Microsoft SharePoint environments were targeted by multiple zero-day vulnerabilities in July 2025, leading to more than 75 major breaches across a diverse set of organizations in North America and Europe. The exploited flaws enable remote code execution and unauthorized administrative access, underscoring the high risk for Microsoft 365 users who rely on SharePoint for file management and collaboration. Microsoft responded with critical patches, and leading cybersecurity agencies have emphasized the necessity of immediate system updates to mitigate further incidents.
Critical Zero-Day Vulnerabilities in Microsoft SharePoint Under Active Exploitation
Background and Technical Details
Two separate high-severity vulnerabilities were identified in Microsoft SharePoint during July 2025, with Common Vulnerability Scoring System (CVSS) ratings of 9.8 and 7.1, respectively. Both flaws are classified as zero-days—meaning they were exploited before patches became available—highlighting the sophistication of the attackers. The more severe vulnerability allowed unauthenticated remote code execution, giving adversaries full control over targeted SharePoint Servers; the second enabled administrative privileges through improper access controls.
Attack Scale and Confirmed Incidents
Over 75 confirmed breaches have been attributed to active exploitation of these vulnerabilities. Affected entities span financial institutions, educational organizations, healthcare providers, large corporations, and public sector agencies. Technical forensics indicated that attacks frequently bypassed SharePoint’s built-in security features with custom exploits, allowing deep access into file repositories, collaboration histories, and user credentials associated with Microsoft 365 services from Word to Teams.
Response, Remediation, and Ongoing Risks
Microsoft released out-of-band security updates in the July Patch Tuesday cycle to address both vulnerabilities. The United States Cybersecurity and Infrastructure Security Agency (CISA) and several international counterparts issued urgent advisories, strongly encouraging immediate deployment of these patches. The agencies highlighted the risk of lateral movement and persistent backdoor access for organizations that have not remediated the flaws. There remains a risk of continued exploitation, particularly among organizations with delayed update cycles or complex SharePoint customizations.
Cisco issued urgent patches for two critical vulnerabilities in its Identity Services Engine (ISE) and ISE-Passive Identity Connector (PIC) in July 2025. These remote code execution flaws could allow unauthenticated attackers to execute arbitrary commands, deploy malware, or gain root privileges on targeted systems prior to authentication. Security practitioners have been urged to update immediately, as these vulnerabilities compromise network access control fabric.
Severe Remote Code Execution Flaws Found in Cisco Identity Services Engine (ISE)
Nature of the Vulnerabilities
The newly revealed vulnerabilities, including CVE-2025-20337, stem from exposed APIs and improper input validation errors within ISE and ISE-PIC. Attackers leveraging these flaws do not require credentials, creating a pre-authentication risk window that allows them to upload malicious files, execute arbitrary code, and potentially seize root-level control over access policy management systems.
Potential Impact on Network Access Control
Cisco ISE is integral to many organizations’ access-control infrastructure, often serving as the gatekeeper for authentication and authorization across corporate networks. Successful exploitation could jeopardize the entire policy enforcement chain, permitting lateral movement or privilege escalation throughout enterprise environments, and undermining the security of connected endpoints, IoT devices, and user workstations.
Patching Requirements and Security Posture
Cisco immediately released security updates for all supported versions affected by these flaws, emphasizing that no viable workarounds exist. Security teams have been advised to prioritize patch deployment for ISE and related connectors. Further, administrators are advised to review firewall and segmentation rules to reduce exposure of ISE’s management plane where feasible, alongside comprehensive monitoring for anomalous activity.
Google patched a critical, actively exploited zero-day vulnerability (CVE-2025-6554) in Chrome’s V8 JavaScript engine in mid-July 2025. The flaw, related to type confusion, enabled attackers to achieve arbitrary code execution or data theft simply by convincing a user to visit a specially crafted web page. The attack method highlights the persistent threat landscape for browser vulnerabilities and the speed at which threat actors can exploit newly discovered flaws.
Chrome V8 Zero-Day Flaw Exploited in the Wild
Technical Analysis of the Flaw
CVE-2025-6554 is a type confusion vulnerability within the V8 JavaScript engine—Chrome’s core JavaScript processing component. Type confusion bugs occur when a program misinterprets the type of an object at runtime, potentially leading to memory corruption. In this case, attackers could read or write arbitrary memory locations, opening the door for code execution or theft of sensitive data. Exploitation was straightforward: victims only needed to load a malicious or compromised web page.
Patch Distribution and Security Directives
Google rapidly rolled out an emergency update to the Stable channel on all supported platforms. Following disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring U.S. Federal Civilian Executive Branch agencies to remediate the issue on a strict deadline. Other organizations have likewise been strongly urged to expedite browser updates as part of standard vulnerability management due to the public availability of proof-of-concept exploit code.
Broader Implications for Web Security
This incident represents the fourth Chrome zero-day fixed in 2025, reinforcing the high value that attackers place on exploited browser platforms and the critical importance of routine security patch cycles. Administrators should expect similar security advisories for other Chromium-based browsers, such as Microsoft Edge and Brave, as the underlying vulnerability exists across the shared codebase.
