If your organisation runs SharePoint On-Premises, this is not a drill.
Over the past several months, a series of critical vulnerabilities have been discovered and actively exploited in on-premises Microsoft SharePoint environments. These are not theoretical risks sitting in a security researcher's lab. They are real attacks against real organisations, happening right now.
And if you haven't acted yet, you may already be exposed.
What's actually happening?
In July 2025, Microsoft disclosed a critical vulnerability known as ToolShell (CVE-2025-53770), rated 9.8 out of 10 on the CVSS severity scale (where 10 is the most dangerous possible). This vulnerability affected all supported versions of SharePoint On-Premises: SharePoint Server 2016, 2019, and Subscription Edition.
What made this particularly alarming was that attackers didn't need a password or any prior access to your system. If they could reach your SharePoint server, they could get in.
Before Microsoft could fully patch the issue, more than 400 organisations globally had already been compromised, including US government agencies. Chinese state-sponsored threat actors were among those identified, alongside ransomware groups who exploited the same vulnerability for financial gain.
That was 2025. In 2026, the attacks have continued.

In January 2026, Microsoft disclosed a new critical SharePoint vulnerability (CVE-2026-20963, also rated 9.8) affecting all supported on-premises versions. By March 2026, CISA (the US Cybersecurity and Infrastructure Security Agency) added it to their Known Exploited Vulnerabilities catalogue, confirming it was being actively used in attacks. Federal agencies were ordered to patch immediately.
Then, just this month in April 2026, Microsoft's Patch Tuesday (the largest in Microsoft's history by CVE count) included yet another actively exploited SharePoint zero-day: CVE-2026-32201. This is a spoofing vulnerability that allows an unauthenticated attacker to inject malicious scripts into SharePoint pages, potentially stealing session tokens, redirecting users to malicious content, or enabling broader phishing and ransomware campaigns. It was being exploited in the wild before today's patch was available.
And there is one more date that SharePoint Server 2016 and 2019 customers need to know: 14 July 2026. That is when both versions reach end of support. After that date, Microsoft will no longer release security patches for SharePoint Server 2016 or 2019, meaning any vulnerability discovered after July 2026 will remain permanently unpatched on those versions. SharePoint Server Subscription Edition is not affected by this deadline and remains supported under Microsoft's Modern Lifecycle Policy with no fixed end date.
In less than 12 months, SharePoint On-Premises has been the subject of multiple critical, actively exploited vulnerabilities.
This is not a one-off event. It is a pattern. And for SharePoint Server 2016 and 2019 customers specifically, the safety net of Microsoft security patches disappears entirely in 90 days.
Why should a business leader care?
SharePoint is not just a file storage system. For many organisations, it is the central nervous system of the business, holding sensitive documents, running workflows, storing employee data, and connecting to other Microsoft services like Teams, Outlook, and OneDrive.
When an attacker gets into SharePoint, they don't just see your files. They can:
• Move laterally across your entire Microsoft environment
• Access sensitive business and personal data
• Install backdoors that persist even after patches are applied
• Deploy ransomware across your network
• Steal credentials and impersonate trusted users
And here is the part that should concern every business leader most: you may not know it has happened. These attacks are designed to be quiet. By the time you notice something is wrong, the attacker may have been inside your systems for weeks or months.
If you answered yes to the first question and no to any of the others, your organisation is carrying unnecessary risk.
Important note: If you run SharePoint Online (part of Microsoft 365), you are not affected. Microsoft patches cloud environments automatically. This risk applies specifically to organisations hosting their own SharePoint servers.
What needs to happen now?
This is not a moment for a committee to review and report back in 30 days. The following actions need to be on your IT team's desk this week:

1. Patch immediately
Microsoft has released security updates for all supported SharePoint On-Premises versions. Your IT team needs to apply the latest cumulative security patches. For the Subscription Edition, this means applying January, February, and March 2026 updates in sequence, as well as the April 2026 Patch Tuesday updates released this week.
2. Rotate your cryptographic keys
Patching alone is not enough. Microsoft explicitly advises that organisations rotate their SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers after patching. This closes a backdoor that attackers may have established even before you patched.
3. Assume you may already be compromised
If your SharePoint was accessible from the internet at any point between July 2025 and now and you have not already conducted a compromise assessment, security experts strongly recommend you assume a breach has occurred and investigate accordingly. Patching closes the door, but it does not evict anyone already inside.
4. Enable monitoring
Set up alerts for unusual activity: failed login spikes, unusual outbound traffic, PowerShell executions on SharePoint servers, and large unexpected data downloads. These are the warning signs of an active attack or a persistent threat already inside your environment.
5. Plan for the future
This is not the last SharePoint vulnerability we will see. Organisations that run on-premises SharePoint need a structured, recurring patch management process, not a reactive scramble every time a critical CVE makes the news.
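As an added illustration of steps 1 and 2 above (not a script from this post or from Microsoft), the following SharePoint Management Shell session checks the farm build after patching, rotates the ASP.NET machine key for every web application, and restarts IIS on each SharePoint server in the farm. It assumes the Update-SPMachineKey cmdlet is available on the farm, that it is run as a farm administrator after the security updates are installed, and that PowerShell remoting is enabled between the servers.

```powershell
# Added example: post-patch machine-key rotation for a SharePoint On-Premises farm.
# Assumptions: SharePoint Management Shell cmdlets (incl. Update-SPMachineKey) are available,
# the session runs as a farm administrator, and PowerShell remoting works between farm servers.
# Run this only AFTER the security updates have been installed on every server.

# Load the SharePoint cmdlets if this is a plain PowerShell session.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Record the farm build first: an unpatched farm must not be treated as remediated.
# Compare this value against the build number of the latest cumulative update.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Rotate the ASP.NET machine key for every web application, including Central Administration,
# so that any validation/decryption key captured before patching stops being usable.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for web application: $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# Restart IIS so the new keys are loaded. iisreset only affects the local machine,
# so it has to run on every SharePoint server. Servers with role 'Invalid' are
# non-SharePoint members of the farm (for example the SQL Server) and are skipped.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($srv in $servers) {
    Write-Host "Restarting IIS on $($srv.Address)"
    Invoke-Command -ComputerName $srv.Address -ScriptBlock { iisreset.exe }
}

Write-Host "Machine keys rotated on $($webApps.Count) web application(s); IIS restarted on $($servers.Count) server(s)."
```

Step 3 still applies afterwards: this closes the key-reuse path but does not remove web shells or accounts an attacker may have already planted, so a compromise assessment should follow.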
The hard question: is On-Premises still the right choice?
We are not here to tell every organisation to move to the cloud. There are legitimate reasons (regulatory requirements, data sovereignty, legacy integrations) why some organisations must keep SharePoint On-Premises.
But the security overhead is real and growing. Every critical vulnerability that Microsoft patches in the cloud automatically means nothing to an on-premises customer who hasn't applied the update. The responsibility sits squarely with your IT team, and the window between disclosure and exploitation is shrinking.
And then there is the end-of-life reality. SharePoint Server 2016 and SharePoint Server 2019 both reach end of support on 14 July 2026, just 90 days from now. After that date, Microsoft will release no further security patches for either version. Any vulnerability discovered after July 2026 will remain permanently unpatched on those platforms. If you are running SharePoint Server Subscription Edition, you are not affected by this deadline — it remains supported with no fixed end date. But if you are on 2016 or 2019, the options are clear: migrate to SharePoint Online, upgrade to SharePoint Server Subscription Edition, or accept an ever-growing security exposure with no vendor safety net.
If you are running On-Premises purely out of habit, inertia, or because it has always been that way: the clock is no longer just ticking. It has nearly run out.

Where GTconsult can help
We work with organisations on exactly these challenges. Whether you need help patching and hardening your current SharePoint environment, assessing whether you have already been compromised, setting up monitoring and alerting, evaluating a migration to SharePoint Online, or conducting penetration testing and vulnerability assessments: we have the expertise to help.
