
Platform Security's Game of Cat and Mouse

By Alexander Aviles | July 27, 2025

Introduction

I am the Cat. You are the Mouse. I am trying to break into your house. You are trying to protect your house. After each of my successful attempts, you find a way to prevent more of them. And yet, I always find alternative methods in excess. So the cycle repeats itself. This is our game of Cat and Mouse.

You do not need to be a platform security professional to understand the nature of platform security. We exist in an endless chase of trying to fix old problems as new ones arise.

This is the case for multiple reasons. Whether it’s ancient architecture, inconsistent updates, or just plain people, the factors that keep the game going have long outgrown whatever started it. Their constant contributions to our problems tell us there is no end in sight.

Round 1

In May of 2025, Berlin hosted Pwn2Own, where Khoa Dinh of Viettel Cybersecurity showcased CVE-2025-49704 and CVE-2025-49706. These CVEs are related to authentication bypass and remote code execution (RCE) on certain SharePoint Server versions: 2019, 2016, and earlier. They carry CVSS scores of 8.8 and 6.3, respectively, and Microsoft released patches for them on Patch Tuesday, July 8th, 2025.

These CVEs were used in a combined exploit chain known as “ToolShell.” Please read the original articles listed at the end of this blog for comprehensive details, but to summarize: the exploit culminates in a single HTTP request that leads to RCE.

For companies with vulnerable, on-premises, and most likely public-facing SharePoint Servers, ToolShell is a dangerous threat. In fact, it should have been the responsibility of these enterprises to implement mitigations even before the patch release. Unfortunately, even Viettel Cybersecurity’s own mitigation guide wasn’t released to its customers until July 15th.

Let’s briefly recap Round 1: it started with a researcher finding two vulnerabilities (a successful break-in attempt) and reporting them; then, about a month and a half later, a fix was deployed (break-in method prevented). The researcher’s proactive efforts resolved an old problem, but as this game goes, there is no escaping the endless onslaught of break-in attempts.

Round 2

Cue the fast-paced video game music. Round 2 picks up right where Round 1 left off.

On July 18th, Dutch cybersecurity firm Eye Security reported that threat actors were already utilizing new zero-days related to the aforementioned CVEs. Yes! Microsoft’s prior patches were insufficient. Microsoft admitted as much when addressing two new CVEs, stating the updates were now more “robust” than the earlier ones.

These new CVE updates and advisories were released on July 20th, just two days after the initial report that known threat actors were using these tactics, techniques, and procedures (TTPs) in the wild.

So here's the breakdown of Round 2:

  • Eye Security identifies active exploitation (successful break-in)
  • Microsoft releases out-of-band (OOB) patches, preemptive to the usual Patch Tuesday release

If a company acted swiftly to apply the patches, the problem should be resolved… right?

No. Surely, you know how the game is played by now.

A notable statistic: on July 23rd, The Shadowserver Foundation identified 424 public-facing SharePoint IPs still vulnerable to the CVEs.

Round 3

Round 3! Surely, the end is near.

Not without its boss battles, though.

As early as July 18th, Microsoft observed ransomware deployment by an APT group involved in the campaign, known as Storm-2603. Microsoft released a graphic detailing the TTPs and has been consistent in publishing information on IOCs and mitigation strategies.

Screenshot of the graphic detailing Storm-2603 TTPs

However, Microsoft and other advisories on the ransomware miss a larger issue: every organization is different. Whether they've been diligent or negligent in adhering to the given solutions, it’s undeniable this is only the first wave.

Many SharePoint systems remain vulnerable. And even for patched systems, threat actors may have already gained persistence, meaning ransomware or other malicious operations could still be deployed.

Round 3, as we see, is open-ended. The fate of breached organizations depends on their strategy. Even if a company updates everything, eradicates malware, and migrates to cloud solutions as Microsoft recommends, one fact remains:

There is always another method by which the Cat can break in.

The Rest of the Saga

Let’s return to the original researcher, Khoa Dinh, who published a blog on July 24th, 2025, detailing the year-long development of ToolShell. The blog excellently breaks down the entire process: from diving into and analyzing code, to exploiting the authentication bypass and RCE.

Most notably, Dinh writes at the start of the conclusion:

“Although the July 2025 patch mitigated this exploit chain, more could be coming because there are thousands of classes and many pages to check. As researchers, we need to invest more time reading [this] code.”

There is no better point to be made.

Dinh notes that one of the classes used to bypass authentication in the ToolPane’s SafeControl check was just one out of thousands. This implies that countless more vulnerabilities may exist; they just haven’t been discovered yet.

Conclusion

My biggest takeaway from this case study: this is just one example.

Only organizations running vulnerable, on-premises versions of SharePoint were affected by this sequence of events. But consider the wider scope:

  • How many other vulnerable Microsoft products are out there?
  • How many publicly facing servers, not just SharePoint, are still exposed?
  • How many organizations have architectures dependent on uncharted, exploitable software?

As the saying goes: “Security is only as strong as the weakest link.”

Fortunately, those responsible for platform security are constantly learning and searching for ways to protect their systems. Why?

Because history has proven that this game of Cat and Mouse never ends, and they are the Mouse.

Sources
