CISA Issues Immediate Patch Directive After Chinese Hackers Exploit SharePoint Vulnerabilities in Ongoing Attacks

CISA Urges Immediate Patching of Microsoft SharePoint Vulnerabilities Amid Ongoing Attacks by Chinese Hackers

On July 22, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally identified two critical Microsoft SharePoint vulnerabilities—CVE-2025-49704 and CVE-2025-49706—as part of its Known Exploited Vulnerabilities (KEV) catalog. This designation follows evidence indicating that these flaws are currently being exploited in live attacks. As a measure of urgency, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies address these vulnerabilities by July 23, 2025.

According to CISA’s advisory, the highlighted vulnerabilities consist of a spoofing vulnerability and a remote code execution (RCE) flaw, collectively labeled as ToolShell. These vulnerabilities have facilitated unauthorized access to on-premises SharePoint servers, significantly impacting their security posture. The timeliness of this advisory is underscored by Microsoft’s disclosure that sophisticated Chinese hacking groups, including Linen Typhoon and Violet Typhoon, have actively exploited these vulnerabilities to breach vulnerable systems since July 7, 2025.

The implications of these security gaps extend beyond immediate technical concerns. Organizations using on-premises SharePoint servers could find themselves significantly at risk due to the nature of the vulnerabilities. The spoofing vulnerability allows an attacker to masquerade as a legitimate user, while the associated RCE flaw can enable an adversary to execute arbitrary code on compromised systems. This combination not only jeopardizes data integrity but also presents a clear pathway for further unauthorized actions within the network environment.

The attacks have prominently involved tactics from the MITRE ATT&CK framework, notably focusing on initial access and privilege escalation. The initial access might have been achieved through phishing or exploit techniques exploiting these vulnerabilities. Following this, the compromised systems could potentially empower the attackers with greater privileges to navigate within the network, establishing persistence and preparing for further exploitation.

Organizations are advised to prioritize immediate patching efforts for these identified vulnerabilities. The urgency of the situation is starkly highlighted by the fact that ongoing exploitation is traced back to state-sponsored actors, emphasizing the need for heightened vigilance and proactive cybersecurity measures. In a landscape where cyber threats are increasingly sophisticated and prevalent, understanding and mitigating risks associated with known vulnerabilities remains critical.

As cyber adversaries continue to refine their tactics, the response from organizations must be equally responsive. Implementing strict cybersecurity protocols, including aggressive patch management strategies and employee training programs, will be essential in safeguarding digital assets. The proactive measures taken now can significantly lower the risk of falling victim to exploits that can lead to devastating breaches and data losses in the future.

In summary, with CISA’s urgent call for remediation of these exploitable SharePoint vulnerabilities, it is imperative for organizations to take immediate action. The potential for significant disruption looms, highlighting the ongoing tug-of-war in cybersecurity between state-sponsored threats and the necessary defenses put in place by corporate entities.

Source link

Related Posts

Ivanti Addresses EPMM Vulnerabilities Leading to Remote Code Execution in Select Attacks

May 14, 2025
Vulnerability / Endpoint Security

Ivanti has issued security updates to remedy two vulnerabilities in its Endpoint Manager Mobile (EPMM) software, which have been exploited in limited attacks for remote code execution. The vulnerabilities include:

  • CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass that enables attackers to access protected resources without valid credentials.
  • CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability allowing arbitrary code execution on affected systems.

Exploiting these vulnerabilities could allow an attacker to chain them together to execute arbitrary code on a compromised device without authentication. The affected versions of the product are:

  • 11.12.0.4 and earlier (fixed in 11.12.0.5)
  • 12.3.0.1 and earlier (fixed in 12.3.0.2)
  • 12.4.0.1 and earlier (fixed in 12.4.0.2)
  • 12.5.0.0 and earlier (fixed in 12.5.0.1)

Ivanti has credited CERT-EU for reporting these vulnerabilities.

Fortinet Addresses CVE-2025-32756: Critical Zero-Day RCE Vulnerability in FortiVoice Systems

May 14, 2025
Vulnerability / Network Security

Fortinet has issued a fix for a severe security vulnerability exploited as a zero-day in attacks against FortiVoice enterprise phone systems. Identified as CVE-2025-32756, this flaw has a high CVSS score of 9.6 out of 10.0. According to the company’s advisory, “A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may enable a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.” Fortinet has confirmed that the flaw has been actively exploited in the wild within FortiVoice systems, although details regarding the scope of the attacks and the identities of the attackers remain undisclosed. Notably, the attacker engaged in network scans of devices, deleted system crash logs, and enabled FCGI debugging to capture credentials from the system and SSH login attempts. The vulnerability impacts the following products and versions: FortiCamera 1.1, 2.0 (Update to a secure release recommended).

Microsoft Resolves 78 Vulnerabilities, Including 5 Actively Exploited Zero-Days; CVSS 10 Flaw Affects Azure DevOps Server

May 14, 2025
Endpoint Security / Vulnerability

Microsoft has released updates addressing 78 security vulnerabilities across its software, including five zero-days currently being exploited in the wild. Among these flaws, 11 are classified as Critical, 66 as Important, and one as Low in severity. The patches include 28 vulnerabilities that enable remote code execution, 21 related to privilege escalation, and 16 classified as information disclosure issues. This release also coincides with fixes for eight security flaws found in the Chromium-based Edge browser since last month’s Patch Tuesday. The details of the actively exploited vulnerabilities are as follows:

  • CVE-2025-30397 (CVSS score: 7.5) – Scripting Engine Memory Corruption Vulnerability
  • CVE-2025-30400 (CVSS score: 7.8) – Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability
  • CVE-2025-3270…

Samsung Addresses CVE-2025-4632, Exploited in the Wild for Mirai Botnet Deployment Through MagicINFO 9 Vulnerability

May 14, 2025
Vulnerability / Malware

Samsung has issued software updates to fix a critical security vulnerability in MagicINFO 9 Server that has been actively targeted. Identified as CVE-2025-4632 (CVSS score: 9.8), this path traversal flaw allows attackers to write arbitrary files with system-level permissions. According to the advisory, the vulnerability arises from “improper limitation of a pathname to a restricted directory” in versions before 21.1052 of the MagicINFO 9 Server. Notably, CVE-2025-4632 serves as a patch bypass for a previously addressed vulnerability, CVE-2024-7399, which was mitigated by Samsung in August 2024. Shortly after a proof-of-concept was released by SSD Disclosure on April 30, 2025, CVE-2025-4632 began to be exploited in the wild, with reports of it being used to deploy the Mirai botnet. Initial investigations into these attacks mistakenly pointed to CVE-2024-7399, but cybersecurity firm Huntress later clarified the situation.