRM so that your board is aware of the risks that supply chain attacks pose to the business. Even if your own management of cyber risk is mature, the maturity of your suppliers can be your limiting factor.

Boards must treat this as a business continuity and resilience issue, not just a technical one. To make this case, you need to clarify the true extent of your exposure (internally and with suppliers), how you are investigating and responding to this issue, and how your approach is comprehensive (by integrating your efforts and that of your suppliers).

Enhancing supplier visibility is easier said than done. However, as with cyber threat intelligence, a collaborative approach to TPRM enables the sharing of critical supply chain information to enhance the mapping of your third parties, those of your suppliers, and so on.

By treating supply chain cyber risk as a board-level priority and adopting a collaborative approach to TPRM, you will be better prepared for and more resilient against supply chain threats.
