Microsoft SharePoint Zero-Day Exploits: Worldwide Attacks and Patch Urgency
July 2025 saw a critical escalation in threats targeting Microsoft SharePoint, with widespread zero-day exploits affecting organizations around the globe. The attacks have prompted emergency response measures from both Microsoft and CISA, underlining the severity of these vulnerabilities and the sophistication of the threat actors involved.
Nature of the Zero-Day Vulnerabilities
Two previously unpatched vulnerabilities were identified in Microsoft SharePoint Server, scoring 9.8 and 7.1 on the CVSS scale. Both flaws enable unauthenticated remote code execution, allowing attackers to gain administrative access to core SharePoint environments. This level of compromise can lead to broad exposure of files, data, and integrated business applications.
Global Impact and Exploitation
Attacks exploiting these zero-days were confirmed throughout July, with over 400 organizations compromised worldwide, including high-value targets such as banks, universities, hospitals, and public agencies. Notably, the US National Nuclear Security Administration was among the affected entities. The campaign, referred to as “ToolShell,” leveraged exploits initially uncovered during the Pwn2Own contest in May 2025. Despite an initial security patch released on July 8, attackers quickly found ways to bypass initial mitigations.
Attribution and Ongoing Threats
The campaign has been tentatively attributed to three China-linked threat groups: Linen Typhoon, Violet Typhoon, and Storm-2603. At least one group, Storm-2603, has been observed deploying the Warlock ransomware in conjunction with these exploits. Proof-of-execution indicates that these attacks are sophisticated, specifically tailored to circumvent SharePoint’s built-in security features.
Emergency Guidance and Defensive Actions
As tens of thousands of on-premises SharePoint servers remain at risk, Microsoft, alongside CISA, has issued urgent guidance. Recommended actions include immediate application of the latest patches, machine key rotations, and the disconnection of unsupported or end-of-life systems from the public internet. Organizations running hosted or on-prem SharePoint must investigate and remediated their environments without delay to prevent further compromises.
Emergence of Lionishackers: Corporate Data Exfiltration and Dark Web Sales
In recent months, a financially motivated group—Lionishackers—has intensified its efforts to exfiltrate corporate databases and sell their contents on the dark web. This development signals a worrying evolution in the business-model and reach of cybercriminal organizations, affecting a wide range of industries.
Modus Operandi and Technical Capabilities
Lionishackers has demonstrated advanced capabilities in breaching corporate networks, deploying sophisticated malware, and extracting high-value database assets. Once exfiltrated, these databases are auctioned or sold outright on illicit marketplaces. The group’s techniques have been described as multi-stage, often combining social engineering and technical exploits to gain initial entry before moving laterally within victim environments.
Targets and Implications for Enterprises
Their targets span multiple sectors, including healthcare, finance, and professional services. These campaigns pose significant risks around intellectual property theft, regulatory penalties, and reputational damage, as sensitive records—including customer and partner information—are routinely exposed or monetized.
Recommended Defenses
Organizations are strongly advised to reevaluate their incident response and threat intelligence capabilities, implement heightened monitoring of database access, and review user privileges. Prompt patching of known vulnerabilities and ongoing security awareness training are crucial components in reducing risk from these actors.
Chrome Browser Security Update: High-Severity Vulnerabilities Patched
Google released an urgent security update for Chrome in late July 2025, addressing several high-severity vulnerabilities. At least one flaw allowed attackers to manipulate memory and potentially execute arbitrary code, posing a significant risk to users who had not yet updated their browsers.
Vulnerability Details and Exploit Mechanism
The principal vulnerability involved improper memory handling during Chrome’s rendering operations. Exploitation permitted remote code execution within the context of the browser, giving attackers access to users’ data and potentially enabling lateral movement to other systems when combined with additional vulnerabilities or social engineering attacks.
Patch Distribution and User Guidance
Google’s security team distributed patches via the standard Chrome update mechanism. All users are advised to confirm that their browsers are updated to the latest release to mitigate the risk of exploitation. Organizations managing fleets of Chrome installations should enforce rapid update policies through centralized management tools.
