Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems
A wave of targeted attacks throughout July 2025 has leveraged new, severe Microsoft SharePoint vulnerabilities to compromise enterprise environments and push Warlock ransomware. This development represents a significant escalation in both the technical approach and impact of SharePoint-related attacks, with widespread implications for organizations relying on Microsoft 365 infrastructure.
Zero-Day SharePoint Vulnerabilities: Technical Details
In early July, Microsoft disclosed and patched two critical vulnerabilities within SharePoint Server—one scoring 9.8 and the other 7.1 on the CVSS scale. The first flaw allowed unauthenticated remote code execution, while the second permitted elevation to administrative privileges. The vulnerabilities affected the core data handling and authentication subsystems underpinning SharePoint’s integration with other Microsoft 365 services. Exploitation required specially crafted requests bypassing built-in security controls, enabling an attacker to execute arbitrary code or seize control of sensitive business data repositories.
Storm-2603’s Attack Chain
The threat group Storm-2603, previously associated with sophisticated ransomware and espionage campaigns, rapidly incorporated these SharePoint vulnerabilities into its arsenal. After scanning for unpatched SharePoint instances, Storm-2603 chained the vulnerabilities to first gain code execution and then escalate to full administrative control. The attackers deployed Warlock ransomware payloads, encrypting files within SharePoint storage, and pivoted laterally using stolen tokens to access integrated Exchange, Teams, and OneDrive environments. This allowed for comprehensive data exfiltration and disruption.
Scope and Industry Impact
Well over 75 confirmed direct breaches were identified, impacting a range of targets including banks, universities, hospitals, and government agencies across North America and Europe. Incident responders traced indicators of compromise to exploitation artifacts tailored specifically to circumvention of SharePoint security controls introduced in late 2024. The attacks bypassed common network segmentation and privilege separation strategies, exploiting the central role of SharePoint in managing business processes and sensitive information.
Patching, Mitigation, and Forensics
Microsoft has issued urgent patches through its July 2025 Patch Tuesday release cycle. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and multiple private-sector security firms have issued advisories emphasizing the need for immediate patching. For incidents of potential exposure, forensic guidance includes examination of SharePoint Unified Audit Logs, scrutiny of abnormal service creation, and detection of unauthorized administrative group changes. Security experts recommend reviewing all integrated Microsoft 365 app credentials and session activity for evidence of lateral movement or data staging.
SysAid IT Helpdesk Software Vulnerabilities Facilitate Administrator Compromise
SysAid, a globally deployed IT helpdesk platform, is now at the center of urgent cybersecurity alerts after two critical vulnerabilities were actively exploited in July 2025. Exploitation enables attackers to seize administrator accounts and potentially gain further access to enterprise networks, highlighting persistent risks even for widely patched systems.
Vulnerability Analysis: CVE-2025-2775 and CVE-2025-2776
The two bugs identified in SysAid stem from flawed XML input handling routines within core API components. Specifically, they allow attackers to:
- Upload specially crafted XML files to perform privilege escalation or arbitrary file reads.
- Bypass authentication protections, granting remote attackers administrator-level privileges on systems where those components are exposed.
The vulnerabilities are particularly dangerous when chained—for example, initial account takeover followed by the use of file read capabilities to locate credentials or sensitive configuration files. Security researchers have demonstrated exploit paths leading to full remote code execution in practical scenarios.
Threat Activity and Response Timeline
Although SysAid released fixes for these vulnerabilities in March 2025, threat intelligence revealed that malicious actors were actively exploiting unpatched installations by July. CISA responded by adding both CVEs to its Known Exploited Vulnerabilities (KEV) catalog and mandated that U.S. federal agencies complete remediation by August 12. Security experts observe that once vulnerabilities are publicized and patched, criminal groups routinely reverse-engineer the update code, crafting exploits for any remaining unpatched targets.
Attack Surface Risk and Recommendations
The SysAid platform is ubiquitous in enterprise IT support workflows, making it a coveted target for supply chain or pivot attacks using privileged accounts. Organizations are urged to update to the latest SysAid versions without delay. Additionally, network placement of SysAid instances should be restricted—never directly exposed to the public internet—and monitored for anomalies such as suspicious API traffic or new administrative sessions. Full credential rotation and comprehensive system integrity checks are recommended post-update.