SparTech Software – Cybersecurity News Bytes (July 22, 2025 11:01 PM)

Cybersecurity News — July 23, 2025

Table of Contents

  • Critical Unpatched Microsoft SharePoint Zero-Day Exploited
  • NIST Withdraws HMAC Standard and Proposes Cryptographic Accordion Techniques
  • RingReaper: New Linux EDR Evasion Tool Leveraging io_uring
  • Linux Boot Vulnerability Permits Secure Boot Bypass
  • Dell Data Breach by World Leaks Extortion Group

Critical Unpatched Microsoft SharePoint Zero-Day Exploited

CVE-2025-53770 Attack Waves and Technical Exploitation Details

A significant zero-day vulnerability, identified as CVE-2025-53770, is being actively exploited against on-premises Microsoft SharePoint servers. Attackers leverage the flaw for remote code execution and have compromised more than 75 corporate networks. The technique involves stealing the SharePoint server's cryptographic keys, which lets adversaries forge __VIEWSTATE payloads that the server treats as legitimate. These crafted payloads bypass core SharePoint security checks, resulting in arbitrary code execution on the server.

Response Challenges for Organizations

Remediation for CVE-2025-53770 is complex: even after patching, the threat persists unless the stolen cryptographic keys are rotated, a process not automated by standard security updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent guidance for organizations to take immediate defensive measures, emphasizing the ongoing risk to unpatched on-premises SharePoint environments.
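Why patching alone is not enough here comes down to how MAC-protected state works: whoever holds the validation key can mint state the server will accept, so the forged payloads stay valid until the key itself changes. The following added example (not code from the original post, and not ASP.NET's real ViewState format, which is more involved) uses a simplified HMAC-signed state token to show that a token forged with a stolen key verifies before rotation and fails after it; the key values and the `role` field are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import os


def sign_state(state: dict, key: bytes) -> str:
    """Serialize state and append an HMAC-SHA256 tag computed under `key`.

    This mirrors the shape of a MAC-protected view state: body + tag,
    where anyone holding `key` can produce a tag the verifier accepts.
    """
    body = base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_state(token: str, key: bytes):
    """Return the decoded state if the tag is valid under `key`, else None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.b64decode(body))


def rotation_demo() -> dict:
    """Show the effect of key rotation on legitimate and forged tokens."""
    old_key = os.urandom(32)  # constructed: the server's original validation key

    legit = sign_state({"page": "home", "role": "reader"}, old_key)
    # An adversary who has exfiltrated old_key can sign any state they like;
    # the server cannot distinguish this from its own output.
    forged = sign_state({"page": "home", "role": "admin"}, old_key)

    # Rotation: generate a fresh key and reissue state under it. Everything
    # signed with old_key, forged or not, now fails verification.
    new_key = os.urandom(32)
    reissued = sign_state({"page": "home", "role": "reader"}, new_key)

    return {
        "legit_before_rotation": verify_state(legit, old_key) is not None,
        "forged_before_rotation": verify_state(forged, old_key) is not None,
        "forged_after_rotation": verify_state(forged, new_key) is not None,
        "legit_after_rotation": verify_state(reissued, new_key) is not None,
    }


if __name__ == "__main__":
    for check, outcome in rotation_demo().items():
        print(f"{check}: {'accepted' if outcome else 'rejected'}")
```

The point for responders: a security update closes the code path that leaked the key, but the keys already in an attacker's hands keep working until every server in the farm is rotated and old tokens are no longer honoured, which is why rotation has to be an explicit step in the response plan.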

Misattribution Risks

Security analysts warn that some attack activity attributed to CVE-2025-53770 may overlap with or be mistaken for exploits targeting previous SharePoint vulnerabilities, such as CVE-2025-49704 and CVE-2025-49706. This underscores the need for meticulous incident investigation and comprehensive server key management protocols.

Mitigation and Community Collaboration

CISA and Microsoft are collaborating to notify affected entities and recommend immediate mitigation actions. This scenario exemplifies the critical importance of trust and communication between technology providers, researchers, and government agencies in responding to emergent nation-state-level threats.

NIST Withdraws HMAC Standard and Proposes Cryptographic Accordion Techniques

HMAC Standard Retirement

The National Institute of Standards and Technology (NIST) has formally proposed the withdrawal of Federal Information Processing Standard (FIPS) 198-1, the specification governing the HMAC (Hash-Based Message Authentication Code) algorithm. The community is invited to submit comments until July 23, 2025. This marks a substantial shift away from a two-decade standard underlying authentication and data integrity controls.

New Cryptographic “Accordion” Proposal

To address emerging post-quantum security needs, NIST has unveiled plans for three general-purpose cryptographic accordion primitives based on a variant of the HCTR2 technique. Full specifications are expected in future SP 800-197x publications, and the comment period remains open through August 6, 2025. “Accordion” ciphers focus on scalable security with variable domain and memory characteristics, optimizing for both modern hardware efficiency and resilience against advanced attacks.

RingReaper: New Linux EDR Evasion Tool Leveraging io_uring

Technical Operation of RingReaper

Security researchers have revealed a new Linux malware called RingReaper, which abuses the io_uring asynchronous I/O interface in modern Linux kernels to evade Endpoint Detection and Response (EDR) solutions. By exploiting legitimate ring buffer APIs, RingReaper camouflages typical process injection and fileless execution activities. Its operations blend seamlessly with benign system operations, complicating dynamic analysis and making detection by traditional security tools more challenging.

Implications for Defenders

The emergence of RingReaper signifies a shift in adversary tactics, highlighting the need for behavior-based anomaly detection and kernel telemetry monitoring. Effective defense may require custom kernel modules or advanced audit policies that can distinguish suspicious use of the io_uring feature from routine system workloads.
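One inexpensive piece of the telemetry the paragraph calls for is visibility into which processes hold io_uring instances at all. On Linux, an io_uring file descriptor shows up in `/proc/<pid>/fd` as a symlink whose target reads `anon_inode:[io_uring]`, so a periodic sweep of procfs can flag ring users that are not on an allowlist for triage. The following added example (my code, not RingReaper's and not part of the original article) implements that sweep; the `proc_root` parameter exists so the logic can be exercised against a constructed fake procfs tree, and the allowlist entries are placeholders you would replace with the workloads that legitimately use io_uring in your fleet.

```python
import os

# Symlink target procfs uses for an io_uring instance's file descriptor.
IO_URING_TARGET = "anon_inode:[io_uring]"

# Placeholder allowlist of process names expected to use io_uring; tune per fleet.
DEFAULT_ALLOWLIST = frozenset({"postgres", "qemu-system-x86_64"})


def _read_comm(proc_root: str, pid: str) -> str:
    """Return the short process name from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, pid, "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def find_io_uring_processes(proc_root: str = "/proc") -> dict:
    """Map pid -> (comm, ring_count) for every process holding io_uring fds.

    Run as root for full coverage: /proc/<pid>/fd of other users' processes
    is not readable otherwise, and those processes are silently skipped.
    """
    hits = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue  # skip /proc/self, /proc/sys and friends
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited mid-scan or permission denied
        rings = 0
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # fd closed between listdir and readlink
            if target == IO_URING_TARGET:
                rings += 1
        if rings:
            hits[int(pid)] = (_read_comm(proc_root, pid), rings)
    return hits


def triage(hits: dict, allowlist=DEFAULT_ALLOWLIST) -> tuple:
    """Split findings into (expected, suspicious) by process name."""
    expected = {pid: v for pid, v in hits.items() if v[0] in allowlist}
    suspicious = {pid: v for pid, v in hits.items() if v[0] not in allowlist}
    return expected, suspicious


if __name__ == "__main__":
    expected, suspicious = triage(find_io_uring_processes())
    for pid, (comm, rings) in sorted(suspicious.items()):
        print(f"REVIEW pid={pid} comm={comm} io_uring_instances={rings}")
    print(f"{len(expected)} allowlisted, {len(suspicious)} to review")
```

A sweep like this is a point-in-time check, so a short-lived ring can be missed; pairing it with syscall-level auditing of `io_uring_setup` and, on kernels 6.6 and newer, the `kernel.io_uring_disabled` sysctl (which can restrict io_uring to privileged processes or disable it entirely) gives better coverage on hosts where no workload needs the interface.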

Linux Boot Vulnerability Permits Secure Boot Bypass

Attack Mechanism

A critical vulnerability has been discovered in the Linux boot process that allows attackers with brief physical access to bypass Secure Boot protections. The exploit takes advantage of manipulations to the early-stage initramfs, which can be modified to load malicious code before kernel signature checks take effect. Once compromised, the attacker obtains persistent control before security mechanisms are initialized.

Scope of Risk and Mitigation

This vulnerability threatens a wide range of modern Linux distributions. Mitigation strategies include enforcing tamper-evident boot paths, limiting physical access to devices, and regularly auditing boot loader integrity. Vendors are expected to issue firmware and boot loader updates to address the exposed vector.
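The auditing the paragraph recommends is straightforward to automate: record a digest of each boot artifact (kernel, initramfs, boot loader binaries) when the system is in a known-good state, and compare against that record on a schedule. The following added example (mine, not from the original article or any vendor) does exactly that; the default paths are typical examples you would adjust for your distribution, and the manifest it produces only has value if it is stored somewhere the host itself cannot rewrite.

```python
import hashlib
import json
import os

# Typical boot artifacts; adjust for the distribution and boot loader in use.
DEFAULT_BOOT_PATHS = [
    "/boot/vmlinuz",
    "/boot/initrd.img",
    "/boot/efi/EFI/BOOT/BOOTX64.EFI",
]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large initramfs images are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths) -> dict:
    """Digest every existing path in `paths`; missing files are simply omitted."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def verify_manifest(manifest: dict, paths) -> dict:
    """Compare current artifacts against a stored manifest.

    Returns lists of paths that are unchanged, changed, missing since the
    baseline, or newly present (an unexpected extra file under /boot is
    itself worth a look).
    """
    current = build_manifest(paths)
    report = {"ok": [], "changed": [], "missing": [], "new": []}
    for path, digest in manifest.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != digest:
            report["changed"].append(path)
        else:
            report["ok"].append(path)
    report["new"] = [p for p in current if p not in manifest]
    return report


def is_clean(report: dict) -> bool:
    """True only when nothing changed, vanished or appeared."""
    return not (report["changed"] or report["missing"] or report["new"])


if __name__ == "__main__":
    import sys
    # Usage: boot_audit.py baseline <manifest.json> | verify <manifest.json>
    mode, manifest_path = sys.argv[1], sys.argv[2]
    if mode == "baseline":
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(DEFAULT_BOOT_PATHS), f, indent=2)
    else:
        with open(manifest_path) as f:
            stored = json.load(f)
        result = verify_manifest(stored, DEFAULT_BOOT_PATHS)
        print(json.dumps(result, indent=2))
        sys.exit(0 if is_clean(result) else 1)
```

This is tamper evidence after the fact, not prevention: an attacker with physical access who can edit the initramfs can also edit a manifest kept on the same disk, so the baseline belongs on a management host, and the durable fix is for the initramfs to be covered by the same signature verification as the kernel rather than loaded unsigned.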

Dell Data Breach by World Leaks Extortion Group

Incident Overview

An extortion group known as World Leaks claimed responsibility for breaching Dell’s Customer Solution Center. Dell reports that no customer or partner production data was involved; the accessed data consisted solely of “synthetic” datasets used for demo and internal testing.

Extortion Group Tactics

The breach highlights the trend of adversaries targeting not only operational environments but also demo and development systems containing non-production or placeholder data. The disclosure coincides with increased use of data extortion as a pressure tactic—even if stolen records do not contain real customer information.

Corporate Response and Sector Implications

Dell has emphasized the compartmentalized nature of its infrastructure and claims that critical customer or partner systems remain uncompromised. However, the incident demonstrates the reputational, operational, and compliance challenges enterprises face in managing the lifecycle of synthetic and test data across large organizations.
