SparTech Software CyberPulse – Your quick strike cyber update for July 25, 2025 5:02 AM

Critical Microsoft SharePoint Zero-Day Actively Exploited in Targeted Attacks

A newly disclosed zero-day vulnerability in Microsoft SharePoint has been exploited in the wild since at least July 7, 2025. The vulnerability is being actively leveraged by threat actors to compromise government, telecommunications, and software sector organizations, mainly across North America and Western Europe. Security researchers are warning of urgent and widespread risk as exploitation attempts intensify.

Exploitation Timeline and Tactics

First indications of exploitation emerged on July 7, 2025, with attacks gaining momentum between July 18 and 19. Check Point Research observed the campaigns begin with an unnamed Western government as the initial target, followed by efforts to breach additional organizations in sensitive industries. Attackers have been traced to three distinct IP addresses, at least one of which has history in other high-profile exploits targeting vulnerable enterprise appliances.

Technical Profile of the Vulnerability

The exploited SharePoint flaw is rated critical: it allows remote attackers to gain unauthorized access and potentially exfiltrate sensitive information from compromised systems. Details on the specific vulnerability identifier and on patch availability have not been provided, reflecting the ongoing investigation and risk assessment.

Notable Attack Vectors and Attribution

Investigators linked one of the operational IP addresses to prior attacks involving Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities (CVE-2025-4427 and CVE-2025-4428), indicating a pattern in adversaries’ tactics of rapidly weaponizing fresh enterprise software zero-days. Exploitation requires little prior access, enabling broad and opportunistic targeting of unpatched SharePoint deployments.

Risks and Urgent Response Recommendations

The active exploitation underscores high risk to any organization maintaining on-premises SharePoint servers. Security experts recommend immediately prioritizing monitoring for abnormal SharePoint activity, applying any available updates, and reviewing network logs for the associated malicious IP addresses. Affected industries so far include government, telecoms, and software vendors, but spread to other sectors is highly plausible as attackers expand their scope.
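One way to carry out the log-review step above, as an added example that is not code from the original article: a small Python reviewer that walks an IIS W3C log (SharePoint on-premises serves through IIS), flags requests from a watchlist of source addresses, and tags each hit with whether it falls on or after the reported first-exploitation date of July 7, 2025. The watchlist entries are RFC 5737 documentation addresses standing in for the three attacker IPs the article mentions but does not list, and the log excerpt is constructed; both are placeholders, not real indicators.

```python
import ipaddress
from datetime import date

# Reported exploitation window for the SharePoint zero-day: first seen 2025-07-07.
WINDOW_START = date(2025, 7, 7)

# Placeholder watchlist standing in for the report's three attacker IPs, which the
# article does not list. RFC 5737 documentation ranges; NOT real indicators.
WATCHLIST = ["203.0.113.7", "198.51.100.0/24"]

# Constructed IIS W3C log excerpt (SharePoint serves through IIS); not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-01 11:00:00 203.0.113.7 GET /sites/hr/default.aspx 200
2025-07-06 22:11:03 10.0.0.15 GET /sites/hr/default.aspx 200
2025-07-08 03:14:27 203.0.113.7 POST /_layouts/15/upload.aspx 200
2025-07-18 09:40:11 198.51.100.22 GET /_layouts/15/settings.aspx 401
2025-07-19 10:02:55 10.0.0.40 GET /sites/eng/default.aspx 200
"""


def _build_matcher(watchlist):
    """Return a predicate that tests whether an IP string falls in any watchlist entry."""
    nets = [ipaddress.ip_network(w, strict=False) for w in watchlist]

    def is_listed(ip_text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:          # malformed field: never a match
            return False
        return any(ip in n for n in nets)

    return is_listed


def review_iis_log(text, watchlist=WATCHLIST, window_start=WINDOW_START):
    """Return watchlist hits as dicts; each carries in_window (date >= window_start)."""
    is_listed = _build_matcher(watchlist)
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the lines that follow
            continue
        if not line or line.startswith("#"):
            continue                    # other directives and blank lines
        rec = dict(zip(fields, line.split()))
        if not is_listed(rec.get("c-ip", "")):
            continue
        rec["in_window"] = date.fromisoformat(rec["date"]) >= window_start
        hits.append(rec)
    return hits
```

Hits dated before the window are still returned, since the article says exploitation began "at least" July 7; the in_window flag just lets an analyst triage the known period first.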

Assessment of Threat Landscape

The rapid onset and targeted nature of these exploitation efforts contribute to a concerning escalation in attacks on collaboration platforms integral to enterprise workflows. This aligns with a broader trend of threat actors seeking initial footholds through widely installed yet under-monitored business software, increasing urgency for robust patch management and vigilant anomaly detection.

Threat Actor Campaigns Target End-of-Life SonicWall SMA 100 Appliances

A new offensive campaign has been detected targeting end-of-life SonicWall SMA 100 series appliances. Attackers have deployed backdoors and exploited multiple vulnerabilities to compromise these systems. As organizations often delay replacing unsupported hardware, these attacks expose aged infrastructure to heightened risk of persistent compromise and lateral movement.

Exploitation Methods

The campaign leverages known security flaws in unmaintained SonicWall SMA 100 devices to modify boot processes and install custom backdoors. This provides attackers with persistent, stealthy access that survives device reboots and firmware upgrades. Leveraging different vulnerabilities in concert demonstrates a sophisticated and adaptive approach, allowing adversaries to retain control even as defenders attempt remediation.

Target Profile and Impact

While the exact number of impacted organizations remains undisclosed, unpatched SonicWall remote access appliances are often deployed in critical environments, including small to mid-sized enterprises and managed service providers. The attackers’ privilege escalation methods pose risk to network segmentation, potentially exposing sensitive data or lateral pathways into broader organizational systems.

Security Guidance

Experts recommend that all enterprises identify and retire obsolete or unsupported security appliances, particularly those with known unpatched vulnerabilities. Where immediate decommissioning is not feasible, strict network segmentation, continuous behavioral monitoring, and emergency patching (if available) are crucial to minimizing exploitation risk.

Advanced Workflow Automation Engine Enhancements Unveiled by PlexTrac

PlexTrac has released major enhancements to its Workflow Automation Engine. The new features are designed to standardize vulnerability management processes and automate pentest findings delivery, improving response efficiency and reducing remediation time for security teams. This development reflects an industry-wide drive for increased automation in vulnerability lifecycle management.

Key Technical Capabilities

The upgraded engine integrates security data centralized within PlexTrac, enabling consistent, end-to-end workflow orchestration for vulnerability reporting, triage, and remediation tracking. By automating common tasks, the solution aims to streamline cross-team collaboration and minimize the time from threat detection to mitigation.

Operational and Security Benefits

Automated workflow enforcement reduces manual intervention, helping to prevent delays and errors commonly encountered in distributed response scenarios. With customizable triggers and rulesets, users can adapt automation to their organization’s unique processes and compliance requirements. The enhancements should result in higher operational resilience against emerging threats.

Bitdefender Expands Security for Content Creators on Major Social Platforms

Bitdefender has expanded its Security for Creators service to include broader coverage for Facebook and Instagram. The solution provides continuous real-time monitoring of creator accounts for anomalous activities, phishing attempts, malicious URLs, files, and device threats. The move addresses the increasing volume of targeted attacks faced by digital content professionals.

Scope of Protection

The updated product supports seamless linking between users’ social media channels and their devices (computers, tablets, mobile phones). By offering comprehensive scanning of both account and endpoint environments, Bitdefender aims to thwart cross-platform threats where attackers compromise endpoints to pivot into critical social channels.

Threat Detection and Alerting

Through continuous behavioral analysis and integration with Bitdefender’s threat intelligence infrastructure, Security for Creators delivers immediate alerts on suspicious operations, allowing creators and influencers to respond quickly to attempted account takeovers, malware delivery attempts, or phishing campaigns.

Malwarebytes Launches Email Security Module to Counter Email-Borne Threats

Malwarebytes announced a new email security module for its ThreatDown product line, focusing on advanced detection and prevention of email-based threats. The module is fully integrated into Malwarebytes’ Nebula security operations platform and OneView console, aiming to simplify management for both enterprise security teams and managed service providers.

Technical Integration and Features

The new email security module leverages cloud-based intelligence for real-time analysis of inbound and outbound emails, identifying phishing attempts, malicious attachments, and social engineering efforts. By embedding protection directly within existing security operations workflows, it enhances detection rates and minimizes incident response time.

Operational Advantage for MSPs

With its integration into the OneView multi-tenant management console, managed service providers can efficiently monitor and respond to threats across multiple client environments without increasing administrative overhead. The streamlined approach helps improve consistency and scalability for providers operating in diverse, cloud-centric environments.
