Lessons in Resilience from the Race to Patch SharePoint Vulnerabilities

Key takeaways:

  • In the latest session of What's In Your Cup, DataBank CISO Mark Houpt explained how incident response requires continuous monitoring and a long-term view, with organizations encouraged to track vulnerabilities from discovery through to complete remediation.
  • Filtering out misinformation and focusing on real-source data was critical for both executive decisions and incident response, so that threats like the SharePoint vulnerabilities could be accurately understood and addressed.
  • Proactive measures like virtual patching demonstrate the value of layered defense strategies, allowing organizations to avoid potential disruptions and giving them time to properly evaluate and implement vendor updates.

The discovery and rapid exploitation of the CVE-2025-53770 and CVE-2025-53771 vulnerabilities within Microsoft SharePoint on-premises servers is a reminder of the harsh realities facing organizations in today’s threat landscape: skilled adversaries are leveraging newly disclosed attack vectors in record time, shrinking the gap between vulnerability discovery and criminal weaponization. These vulnerabilities allow cybercriminals to upload malicious files and harvest cryptographic secrets, creating an avenue for remote code execution. Notably, they’re evolutions of previously patched flaws, CVE-2025-49704 and CVE-2025-49706, whose incomplete initial mitigations opened the door for attacks that were first observed on July 18.

A mission-critical platform among organizations across many sectors, SharePoint is a high-value target for attackers who know its compromise can mean operational paralysis, data theft, and reputational damage on a wide scale. Many companies use solutions like SharePoint as a means of collaboration and information management, so any breach can have an immediate and far-reaching impact on business continuity and public trust for affected organizations.

Filtering the signal from the noise

That these vulnerabilities have captured mainstream media attention has raised much-needed awareness among decision-makers at the executive level, reinforcing the importance of treating cybersecurity as a core business concern. However, this visibility also means both business leaders and incident response teams have had to cut through the sheer volume of online coverage, speculation, and even misinformation to get to substantiated and relevant data. In our conversation with Mark Houpt, Chief Information Security Officer at DataBank, he stressed the importance of insights and independent research from reliable industry sources: “We've been able to sift through that and focus on real-source intelligence from CISA [the Cybersecurity and Infrastructure Security Agency], from Trend [Micro], from other organizations like that, that will tell us what is really happening. That's been first and foremost what has informed our advice,” he said to Myla Pilao, Trend's Director for Technical Marketing.

Trend independently confirmed these attacks, further observing exploitation attempts against organizations in the finance, education, energy, and healthcare industries, among others. These targets were based in various regions, including Asia, Europe, and the United States.

With varied impacts across product lines, establishing clear lines of communication with customers is a top priority for businesses like DataBank, especially in defining what was at risk and what was not. Those on SharePoint Online in Microsoft 365, for instance, were unaffected by these vulnerabilities. For on-premises SharePoint users, however, the message should be focused and actionable. Proven intelligence from trusted industry leaders is the solid footing on which organizations can tailor their messaging around fact-based updates to prevent confusion and build trust among their customers, even as more technical details from the vendor surface.

Closing the exploitation window on adversaries

Microsoft has since rolled out patches for SharePoint Subscription Edition and Server 2019, but proactive measures like virtual patches have served as a critical buffer for organizations, considering how quickly bad actors move to take advantage of incomplete fixes or fine-tune their attacks. According to the Trend 2025 Cyber Risk Report, the fastest average mean time to patch (MTTP) by company size is 22 days; patching vulnerabilities is even more of a challenge for larger enterprises, as these often have more complex tech stacks and networks. Trend's vendor-agnostic approach to vulnerability research -- exemplified in the Trend Zero Day Initiative™ (ZDI), which was behind 1,741 published advisories and 9.7% of 0-day disclosures last year alone -- offers broad visibility into how products from different vendors interact within increasingly interconnected enterprise environments. This breadth of focus ensured that Trend customers using TippingPoint™ solutions received protection from the SharePoint vulnerabilities in advance via virtual patches and custom security filters.

These were made available as early as May, offering a layer of defense months ahead of Microsoft's official patches for CVE-2025-49704 and CVE-2025-49706, which were released in July. In effect, Trend customers were shielded throughout the high-risk window between the initial disclosure and the final remediation, minimizing their exposure to in-the-wild attacks capitalizing on these vulnerabilities. With these early protections in place, customers could also avoid business disruptions from running untested updates, should vendors release future patches. “Even though Microsoft has been releasing more patches -- and it's important to apply those patches, because somebody could come in from the back side -- the virtual patching has given us assurance,” says Mr. Houpt, who adds that this has helped DataBank limit its customers' exposure to unnecessary risk.

Pushing beyond patch-and-pray

The SharePoint vulnerabilities were a pressure test of one’s incident response and resilience plans, showing the perils of managing vulnerabilities as isolated events. For Mr. Houpt, threat intelligence isn’t a one-and-done affair, but a continuous process that calls for vigilance and long-term vision: Tracking a vulnerability’s lifecycle -- from discovery, through initial patches, all the way to full understanding and remediation -- is how organizations can build the readiness required to adapt to emerging threats and transform insights into practical defense strategies. “This particular example is one that shows us the legs, if you will, that a vulnerability has,” he says, advising organizations to “follow it all the way through. The rabbit trail is worth following sometimes.”


Posted in Vulnerabilities & Exploits