Microsoft has just disclosed a serious vulnerability in SharePoint (CVE-2025-53770) that allows unauthenticated attackers to remotely execute code in a SharePoint server hosted on-prem – no user interaction required. Exploiting this vulnerability could give an attacker the keys to your internal kingdom, making it a prime target for cyber criminals, ransomware actors, and nation-state threats alike. Microsoft has already seen exploitation attempts and has issued an alert. If your organization hosts its own SharePoint Server and hasn't applied Microsoft's recommended patches or mitigations, now is the time to act.
What to do now:
- Confirm whether your SharePoint instances could be impacted.
- Apply Microsoft's updates or implement the mitigation script immediately.
- Review your logging and monitoring for unusual SharePoint behavior.
- Connect with experienced data incident counsel to discuss any anomalies.
Our team has helped clients across the country in all industries work through patching and hardening of their systems, investigating suspicious activity, and responding when attackers get in. If you need help assessing your exposure or ensuring your defenses are in place, we're here to help.
Don't wait for the breach – stay ahead of it. Contact the authors, Matt White, AIGP, CIPP/US, CIPP/E, CIPT, CIPM, PCIP, Alex Koskey, CIPP/US, CIPP/E, PCIP, or any member of Baker Donelson's Cyber Incident Response Team.