Hackers Actively Exploit SharePoint Zero-Day for Persistent Access and Data Theft
Beginning in early July 2025, attackers have been actively exploiting a newly disclosed critical vulnerability in Microsoft SharePoint to target government, telecommunications, and technology firms globally. The campaign, first observed on July 7, has escalated in intensity, with numerous confirmed compromise attempts affecting organizations in North America and Western Europe. The exploit enables attackers to steal cryptographic keys and maintain long-term unauthorized access through the installation of persistent webshells.
Overview of the Vulnerability and Exploitation Timeline
The SharePoint zero-day, details of which remain partially withheld for security reasons, surfaced in threat intelligence reports after large-scale targeted exploitation was detected across multiple sectors. The initial attacks targeted an unnamed major Western government, with activity surging around July 18–19. Attack traffic has been traced to several IP ranges previously linked to advanced persistent threat actors, including those exploiting other high-profile platform vulnerabilities.
Technical Exploit Details and Attack Methods
Attackers leverage the SharePoint zero-day to bypass authentication and execute arbitrary code remotely, then establish command-and-control channels. Once inside, they drop custom or off-the-shelf webshells, which they use for credential and key theft, lateral movement, and the installation of persistent access mechanisms. Notably, one of the source IP ranges was previously associated with weaponizing vulnerabilities in Ivanti Endpoint Manager Mobile, indicating a threat actor comfortable across platforms.
Recent updates indicate attackers are deploying new webshell variants which are more resilient against signature-based detection, modifying file system attributes to evade monitoring. Guidance released by Microsoft emphasizes heightened monitoring for signs of anomalous behavior and rapid deployment of relevant security patches.
Sector-Specific Impact and Ongoing Threat Assessment
The campaign has already resulted in dozens of confirmed attempts at compromise, with a focus on government institutions, telecommunications providers, and technology service firms. Security research underscores that the threat actors behind this wave demonstrate advanced capabilities, including rapid adaptation to defensive measures and quick pivoting between targets. The risk is compounded by the potential for stolen keys to be reused in larger, more damaging campaigns, such as ransomware deployment or large-scale espionage.
Urgent Recommendations and Response
Security professionals are urged to apply security patches to all SharePoint deployments without delay and to implement enhanced threat detection procedures, such as deep file system auditing and monitoring of outbound connections. Because the campaign steals cryptographic keys, patching alone does not evict an attacker who has already taken them: the affected keys must be rotated and any webshells found must be removed. Additional mitigations include restricting SharePoint administration interfaces and conducting comprehensive incident response investigations for any suspected compromise to isolate persistent threats before data or operational damage escalates.
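As an added example (not code from the original page, from Microsoft, or from any of the reporting it summarizes), the following Python script implements the file-system auditing the recommendations call for: it walks a SharePoint web root, reports server-side pages whose content shows webshell traits or that have had hidden or system attributes set, and lists the modification time only as supporting context, because timestamps are trivial to forge. The content patterns, sample file names and directory layout are assumptions chosen for illustration, not published indicators of compromise.

```python
"""Webshell triage for an IIS/SharePoint web root (added example, assumptions noted inline)."""
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Only these extensions execute server-side under ASP.NET, so a webshell must use one of them.
SERVER_EXTS = (".aspx", ".ashx", ".asmx", ".ascx")

# Assumed content heuristics for ASP.NET webshells. "Strong" traits trigger a finding on their
# own; the "weak" trait (reading request input) is normal in legitimate pages and is only
# reported as context alongside a strong hit.
STRONG = {
    "process-spawn": re.compile(rb"Process\.Start|cmd\.exe|powershell", re.I),
    "dynamic-code-load": re.compile(rb"Assembly\.Load|Activator\.CreateInstance", re.I),
    "machine-key-access": re.compile(rb"MachineKey|ValidationKey|DecryptionKey", re.I),
}
WEAK = {
    "request-driven-input": re.compile(rb"Request\s*(\[|\.Form|\.QueryString|\.Headers)", re.I),
}


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def inspect_file(path: str, baseline_ts: float) -> Optional[Finding]:
    st = os.stat(path)
    reasons = []
    # st_file_attributes exists only on Windows; elsewhere the check is a no-op.
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM):
        reasons.append("attribute: hidden/system set on a server-side page")
    with open(path, "rb") as f:
        data = f.read(2_000_000)  # webshells are small; cap the read for safety
    for name, rx in STRONG.items():
        if rx.search(data):
            reasons.append(f"content: {name}")
    if not reasons:
        return None
    for name, rx in WEAK.items():
        if rx.search(data):
            reasons.append(f"content: {name}")
    # Timestamp is context only: a timestomped file must still be caught by the checks above.
    if st.st_mtime > baseline_ts:
        when = time.strftime("%Y-%m-%d", time.gmtime(st.st_mtime))
        reasons.append(f"mtime after baseline ({when})")
    return Finding(path, reasons)


def scan_webroot(root: str, baseline_ts: float) -> List[Finding]:
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(SERVER_EXTS):
                hit = inspect_file(os.path.join(dirpath, fn), baseline_ts)
                if hit:
                    findings.append(hit)
    return findings


def demo() -> List[Finding]:
    """Builds a constructed sample web root in a temp dir and scans it (hypothetical files)."""
    root = tempfile.mkdtemp(prefix="sp-webroot-")
    layouts = os.path.join(root, "TEMPLATE", "LAYOUTS")
    os.makedirs(layouts)
    samples = {
        # benign page: no traits
        "default.aspx": b'<%@ Page Language="C#" %>\n<h1>Team site</h1>\n',
        # benign page reading a query string: weak trait only, must not be reported
        "search.aspx": b'<%@ Page Language="C#" %><% var q = Request.QueryString["q"]; %>',
        # webshell: spawns a process from request input
        "shell.aspx": b'<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", Request["c"]); %>',
        # same content in a non-executable extension is ignored by the scan
        "notes.txt": b"Process.Start cmd.exe",
    }
    for name, body in samples.items():
        with open(os.path.join(layouts, name), "wb") as f:
            f.write(body)
    baseline = time.time() - 86400
    # Simulate timestomping: the webshell is backdated well before the baseline.
    old = baseline - 1_000_000
    os.utime(os.path.join(layouts, "shell.aspx"), (old, old))
    return scan_webroot(root, baseline)


if __name__ == "__main__":
    for f in demo():
        print(f.path)
        for r in f.reasons:
            print("   ", r)
```

On a production server, run it against the SharePoint web roots and the LAYOUTS directories under the SharePoint hive, treat any hit as a lead for the incident response investigation rather than proof, and compare the file list against a known-good install or a stored hash inventory; the backdated sample shows why a "recently modified" filter alone is not enough.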
Multiple Critical Vulnerabilities Disclosed in Leading Enterprise Products
A surge of critical vulnerabilities has been publicly reported across several enterprise technology products in late July 2025, affecting Mitel MiVoice MX-ONE, LG Innotek LNV5110R security cameras, SonicWall SMA 100 appliances, Sophos Firewall, and Cisco Identity Services Engine. Between them these flaws enable high-impact attacks, including remote code execution and authentication bypass without user interaction, threatening enterprise networks worldwide.
Mitel MiVoice MX-ONE Authentication Bypass Flaw
A newly discovered authentication bypass vulnerability in Mitel MiVoice MX-ONE enables attackers to access both user and administrative accounts directly, circumventing established security controls. This flaw presents a substantial risk for organizations relying on these systems for voice communications, as unauthorized access may permit eavesdropping, configuration changes, and system disruption.
Unpatched LG Innotek Security Cameras: Remote Code Execution
LG Innotek LNV5110R security cameras have been confirmed vulnerable to unauthenticated remote code execution. Attackers can exploit this weakness to gain full control over affected devices, potentially repurposing them for surveillance, staging infrastructure for further attacks, or using compromised cameras to pivot deeper into enterprise networks.
SonicWall SMA 100 Appliances: Active Exploitation and Overstep Malware
SonicWall has issued urgent advisories for its SMA 100 appliance line, recommending immediate patching and vigilance for indicators of compromise associated with Overstep malware. Attackers are exploiting multiple vulnerabilities to inject malicious code and persistently modify device boot processes, enabling ongoing access and control over vulnerable appliances, particularly those past end-of-life support.
Sophos Firewall: Multiple Remote Code Execution Vulnerabilities Patched
Sophos Firewall products have received patches for five distinct vulnerabilities allowing remote attackers to execute arbitrary code. Unpatched systems are susceptible to takeover, underscoring the need for prompt updates and network segmentation to limit the blast radius of a potential breach.
Cisco Identity Services Engine Maximum Severity Bug
Cisco disclosed two critical, unauthenticated remote code execution flaws in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), including CVE-2025-20337. These vulnerabilities permit attackers to upload malicious files, execute arbitrary commands, and obtain root privileges without authenticating. The root cause is insufficient validation of user-supplied input in specific APIs. Cisco advises immediate patch deployment, as these flaws compromise the integrity of network access control infrastructure at enterprise scale.
Active Cybercrime Operations and Enforcement Actions in July 2025
A series of high-profile enforcement actions and arrests have punctuated the cybercrime landscape in July 2025, disrupting operations of prominent underground forums and ransomware affiliates. Law enforcement agencies targeted key actors across Europe, notably dismantling leadership of a major cybercrime forum and prosecuting suspects involved in large-scale phishing kit distribution and ransomware activities.
Arrest of XSS.is Cybercrime Forum Administrator
French authorities, working in coordination with Ukrainian law enforcement, announced the arrest of an alleged administrator of XSS.is, one of the longest-running and most influential cybercrime forums in operation. The action signals a significant blow to the global cybercrime ecosystem, potentially impacting the trade of stolen data, malware, and hacking services in both English- and Russian-speaking underground markets.
Conviction for Large-Scale Phishing Kit Distribution
Ollie Holman received a prison sentence for orchestrating the sale of more than 1,000 customized phishing kits, contributing to estimated global losses exceeding $134 million. These kits enabled widespread credential theft and targeted various financial institutions. The sentencing marks one of the largest cases of its kind, highlighting the scale of economic damage facilitated by “as-a-service” cybercrime tooling.
Legal Proceedings Against Prominent Ransomware Affiliate
Karen Serobovich Vardanyan, alleged participant in the Ryuk ransomware operation, pled not guilty to multiple charges in July 2025. Ryuk has been one of the most notorious ransomware threats in recent years, linked to high-profile attacks on healthcare, municipal governments, and enterprises. The ongoing legal process is closely watched as it may set precedents for cross-border prosecution of organized cybercriminals.
Global Surge in AI-Powered Attacks and Security Concerns for Enterprise LLMs
The rapid integration of artificial intelligence and language models into enterprise systems has resulted in a new wave of security threats, with attackers leveraging AI agents to automate and scale breaches. Security executives have expressed mounting concern over attack vectors unique to AI-assisted technologies, even as organizations move to automate workflows previously managed by humans.
Rise of AI-Driven Attack Automation
Novel AI-powered methodologies are being used to orchestrate phishing, vulnerability discovery, and lateral movement at unprecedented scales. Threat actors exploit AI agents for rapid reconnaissance, customizing attacks to individual targets through natural-language interaction and obfuscation techniques difficult to detect using traditional security tooling.
Enterprise Adoption Risks: Model Poisoning and Data Leakage
As more organizations implement large language models and generative AI in mission-critical roles, new risks have emerged, including model poisoning, where attackers manipulate training data to introduce hidden weaknesses, and prompt injection, where crafted inputs steer a model's responses to leak data or take unintended actions. Experts stress that traditional input validation, segmentation, and access monitoring must be extended to AI-based platforms.
Mitigations and Research Initiatives
Research groups and vendors are accelerating the development of AI security frameworks, focusing on transparency, explainability, and defense-in-depth architectures. Enterprise security teams are advised to monitor queries and outputs of AI models closely, audit training data, and apply layered controls around both the deployment and operation of these advanced systems.