
SharePoint Zero-Day Underscores the Critical Need for Identity Observability

Updated: Jul 23

Understanding Exposure, Tracing Movement, and Mapping the Blast Radius

A newly disclosed Microsoft SharePoint vulnerability (CVE-2025-53770) is being actively exploited in the wild. The flaw enables unauthenticated remote code execution on on-premises SharePoint servers. Once inside, attackers are forging trusted payloads using stolen machine keys to persist, move laterally, and blend in with legitimate activity, often without triggering events or alerts.


Patching is essential, but it won’t stop the next exploit. The real risk lies in what attackers saw before they struck: identity blind spots and exposed systems the organization didn’t know were vulnerable. This isn’t just a SharePoint problem. It’s a visibility problem. Most organizations lack the identity-layer awareness needed to understand how attackers get in, where they go, and what controls are silently bypassed.


Identity Is the New Perimeter, and That Perimeter Is Full of Holes


We’ve heard it said: “Hackers don’t hack in, they log in.” But increasingly, they don’t even need compromised credentials. Instead, attackers exploit identity blind spots and control gaps, conditions that quietly exist in most enterprises.

They’re not relying on malware or brute force. They are exploiting the cracks that complexity creates in modern security infrastructure:

  • Public-facing infrastructure like SharePoint or RDP servers left exposed
  • Local or unmanaged accounts that operate outside centralized identity controls
  • Secrets or keys reused across environments, pipelines, or workflows
  • Misconfigured or bypassed controls, such as silently failing MFA or skipped PAM enforcement

These risks are dangerous because they occur in blind spots. Attackers don’t need to hide their behavior—there’s simply no signal to detect it.


That’s why detection alone falls short. You can’t detect what you can’t see. Preventing and containing identity-driven threats requires a complete, real-time view of how access actually works, not just how it’s supposed to function on paper.


Why Identity Observability Matters


Most security tools, whether identity systems, SIEMs, EDRs, or XDR platforms, focus on events. They track entitlements, authentication attempts, or endpoint behavior. But they rely on something happening to trigger visibility.


That’s the problem. Many of the most damaging identity-related risks, like public-facing or misconfigured systems (e.g., exposed SharePoint servers), shadow assets, bypassed controls, reused secrets, or access from unmanaged accounts, don’t generate logs or alerts at all. And in this specific case, attackers forged trusted payloads to mimic legitimate behavior, allowing them to move laterally or persist without detection.

Identity observability reveals not just what happened, but also what didn't. It allows organizations to detect:

  • When a public-facing system is accessed without triggering an MFA challenge
  • Who accessed any public-facing or internal asset
  • Abnormal user activity and access to assets
  • When a user accesses an unauthorized asset
  • When a user bypasses a security control
  • When an unmanaged identity accesses internal resources without triggering an authentication event
  • When sensitive systems are accessed without identity verification or policy enforcement

To reduce risk and respond effectively, organizations need real-time visibility into:

  • Which systems are exposed to the internet
  • Full visibility and context into how identities access assets across the infrastructure, regardless of authentication
  • How secrets propagate across systems, who accessed them, where, and under what context
  • Real-time detection of any unusual identity activity
  • Any unauthorized identity activity
  • Whether identity controls (SSO, PAM, MFA) are functioning as intended or are silently bypassed
  • Any potential lateral movement occurring through the identity infrastructure, not just endpoints

Even in cases where attackers exploit systems without authenticating, such as the SharePoint RCE, organizations can still trace the access path using network-layer and identity-aware telemetry. That correlation is essential to understanding what was compromised, how the attacker moved, and what the blast radius looks like.
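As an added illustration of the "what didn't happen" detections listed above and of the network/identity correlation described in this paragraph (example code written for this post, not the vendor's product or the original text), the following Python joins constructed reverse-proxy access records for an internet-facing SharePoint host with constructed identity-provider events and flags access that has no preceding authentication, no completed MFA, or comes from an unmanaged identity. The hostnames, usernames, log layout and ten-minute correlation window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): access records from the edge proxy
# in front of an exposed SharePoint host, and authentication events from the IdP.
ACCESS_LOG = [
    "2025-07-21T10:00:05Z src=203.0.113.7 host=sp-ext.example.test user=alice path=/sites/hr",
    "2025-07-21T10:02:11Z src=198.51.100.9 host=sp-ext.example.test user=- path=/_layouts/15/",
    "2025-07-21T10:05:40Z src=192.0.2.25 host=sp-ext.example.test user=svc_build path=/sites/eng",
]
AUTH_LOG = [
    "2025-07-21T09:59:50Z event=auth user=alice mfa=success",
    "2025-07-21T10:05:10Z event=auth user=svc_build mfa=skipped",
]
# Assumed inventory of identities governed by central IAM; anything else is "unmanaged".
MANAGED_IDENTITIES = {"alice", "bob"}
# Assumed window: an access is "covered" only by an auth event at most this far before it.
WINDOW = timedelta(minutes=10)


def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_gaps(access_log, auth_log, managed, window=WINDOW):
    """Return (subject, finding) pairs for accesses lacking the expected identity signal."""
    auths = [parse(l) for l in auth_log]
    findings = []
    for a in (parse(l) for l in access_log):
        user = a["user"]
        if user == "-":
            # Request reached the exposed host with no identity attached at all.
            findings.append((a["src"], "unauthenticated access to exposed host"))
            continue
        # Auth events for this user that happened within the window before the access.
        recent = [x for x in auths if x["user"] == user
                  and 0 <= (a["ts"] - x["ts"]).total_seconds() <= window.total_seconds()]
        if not recent:
            findings.append((user, "access without a preceding authentication event"))
        elif recent[-1]["mfa"] != "success":
            findings.append((user, "access without a completed MFA challenge"))
        if user not in managed:
            findings.append((user, "unmanaged identity reached an internal asset"))
    return findings


if __name__ == "__main__":
    for subject, finding in find_gaps(ACCESS_LOG, AUTH_LOG, MANAGED_IDENTITIES):
        print(f"{subject}: {finding}")
```

On the sample data, alice is silent (authenticated with MFA seconds before), the anonymous request and the service account are reported, showing the absence of an event as the signal.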


From Detection to Understanding


The SharePoint exploit is just one example of a wider trend. Identities, not systems, are now the primary attack surface. The ability to see and understand identity usage—not just identity authentication—is becoming critical to modern incident response and prevention strategies.

This requires moving beyond traditional IAM systems and event-driven detection tools, such as SIEM, EDR, and XDR. Organizations need to adopt continuous identity observability—a discipline that merges real-time access context with infrastructure, policy, and behavioral telemetry.


It’s not enough to know who someone is. We now need to understand what they’re doing, where they’re going, and whether the access makes sense.
