Critical SharePoint Zero-Day Vulnerability: How UK Businesses Should Prepare and Respond
A devastating zero-day vulnerability in Microsoft SharePoint Server has emerged today as one of the most pressing cybersecurity threats for UK organisations. CVE-2025-53770, with a maximum CVSS score of 9.8, is being actively exploited worldwide, affecting more than 85 servers across 54 organisations, including government agencies and multinational corporations. For businesses in the UK, this represents not only a technical challenge but also a serious test of organisational resilience.
Impact on UK Businesses
The impact on UK organisations extends well beyond immediate IT disruption.
Key sectors—from energy and transport to healthcare and finance—depend on SharePoint for collaboration and document management. When these systems are compromised, the result can be widespread operational paralysis, data breaches affecting sensitive customer information, and potential regulatory investigation under laws such as GDPR or the forthcoming Cyber Security and Resilience Bill.
Attackers have been observed stealing cryptographic keys to maintain persistent access, rendering even post-incident patching insufficient without thorough remediation. For many UK businesses already grappling with resilience—the 2024 Cyber Security Breaches Survey revealed that 50% suffered security breaches, rising to 67% for medium-sized firms—this vulnerability comes as a significant concern.
NCSC’s Proactive Guidance
The National Cyber Security Centre (NCSC) has consistently advocated a proactive, layered approach to cyber defence, focusing on resilience as much as prevention.
The NCSC’s Cyber Assessment Framework requires all operators of essential services—including those critical to UK public safety and the economy—to maintain a robust vulnerability management process.
The NCSC’s “10 Steps to Cyber Security” remains highly relevant here, prioritising secure configuration, malware protection, and comprehensive incident response.
The NCSC’s guidance, especially in their Small Business Guide, emphasises the importance of regular security updates, the use of multi-factor authentication, effective backup strategies, and continual monitoring to detect abnormal activity—particularly crucial when facing zero-day exploits. The “assume breach” mindset, long encouraged by the NCSC, is vital: resilience comes from depth and preparation, not simply firewalls.
Immediate Actions for UK Organisations
Enable Antimalware Scan Interface (AMSI) integration immediately on all SharePoint servers, and deploy Microsoft Defender Antivirus. If AMSI cannot be configured, the NCSC’s advice matches Microsoft’s: disconnect vulnerable SharePoint servers from the internet until a patch is released.
It is essential to enhance logging and monitoring, specifically watching for unusual requests to `/_layouts/15/ToolPane.aspx` and the creation of unauthorised files such as `spinstall0.aspx`. Follow incident response protocols and report any suspected breaches to the NCSC, contributing to the UK’s collective defence.
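As an added example (not from Microsoft or the NCSC), the following Python sketch shows one way to sweep IIS W3C logs for the two indicators named above. It assumes the logs carry a `#Fields:` directive that includes `cs-uri-stem`; the sample log lines are constructed, and because IIS logs record requests only, creation of `spinstall0.aspx` on disk still needs file-system monitoring.

```python
"""Flag IIS W3C log entries that touch the two indicators named in the article."""

# Paths taken from the article; compared in lower case because IIS paths
# are case-insensitive.
TOOLPANE = "/_layouts/15/toolpane.aspx"
SUSPECT_FILE = "spinstall0.aspx"


def parse_w3c(lines):
    """Yield one dict per request, keyed by the log's own #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def find_suspicious(lines):
    """Return (reason, entry) pairs for requests matching either indicator."""
    hits = []
    for entry in parse_w3c(lines):
        stem = entry.get("cs-uri-stem", "").lower()
        if stem == TOOLPANE:
            hits.append(("toolpane-request", entry))
        elif stem.rsplit("/", 1)[-1] == SUSPECT_FILE:
            hits.append(("spinstall0-request", entry))
    return hits


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-21 09:14:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 10.0.0.23 200
2025-07-21 09:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 203.0.113.7 200
2025-07-21 09:15:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.7 200
2025-07-21 09:16:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 10.0.0.31 200
""".splitlines()

if __name__ == "__main__":
    for reason, e in find_suspicious(SAMPLE_LOG):
        print(reason, e["date"], e["time"], e["c-ip"], e["cs-method"], e["sc-status"])
```

Every hit is a lead for triage rather than proof of compromise; review the client address, timing and response status of each before escalating.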
Business continuity planning is equally important. The NCSC advocates for robust recovery strategies, alternative collaboration methods, and resilient off-site backups independent of SharePoint.
Organisations are also urged to rotate ASP.NET machine keys, as these are often targeted for persistent access, and to maintain comprehensive audit trails and network segmentation for added protection.
This SharePoint crisis underlines a simple truth: true cyber resilience must be built ahead of incidents, through the disciplined, proactive security measures long advocated by advisory bodies such as the NCSC.



