Microsoft SharePoint Zero-Day Vulnerabilities Actively Exploited in Major Cyber Attacks
In July 2025, multiple zero-day vulnerabilities in Microsoft SharePoint were widely exploited, leading to over 75 confirmed instances of compromise across banks, universities, hospitals, and public agencies in North America and Europe. These vulnerabilities, including a remote code execution flaw with a CVSS score of 9.8, have triggered urgent advisories from leading cybersecurity authorities and highlight the persistent threat facing enterprise collaboration platforms.
Technical Overview of the SharePoint Exploit
Microsoft disclosed two critical zero-day vulnerabilities in SharePoint Server environments: one enabling unauthenticated remote code execution (RCE), and the other providing administrative access. Attackers have tailored exploits to bypass existing SharePoint security controls, achieving execution of arbitrary code and deployment of persistent backdoors. Once inside, threat actors can access and exfiltrate data from integrated Microsoft 365 business applications, including Word and Teams. The vulnerabilities’ severity (CVSS 9.8 and 7.1) has led CISA and cybersecurity firms to categorize them as exceptionally urgent, requiring immediate system patching.
Storm-2603: Tactical Use of CVE-2024-38060 for Espionage and Ransomware
China-affiliated threat actor Storm-2603 exploited CVE-2024-38060 in targeted attacks, primarily against U.S. and global organizations with sensitive geopolitical ties. The group leveraged the flaw for remote code execution and subsequent deployment of the Warlock ransomware, establishing command-and-control channels via custom backdoors. Analysis reveals attackers conducted reconnaissance to identify unpatched SharePoint instances, then exploited the zero-day to deploy malware, encrypt data, and demand ransom. These incidents emphasize zero-day resilience as a strategic necessity for organizations operating critical infrastructure.
Patching and Defense Recommendations
Microsoft addressed the zero-days in their latest Patch Tuesday, with immediate patch deployment strongly advised for all SharePoint servers. Detection rules and behavioral analytics should be used to monitor for post-exploitation activity, including irregular administrative account creation and unsanctioned code execution. Organizations are urged to review their monitoring strategies and deploy threat intelligence feeds to enhance detection of exploitation attempts. CISA’s corresponding alerts stress the importance of a layered defense and prompt remediation of high-severity vulnerabilities, especially for entities with valuable intellectual property or sensitive operational data.
Toptal GitHub Account Breached: Malicious NPM Packages Compromise Software Supply Chain
In late July 2025, Toptal suffered a breach of its GitHub account, resulting in threat actors publishing malicious NPM packages disguised as legitimate libraries. The incident has reignited concerns about the security of the software supply chain, highlighting risks inherent in commonly used third-party developer platforms.
Attack Vector and Impact
Threat actors gained unauthorized access to Toptal’s official GitHub repository, subsequently creating and distributing NPM packages carrying malicious payloads. These packages mimicked genuine libraries in both name and functionality, increasing the likelihood that unsuspecting developers would adopt them in production code. Upon installation, the packages established capabilities for data exfiltration, remote command execution, and harvesting of developer credentials, enabling attackers to move laterally within affected organizations.
Technical Deep Dive: Malicious Package Functionality
Post-exploitation analysis of the compromised NPM packages revealed obfuscated scripts embedded within the codebase, which triggered upon package inclusion in a build process. The scripts connected to remote command-and-control servers, uploaded environment variables, authentication tokens, and potentially sensitive application secrets. Some packages featured time-based logic to delay their malicious actions, making detection during typical testing phases more difficult. These persistent threats reinforced concerns over the security assumptions developers often make regarding packages sourced from trusted accounts.
Remediation, Lessons Learned, and Future Risks
Toptal responded promptly by removing the malicious packages, revoking compromised credentials, and initiating a full review of its CI/CD pipelines and internal controls. Industry experts highlighted the need for stronger code provenance checks, enhanced monitoring of repository activities, and widespread implementation of multi-factor authentication (MFA). This breach underscores the necessity for organizations to continually audit dependencies, establish clear policies for third-party code use, and automate detection of supply chain threats at every stage of the software lifecycle.
Google Issues Emergency Chrome Update: Zero-Day in V8 Engine Exploited in the Wild
Google addressed an actively exploited zero-day vulnerability (CVE-2025-6554) in Chrome’s V8 JavaScript engine in July, marking the fourth Chrome zero-day fixed in 2025. The exploit affected all major platforms and prompted urgent patching advisories from CISA and global security experts.
Nature and Severity of the Vulnerability
The vulnerability is a type confusion flaw in the V8 JavaScript engine, allowing remote attackers to perform arbitrary memory read/write operations. An attacker could exploit this flaw through a crafted HTML page, enabling browser sandbox escape, remote code execution, and access to sensitive device memory. The exploit does not require user interaction beyond visiting a malicious website, exposing any user running an outdated Chrome or Chromium-based browser.
Exploit Tactics and Risk Landscape
Attackers actively targeted the vulnerability by enticing users to visit compromised or attacker-controlled sites. Exploitation allowed attackers to bypass browser sandbox protections and pivot to broader device compromise. With details on the attackers withheld for now, cyber defense agencies flagged the vulnerability as a serious risk to federal, enterprise, and consumer systems alike, prompting its immediate addition to CISA’s Known Exploited Vulnerabilities catalog.
Patching Urgency and Broader Implications
Google rolled out a fix to all Chrome Stable channels and urged users to update immediately. Given the shared codebase, browsers such as Edge, Brave, and Opera are also affected and expected to release patches imminently. CISA mandated remediation deadlines for federal agencies and advised private organizations to treat such flaws with the highest urgency, integrating automated patch management and robust vulnerability monitoring into standard cyber hygiene practices.