Critical Microsoft SharePoint Vulnerabilities Exploited in July 2025
In July 2025, multiple severe zero-day vulnerabilities in Microsoft SharePoint were exploited actively by various threat actors, resulting in more than 75 confirmed security breaches across banks, universities, hospitals, corporates, and public agencies in North America and Europe. Microsoft swiftly issued urgent patches, but the attacks demonstrated how integral SharePoint is to enterprise collaboration and risk exposure when core platforms are compromised.
Technical Overview of SharePoint Exploits
The exploitation centered around two high-severity CVEs: one network spoofing flaw (CVE-2025-49706) and a remote code execution (RCE) vulnerability (CVE-2025-49704). The CVSS scores were 9.8 and 7.1, denoting critical risks. Attackers leveraged these vulnerabilities in a chained attack (publicly referred to as “ToolShell”) enabling unauthenticated access to on-premises SharePoint servers. This access gave them full control over SharePoint content, including internal configurations and stored business data across Microsoft 365 integrations.
Observations and Threat Actor Tactics
During the intrusions, attackers were seen deploying both traditional and novel webshell payloads (.aspx, .exe, .dll), opening backdoors for persistent unauthorized access. Recent attack patterns involved file encryption and deployment of “Warlock” ransomware on affected systems. The attacks circumvented built-in SharePoint security layers, and detection was challenging until indicators such as new webshells and ransomware activity surfaced.
Mitigation Guidance
Microsoft and security agencies, including CISA, recommended immediate patching of all SharePoint deployments and provided enhanced detection rules for security teams. Users were urged to audit SharePoint access logs, scan for unauthorized changes, and deploy endpoint detection solutions capable of recognizing webshell artifacts and suspicious outbound connections.
Cisco Identity Services Engine (ISE) Vulnerabilities Enable Pre-Auth Remote Code Execution
July 2025 saw urgent warnings around two critical, unauthenticated remote code execution (RCE) flaws in Cisco Identity Services Engine (ISE) and Passive Identity Connector (PIC). These vulnerabilities, with maximum severity ratings, threatened core network access controls across global enterprise environments. Cisco responded with immediate patches and explicit guidance, underscoring there are no effective workarounds and that vulnerable systems should be updated without delay.
Details of ISE Vulnerabilities
The vulnerabilities, typified by CVE-2025-20337, arose from improper input validation in exposed APIs. Attackers able to exploit these flaws could deploy malicious files, execute arbitrary operating system commands, and escalate privileges to full root control—all without needing to authenticate. Such compromise allows adversaries to disable, reprogram, or bypass critical enterprise identity and access management controls.
Risks to Enterprise Environments
Cisco ISE is foundational for enforcing network access policies, segmenting internal networks, and integrating with broader cybersecurity monitoring. The vulnerabilities, if left unaddressed, put at risk sensitive user credentials, device inventories, and enforcement points for multifactor authentication. Attacks could propagate laterally from compromised ISE appliances, undermining segmented defenses and potentially impacting core business operations.
Remediation Actions
Cisco’s mitigation steps include urgent patch application and close monitoring of network traffic for anomalous API requests. Security administrators are advised to review all ISE logs for unauthorized changes or privilege escalations dating prior to the application of security updates. Segmentation of management interfaces and stricter API access controls are also recommended while patches are validated and deployed.
Data Breach Update: Co-op Faces Fallout After Major Cyber-Attack
After the major cyber-attack suffered by Co-op in April 2025, the organization has released new information as investigations progress. The breach resulted in the exposure of personal details of all 6.5 million Co-op members but did not affect financial data. Disruptions were observed in payment and supply chain systems, yet core operations such as stores and funeral services continued uninterrupted.
Incident Response and Investigation Outcomes
Law enforcement arrested four suspects aged 17 to 20 on July 10, charging them with blackmail, money laundering, and various computer offenses. The ongoing investigation links the threat actors to deliberate disruptions of IT infrastructure and subsequent extortion attempts, though all member data exposure has been limited to personal identification information.
Security Enhancements and Sector Response
In the wake of the breach, Co-op’s leadership committed to strengthening its cybersecurity measures. The organization is working with external experts to harden systems and promote cybersecurity jobs among young talent, hoping to channel skills productively away from cybercrime. Operational review of payment and data management systems is underway to reduce future risk.
