Microsoft SharePoint Zero-Day Vulnerabilities Actively Exploited in Coordinated Attacks
Two severe zero-day vulnerabilities in Microsoft SharePoint were exploited throughout July 2025, impacting banks, hospitals, universities, and public agencies in North America and Europe. The vulnerabilities enable remote, unauthenticated code execution and administrative access to SharePoint Server environments, prompting urgent security guidance and emergency patching efforts. New attack techniques and post-exploitation ransomware activity have surfaced, increasing urgency for enterprise defense.
Technical Details and Impact
The vulnerabilities (CVE-2025-49706 and CVE-2025-49704) enable a sophisticated attack chain involving network spoofing and remote code execution. Both unauthenticated and authenticated access vectors are possible, allowing threat actors to access all SharePoint content, internal configurations, and potentially broader Microsoft 365 data. Attackers are bypassing standard security controls using crafted payloads, including webshells (.aspx, .exe) and .dll files.
The exploit, tracked publicly as “ToolShell,” allows attackers to execute arbitrary code over the network. This gives them the ability to create persistent backdoors, exfiltrate sensitive files, or use compromised SharePoint servers as a beachhead into internal networks.
Active Ransomware Deployment and Detection Evolution
Since mid-July, attackers have begun deploying Warlock ransomware on compromised SharePoint servers. Files are encrypted post-exploitation, causing business disruption and prompting ransom demands. The campaign continues to evolve as threat actor tactics and tooling adapt; new detection rules have been released to account for changing TTPs, such as the expanded use of custom webshells and nontraditional payload formats.
Industry and Government Response
Both CISA and Microsoft have classified these vulnerabilities as critical and strongly recommend immediate patching of all affected Microsoft SharePoint Server instances. Emergency notifications and technical advisories include signature-based and behavioral indicators, and guidance for hunting for indicators of compromise across enterprise environments. Organizations are urged to audit SharePoint activity logs and prepare for possible lateral movement efforts from infiltrated systems.
Strategic Recommendations
Enterprise security teams should prioritize deployment of the latest patches, strengthen monitoring of SharePoint and Microsoft 365 infrastructure, and isolate affected systems. Incident response plans must include playbooks for ransomware triggered via SharePoint exploitation and post-compromise containment procedures. Continuous refinement of detection signatures is advised, given evolving exploitation TTPs.
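One concrete way to act on the "audit SharePoint activity" and "hunt for indicators of compromise" guidance above is a file-integrity baseline of the SharePoint web root: record a hash of every web-executable file (.aspx, .dll, .exe, the payload types named above) and periodically diff the live tree against that record. The script below is an added example, not code from the original article, from Microsoft or from CISA; the directory name LAYOUTS and all file contents are constructed for the demo, and the real SharePoint layout paths are an assumption the reader must adapt.

```python
"""Integrity-baseline hunt for unexpected web-executable files.

Added example (not from the article, Microsoft or CISA). Builds a SHA-256
manifest of a web root, then reports any .aspx/.dll/.exe file that is new,
modified or missing relative to that manifest. Directory and file names
below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Extensions the article names as webshell / payload carriers.
WEB_EXECUTABLE = {".aspx", ".dll", ".exe"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large .dll files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every web-executable file under root."""
    manifest: dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXECUTABLE:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def find_deviations(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live tree against a stored manifest.

    'new' files are the classic dropped-webshell signal; 'modified' catches a
    legitimate page or assembly replaced in place; 'missing' catches cleanup.
    """
    current = build_manifest(root)
    return {
        "new": sorted(k for k in current if k not in manifest),
        "modified": sorted(k for k in current if k in manifest and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake web root, then plant drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layouts = root / "LAYOUTS"  # constructed name, not the real SharePoint path
        layouts.mkdir()
        (layouts / "Default.aspx").write_text("<%@ Page %> baseline page")
        (layouts / "Helper.dll").write_bytes(b"MZ baseline")
        manifest = build_manifest(root)  # snapshot taken when the server was known-good

        # Post-baseline drift: an unknown page appears, an assembly changes,
        # and a non-executable file is written (must be ignored).
        (layouts / "unexpected.aspx").write_text("<%@ Page %> not in baseline")
        (layouts / "Helper.dll").write_bytes(b"MZ changed")
        (layouts / "notes.txt").write_text("ignored: not web-executable")
        return find_deviations(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the manifest would be written to disk (or shipped to the SIEM) immediately after patching, and find_deviations run on a schedule; any entry under "new" or "modified" is a hunt lead to triage against change records before treating it as compromise.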
Wing FTP Server Vulnerability Enables Remote Code Execution Threats
Researchers disclosed a critical vulnerability in Wing FTP Server in July 2025 that allows attackers to execute code remotely, potentially granting full control over affected file transfer environments. The threat affects enterprises worldwide that rely on Wing FTP Server for secure file management and transfer.
Vulnerability Mechanics
The vulnerability resides in Wing FTP Server's input handling, allowing attackers to inject malicious commands via crafted request packets. Successful exploitation gives unauthenticated attackers remote access to the underlying server OS, bypassing traditional authentication routines and enabling further attack staging.
Security researchers highlight that the flaw affects multiple product versions and can be triggered via network-based attack vectors. This increases the risk for internet-facing file transfer deployments.
Exploit Evidence and Guidance
Active scanning attempts and initial exploitation campaigns have been observed, with researchers warning that delayed patching can lead to rapid propagation of compromise. Enterprises have been advised to apply the vendor-provided patch and monitor network traffic to identify suspicious access attempts or unusual file transfer activity.
Business Impact and Risk Management
With critical business data routinely exchanged via Wing FTP Server, the vulnerability poses a risk of sensitive information theft, data tampering, and potential ransomware deployment. Organizations must inventory exposed instances and restrict network access where immediate patching is not feasible.
New Developments in Scattered Spider Cybercrime Activity and Law Enforcement Response
In July 2025, UK authorities arrested four individuals as part of an investigation into a spree of cyberattacks against major retailers, marking significant progress in the fight against the Scattered Spider cybercrime group. The group is known for sophisticated social engineering and credential theft affecting enterprises in the retail, transport, and insurance sectors globally.
Background and Attack Patterns
Scattered Spider leverages social engineering, frequently impersonating employees or contractors to bypass controls such as multi-factor authentication. Their operations have led to high-profile breaches involving retailer and airline data, resulting in significant business disruption and data exposure. The latest attacks used IT help desk impersonation to subvert identification protocols and gain privileged access.
Law Enforcement Operations
The latest arrests, involving collaboration between national and international agencies, are seen as a breakthrough following months-long investigations into overlapping cyber incidents across multiple sectors. Investigations continue as authorities seek to dismantle the extended Scattered Spider infrastructure and prevent future attacks.
Enterprise Security Recommendations
Security teams are advised to reinforce help desk authentication, conduct staff awareness campaigns, and introduce stronger identity verification options. Continuous monitoring for anomalous access behavior and rapid post-incident investigation protocols are critical to containing risk from evolving social engineering campaigns.
Ransomware Attack on Ingram Micro Disrupts Operations, Linked to SafePay Group
Global IT distributor Ingram Micro experienced a significant ransomware attack in July 2025, resulting in widespread operational disruption. The attack has been attributed to the SafePay hacker group as the likely operator. Customer-facing services and internal workflows faced outages, while the company rapidly initiated incident containment and forensic assessment.
Incident Timeline and Recovery Efforts
Ingram Micro reported system outages across its global network, prompting emergency response and engagement with cybersecurity experts. Data exfiltration methods and ransomware deployment scripts used in the attack align with previous SafePay group patterns, characterized by multi-stage lateral movement and encrypted network payloads.
Technical Analysis
Attackers leveraged vulnerabilities in remote access systems to gain initial access, followed by credential theft and propagation to sensitive segments. The ransomware variant used robust encryption and included mechanisms to obstruct restoration from backup, further increasing business recovery times.
Operational Impact and Lessons Learned
Restoration of normal operations occurred in phases, prioritizing critical service delivery and customer contract obligations. The attack exemplifies the risk of sophisticated ransomware affiliates targeting global distribution and supply chain operators and underscores the importance of robust backup, segmentation, and rapid incident response.