Exploitation of Critical Microsoft SharePoint Vulnerabilities Enables Ransomware Deployments and Widespread Compromises
July 2025 saw coordinated attacks targeting previously unknown vulnerabilities in Microsoft SharePoint Server, resulting in more than 75 confirmed intrusions across diverse sectors including finance, healthcare, education, public agencies, and enterprises in North America and Europe. These exploits have allowed attackers to bypass authentication, gain remote code execution, and conduct ransomware campaigns. Victims faced data exposure risks, operational disruption, and the deployment of new webshells designed to evade traditional SharePoint security controls, with authorities urging immediate patching.
Technical Details of the CVEs and Attack Chain
The exploit campaign leverages two critical vulnerabilities, CVE-2025-49706 and CVE-2025-49704. The first, a network spoofing vulnerability (CVE-2025-49706), enables attackers to gain authenticated entry to SharePoint by circumventing network-based access controls and authentication checks. The second, a remote code execution (RCE) flaw (CVE-2025-49704), can be chained to the first, granting a remote attacker the ability to execute arbitrary code on the backend server, thereby gaining system-level privileges.
Attackers have been observed dropping webshells with varied payloads—including traditional .aspx and .exe as well as .dll files—onto affected servers. These webshells remain resident even after initial compromise, supporting persistent remote control and post-exploitation objectives. The tactic termed “ToolShell” in public reporting combines unauthenticated and spoofed authenticated access to maximize impact, enabling adversaries to access SharePoint data, internal configurations, and underlying file systems.
Ransomware Deployment and Evolution of Attack Tactics
Recent activity indicates threat actors escalating from information theft and webshell deployment to the use of ransomware, specifically variants related to the Warlock ransomware family. After establishing access, adversaries are encrypting files and disrupting business operations in victim environments. These capabilities highlight the evolving sophistication of tactics, techniques, and procedures (TTPs) used by the attackers, and indicate a growing focus on leveraging SharePoint as an initial access vector for broader network-wide compromise and extortion.
Authorities including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft stress the urgency in deploying official patches released during July’s Patch Tuesday. The vulnerabilities score highly on the CVSS severity scale (9.8 and 7.1), reflecting their potential to facilitate widespread, high-impact attacks if left unremediated.
Implications and Guidance for Incident Response
Organizations using on-premise SharePoint are at significant risk if they delay applying the latest security updates. Beyond patching, new detection and response measures are recommended, such as enhanced logging of access attempts and file changes, identification of unauthorized webshells (including uncommonly used payload types), and monitoring for unusual encryption and process behavior indicative of ransomware activity.
Ongoing analysis continues as the full scope of the campaign is still being determined. The discovered vulnerabilities and exploit strategies reaffirm the appeal of collaboration platforms like SharePoint as high-value targets for attackers seeking both lateral movement and direct monetization via extortion.
Critical Unauthenticated Remote Code Execution Flaws Patched in Cisco Identity Services Engine (ISE)
Security researchers uncovered two unauthenticated RCE vulnerabilities in Cisco’s Identity Services Engine (ISE) and Passive Identity Connector (PIC), placing enterprise network authentication infrastructure at severe risk. The discovered flaws allow attackers to deploy malicious files, run arbitrary commands, and obtain root privileges without needing credentials, highlighting a crucial threat to access-control and policy enforcement platforms frequently deployed in large organizations. Cisco has urgently released patches, as active in-the-wild exploitation is now suspected.
Technical Breakdown and Exploit Mechanism
The reported vulnerabilities stem from improper input validation and insecure API exposure within the ISE and PIC components. Attackers can send specially crafted requests to these APIs, bypassing authentication checks to interact directly with core processes running with elevated system privileges. Successful exploitation grants adversaries not only remote command execution but potential lateral movement across segmented network environments, undermining the integrity of network access security models.
The vulnerabilities, including CVE‑2025‑20337, have been rated maximum severity due to the complete compromise possible if exploited—an attacker can alter network access rules, create rogue administrators, or force security devices to propagate unauthorized policies across the organization.
Mitigation Actions and Immediate Response Recommendations
Cisco has confirmed no effective workarounds exist and urges all customers to deploy the newly released patches without delay. Security teams are further advised to audit external network exposure of management APIs and enforce strict firewall rules to prevent unauthorized inbound communications to ISE components.
Forensic investigators are directed to review system logs for unexpected commands or file uploads and scrutinize any administrative activity originating from unusual network locations or outside of regular business hours.
Widespread Exploitation and Active Intrusions in Wing FTP Server Highlight Remote Code Execution Risk
Researchers have issued warnings about targeted attacks exploiting a critical vulnerability in the widely used Wing FTP Server, which could enable unauthenticated attackers to execute arbitrary code through crafted inputs, threatening both Windows and Linux deployments of the server. This campaign underscores the risk posed to organizations sharing files with external partners or hosting sensitive internal repositories on misconfigured or unpatched systems.
Details of the Wing FTP Server Vulnerability
The vulnerability, characterized by memory corruption or improper deserialization in the server’s core request handler, permits attackers to send malicious file transfer requests or API calls that are interpreted by the server as executable code. This flaw may be weaponized to gain full control over affected servers, install backdoors, or exfiltrate data in bulk from file archives, often without leaving significant indicators of compromise in conventional logs.
Security analysis has confirmed ongoing campaigns exploiting unpatched servers exposed to the public internet, and incident responders have observed evidence of pivoting from FTP server compromise into wider networks for ransomware and credential theft operations.
Defensive Measures and Patch Status
Administrators are strongly encouraged to apply vendor-supplied patches or updates immediately, especially in enterprise environments where FTP server compromise could cascade into business-critical application stacks. Where patching is not immediately possible, defenders should restrict network access, segment affected servers, and monitor for suspicious file transfers or privilege escalation attempts.
