Microsoft SharePoint Zero-Day Vulnerabilities Exploited across Hundreds of Organizations
A series of severe zero-day vulnerabilities in Microsoft SharePoint, actively exploited throughout July 2025, have compromised the security of banks, hospitals, universities, and major enterprises across North America and Europe. This incident is one of the largest waves of exploits against on-prem SharePoint systems in recent years and has prompted urgent guidance from cybersecurity authorities worldwide.
Nature and Technical Details of the Vulnerabilities
Two critical vulnerabilities, assigned CVSS scores of 9.8 and 7.1, were exploited to execute unauthenticated remote code on SharePoint Server environments. Successful exploitation allowed attackers to gain administrative access, bypassing standard authentication safeguards. The initial patch released by Microsoft on July 8 was found insufficient, with attackers leveraging advanced methods uncovered during the May 2025 Pwn2Own contest to circumvent mitigations and re-establish footholds even after initial remediation attempts.
Affected Platforms and Attack Attribution
These vulnerabilities primarily hit on-premises SharePoint deployments; tens of thousands of such servers remained exposed as of late July 2025. Microsoft and security analysts attributed the bulk of these attacks to three sophisticated threat groups linked to China, referred to as Linen Typhoon, Violet Typhoon, and Storm-2603. Notably, Storm-2603 was observed deploying Warlock ransomware following initial compromise, elevating risk to critical business data and operations.
Impact and Response
Over 400 organizations, including high-profile U.S. government agencies such as the National Nuclear Security Administration, have been impacted. Attackers have demonstrated the capability to break past SharePoint’s internal security layers, possibly granting access to core organizational data and connected Microsoft 365 environments.
Emergency advisories from both Microsoft and CISA recommended immediate system patching, enforcement of machine key rotations, and urgent disconnection of unsupported or end-of-life systems from the internet. The attack’s sophistication and the risks to sensitive information have led some organizations to isolate compromised servers and commence incident response protocols. Cybersecurity experts emphasized that hosted SharePoint environments remained at elevated risk and required rigorous scrutiny and monitoring until patches have been comprehensively applied.
Lessons and Long-Term Risks
This wave of SharePoint exploits underscores the danger of delayed patching and reliance on legacy, unsupported software infrastructure. Security teams are now re-evaluating their segmentation practices and exploring alternatives to direct on-prem SharePoint exposure. The incident highlights the evolving tactics of state-affiliated threat actors as they increasingly target central business platforms for initial compromise, lateral movement, and eventual ransomware deployment.
Chrome ANGLE and GPU Zero-Day Vulnerability Exploited in Wild
Google has issued an urgent security advisory following the discovery of an actively exploited zero-day vulnerability within Chrome’s ANGLE and GPU components at the end of July 2025. The flaw, tracked as CVE-2025-6558, is the latest in a rising trend of browser component security risks targeted by advanced persistent threat groups.
Technical Summary of CVE-2025-6558
This vulnerability lies in the ANGLE (Almost Native Graphics Layer Engine) component, a crucial abstraction layer translating rendering commands to native hardware APIs, enabling Chrome’s graphics performance across platforms. Attackers leveraged a memory corruption bug to achieve arbitrary code execution within the rendering process. The exploit chain included sandbox escapes allowing for full compromise of victims who merely visited a malicious or compromised website.
Google’s Threat Analysis Group (TAG) observed in-the-wild exploitation attempts and worked quickly to issue patched releases for Windows, Mac, and Linux users. The rapid weaponization of the bug for real-world attacks underscores the necessity for browser users to update Chrome to the latest version immediately.
Implications and Mitigation
Successful exploitation of this flaw can lead to full system compromise, credential theft, and the deployment of further malicious payloads. Organizations using Chrome in sensitive environments are advised to deploy updates at the earliest and enroll critical endpoints in rapid update channels. Analysis suggests that adversaries, including advanced criminal and nation-state groups, are closely monitoring browser vulnerability disclosures for vulnerable window exploitation opportunities.
Security professionals are encouraged to perform browser fleet inventory audits, implement enterprise protections such as strict content filtering and script control, and educate users about the risks posed by malicious web content.
Stealthy Linux Malware ‘Koske’ Uses AI and Polyglot JPEGs for Cryptomining Attacks
A novel strain of Linux malware, dubbed ‘Koske’, has been discovered leveraging AI-assisted self-modifying code and unique polyglot JPEG containers to deliver persistent rootkit-enabled cryptomining operations on enterprise and cloud infrastructure in late July 2025. The campaign represents one of the most technically advanced fileless malware threats of the year.
Methods of Initial Access and Payload Delivery
Koske operators appear to exploit misconfigured JupyterLab environments—potentially utilizing vulnerabilities like CVE-2025-30370—to establish initial remote code execution. The infection vector uses benign-looking JPEG panda images that double as executable containers, a technique known as ‘polyglotting,’ enabling the malware to evade typical endpoint detection and response (EDR) scans and most antivirus software.
AI-Assisted Evasion and Persistence
Once deployed, Koske’s AI-assisted code modulates system calls and rewrites memory-resident routines, deploying a memory-only rootkit that disables monitoring agents and hides mining activity. Its ability to self-mutate in memory frustrates forensics and complicates reverse engineering, making it exceptionally resilient against standard cleanup procedures.
Network defenders have observed that Koske establishes covert command and control channels via HTTP-over-DNS, allowing operators to update configurations and re-deploy the miner without disrupting ongoing activity. The malware is also equipped with fallback persistence, reimaging itself into alternative running processes in response to process kill signals or reboot attempts, making full eradication difficult without offline remediation.
Organizational Impact and Detection Strategies
Koske’s operational stealth has enabled attackers to compromise multiple corporate and academic servers, in some cases remaining undetected for weeks while consuming significant compute resources for illicit Monero mining. Security teams are urged to audit for non-standard image decoding on Linux infrastructure, scrutinize JupyterLab and similar data science tooling configurations, and deploy behavioral anomaly detection tuned for memory-resident evasion techniques.
Large-Scale Data Breach at Allianz Life Insurance Impacts 1.4 Million Individuals
On July 16, 2025, Allianz Life Insurance publicly confirmed a data breach resulting in the compromise of personal information for the majority of its 1.4 million U.S. customers and selected employees. The event is one of the most significant single breaches of the summer, involving advanced social engineering tactics to subvert cloud-based platform defenses.
Attack Vector and Execution
Adversaries launched a targeted social engineering operation against third-party support agents at Cognizant, the insurer’s helpdesk service provider. Agents were manipulated into revealing valid network credentials and resetting multi-factor authentication (MFA) for attacker-controlled accounts without proper identity checks. This allowed attackers to gain administrative access to the company’s CRM cloud environment.
Data Compromised and Incident Response
Exposed data reportedly includes client names, contact details, insurance information, and select employee records. In response, Allianz Life Insurance immediately notified federal authorities, including the FBI, and plans to commence state notification compliance procedures starting August 1. Forensic investigations to date indicate no deeper lateral movement into Allianz’s internal network, though heightened monitoring remains in place.
Broader Security Takeaways
This attack illustrates the ongoing risks posed by human error and social engineering, even in environments relying on strong technical controls such as MFA. Organizations are encouraged to retrain support staff on identity verification policies and assess workflows with external vendors to minimize over-permissive account recovery procedures that can result in high-impact breaches.