Here is the video recording of our session
Slides we used are also attached.
Please also watch the video by @Peter_Elmer explaining how to set up the IPS protections for this vulnerability correctly:
Here are some of the Q&A which were not answered live:
Q: We moved to SharePoint Online, but we still have an on-prem legacy SharePoint server for historical data, which cannot be accessed from external IPs. Will it still be affected and vulnerable?
A: The vulnerable component is the web server. As long as there is no web interface exposed to the internet it is not exploitable from outside the network. However, it is still important to patch it as it can be exploited from the internal network. The risk, however, is indeed smaller.
Q: Is it true that the first vendor that disclosed the vulnerability was TrendMicro?
A: The recent wave of exploitation is related to CVE-53770, which is a patch bypass for CVE-2025-47704\6. The original vulnerability was reported as part of TrendMicro's Zero Day Initiative in May in a contest called Pwn2Own. The name ToolShell is from them.
Q: Can we check with ERM if our SharePoint is exposed?
A: Yes, absolutely
Q: When did Check Point release the IPS protection signature?
A: It was originally released on July 21 and then updated on July 23.
Q: You mentioned Harmony Endpoint Client as part of protective measures. Which versions of Microsoft Servers are supported with it?
A: CURRENTLY SUPPORTED versions of the client will run on:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022