SparTech Software – Cybersecurity News Bytes (July 22, 2025 1:21 PM)

Cybersecurity News – July 22, 2025

Table of Contents

  • Escalating Exploitation of Microsoft SharePoint Zero-Days: Global Implications and Technical Deep Dive
  • Cisco ISE Vulnerabilities: Active Wild Exploitation and the Risks to Enterprise Network Security
  • Advanced Attack Campaigns Targeting E-commerce and Authentication Platforms
  • CISA Updates Exploited Vulnerability Catalog

Escalating Exploitation of Microsoft SharePoint Zero-Days: Global Implications and Technical Deep Dive

Widespread Exploitation of Critical Vulnerabilities

Since July 7, 2025, attackers have actively exploited two critical zero-day vulnerabilities in Microsoft SharePoint Server—CVE-2025-53770, a remote code execution flaw (CVSS 9.8), and CVE-2025-53771, a spoofing flaw (CVSS 6.3). Despite a partial fix during July’s Patch Tuesday, threat actors continued to bypass previously deployed mitigations, prompting Microsoft to issue emergency out-of-band patches. The technical details indicate that the RCE vulnerability allows threat actors to execute arbitrary code and implant persistent access mechanisms even on fully patched systems.

Targets and Attack Scope

Attackers have focused on organizations in the government, telecommunications, banking, higher education, and healthcare sectors, spanning North America and Western Europe. At least 54 organizations are confirmed as affected, although the true scope may be broader. Attackers are employing privilege escalation, multifactor authentication (MFA) bypass, and single sign-on (SSO) circumvention, leading to the theft of cryptographic material and the deployment of persistent backdoors.

Threat Actor Activity and TTPs

Several sophisticated groups are involved:

  • China-backed groups, including Linen Typhoon and Violet Typhoon, are exploiting the vulnerabilities. These groups specialize in intellectual property theft and targeting strategic governmental and industrial entities.
  • Storm-2603 has reportedly leveraged SharePoint flaws to steal machine keys and deploy ransomware payloads such as Warlock and LockBit.

Attackers begin with reconnaissance, scanning for vulnerable SharePoint nodes, then exploit them to install web shells or steal credentials. Multiple attacker-controlled IP addresses have been identified as the origin of exploitation attempts, one of them previously associated with exploits against Ivanti EPMM platforms.

Mitigation and Ongoing Risks

Microsoft has released updated security patches for SharePoint 2019 and Subscription Edition. SharePoint 2016 remains at risk pending a full fix. The sophistication and rapid adaptation of these attack campaigns highlight the urgent need for organizations to monitor exploitation attempts, apply patches without delay, and review system access logs for signs of compromise.

Cisco ISE Vulnerabilities: Active Wild Exploitation and the Risks to Enterprise Network Security

Critical Flaws in Network Access Control

Cisco has confirmed active exploitation of multiple critical zero-day vulnerabilities affecting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products. These bugs, all rated with CVSS scores of 10.0, grant remote, unauthenticated attackers the ability to execute arbitrary commands as the root user on the underlying system.

Technical Breakdown

The actively exploited flaws include:

  • CVE-2025-20281, CVE-2025-20337: Vulnerabilities in specific ISE APIs enable arbitrary code execution as root.
  • CVE-2025-20282: An internal API flaw allows arbitrary file upload and execution at the root level.

Successful exploitation of these vulnerabilities turns the ISE network policy engine, a linchpin of corporate network access control, into an unrestricted entry point for attackers.

Potential Impact and Attack Vectors

Attackers exploiting these flaws can bypass all authentication and logging mechanisms, giving them the ability to move laterally across networks, deploy additional payloads, disrupt business operations, and access sensitive internal systems. The attack surface is especially critical in environments where ISE centrally manages authentication for users and devices.

Remediation and Recommendations

Cisco urges immediate patching of all vulnerable ISE deployments. In environments that may already be compromised, continuous threat monitoring, internal network segmentation, and the deployment of alternative authentication measures are also recommended, because of the risk from persistence mechanisms installed before the patch was applied.

Advanced Attack Campaigns Targeting E-commerce and Authentication Platforms

Evolution of Threat Strategies

Recent technical research has observed a convergence of advanced attack methodologies targeting digital authentication frameworks and e-commerce infrastructures. Threat actors are adopting tactics that combine living-off-the-land exploits, social engineering, and direct exploitation of unpatched third-party components.

Campaign Features and Technical Insights

Attackers have shifted to abusing weak points in self-hosted authentication solutions, notably:

  • Bypassing adaptive multi-factor authentication mechanisms via session hijacking and phishing-resistant prompt manipulation.
  • Infiltrating commerce platforms to intercept payment flows, modify backend logic, and exfiltrate sensitive customer data.
  • Leveraging vulnerabilities in unmaintained plugins or add-ons that introduce insecure authentication flows or hidden admin accounts.

Successful campaigns often blend commodity malware with custom initial access scripts, pivoting through cloud integrations and supply chain components.

Recommendations for Organizations

Security teams are urged to harden authentication flows, monitor session tokens for anomalies, isolate payment processing infrastructure, and conduct regular third-party component audits with a focus on authentication and payment modules.

CISA Updates Exploited Vulnerability Catalog

Latest Additions and Implications

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities Catalog with two new entries. These additions reflect vulnerability types currently under active exploitation in the wild and serve as mandates for federal agencies and critical infrastructure operators to prioritize patching.

Scope and Federal Mandates

All federal agencies and critical infrastructure organizations must review the newly listed vulnerabilities and implement mitigations by CISA’s remediation deadlines. The catalog’s updates are designed to drive rapid patch management and strategic risk reduction across the public and private sectors alike.
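The catalog is published as a JSON feed, so checking an asset inventory against new entries and their due dates can be automated. The following Python is added here as an illustration and is not part of the news item or any CISA tool: it parses a constructed sample in the feed's schema (the records, dates and due dates are placeholders, and the hostnames are invented) and reports which hosts carry a catalogued vulnerability, sorted with overdue items first.

```python
import json
from datetime import date

# Constructed sample of the CISA KEV feed. Field names follow the catalog's published JSON
# schema; the three records, their dates and due dates are constructed placeholders for
# illustration and were not copied from the live catalog.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft", "product": "SharePoint",
     "dateAdded": "2025-07-20", "dueDate": "2025-07-21", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-20281", "vendorProject": "Cisco", "product": "Identity Services Engine",
     "dateAdded": "2025-07-21", "dueDate": "2025-08-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleApp",  # placeholder
     "dateAdded": "2024-01-05", "dueDate": "2024-01-26", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory (hostnames and product strings are invented for the example).
INVENTORY = [
    {"host": "sp-web-01", "vendor": "Microsoft", "product": "SharePoint Server 2019"},
    {"host": "ise-pan-01", "vendor": "Cisco", "product": "Identity Services Engine"},
    {"host": "mail-01", "vendor": "ExampleVendor", "product": "Mail Gateway"},
]

def kev_entries_since(feed_json, since_iso):
    """Return the catalog entries added on or after `since_iso` (YYYY-MM-DD)."""
    since = date.fromisoformat(since_iso)
    entries = json.loads(feed_json)["vulnerabilities"]
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]

def triage(feed_json, inventory, today_iso):
    """Match catalog entries to inventory assets (case-insensitive vendor, substring product,
    since inventory strings carry edition suffixes) and return findings, overdue items first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        vendor = entry["vendorProject"].lower()
        product = entry["product"].lower()
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["vendor"].lower() == vendor and product in asset["product"].lower():
                findings.append({
                    "host": asset["host"], "cveID": entry["cveID"], "dueDate": entry["dueDate"],
                    "days_remaining": (due - today).days, "overdue": today > due,
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                })
    findings.sort(key=lambda f: (not f["overdue"], f["dueDate"], not f["ransomware"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_KEV_FEED, INVENTORY, "2025-07-22"):
        print(f["host"], f["cveID"], "due", f["dueDate"], "OVERDUE" if f["overdue"] else f"{f['days_remaining']} days left")
```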
