SparTech Software CyberPulse – Your quick strike cyber update for July 30, 2025 2:03 AM

Microsoft SharePoint Zero-Day Vulnerabilities Exploited Across Sectors in July 2025

Two newly discovered severe zero-day vulnerabilities in Microsoft SharePoint have been actively exploited throughout July 2025, impacting hundreds of organizations globally. These vulnerabilities, labeled as critical by security agencies, have resulted in confirmed compromises across sectors, including financial institutions, universities, healthcare providers, and government agencies. Patches have been released, but the wide-scale exploitation underscores the continued risk from unpatched environments.

Technical Details of the Vulnerabilities

The first vulnerability, carrying a CVSS score of 9.8, enables unauthenticated remote code execution (RCE), while the second, rated at 7.1, grants attackers administrative access to SharePoint Server environments. Both vulnerabilities can be triggered remotely by an attacker without valid credentials. The flaws arise from inadequate input validation within SharePoint’s web service endpoints, permitting arbitrary file uploads and command injection against the SharePoint infrastructure.

Scope and Impact of Exploitation

More than 75 confirmed compromises were reported in the early weeks of July, with investigation revealing significant incidents in banks, hospitals, universities, enterprise companies, and public agencies across North America and Europe. The vulnerabilities gained further notoriety when investigations tracked clusters of attacks to state-sponsored groups and organized ransomware operators. SharePoint’s central role in file and resource management means attackers with administrative access could manipulate or exfiltrate sensitive corporate and government data, disrupt business-critical workflows, and pivot within enterprise networks.

Proof-of-Concept Attacks and Lateral Movement

Technical analyses of the attacks disclosed the use of proof-of-concept code specifically created to evade SharePoint’s native security measures, including token validation bypass and exploit chaining with existing known vulnerabilities in the Microsoft 365 ecosystem. Frequently, attackers leveraged the initial SharePoint compromise to deploy persistent payloads, establish command-and-control channels, and expand laterally across enterprise endpoints, targeting identity and access management platforms as subsequent objectives.

Mitigation and Official Response

Microsoft responded by releasing urgent security updates during its July “Patch Tuesday,” with advisories distributed through CISA and partner agencies worldwide. Cybersecurity authorities classified the vulnerabilities as a top priority for immediate patching. Despite fast response, security analysts noted lagging patch adoption among large organizations and supply chain partners, a factor that contributed to the breadth of the attacks.

Long-Term Defensive Recommendations

Security experts recommend immediate patching of all affected SharePoint instances, accompanied by comprehensive system reviews for indicators of compromise and lateral movement. Defenders should audit file integrity and system logs from early July onwards, enhance network segmentation, and restrict external access to vital collaboration servers. Zero-trust models, just-in-time administration, and advanced threat detection are advocated to mitigate future risks, especially as attackers increasingly target collaboration platforms as early points of enterprise compromise.

ToolShell Zero-Day Exploits Targeting Critical Infrastructure

In late July 2025, a zero-day campaign identified as “ToolShell” was deployed by Chinese state-backed actors against over 400 organizations, including entities in U.S. nuclear infrastructure. The attacks utilized new variants of the ToolShell malware suite, leveraging the SharePoint vulnerabilities for initial access before establishing high-persistence backdoors and launching subsequent attacks on internal enterprise assets.

Advanced Persistent Threat Tactics and Payloads

ToolShell attacks combined multiple exploitation vectors, chaining SharePoint RCE to privilege escalation on Windows hosts. The malware enabled remote command execution, reconnaissance, and credential theft, and facilitated data egress. Analysts identified custom modules for evasion of common endpoint protection, counter-forensic functionality, and highly selective lateral movement targeting domain controllers, network management software, and industrial control assets.

