Critical SharePoint Zero-Days Exploited in Large-Scale Attacks
July 2025 has seen significant exploitation of multiple severe zero-day vulnerabilities in Microsoft SharePoint, impacting a broad array of organizations across North America and Europe. The vulnerabilities enable unauthenticated remote code execution and administrative access. Active attacks, including ransomware deployment, are ongoing—with authorities urging immediate system updates.
Technical Details and Attack Vectors
The identified vulnerabilities, now tracked as CVE-2025-49704 (remote code execution) and CVE-2025-49706 (network spoofing), have received critical severity scores of 9.8 and 7.1 on the CVSS scale, respectively. The exploitation chain allows unauthenticated attackers to gain system-level access to SharePoint environments by chaining spoofing and code execution techniques.
Attackers have moved beyond traditional webshell payloads, leveraging .aspx, .exe, and .dll files to establish persistence. Notably, the ongoing campaign—publicly named “ToolShell”—provides both full content exposure and the ability to run arbitrary code on affected servers over the network. Recent investigations have also uncovered deployment of ransomware, specifically the Warlock variant, encrypting sensitive data and disrupting operations.
Scope of Impact and Response Measures
Over 75 organizations, including banks, universities, hospitals, enterprises, and public agencies, have confirmed breaches using these exploits. Given SharePoint’s centrality in Microsoft 365 for document management and collaboration, successful compromise presents a risk of unauthorized access to broad sets of organizational data.
Microsoft has issued emergency patches for all affected SharePoint editions. Security authorities, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), label these vulnerabilities as urgent priorities. System administrators are strongly advised to remediate systems immediately, following Microsoft’s latest Patch Tuesday updates and implementing enhanced detection for anomalous file uploads and unauthorized access attempts.
Ongoing threat intelligence indicates evolving attacker tactics, and further advisories are expected as analysis continues.
Google Chrome V8 Zero-Day Exploited in the Wild
In July 2025, Google addressed a zero-day vulnerability in Chrome’s V8 JavaScript engine, CVE-2025-6554, actively exploited in the wild. The flaw allows for arbitrary memory manipulation through web content, posing severe risks of code execution and data compromise. Users are advised to update Chrome and Chromium-based browsers immediately.
Vulnerability Characteristics and Risks
CVE-2025-6554 is a type confusion vulnerability in V8, Chrome’s JavaScript engine. Attackers exploit this issue by crafting malicious HTML pages. If a victim browses to a compromised page, the attacker can read or write to arbitrary parts of memory, potentially enabling full code execution or data exfiltration from the browser sandbox.
Quick action by Google resulted in a configuration change to neutralize the bug, followed by a push of security updates to the Stable release channel across all supported platforms. Details regarding the attacker activity or the full scope of in-the-wild exploitation remain undisclosed, but the bug’s addition to the Known Exploited Vulnerabilities (KEV) Catalog underscores its seriousness, particularly for federal and enterprise deployments.
Mitigation and Recommendations
Security professionals recommend updating Chrome immediately and monitoring for any suspicious web activity that may signal exploit attempts. Patches for other Chromium-based browsers, such as Microsoft Edge and Brave, are expected to follow rapidly. This incident highlights the ongoing threat posed by complex JavaScript engine vulnerabilities and the necessity of timely browser updates for risk management.
Cisco Identity Services Engine Remotely Exploitable Flaws Threaten Enterprise Networks
Cisco recently patched multiple critical vulnerabilities in its Identity Services Engine (ISE) and ISE-Passive Identity Connector, including a severe flaw that enables unauthenticated attackers to execute arbitrary commands and deploy malware. Remote exploitation could result in full compromise of network access controls, with significant risk to organizations using Cisco infrastructure.
Technical Vulnerabilities and Exploitation Details
The most severe bug, tracked as CVE-2025-20337, affects both ISE and the ISE Passive Identity Connector. Attackers can exploit this vulnerability—via exposed APIs and insufficient input validation—to upload malicious files, execute arbitrary shell commands, or gain root-level control, all without authentication.
These security gaps present a direct path for attackers to subvert enterprise network policy enforcement, potentially bypassing security boundaries and enabling lateral movement within corporate environments. Cisco reported no available workarounds at disclosure; only an immediate patch can remediate the issue.
Patching and Security Guidance
Cisco and accompanying threat advisories urge administrators to prioritize patch deployment across all affected installations. Given ISE’s integral role in identity-aware access management, compromise can have systemic implications—including loss of sensitive credentials, manipulation of security policies, and exposure of network assets.
Enterprises are encouraged to review logs for unusual access attempts and to restrict API and administrative interfaces to trusted networks only, in addition to applying software updates promptly.