SparTech Software – Cybersecurity News Bytes (July 23, 2025 2:03 AM)

Cybersecurity News — July 23, 2025

Table of Contents

  • 1. Microsoft SharePoint Zero-Day Under Mass Exploitation by State Actors
  • 2. CISA Mandates Emergency SharePoint Patch Across U.S. Agencies Amid Chinese State-Linked Intrusions
  • 3. Microsoft’s Cybersecurity Crisis Exposed: SharePoint Attacks Pressure Secure Future Initiative
  • 4. Linux Kernel Vulnerabilities: EDR Evasion with RingReaper and Secure Boot Flaw Uncovered
  • 5. NIST Announces HMAC FIPS Withdrawal and SCAP Validation Program Phase-Out

1. Microsoft SharePoint Zero-Day Under Mass Exploitation by State Actors

Discovery and Timeline

A critical zero-day vulnerability targeting on-premises Microsoft SharePoint servers has been actively exploited in the wild since at least July 7, 2025. The campaign initially targeted a major Western government, but rapidly expanded over the following weeks to include numerous government, telecommunications, and software organizations across North America and Western Europe.

Technical Analysis

Attackers are leveraging a previously undisclosed SharePoint flaw that bypasses authentication and allows sensitive server keys to be extracted. The vulnerability yields remote code execution on vulnerable servers and enables theft of cryptographic material; because stolen keys stay valid after the server is patched unless they are rotated, they give the attacker persistent backdoor access that is hard to distinguish from legitimate traffic.

Investigators have traced the activity to three source IP addresses, one of which was previously linked to exploitation of Ivanti Endpoint Manager Mobile appliances. The campaign demonstrates an advanced understanding of Microsoft stack internals and combines several techniques, including custom payload delivery and lateral movement within breached environments.

Operational Impact

Affected organizations face a dual risk: compromised data and continued attacker persistence, since stolen keys can be reused for privilege escalation or to reach downstream supply-chain targets. The sophistication of the exploit chain calls for urgent mitigation to prevent further breaches.

Mitigation Recommendations

Security teams are urged to apply the official patches immediately and, once patched, rotate any keys the server may have exposed (rotating before patching only hands the attacker the new keys). They should also review web server and SharePoint logs for anomalous access, update detection rules, and set up out-of-band alerts for behaviour consistent with this campaign.
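The log review above is the kind of triage a defender would script first. The block below is an added example and not code from the original post or from any vendor advisory; it parses IIS W3C extended logs from an on-premises SharePoint server and flags two things: requests from a watchlist of source addresses, and successful unauthenticated POSTs from outside the corporate ranges into the SharePoint `/_layouts/` directory. The watchlist addresses, the internal network ranges, the `.aspx` names and the log lines are all constructed placeholders; real indicators come from the vendor and CISA advisories, not from this script.

```python
"""Added example (not from the original post): triage IIS W3C logs from an
on-premises SharePoint server for the anomalous-access pattern described above.
All indicators are placeholders: the watchlist and the path heuristic are
illustrative assumptions, not the campaign's real indicators, and the
sample log lines are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

# Assumed corporate ranges; external sources hitting internal-only endpoints
# are suspicious.  Placeholder values.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Hypothetical watchlist (RFC 5737 documentation addresses, not real IOCs).
WATCHLIST = {"203.0.113.7", "198.51.100.42"}
# Heuristic: a successful (200) POST into the layouts directory with no
# authenticated user is rare for a legitimate session.
LAYOUTS_PREFIX = "/_layouts/"


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str


def parse_w3c(lines: Iterable[str]):
    """Yield (line_no, dict) per W3C extended-format entry, honouring the
    '#Fields:' directive so column order is never assumed."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {n}: data before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed entry: skip rather than mis-assign columns
        yield n, dict(zip(fields, values))


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(lines: Iterable[str]) -> list[Finding]:
    findings = []
    for n, e in parse_w3c(lines):
        ip, uri, method = e["c-ip"], e["cs-uri-stem"].lower(), e["cs-method"]
        status, user = e["sc-status"], e.get("cs-username", "-")
        if ip in WATCHLIST:
            findings.append(Finding(n, ip, "source on watchlist"))
        if (method == "POST" and uri.startswith(LAYOUTS_PREFIX)
                and user == "-" and status == "200" and is_external(ip)):
            findings.append(Finding(n, ip, f"unauthenticated external POST to {uri}"))
    return findings


# Constructed sample log; line 4 is the suspicious one.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2025-07-20 03:14:07 10.1.2.3 CORP\\alice GET /sites/hr/default.aspx 200
2025-07-20 03:14:09 203.0.113.7 - POST /_layouts/15/example.aspx 200
2025-07-20 03:14:10 10.1.2.4 CORP\\bob POST /_layouts/15/example.aspx 200
2025-07-20 03:15:00 198.18.0.9 - POST /_layouts/15/other.aspx 401
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip}: {f.reason}")
```

Run it against real logs by feeding the file to `triage()` instead of `SAMPLE_LOG`; the `#Fields:` handling matters because IIS servers are often configured with different column sets, and a parser that assumes positions silently reads the wrong column.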

2. CISA Mandates Emergency SharePoint Patch Across U.S. Agencies Amid Chinese State-Linked Intrusions

Government Response

In direct reaction to the active exploitation of SharePoint vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to apply the latest SharePoint patches by the end of July 23, 2025. This directive follows confirmed reports that Chinese nation-state actors have been successfully weaponizing the vulnerabilities to breach federal and private sector systems.

Exploit Methodology: AMSI Bypass

Recent findings show that enabling Microsoft’s Antimalware Scan Interface (AMSI) integration for SharePoint, a recommended interim mitigation, does not fully block the exploit. Researchers have demonstrated crafted requests that evade the AMSI check, leaving unpatched servers exposed to remote code execution and credential theft. The public proof-of-concept code observed so far does trigger AMSI, which can give administrators who rely solely on this mitigation a false sense of security.

Technical Implications for Defenders

The exploit’s ability to bypass AMSI highlights the ongoing arms race between exploit developers and defenders. Security guidance emphasizes patching over reliance on runtime mitigations, because offensive tooling evolves faster than signature-based detection. The situation shows how critical rapid vulnerability management and cross-team threat intelligence sharing are in the face of active nation-state campaigns.

3. Microsoft’s Cybersecurity Crisis Exposed: SharePoint Attacks Pressure Secure Future Initiative

Backdrop: Microsoft’s Overhaul Timeline

In late 2023, Microsoft launched the Secure Future Initiative, a sweeping program intended to embed security by design throughout its engineering culture and platform architecture. By April 2025, the company reported significant process and technology improvements, but acknowledged that setbacks were inevitable given the complexity and scale of its global operation.

Escalating Attacks and High-Profile Victims

The latest wave of SharePoint exploitation, attributed to three Chinese-affiliated hacking groups, has directly targeted U.S. Department of Education systems along with numerous private and governmental entities. The campaign focuses on self-hosted SharePoint deployments, leveraging their widespread use to maximize reach. While cloud-hosted instances are unaffected, the breadth of the on-premises ecosystem constitutes a major attack surface.

Long-Term Strategic Concerns

Microsoft faces intensified scrutiny over its software development lifecycle and vulnerability response processes. The company’s forward-looking security ambitions are now measured against the real-world consequences of unaddressed architectural flaws. These incidents highlight the operational difficulty of shifting security postures in legacy-dense, widely adopted enterprise platforms.

4. Linux Kernel Vulnerabilities: EDR Evasion with RingReaper and Secure Boot Flaw Uncovered

Emergence of RingReaper EDR Evasion Tool

The Linux threat landscape saw the introduction of RingReaper, an endpoint detection and response (EDR) evasion tool built on the io_uring kernel interface. It uses this legitimate high-performance asynchronous I/O facility of contemporary Linux kernels to keep its activity out of sight of security products whose visibility depends on hooking or tracing system calls.

Technical Breakdown

Rather than calling the conventional read, write, openat or connect system calls, RingReaper submits its file and network operations as entries on io_uring’s shared submission queue and lets the kernel complete them asynchronously. The per-operation syscalls that EDR hooks (ptrace, seccomp notifications, eBPF syscall tracepoints) expect to see never occur; a single io_uring_enter call, or none at all when a kernel-side polling thread is used, stands in for many of them. Detections keyed on those syscalls therefore miss activity such as reading files, enumerating processes or sending data over a socket, even though the operations themselves are ordinary.

Secure Boot Bypass Vulnerability

Separately, a newly disclosed Linux weakness lets an attacker with brief physical access tamper with the initramfs (initial RAM filesystem) during the boot phase. Secure Boot verifies the signatures of the bootloader and kernel, but the initramfs is usually generated locally on the machine and is not covered by that verification, so modifying it yields arbitrary code execution before the operating system initializes and undermines one of the most important firmware-rooted defences in modern Linux deployments.

Mitigation Guidance

Administrators are advised to track kernel updates, review which processes on monitored systems actually use io_uring and, on kernels 6.6 and later, consider restricting it with the kernel.io_uring_disabled sysctl where workloads do not need it, and enforce strict hardware-level controls on sensitive endpoints. Physical attack surface should be minimized by disabling unnecessary boot devices and setting firmware passwords; for the initramfs issue, booting a signed unified kernel image that bundles kernel and initramfs puts both under Secure Boot verification.
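Two of the checks above can be scripted without any vendor tooling. The block below is an added example (it is not RingReaper’s code and not from the original post) covering both the technical breakdown and the mitigation guidance: every io_uring instance a process holds is an anonymous inode whose `/proc/<pid>/fd/<n>` link reads `anon_inode:[io_uring]`, so listing those links enumerates ring holders even when their syscalls were never seen; and `/proc/sys/kernel/io_uring_disabled` (Linux 6.6 and later) reports whether the interface is enabled (0), disabled for unprivileged processes (1) or disabled entirely (2). The allowlist of expected io_uring users is a site-specific placeholder and the sample fd tables are constructed so the demo runs offline.

```python
"""Added example (not RingReaper's code, not from the original post): hunt for
io_uring users via /proc and interpret the kernel.io_uring_disabled sysctl.
EXPECTED_USERS is a placeholder allowlist; SAMPLE_FD_TABLES is constructed."""
import os
from typing import Mapping, Sequence

IO_URING_LINK = "anon_inode:[io_uring]"
# Placeholder: process names expected to hold io_uring rings on this host.
EXPECTED_USERS = {"postgres", "nginx"}


def find_io_uring_users(fd_tables: Mapping[int, tuple[str, Sequence[str]]]):
    """fd_tables maps pid -> (comm, readlink() targets of its open fds).
    Returns [(pid, comm, ring_count, unexpected)] for ring holders only."""
    hits = []
    for pid, (comm, links) in sorted(fd_tables.items()):
        rings = sum(1 for link in links if link == IO_URING_LINK)
        if rings:
            hits.append((pid, comm, rings, comm not in EXPECTED_USERS))
    return hits


def collect_fd_tables():
    """Live collector: walk /proc and readlink every fd.  Root is needed to
    see other users' processes; unreadable entries are skipped, not fatal."""
    tables = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            fd_dir = f"/proc/{pid}/fd"
            links = []
            for fd in os.listdir(fd_dir):
                try:
                    links.append(os.readlink(f"{fd_dir}/{fd}"))
                except OSError:
                    pass  # fd closed between listdir and readlink
        except OSError:
            continue  # process exited or not permitted
        tables[pid] = (comm, links)
    return tables


def describe_io_uring_sysctl(value: str) -> str:
    """Meaning of kernel.io_uring_disabled (Linux 6.6+).  Value 1 still
    permits processes with CAP_SYS_ADMIN or in the configured io_uring_group."""
    meanings = {
        "0": "io_uring enabled for all processes",
        "1": "io_uring disabled for unprivileged processes",
        "2": "io_uring disabled for all processes",
    }
    return meanings.get(value.strip(), f"unknown value {value.strip()!r}")


def read_io_uring_sysctl(path="/proc/sys/kernel/io_uring_disabled") -> str:
    try:
        with open(path) as f:
            return describe_io_uring_sysctl(f.read())
    except FileNotFoundError:
        return "sysctl absent: kernel older than 6.6, io_uring cannot be disabled this way"


# Constructed sample: pid 4242 is an unlisted process holding two rings.
SAMPLE_FD_TABLES = {
    1337: ("postgres", ["/var/lib/pg/data", IO_URING_LINK, "socket:[9912]"]),
    4242: ("kworker-helper", [IO_URING_LINK, IO_URING_LINK, "/etc/passwd"]),
    5000: ("bash", ["/dev/pts/0", "/dev/pts/0"]),
}

if __name__ == "__main__":
    tables = collect_fd_tables() if os.path.isdir("/proc") else SAMPLE_FD_TABLES
    for pid, comm, rings, unexpected in find_io_uring_users(tables):
        flag = "UNEXPECTED" if unexpected else "expected"
        print(f"pid {pid} ({comm}): {rings} io_uring ring(s) [{flag}]")
    print(read_io_uring_sysctl())
```

The fd scan is a point-in-time snapshot, so schedule it or wire the same logic into an EDR custom rule; a process that sets up a ring, does its work and exits between scans will be missed, which is exactly why the sysctl, where workloads allow it, is the stronger control.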

5. NIST Announces HMAC FIPS Withdrawal and SCAP Validation Program Phase-Out

FIPS 198-1 (HMAC) Withdrawal Proposal

The National Institute of Standards and Technology has proposed withdrawing Federal Information Processing Standard (FIPS) 198-1, the document that specifies the HMAC (Hash-based Message Authentication Code) construction. The proposal concerns the standards document, not the algorithm: HMAC remains an approved mechanism, with its specification carried forward in NIST’s Special Publication series, and the move follows a review of how NIST’s cryptographic standards have evolved and how HMAC is applied in practice.
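For readers who want to see exactly what FIPS 198-1 specifies, the block below is an added example (not from the original post) that writes the construction out from its definition: HMAC(K, text) = H((K0 XOR opad) || H((K0 XOR ipad) || text)), where K0 is the key brought to the hash function’s block size (hashed first if longer, then zero-padded) and ipad/opad are the bytes 0x36 and 0x5C. It checks the result against RFC 4231 test case 1 and against the standard library, and pairs it with a constant-time verifier, which is the part most implementations get wrong.

```python
"""Added example (not from the original post): the HMAC construction of
FIPS 198-1 written out from the definition and checked against hashlib/hmac.
The test vector is RFC 4231 test case 1 (HMAC-SHA-256)."""
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C


def _k0(key: bytes, h) -> bytes:
    """Normalize the key to exactly the hash's block size (FIPS 198-1 steps 1-3):
    keys longer than the block are hashed, shorter ones are zero-padded."""
    block = h().block_size            # 64 for SHA-256, 128 for SHA-512
    if len(key) > block:
        key = h(key).digest()         # hashed, never truncated
    return key.ljust(block, b"\x00")


def hmac_fips198(key: bytes, text: bytes, h=hashlib.sha256) -> bytes:
    """HMAC(K, text) = H((K0 ^ opad) || H((K0 ^ ipad) || text))."""
    k0 = _k0(key, h)
    inner = h(bytes(b ^ IPAD for b in k0) + text).digest()
    return h(bytes(b ^ OPAD for b in k0) + inner).digest()


def verify_tag(key: bytes, text: bytes, tag: bytes, h=hashlib.sha256) -> bool:
    """Constant-time comparison; a plain == on tags leaks timing."""
    return hmac.compare_digest(hmac_fips198(key, text, h), tag)


def matches_stdlib(key: bytes, text: bytes, h=hashlib.sha256) -> bool:
    """Cross-check against the standard library's implementation."""
    return hmac_fips198(key, text, h) == hmac.new(key, text, h).digest()


# RFC 4231 test case 1.
RFC4231_KEY = bytes([0x0B] * 20)
RFC4231_DATA = b"Hi There"
RFC4231_MAC = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")

if __name__ == "__main__":
    print(hmac_fips198(RFC4231_KEY, RFC4231_DATA).hex())
    # Keys shorter than, equal to and longer than the block size, two hashes.
    for klen in (0, 8, 64, 65, 200):
        for digest in (hashlib.sha256, hashlib.sha512):
            assert matches_stdlib(b"k" * klen, b"message", digest)
    print("construction matches hashlib.hmac for all key lengths")
```

The key-longer-than-block rule is the usual source of interoperability bugs: two implementations that disagree on whether a 65-byte key is hashed or truncated produce different tags for the same input, which is why the loop in `__main__` deliberately crosses the 64-byte boundary.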

Security Content Automation Protocol (SCAP) Program Retiring

In parallel, NIST is concluding the Security Content Automation Protocol (SCAP) Validation Program, signaling a broader shift toward more flexible, modern approaches for standardizing configuration and vulnerability data exchange. The SCAP phase-out reflects advancing automation expectations and a recognition of limitations in previous compliance-oriented toolsets.

Next Steps and Industry Impact

Organizations dependent on NIST validation frameworks must transition to new compliance and automation benchmarks, updating risk management policies and toolchains. Stakeholders are invited to submit public comments and begin migration planning as NIST finalizes these foundational changes over the coming year.