Targeting of Critical Sectors and Threat Attribution

Forensic review linked the majority of sophisticated attack attempts to Chinese APTs whose focus was on information exfiltration and reconnaissance from defense, energy, and telecommunications organizations. Attacks were tailored, sometimes leveraging organization-specific details gleaned from third-party compromises, increasing attack efficacy as spear-phishing and OAuth abuse campaigns complemented on-premises exploitation.

Sector-Specific Risks and New Ransomware Families

Concurrent with ToolShell, the emergence of the ransomware variants BQTLOCK and Interlock was observed. These operations abused Windows BitLocker for file encryption and combined it with double-extortion tactics—threatening to leak exfiltrated data. Healthcare, manufacturing, and education saw heightened ransomware incidents, with attackers often leveraging credentials or Office 365 tokens initially harvested via the SharePoint exploits.

Defensive Measures and Ecosystem Response

Security guidance includes isolating and monitoring systems running SharePoint, updating Group Policy to restrict PowerShell and remote management, and reviewing OAuth application permissions enterprise-wide. Organizations are advised to identify cloud tokens at risk, deploy network segmentation around SCADA and ICS devices, and use behavioral analytics to detect misuse of administrative privileges.

VMware Infrastructure Attacks and Ransomware Shifts

July 2025 also saw a ransomware pivot from classical Active Directory targeting to widespread exploitation of VMware vSphere environments. Threat actors exploited configuration weaknesses and outdated vCenter instances, deploying ransomware directly from hypervisors to maximize impact on enterprise virtualization.

Attack Techniques and Hypervisor Targeting

Attackers gained access to vCenter servers through exposed administrative interfaces or recycled service credentials. Once inside, they pushed malicious code and ransomware payloads to entire virtualization clusters. Tactics included manipulating snapshot management features, creating hypervisor-level persistence using unauthorized VM images, and leveraging vSphere’s automation APIs to craft polymorphic threats unseen by endpoint security solutions operating only at the guest OS level.

Mitigation Recommendations

Experts underline the importance of applying VMware security updates, using strong unique credentials, and implementing MFA for all management interfaces. Additional controls include strict network segmentation of virtualization management networks, routine review for anomalous VM creation or deletion, and regular offline backups immune to VM-level compromise.

Exploitation of Apple Intelligence TCC Bypass for Sensitive Data

New research in July 2025 revealed that a TCC (Transparency, Consent, and Control) bypass in Apple systems could expose data cached by recent Apple Intelligence features. This vulnerability enabled rogue applications or processes to access sensitive information—including user geolocation and biometric data—without explicit consent, undermining existing privacy guarantees.

Mechanism of the TCC Bypass

Investigators explained that the flaw resided in the “caching” mechanism for privacy-sensitive responses generated by Apple’s AI routines. If an attacker was able to execute code on a user’s device or persuade the user to install a malicious application, they could query this cache through repurposed system calls, retrieving location history, facial recognition data, and other biometric identifiers without tripping system security prompts.

Mitigation and Response

Apple security teams were notified, and a mid-July patch was rolled out for affected devices in the latest iOS and macOS releases. Security teams recommend users update devices promptly and regularly audit installed applications’ permission usage, especially where AI-powered features cache sensitive data.

Authentication Bypass Vulnerability Discovered in Mitel MiVoice MX-ONE

An authentication bypass was identified in the Mitel MiVoice MX-ONE system, which facilitates unified communications for enterprises. Exploitation of this flaw could allow unauthenticated attackers to seize control of user or admin accounts on affected telephony systems.

Technical Description

The vulnerability stems from improper session handling and weak credential management on the affected Mitel endpoints. Attackers able to reach the system’s management interface could construct specially crafted requests bypassing login authentication, gaining access equal to a legitimate user or administrator.

Impact and Recommendations

Successful exploitation would enable eavesdropping, tampering with call routing, and potentially intercepting sensitive voice communications. Immediate patching is urged, alongside reconfiguration of access controls, monitoring of system logs, and resetting of potentially compromised accounts within affected environments.
