Hackers Exploiting SharePoint Zero-Day Since July 7 to Steal Keys and Ensure Ongoing Access

July 22, 2025
Vulnerability / Threat Intelligence

A recently revealed critical vulnerability in Microsoft SharePoint has been actively exploited since July 7, 2025, according to Check Point Research. The cybersecurity firm detected initial attacks targeting a major unnamed Western government, with activities escalating on July 18 and 19 across government, telecommunications, and software sectors in North America and Western Europe. Check Point identified the exploitation efforts originating from three separate IP addresses—104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147—one of which was previously associated with the exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) appliances (CVE-2025-4427 and CVE-2025-4428). “We are witnessing an urgent and active threat: a critical zero-day vulnerability in SharePoint on-premises is being exploited globally, endangering thousands of organizations,” stated Lotem Finkelstein, Director of Threat Intelligence at Check Point.

Hackers Exploit SharePoint Zero-Day Vulnerability Since July 7 to Hijack Credentials and Ensure Ongoing Access

July 22, 2025
Vulnerability / Threat Intelligence

A critical vulnerability in Microsoft SharePoint has come to light, and reports indicate that it has been under active exploitation since July 7, 2025. Findings from Check Point Research reveal that the initial exploitation attempts were aimed at a significant government entity in the Western hemisphere. The malicious activities appeared to escalate notably on July 18 and 19, affecting various sectors, including government, telecommunications, and software industries across North America and Western Europe.

Check Point’s investigation has traced the exploit activity back to three specific IP addresses: 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147. Notably, one of these addresses has previously been linked to the exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), specifically referencing CVE-2025-4427 and CVE-2025-4428. The attack poses a severe threat to thousands of organizations globally, as emphasized by Lotem Finkelstein, Director of Threat Intelligence at Check Point.

The implications of this zero-day vulnerability extend far beyond immediate exploitation. Attackers have demonstrated a clear intent to acquire credentials and maintain persistent access to systems, a strategy consistent with various tactics identified in the MITRE ATT&CK Matrix. Techniques such as initial access and persistence have likely been employed, enabling adversaries to infiltrate and remain undetected within targeted environments.

Initial access may have been achieved through phishing or credential dumping methods, commonly used tactics that allow attackers to penetrate defenses. Once inside, the focus likely shifted to establishing persistence, ensuring that the attackers could maintain control over compromised systems even if initial access points were closed. This could involve creating backdoors or leveraging legitimate administrative tools to obscure their activities.

The exploitation of this vulnerability serves as a stark reminder of the continuous cybersecurity challenges facing organizations worldwide. As the threat landscape evolves, business owners must remain vigilant, implementing robust cybersecurity measures to safeguard sensitive data and critical infrastructure against such high-stakes attacks.

In summary, organizations are urged to assess their SharePoint deployments urgently and apply necessary security patches or mitigations. Understanding the tactics and techniques outlined in the MITRE ATT&CK framework can enhance preparedness and response capabilities in the face of dynamic cyber threats. As the situation develops, continued vigilance and proactive measures will be essential in defending against these persistent threats.

Source link

Related Posts

Security Vulnerability: Hard-Coded Credentials in HPE Instant On Devices Enable Unauthorized Admin Access

Date: July 21, 2025
Category: Network Security / Vulnerability

Hewlett-Packard Enterprise (HPE) has issued critical security updates to rectify a significant vulnerability in Instant On Access Points. This flaw, identified as CVE-2025-37103, has a CVSS rating of 9.8 out of 10 and allows attackers to bypass authentication, potentially granting them administrative access to affected systems. According to the advisory, “Hard-coded login credentials were discovered in HPE Networking Instant On Access Points, enabling anyone aware of these credentials to circumvent standard device authentication.” Additionally, HPE has addressed another security issue involving authenticated command injection in the command-line interface (CVE-2025-37102, CVSS score: 7.2), which could allow remote attackers to execute arbitrary commands on the operating system with elevated privileges.

Microsoft Issues Critical Patch for SharePoint RCE Vulnerability Targeted in Ongoing Cyber Attacks

July 21, 2025
Server Security / Vulnerability

On Sunday, Microsoft released vital security updates to address an actively exploited vulnerability in SharePoint and provided details on another flaw that now has “more robust protections.” The company acknowledged it is “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.” The exploited vulnerability, tracked as CVE-2025-53770 (CVSS score: 9.8), involves remote code execution due to the deserialization of untrusted data in on-premises versions of Microsoft SharePoint Server. The newly identified issue is a spoofing vulnerability (CVE-2025-53771, CVSS score: 7.1), discovered and reported by Viettel Cyber Security and an anonymous researcher. The flaw is linked to inadequate restrictions on pathnames, leading to potential path traversal in Microsoft Office SharePoint…

⚡ Weekly Summary: Critical SharePoint Zero-Day, Chrome Vulnerability, macOS Spyware, NVIDIA Toolkit RCE, and More

Published: July 21, 2025
Category: Enterprise Security / Zero Day

Even the most secure environments are at risk as attackers bypass elaborate defenses—not with elaborate exploits, but by leveraging weak configurations, outdated encryption, and unprotected trusted tools. These stealthy attacks evade detection by blending into normal operations, exploiting gaps in monitoring and assumptions of safety. What once appeared suspicious now seems routine, thanks to modular techniques and automation that mimic legitimate behavior.

The critical issue? Our control is not only being tested; it’s being silently compromised. This week’s updates shed light on how default configurations, blurred trust boundaries, and exposed infrastructures are transforming standard systems into vulnerabilities.

⚡ Threat of the Week: Critical SharePoint Zero-Day Under Active Exploitation (Patch Issued Today)

Microsoft has rolled out patches for two security vulnerabilities in SharePoint Server that have been actively exploited, impacting numerous organizations globally. Details on the exploitation surfaced…

Cisco Confirms Active Exploits Targeting Vulnerabilities in ISE, Leading to Unauthenticated Root Access

On July 22, 2025, Cisco updated its advisory regarding several recently disclosed security vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), confirming that they are being actively exploited. Cisco’s Product Security Incident Response Team (PSIRT) reported awareness of attempts to exploit these vulnerabilities in real-world scenarios. However, the company did not specify which vulnerabilities are being targeted, the identity of the attacking entities, or the scale of these activities. Cisco ISE is crucial for network access control, determining which users and devices can access corporate networks and under what conditions. A breach at this level could allow attackers unrestricted access to internal systems, effectively bypassing authentication and logging controls and transforming a key policy engine into an unguarded entry point. The alert emphasizes that the identified vulnerabilities are classified as critical.