Editor’s note: This is a guest analysis from Christopher Budd, who previously spent a decade at the Microsoft Security Response Center (MSRC).
Emergency security teams know summer weekends are made for work.
Last weekend was a reminder of that industry truism with Microsoft’s SharePoint vulnerability (CVE-2025-53770). It’s a classic “remote code execution” vulnerability that only affects on-premises SharePoint servers. It can give an attacker full control over a system without authentication. If you can access the system on the internet, you can attack it and take it over.
We saw attackers around the world using it quickly to establish a foothold on vulnerable networks, frequently deploying webshells, as we saw with Microsoft Exchange in 2012 and 2022 with the ProxyShell and ProxyNotShell attacks. The attacks were another classic “zero day” situation, with a new vulnerability under active attack and no patch initially available.
This time, Microsoft published information broadly within a day and started releasing patches within two days of the event breaking, a nearly unprecedented speed of response for them. Microsoft execs got the word out with each new development, providing clear, urgent direction.
Certainly, when we look at the response, it was faster and better than what we saw with ProxyNotShell. It was another example of Microsoft showing that when it needs to, it can pull out all the stops in its security response, much like it did with SolarWinds in December 2020.
Microsoft has also steered clear recently of the kinds of major breaches that plagued the company from March 2022 through January 2024, when corporate and cloud systems were breached by three major threat actor groups (Lapsus$, Storm-0558, Midnight Blizzard).
Taken altogether, we can think of this as a wildfire that was identified and contained relatively quickly. There is damage from it, and teams are coming off (yet another) very long summer weekend. But compared to what this could have been, this situation was merely bad, not awful.
Yet this vulnerability also exposes a fundamental tension: While Microsoft’s response was exemplary, the fact that we’re still seeing critical zero-day flaws in on-premises products raises questions about where these systems fit in Microsoft’s cloud-first, AI-focused future.
Where does securing on-premises software like Exchange, SharePoint, and, yes, Windows (which includes Active Directory) get prioritized in the company’s Secure Future Initiative?
The well-oiled Patch Tuesday machine that I and others helped build in the early 2000s continues to chug along. But the number of patches continues to increase and the level of innovation and development around Patch Tuesday has generally dropped off in recent years.
As a case in point, Microsoft promised “no reboot” patches in the late 2000s. I distinctly recall that we promised this as “coming soon” on the security bulletin webcasts I hosted then. But no-reboot patches never materialized at the time.
While Microsoft is delivering on this promise, finally, it has taken more than 15 years, and the company is implementing it in a way that is clearly focused on the enterprise space — at a cost to users and tied to the company’s cloud offerings.
In today’s cloud-and-AI era, many organizations still rely on on-premises systems like SharePoint for essential operations. Microsoft’s swift response to this latest vulnerability proves it can rise to the occasion. But as the company accelerates its cloud-first agenda, it’s fair to ask: Will on-premises software receive the same level of care and innovation?
The latest fire may be out, but that burning question remains.