Microsoft SharePoint Zero-Day Exploits Trigger Global Security Emergency
Widespread exploitation of two zero-day vulnerabilities in Microsoft SharePoint has rapidly escalated into one of July’s most high-stakes cybersecurity crises. Over 400 organizations worldwide, including several banks, universities, hospitals, public sector agencies, and even critical government infrastructure, have reported confirmed compromises. Authorities and security vendors have classified these vulnerabilities—scoring 9.8 and 7.1 on the CVSS scale—as exceptionally severe. Both enable unauthenticated remote code execution (RCE) and, in some scenarios, full administrative access to target SharePoint environments.
Attack Vectors and Exploit Techniques
The attacks capitalize on two flaws discovered during the May 2025 Pwn2Own contest. Exploit chains use sophisticated payload delivery, sometimes bypassing the initial Microsoft emergency patches through advanced evasion tactics. Attackers employ tailored shellcode to slip past SharePoint’s built-in validation methods, allowing persistence and lateral movement across Microsoft 365 integrated environments.
Threat intelligence links the most advanced activity to at least three Chinese state-backed groups: Linen Typhoon, Violet Typhoon, and Storm-2603. Notably, Storm-2603 has also unleashed a new ransomware campaign called Warlock, leveraging post-exploitation access for rapid privilege escalation and data encryption operations against large enterprises.
Incident Response and Remediation
In response, both Microsoft and CISA issued emergency guidance urging:
- Immediate patching of all on-premises SharePoint servers
- Rotation of SharePoint encryption and authentication keys
- Network isolation or outright disconnection of end-of-life systems
- Retrospective validation of recent server activity and full compromise assessments
The scale and complexity of these campaigns highlight the critical dependence modern enterprises have on timely patch management, rigorous configuration management, and layered detection engineering.
Strategic Threat Landscape Implications
The SharePoint campaign illustrates the persistent threat pressure on business collaboration suites and the growing appetite among both financially motivated and state-supported adversaries for vulnerabilities that yield broad initial access. With tens of thousands of still-vulnerable systems and evidence that multiple ransomware collectives are adapting these exploits for their own objectives, incident responders warn that organizations slow to patch may see long-tail breaches, data thefts, and criminal extortion attempts for months to come.
Attacks on Critical Infrastructure Surge—Hacktivists and State Actors Target Power, Transit, and Public Sectors
July 2025 recorded a stark rise in targeted cyberattacks against critical infrastructure worldwide, including energy grids, transportation networks, and public agencies. These operations reflect a blend of ideological motives, nation-state geopolitics, and pure financial gain, with adversaries leveraging ransomware, supply chain manipulation, and direct operational system intrusion.
Notable Incidents and Techniques
Power distribution networks and water treatment facilities in both the U.S. and Europe experienced disruptions tied to sophisticated attack groups employing a combination of spear phishing, legacy vulnerability exploitation, and initial access broker partnerships. Several attacks demonstrated unusual precision and insider reconnaissance, suggesting the involvement of well-resourced operations.
In the public sector, the City of Saint Paul, Minnesota, faced a major breach prompting the deployment of the National Guard for cyber incident response. This surge demonstrates states’ increasing readiness to blend military and civilian resources in order to contain digital threats with potential kinetic consequences.
Mitigation: Virtual Patching and Zero Trust
Ongoing defense strategies emphasize virtual patching (deploying network- or endpoint-based controls to block exploits in real time) and accelerated adoption of Zero Trust architectures—requiring authentication and rigorous access verification for all users, devices, and systems. Both enterprise and government defenders are now prioritizing segregation of industrial control networks, continuous adversary simulation, and rapid internal threat intelligence sharing.
Google Chrome GPU Vulnerability (CVE-2025-6558) Exploited in the Wild
Google Project Zero and the Threat Analysis Group (TAG) flagged a newly exploited Chrome vulnerability tracked as CVE-2025-6558. This severe flaw affects the browser’s ANGLE and GPU components and was actively abused in real-world attacks, bypassing Chrome’s sandbox and operating system-level process isolation on both Windows and macOS.
Technical Dissection
The bug enables remote attackers to execute arbitrary GPU code by leveraging a crafted sequence of WebGL calls, culminating in out-of-bounds memory accesses. Specially crafted graphics data embedded in web content trigger the flaw, allowing an attacker to gain access to browser process memory and potentially escalate privileges within the user’s environment.
Patching and Security Guidance
Google has pushed emergency browser updates for all platforms, and security teams are directed to enforce auto-updating wherever possible. Organizations are advised to monitor for unusual GPU activity and to isolate browser environments on endpoints that handle critical workflows.
Apple macOS TCC Bypass Exposes Sensitive Caches
A new attack technique targeting macOS exploits a weakness in the operating system’s Transparency, Consent, and Control (TCC) subsystem to bypass privacy restrictions. This allows exposure of sensitive cached data—including device geolocation and stored biometric information—previously protected from unprivileged process access.
Attack Method
The bypass makes use of application misconfiguration and legacy permissions artifacts to access privileged caches and tokens, circumventing normal dialog prompts for user consent. Exploitation is possible through both malware and malicious insider actions, raising concerns about privacy breaches and targeted surveillance on compromised endpoints.
Mitigation Actions
Apple is expected to deliver out-of-cycle security updates. Meanwhile, enterprise administrators should ensure proper TCC baseline enforcement, monitor for unauthorized process grants, and enforce rapid incident detection protocols for all high-value endpoints.
Linux “Koske” Malware Uses Polyglot JPEG Rootkits and AI-Assisted Code Evasion
Researchers have discovered a technically advanced Linux malware campaign deploying a new strain, dubbed Koske, capable of persistent cryptomining and anti-forensics through the use of polyglot JPEG images and AI-assisted payload morphing.
Malware Design and Techniques
Koske embeds shellcode and rootkit components inside JPEG image files, abusing Linux file parsing routines to achieve in-memory execution without leaving detectable traces on disk. The malware’s AI-assisted component dynamically alters code structures and system call patterns, complicating heuristic and behavioral detection by endpoint security tools.
The primary infection vector includes attacks on internet-exposed cloud platforms and misconfigured JupyterLab scientific notebook instances, with secondary spread via insecure SSH credentials. Infected endpoints become part of a global cryptomining botnet, with evidence of multiple revenue-generating operations in East Asia and Europe.
Defensive Guidance
System administrators should harden cloud deployments, restrict public service exposure, regularly rotate SSH keys, and conduct deep scans of both standard and non-standard file formats for signs of hidden executable content. Advanced anti-malware products leveraging memory forensics and anomaly detection may provide early warning of in-memory persistence.
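As an added defensive illustration (not code from the Koske research or from any vendor tool), the following Python script implements the "scan non-standard file formats for hidden executable content" advice: it walks a JPEG's marker structure to find the real end-of-image marker and reports what trails it. The sample bytes are constructed, and the script-hint strings are a hypothetical heuristic, not a Koske signature.

```python
ELF_MAGIC = b"\x7fELF"
# Byte strings a script trailer commonly contains (hypothetical heuristic, not a Koske signature).
SCRIPT_HINTS = (b"#!", b"/bin/sh", b"/bin/bash", b"base64 -d", b"chmod +x")

def jpeg_end_offset(data):
    """Walk the JPEG marker structure; return the offset just past EOI, or None if malformed."""
    if not data.startswith(b"\xff\xd8"):                    # must begin with SOI
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI: image ends here
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # SOI/TEM/RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip length-prefixed segment
        if marker == 0xDA:                                  # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0 and not 0xD0 <= nxt <= 0xD7:
                    break                                   # real marker (not FF00 stuffing or RSTn)
                pos += 1
    return None

def scan_jpeg(data):
    """Report whether the bytes are a JPEG and what, if anything, follows the image."""
    end = jpeg_end_offset(data)
    if end is None:
        return {"jpeg": False, "trailing_bytes": 0, "findings": []}
    trailer, findings = data[end:], []
    if ELF_MAGIC in data:
        findings.append("ELF header present")
    if any(hint in trailer for hint in SCRIPT_HINTS):
        findings.append("shell script after EOI")
    return {"jpeg": True, "trailing_bytes": len(trailer), "findings": findings}

# Constructed samples: a minimal JPEG skeleton whose APP1 segment contains a fake EOI
# (as an EXIF thumbnail would), and a copy of it with a shell-script trailer appended.
_APP1 = b"\xff\xe1\x00\x08Ex\xff\xd9ab"
_SOS = b"\xff\xda\x00\x06\x01\x01\x00\x3f" + b"\x12\xff\x00\x34\xff\xd0\x56"
CLEAN_JPEG = b"\xff\xd8" + _APP1 + _SOS + b"\xff\xd9"
POLYGLOT_JPEG = CLEAN_JPEG + b"#!/bin/sh\necho constructed-trailer\n"
```

Calling scan_jpeg(POLYGLOT_JPEG) reports the trailer, while a naive data.find(b"\xff\xd9") would stop at the fake EOI inside the APP1 segment and misreport the clean file as carrying trailing data.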
Threat Actors Exploiting Legacy PaperCut Vulnerability for Ransomware and Data Exfiltration
Threat actors are actively weaponizing a two-year-old vulnerability in PaperCut print management software, enabling remote code execution and unauthorized lateral movement within enterprise networks, often as an initial stage for ransomware operations and large-scale data exfiltration.
Tools and Tactics
Attackers exploit the flaw through exposed web interfaces, deploying staged malware payloads and backdoors. The operation chain frequently includes credential dumping, Active Directory reconnaissance, and propagation to backup systems and sensitive document stores. Multiple ransomware collectives, including those emulating Scattered Spider’s playbook, have been observed adapting these workflows for high-value extortion campaigns.
Recommended Remediation
Organizations relying on PaperCut are strongly urged to close all externally accessible management interfaces and validate that current security patches are applied. It is advised to carry out a full compromise assessment for shadow administration accounts and to segment printing environments from core business assets wherever feasible.
Telecom Giant Orange Hit by Service-Disrupting Cyberattack
French telecommunications operator Orange suffered a significant cyberattack in late July that resulted in a loss of connectivity and interruptions for both corporate and individual subscribers. The incident underscores the ongoing vulnerability of global communications infrastructure to targeted disruption and extortion attempts.
Impact and Response
The attack employed denial-of-service and service-layer manipulation techniques, exploiting network configuration flaws to cause cascading failures across Orange’s European infrastructure. Response teams implemented emergency rerouting and access throttling to restore essential services while working to identify the perpetrator group and the method used to control the campaign.
Operational Lessons
Service providers are advised to review disaster recovery and continuity-of-operations plans, bolster segmentation of core routing environments, and launch comprehensive external threat monitoring to anticipate emerging network-layer attacks.