What Happens When Your Tech Is Not Patched
I’ve worked in tech for more than 30 years. I’m not an engineer, but I’ve been close enough to the work, the people, and the consequences to know this: most technology “disasters” that make the headlines aren’t caused by some magical, unstoppable hacker wizardry. They’re caused by something much more boring and much more preventable, like someone not installing updates.
That’s exactly what we’re looking at with the recent SharePoint breach that hit DHS, HHS, and NIH.
Over the last few days, I’ve read and heard plenty of hot takes about “Microsoft’s security failure” and “how SharePoint is insecure.” The problem? These takes are almost entirely wrong. The breach didn’t happen because Microsoft’s cloud was hacked. It didn’t happen because SharePoint as a platform is inherently unsafe. It happened because some organizations were running on-premises versions of SharePoint and they hadn’t kept them up to date.
In some cases, it looks like they might have been running SharePoint 2013 or older, with Windows Server 2012 — systems that have been out of support for years. If that’s true, it means they’ve had more than a decade to upgrade. That’s not a Microsoft problem. That’s an IT management problem.
What Actually Happened
In mid‑July 2025, Chinese-linked state-sponsored hacking groups — with the codenames Linen Typhoon and Violet Typhoon — exploited a vulnerability in on-premises SharePoint servers. This wasn’t a “zero-day” mystery flaw that nobody knew about. Microsoft had already issued patches for the problem in May.
If your organization applied the patch, you were safe. If you didn’t? You were a sitting duck.
The hackers used the flaw to run remote commands on unpatched servers, plant malicious tools, and in some cases deploy ransomware. DHS, HHS, and NIH were among the affected agencies. At NIH, at least one SharePoint server was confirmed compromised, two others saw attempted intrusions that were blocked, and several were taken offline entirely.
Cloud-hosted SharePoint (Microsoft 365) was completely unaffected — because Microsoft handles patching there automatically. This entire mess was about on-premises servers that rely on the owner to keep them secure.
The Part That Frustrates Me
This breach is a textbook example of why patch management matters. And yet, in the aftermath, I’ve seen the same tired storyline play out:
“Microsoft got hacked!”
“SharePoint isn’t safe!”
“We should move to [insert other vendor here]!”
No. Stop.
This wasn’t about the brand of the software — it was about the discipline of maintaining it. You can swap Microsoft for any vendor you want; if you don’t patch your systems, they’re going to get breached.
It’s easy to throw rocks at a big tech company when something like this happens. But the reality is, in this case, Microsoft did what they were supposed to do. They found the flaw, they fixed it, they released the fix. They can’t physically force every customer with an on-prem system to apply the update — especially if those customers are running software that’s so old it’s not even supported anymore.
Why People Don’t Update, and Why That’s a Problem
I’ve heard all the excuses over the years:
- “We don’t have time to test the updates.”
- “We don’t have budget for an upgrade.”
- “It’s working fine as it is — why change it?”
- “Microsoft just wants to sell us something new.”
I get it. Updates can be inconvenient. They can break workflows. They can cost money. But so can a breach — and a breach will cost a lot more.
When Microsoft ends support for a product, it’s not a cash grab. It’s because they can’t realistically keep patching every piece of software they’ve ever made forever. At some point, old code becomes too expensive and risky to maintain. Upgrading isn’t about chasing shiny new features — it’s about closing doors that attackers will otherwise walk right through.
And here’s the hard truth for IT leaders: if you’re running critical systems, you have a responsibility to keep them current.
That means:
- Staying on supported versions of your software and operating systems.
- Applying security updates as soon as they’re available.
- Having a plan — and the budget — for regular upgrades.
If your leadership team won’t prioritize that, it’s not a matter of if you’ll get breached, it’s when.
The breach this month should be a wake-up call. These agencies weren’t taken down by some Hollywood-style cyberattack. They were tripped up by the same thing that takes down small businesses, hospitals, and schools every year: outdated software.
The Gospel According to Me
I’ve been in this industry long enough to know that people will forget this lesson until it happens again. But maybe, just maybe, this time it’ll stick for some.
The next time you hear about a security breach, don’t jump straight to blaming the platform or the vendor. Ask the harder questions:
- Were the systems patched?
- Were they even still supported?
- Was this preventable?
In this case, the answers are clear. Yes, it was preventable. No, it wasn’t patched. And yes, the software was in some cases so old it should have been retired years ago.
We can point fingers all we want, but until organizations take ownership of keeping their systems up to date, we’re going to keep seeing the same headlines.




