Widespread Exploitation of Microsoft SharePoint Zero-Day Vulnerabilities Puts Global Organizations at Risk
July 2025 brought an urgent cybersecurity crisis as two critical zero-day vulnerabilities in Microsoft SharePoint were widely exploited by various threat actors. With hundreds of confirmed compromises spanning financial institutions, government agencies, universities, hospitals, and private corporations, the campaign has immediate global impact. Security firms, Microsoft, and government agencies now urge all organizations using on-premises SharePoint to apply patches and implement mitigation measures immediately, especially as attackers demonstrate advanced capability and speed in their operations.
Nature of the Vulnerabilities
The two principal SharePoint vulnerabilities, each assigned a CVE identifier and carrying CVSS scores of 9.8 and 7.1 respectively, enable unauthenticated remote code execution and administrative control over SharePoint Server environments. These vulnerabilities allow adversaries, even without valid credentials, to obtain footholds in enterprise environments, bypassing native platform security controls and exposing all stored business data to attackers.
Confirmed Attacks and Targets
Threat actors have leveraged these exploits since at least July 7, targeting a diverse range of victims. By July 23, over 400 independent system compromises were confirmed in what researchers term the “ToolShell” attacks, with victims including several major U.S. government agencies—among them the Department of Energy—and multiple entities across Europe and North America in sectors such as finance, energy, healthcare, and technology.
Threat Actor Attribution and Tactics
Analysis by top security firms and Microsoft’s threat research teams indicates active exploitation by several Chinese nation-state threat groups. Specifically, actors tracked as “Linen Typhoon,” “Violet Typhoon,” and “Storm-2603” have been implicated. The campaign involves highly tailored attack chains, leveraging custom payloads to evade detection and maintain persistence within compromised environments.
Exploitation campaigns intensified significantly in the second half of July, with Check Point Research observing focused targeting of government, telecom, and technology organizations. The attacks have emanated from multiple, previously flagged malicious infrastructure nodes, suggesting coordination and reuse of resources from other high-profile cyber incidents earlier in the year.
Severity and Impact Analysis
Due to SharePoint’s integral role in enterprise document management and workflow processes, the vulnerabilities expose businesses to risks far beyond the initial system compromise. Adversaries gaining RCE and admin privileges may exfiltrate sensitive business documents, compromise authentication tokens for lateral movement, or inject malware to affect the broader Microsoft 365 ecosystem. As of late July, cyber incident responders have recorded proof-of-execution cases and unique exploit variants that circumvent standard SharePoint security auditing, making detection more difficult.
Response, Mitigation, and Ongoing Risk
Microsoft released urgent security patches in its July Patch Tuesday update and provided detailed mitigation guidance, calling on all organizations with on-premises deployments to update without delay. Government cybersecurity agencies including CISA have issued parallel alerts, with a special focus on critical infrastructure and public services.
Security researchers express high confidence that, due to the rapid operationalization of these exploits, threat actors will continue targeting unpatched systems for the foreseeable future. Enterprises are urged to audit access logs, implement layered defense upgrades, and conduct network forensics to identify possible persistence mechanisms left by intruders.
Ingram Micro Suffers Ransomware Attack, Disrupts Global Operations
In early July 2025, IT distribution giant Ingram Micro fell victim to a well-coordinated ransomware attack, resulting in week-long outages affecting online ordering and supply chain operations globally. The incident, attributed to the SafePay ransomware group, was notable for both its significant business impact and the unique characteristics of the threat actor behind the attack.
Timeline and Incident Progression
On July 4, media reports surfaced regarding major system outages at Ingram Micro, impeding customer access to key services. The company subsequently confirmed a ransomware event and began taking crucial business systems offline to contain the spread. During this period, order processing, partner transactions, and logistics were severely disrupted across multiple regions.
Threat Actor Profile and Tactics
The SafePay ransomware organization, responsible for the attack, distinguishes itself from many cyber extortion groups by avoiding the now-common ransomware-as-a-service (RaaS) model. Instead, SafePay acts as a closely knit group with proprietary tools, making it harder for defenders to predict or attribute TTPs (tactics, techniques, and procedures) based on RaaS intelligence. Security experts note SafePay’s approach allows greater flexibility in negotiation tactics and technical adaptation, heightening the threat level for targeted enterprises.
Recovery and Business Impact
Ingram Micro initiated a global business continuity response, bringing systems back online by July 10. However, the company continues to assess the full scope of the breach, including potential data exfiltration and residual threats. The incident highlights systemic risks to the integrity of technology supply chains, as partners and clients dependent on Ingram Micro’s platform experienced cascading disruptions.
Industry Implications
This ransomware attack underscores the growing threat posed by non-RaaS groups and the evolving sophistication of targeted extortion campaigns. Industry observers point to the necessity of proactive incident response, robust backup strategies, and transparent communication with stakeholders as essential doctrines for resilience in the face of these disruptive threats.