For years, the cybersecurity industry operated on a basic assumption: once a software vendor released a patch, defenders had a narrow but real window to apply it before attackers caught up. That assumption is now breaking down. According to warnings from Mandiant, the Google-owned threat intelligence firm, adversaries are exploiting software vulnerabilities an average of seven days before patches even exist, and in some cases handing off stolen access to other attackers in as little as 22 seconds.
The numbers come amid a broader trend Mandiant has tracked through its annual M-Trends research, which draws on thousands of incident response engagements worldwide, and through its separate time-to-exploit analyses. In the analysis it published in 2024, the firm documented that the median time-to-exploit for newly disclosed vulnerabilities had collapsed to just five days for 2023, down from 32 days in the 2021-2022 period. The latest warnings suggest that trend has not only continued but accelerated, with attackers in some campaigns striking before vendors have finished developing fixes.
SharePoint keeps showing up in breach investigations
The urgency behind Mandiant’s warning is not abstract. Microsoft SharePoint, the collaboration platform used by hundreds of thousands of enterprises and government agencies worldwide, has become a recurring target for exactly the kind of rapid exploitation Mandiant describes.
In late 2024, the Cybersecurity and Infrastructure Security Agency (CISA) added SharePoint vulnerability CVE-2024-38094, a deserialization flaw that allows remote code execution, to its Known Exploited Vulnerabilities catalog after confirming active attacks in the wild. That flaw followed a pattern established by earlier SharePoint bugs such as CVE-2023-29357, an authentication bypass that was chained with a separate code-execution flaw to achieve full server compromise during the 2023 Pwn2Own competition and was later spotted in real-world attacks, earning its own entry in the CISA catalog in January 2024.
As of mid-2026, security researchers continue to flag SharePoint deserialization vulnerabilities as a top concern. CISA has issued multiple rounds of updated guidance on SharePoint exploitation, sometimes revising its own alerts within days as forensic details shifted. That kind of real-time correction from a federal agency signals that incidents are moving faster than initial assessments can capture.
Why deserialization flaws are so dangerous
A deserialization vulnerability arises when a server takes serialized data from an untrusted source, such as an HTTP request body, and reconstructs it into live objects without restricting what those objects may be. Serialization formats that can describe arbitrary types let the attacker pick classes whose reconstruction has side effects, and by chaining such classes (so-called gadget chains) the attacker turns "load this object" into "run this code". When the target is SharePoint, a successful exploit gives the attacker the ability to execute arbitrary code on the server, typically with the privileges of the SharePoint application pool or service account.
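To make the mechanism concrete, here is an added example of the same bug class in Python's pickle format; it is not SharePoint code and is not drawn from any of the advisories above. Python is used because it runs anywhere, but the shape is identical to the .NET case: a serializer that can name arbitrary types (pickle, or .NET's BinaryFormatter) will happily call whatever the bytes tell it to. The `Gadget` class, the `record` function standing in for a real payload such as `os.system`, and the sample document are all constructed for this illustration. The vulnerable loader and the allow-list loader sit side by side.

```python
"""Untrusted deserialization, illustrated with pickle (added example, not SharePoint code)."""
import io
import pickle

# Observable side-effect log, so a reader (or test) can see that code ran inside loads().
EXECUTED = []


def record(msg):
    """Stand-in for the attacker's real payload (e.g. os.system). Hypothetical helper."""
    EXECUTED.append(msg)
    return msg


class Gadget:
    """Attacker-controlled class: __reduce__ tells pickle to rebuild the object by calling
    record(msg). The serialized bytes therefore reference `record`, not `Gadget`, and the
    server never gets to inspect a Gadget before the call happens."""

    def __init__(self, msg):
        self.msg = msg

    def __reduce__(self):
        return (record, (self.msg,))


def build_malicious_payload(msg="code ran inside loads()"):
    """Constructed sample input: what an attacker would POST where the server expects a document."""
    return pickle.dumps(Gadget(msg))


def build_benign_payload():
    """Constructed sample input: the kind of object the server legitimately expects."""
    return pickle.dumps({"title": "Q3 report", "tags": ["finance", "draft"]})


def vulnerable_load(data):
    """The bug: reconstruct whatever the bytes describe. Equivalent in spirit to calling
    BinaryFormatter.Deserialize on request data."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: every class reference in the stream goes through find_class, so an
    explicit allow-list decides what may be instantiated. Plain containers (dict, list, str...)
    are built from opcodes and never reach this hook, which is exactly the point: only
    data, no callables."""

    SAFE = {("builtins", n) for n in ("dict", "list", "tuple", "set", "str", "int", "float", "bool")}

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def hardened_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_hardened_load(data):
    """Returns (ok, value_or_error) so callers can log the rejection instead of crashing."""
    try:
        return True, hardened_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    evil = build_malicious_payload()
    print("vulnerable_load ->", vulnerable_load(evil), "| EXECUTED:", EXECUTED)
    print("hardened_load(evil) ->", try_hardened_load(evil))
    print("hardened_load(benign) ->", try_hardened_load(build_benign_payload()))
```

Running it shows `vulnerable_load` returning the attacker's string with `EXECUTED` populated, while the restricted loader rejects the same bytes before any call is made and still accepts the benign document. The allow-list is a mitigation, not the fix: the durable answer is the one Microsoft gives for BinaryFormatter, which is not to deserialize untrusted input with a type-describing serializer at all, and to use a data-only format with schema validation instead.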
That matters because of where SharePoint sits in most organizations. It is not an isolated application. SharePoint typically connects to Active Directory for authentication, stores sensitive internal documents, and integrates with email, intranet portals, and line-of-business applications. A foothold on one compromised SharePoint server can become a pivot point into the rest of the network.
“Once you own SharePoint, you often own the keys to the kingdom,” said one incident responder who has worked multiple SharePoint breach cases and spoke on condition of anonymity because the investigations are ongoing. “It’s document storage, it’s workflow automation, it’s tied to identity. Attackers know that.”
In practice, that access translates into data theft, lateral movement to domain controllers, or the staging of ransomware. When initial access brokers are involved, the compromised foothold may be sold on criminal marketplaces within hours, meaning the group that breaks in is not necessarily the group that delivers the final payload.
The initial access broker problem
Mandiant’s reference to a 22-second credential handoff points to a specific and growing segment of the cybercrime ecosystem: initial access brokers (IABs). These are specialists who focus exclusively on breaking into networks and then selling that access to ransomware operators, espionage groups, or other buyers.
The speed matters because it compresses the defender’s response window to nearly nothing. Traditional security operations assume that after detecting a compromise, a team has hours or days to contain the damage. If stolen credentials or remote access sessions are being transferred to a second threat actor within seconds through automated systems, that assumption collapses.
Google Cloud’s Threat Horizons reports have documented how IABs increasingly use automation to harvest credentials, validate access, and list compromised environments for sale, all with minimal human intervention. The 22-second figure, while striking, reflects the logical endpoint of that automation trend: machines doing the handoff, not people.
What defenders should do now
For IT administrators and security teams, the practical implications do not require waiting for every detail of Mandiant’s methodology to be published. Several steps are warranted based on what is already confirmed:
Patch SharePoint aggressively. Organizations running SharePoint Server on-premises should treat any deserialization-related security update as an emergency patch, not something to schedule for the next maintenance window. Review the Microsoft Security Response Center for the latest advisories and apply fixes immediately. Organizations using SharePoint Online through Microsoft 365 receive patches automatically, but should still verify that any hybrid components or custom integrations are updated.
Audit for signs of compromise. Patching closes the door going forward, but it does not address attackers who may already be inside. Security teams should review SharePoint server logs for unusual deserialization errors, unexpected outbound connections, or new service accounts that were not created by administrators. Microsoft’s own detection guidance, referenced in CISA alerts, provides specific indicators of compromise to search for.
Rethink patch cycle timing. If the median time-to-exploit is now measured in single-digit days, monthly patch cycles are too slow for internet-facing systems. Organizations should consider adopting a risk-based patching model where vulnerabilities in exposed, high-value systems like SharePoint, Exchange, and VPN appliances are treated on an emergency basis regardless of the regular schedule.
Restrict access to collaboration platforms. Limiting who can reach SharePoint servers from the internet, enforcing multi-factor authentication, and segmenting SharePoint from sensitive internal systems can reduce the blast radius even if an exploit succeeds. Zero-trust principles are not just a buzzword here; they are a concrete way to slow down attackers who are moving at machine speed.
The window is still shrinking
The broader pattern Mandiant has tracked over the past several years points in one direction: attackers are getting faster, and the gap between vulnerability disclosure and mass exploitation is narrowing toward zero. In some cases, it has already crossed that line, with exploitation beginning before a patch exists.
That does not mean defense is hopeless. It means the old model of waiting for Patch Tuesday, testing updates in a lab for two weeks, and rolling them out on a schedule is no longer viable for critical, internet-facing systems. The organizations that will fare best are the ones that treat threat intelligence warnings from firms like Mandiant and emergency alerts from CISA as triggers for immediate action, not as background reading.
The confirmed exploitation of SharePoint deserialization flaws, combined with Mandiant’s data on collapsing exploit timelines, makes the case plainly: the attackers are not waiting, and neither should defenders.
*This article was researched with the help of AI, with human editors creating the final content.