Storm-2603 Exploits Microsoft SharePoint Flaws, Leading to Global Ransomware Outbreak
In July 2025, a critical Microsoft SharePoint vulnerability was exploited by Storm-2603, a China-affiliated threat group, resulting in remote code execution, network breaches, and the deployment of the Warlock ransomware family across a wide range of industries. Security experts report dozens of confirmed attacks since July 7, most intensely targeting governments, tech firms, hospitals, banks, and universities in North America and Western Europe. This campaign exploits previously unknown vulnerabilities, underscores the need for swift patching, and threatens persistent access or data loss for unpatched organizations.
Technical Background: Zero-Day Vulnerability and Attack Lifecycle
The attack leverages two newly discovered vulnerabilities in SharePoint Server, one scoring a 9.8 CVSS (critical) and another at 7.1 (high), granting unauthenticated attackers remote code execution and administrative rights on affected servers. Once exploited, adversaries deploy backdoors, establish command-and-control communication, and use these footholds to spread Warlock ransomware or exfiltrate sensitive credentials.
Storm-2603’s exploitation efforts surfaced in early July 2025, with Check Point Research and Microsoft detecting coordinated attacks from several malicious IP ranges. Some of these IPs had previously targeted enterprise management platforms. The earliest known successful exploitation targeted a government sector entity and continued to intensify, prompting widespread alerts from CISA and large-scale incident response activity across critical infrastructure sectors.
Ransomware Payload: Warlock Family and Data Theft
Once inside victim networks, Storm-2603 deploys the Warlock ransomware family, which is configured to encrypt file systems, disrupt operations, and trigger extortion by threatening public data leaks. In parallel, the attackers exfiltrate cryptographic keys and administrator credentials—enabling sustained access and facilitating lateral movement for follow-on espionage or further disruptive action.
Mitigation Guidance and Urgent Response Recommendations
Microsoft has issued out-of-band security updates and detailed mitigation recommendations to address the CVEs, and global agencies urge immediate patching of all exposed SharePoint environments. Organizations should review access logs for evidence of unauthorized administrator activities, apply the latest security updates, and enhance monitoring for post-exploitation behaviors including the presence of backdoors and suspicious process creation.
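One concrete form of the "monitoring for suspicious process creation" recommended above is a rule that flags the IIS worker process spawning a command interpreter, a classic post-exploitation signal on any IIS-hosted application such as SharePoint. The following is an added example, not code from the page, from Microsoft or from any incident report on this campaign: it runs a simple heuristic over constructed, Sysmon-style process-creation records (the JSON field names, hostnames and command lines are assumed for illustration). The allow-listing of csc.exe shows why a bare "any child of w3wp.exe" rule is too noisy: ASP.NET legitimately compiles pages through it.

```python
"""Flag command interpreters spawned by the IIS worker process.
Added example (not from the page, Microsoft or SharePoint itself); the
record format and sample events below are constructed for illustration."""
import json
import ntpath
from typing import Iterable

# Worker process that hosts SharePoint application pools.
WEB_WORKERS = {"w3wp.exe"}

# Interpreters and living-off-the-land binaries a web worker should never launch.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                    "rundll32.exe", "mshta.exe"}

# Constructed sample log, one JSON object per line (field names are assumed).
# Record 2 (csc.exe) is a legitimate ASP.NET compilation child and must not alert;
# record 3 is an interactive admin session, not a web-worker child.
SAMPLE_LOG = r"""
{"ts":"2025-07-19T03:14:02Z","host":"sp-web01","user":"IIS APPPOOL\\SharePoint","parent_image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
{"ts":"2025-07-19T03:14:09Z","host":"sp-web01","user":"IIS APPPOOL\\SharePoint","parent_image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","cmdline":"csc.exe /noconfig /fullpaths @tmp.cmdline"}
{"ts":"2025-07-19T08:02:41Z","host":"sp-web01","user":"CORP\\admin.jdoe","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe"}
{"ts":"2025-07-19T03:15:30Z","host":"sp-web02","user":"IIS APPPOOL\\SharePoint","parent_image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoProfile -NonInteractive -EncodedCommand <REDACTED>"}
"""


def detect(lines: Iterable[str]) -> list[dict]:
    """Return one alert per record whose parent is a web worker and whose
    child is a suspect interpreter. Blank lines are skipped."""
    alerts: list[dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # ntpath handles Windows separators regardless of the host OS.
        parent = ntpath.basename(rec["parent_image"]).lower()
        child = ntpath.basename(rec["image"]).lower()
        if parent in WEB_WORKERS and child in SUSPECT_CHILDREN:
            alerts.append({
                "rule": "web-worker-spawned-shell",
                "ts": rec["ts"],
                "host": rec["host"],
                "user": rec["user"],
                "child": child,
                "cmdline": rec["cmdline"],
            })
    return alerts


def scan_sample() -> list[dict]:
    """Run the rule over the constructed sample log."""
    return detect(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for alert in scan_sample():
        print(f"{alert['ts']} {alert['host']} {alert['user']}: "
              f"{alert['child']} <- w3wp.exe | {alert['cmdline']}")
```

Two of the four constructed records trigger the rule (the cmd.exe and powershell.exe children of w3wp.exe); the csc.exe compilation and the interactive administrator's PowerShell session do not. In a real deployment the same logic would sit on the SIEM side over Sysmon Event ID 1 or Windows Security 4688 data, and the app-pool identity in the `user` field is what distinguishes web-worker activity from an administrator's own actions.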
This attack wave highlights the increased focus of state-backed adversaries on collaboration platforms and the rapid “reverse-engineering-to-exploit” cycle once vendor vulnerabilities are disclosed.
SysAid IT Management Platform Vulnerabilities Prompt Active Exploitation and US Federal Warning
Two critical vulnerabilities in SysAid, a widely used IT helpdesk and management solution, were added to the US CISA’s Known Exploited Vulnerabilities catalog after emerging evidence of sustained exploitation. Attackers are actively leveraging these issues—stemming from improper XML input handling—to gain administrator privileges and read arbitrary files on server hosts, putting both private enterprise and government networks at risk.
Root Cause Analysis: CVE-2025-2775 and CVE-2025-2776
The two flaws, tracked as CVE-2025-2775 and CVE-2025-2776, allow malicious actors to submit carefully crafted XML payloads, bypassing input validation and escalating privileges to full server administrator. This, in turn, can be abused for credential theft, configuration modification, or further compromise through chained vulnerabilities leading to remote code execution.
The vulnerabilities were initially patched by the software vendor in March 2025. However, following the publication of technical details, threat actors swiftly reverse-engineered the fixes to develop working exploits, targeting organizations that have not yet applied the update.
Impact and Ongoing Attack Campaigns
Reports indicate that attackers, upon gaining administrative access, are exfiltrating sensitive data from internal helpdesk and IT operations and, in some cases, pivoting to additional attacks within affected infrastructure. The US government has mandated that all federal agencies remediate by August 12, signaling that the risk posed by these bugs is severe and already being realized rather than hypothetical.
Recommended Defensive Measures
Organizations running SysAid are strongly advised to upgrade to the latest patched version immediately and monitor for irregular XML input activity. Security teams should audit administrator accounts, review access logs for unauthorized actions, and implement layered access controls to restrict application privilege escalation.
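The root-cause section above attributes both SysAid CVEs to improper XML input handling that lets a crafted payload read arbitrary server files, and the guidance here asks teams to monitor for irregular XML input. The defensive pattern behind both points is to refuse, before the application parser ever sees it, any request carrying DOCTYPE or entity declarations, since a helpdesk API body has no legitimate need for them. The following is an added example and is not SysAid's code or a description of the actual flaw; the request shape and the file path in the sample are constructed stand-ins. It uses the standard-library expat parser purely as a scanner (no external-entity handler is installed, so nothing is ever fetched), and only documents that pass the screen are handed to the normal parser.

```python
"""Screen inbound XML for DOCTYPE and entity declarations before parsing.
Added example; not SysAid's code. The request bodies below are constructed."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries constructs the application never needs."""


def screen_xml(document: bytes) -> list[str]:
    """Return a human-readable finding for every DOCTYPE or entity declaration.

    Expat is used only as a scanner here: no ExternalEntityRefHandler is set,
    so a reference to an external entity is skipped rather than resolved.
    """
    findings: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        external = system_id or public_id
        detail = f" (external id {external})" if external else ""
        findings.append(f"DOCTYPE for <{name}>{detail}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        external = system_id or public_id
        if external:
            findings.append(f"external {kind} entity '{name}' -> {external}")
        else:
            findings.append(f"internal {kind} entity '{name}' ({len(value or '')} chars)")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(document, True)
    except xml.parsers.expat.ExpatError as exc:
        # A document that does not even parse is rejected too, with the reason.
        findings.append(f"malformed XML: {exc}")
    return findings


def parse_if_safe(document: bytes) -> ET.Element:
    """Reject the request if screening found anything; otherwise parse normally."""
    findings = screen_xml(document)
    if findings:
        raise UnsafeXMLError("; ".join(findings))
    return ET.fromstring(document)


# Constructed sample bodies (not real SysAid traffic).
CLEAN_REQUEST = b"""<?xml version="1.0"?>
<ticket><title>Printer offline</title><priority>low</priority></ticket>"""

XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE ticket [
  <!ENTITY xxe SYSTEM "file:///path/on/server/config.txt">
]>
<ticket><title>&xxe;</title></ticket>"""


if __name__ == "__main__":
    print("clean:", screen_xml(CLEAN_REQUEST), parse_if_safe(CLEAN_REQUEST).tag)
    print("xxe:  ", screen_xml(XXE_REQUEST))
```

The clean ticket produces no findings and parses to a `ticket` root; the crafted one is reported for both its DOCTYPE and its external general entity and is never handed to the application parser. Logging the findings (rather than silently dropping the request) is what turns this screen into the "irregular XML input" monitoring the guidance calls for, and the same check applies regardless of which XML library the application itself uses.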