This Week - Ending 25 July 2025

1 August 2025 By Elliot Sandell
Technology

Originally posted on Substack - please subscribe there to get this a week earlier!

This week's news cycle was dominated by the fallout from Microsoft’s flawed patching of SharePoint’s ToolShell zero‑day. Add in active exploitation of Cisco’s Identity Services Engine, a fresh zero‑day in CrushFTP and the continued exploitation of SonicWall and NetScaler products, and you’ve got a messy patching landscape. Plus a possible chaining with another Citrix bug, CVE-2025-6543.

News Round‑Up

  • SharePoint zero‑day escalates to ransomware and espionage – Microsoft warned that CVE‑2025‑49706 (spoofing) and CVE‑2025‑49704 (RCE) are being abused by Chinese groups Linen Typhoon, Violet Typhoon and Storm‑2603. Emergency updates for SharePoint 2016/2019/Subscription Edition were released on 19 July but attackers bypassed early patches, prompting new CVEs CVE‑2025‑53770 and CVE‑2025‑53771 microsoft.com. Microsoft advised enabling AMSI, rotating ASP.NET machine keys and patching immediately microsoft.com.

  • Microsoft’s incomplete fix exposed 100+ organisations – Reuters reported that the initial Microsoft patch failed to fully remediate the SharePoint flaw discovered during a May hacking contest, leaving ~100 organisations compromised reuters.com. Eye Security and Shadowserver estimate over 9 000 vulnerable servers; the U.S. National Nuclear Security Administration was among those breached reuters.com.

  • CVE-2025-5777 update: still rumbling on – The Dutch Department of Justice admits it may take weeks to recover and secure its network prosecutionservice.nl. A number of NCSCs are repeating Kevin Beaumont's call to actively threat hunt even on patched devices, and Shadowserver and Beaumont note that a large number of unpatched devices remain in the wild. So while the world is burning over SharePoint, infrastructure patching is still behind.

    Late extra worth noting – an evolving story being reported is that some #Citrixbleed2 victims are also victims of another vulnerability, with web shell implants via CVE-2025-6543. NCSC-NL has released a script to check for them (linked in the Late addition below). As reported by Kevin Beaumont, who has been fantastic at digging deep on this.

  • Cisco Identity Services Engine (ISE) critical bugs under active attack – We reported last week that Cisco had released more fixes around a previously botched patch. Shadowserver found attackers exploiting CVE‑2025‑20281 (CVSS 10) as early as 5 July to gain root access without credentials theregister.com. Cisco confirmed active exploitation on 21 July and patched CVE‑2025‑20281, CVE‑2025‑20337 and CVE‑2025‑20282, but there are no workarounds theregister.com.

  • SonicWall SMA 100 series remote code execution flaw (CVE‑2025‑40599) – We reported last week that Google's GTIG group had found flaws in SonicWall devices; SonicWall is now urging customers to upgrade SMA 210/410/500v appliances and to examine logs to determine whether they have been exploited helpnetsecurity.com. CVE‑2025‑40599 allows an authenticated file upload leading to RCE; organisations should patch to v10.2.2.1‑90sv, review logs, disable remote management and reset credentials helpnetsecurity.com.

  • CrushFTP zero‑day exploited (CVE‑2025‑54309) – A zero‑day in the CrushFTP server’s AS2 validation (I’m getting a sense of déjà vu after Wing FTP's CVE-2025-47812) allowed unauthenticated attackers to obtain admin access. Around 1040 servers were exposed; organisations should upgrade to v10.8.5/11.3.4_23 and check for data theft helpnetsecurity.com. Running a DMZ proxy mitigates but is not foolproof helpnetsecurity.com.

  • Law enforcement takedowns – Authorities seized the leak sites of the BlackSuit ransomware gang under Operation Checkmate (multi‑agency effort) and arrested the suspected administrator of the Russian cybercrime forum XSS.is in Kyiv. The forum served over 50 000 users and generated more than €7 million reuters.com.

  • UK Government considers ransomware payment ban for public sector – A move that is not only sensible but, in my opinion, needed. Affected organisations include local councils, schools and the National Health Service (NHS). Under the proposed law change, businesses not covered by the ban would be required to notify the government if they intend to make a ransom payment bleepingcomputer.com.


Deep Dive: ToolShell and the SharePoint Patch Debacle

A Perfect Storm for SharePoint

When SharePoint on‑premises vulnerabilities CVE‑2025‑49704 and CVE‑2025‑49706 surfaced in May’s Pwn2Own hacking contest, Microsoft released patches on 8 July. However, by mid‑July researchers noticed exploitation increasing; attackers were deploying ToolShell, a web shell that uploads spinstall0.aspx to harvest machine keys and execute arbitrary code microsoft.com. Chinese APT actors Linen Typhoon and Violet Typhoon initially used the flaw for espionage microsoft.com.

On 19 July, Microsoft issued emergency updates and recommended rotating the ASP.NET machine keys, enabling AMSI and restarting IIS microsoft.com. Yet the guidance came too late. Reuters reported that the initial fix didn’t fully block the exploit, leaving at least 100 organisations exposed reuters.com. By 22 July, Microsoft acknowledged that two new CVEs (CVE‑2025‑53770 and CVE‑2025‑53771) were bypasses of the original patches microsoft.com.

Ransomware Enters the Chat

By 24 July Microsoft warned that Storm‑2603—a China‑linked group previously known for deploying LockBit—had pivoted from espionage to Warlock ransomware. Using the same ToolShell chain, the group performs reconnaissance, drops a spinstall0.aspx web shell, steals machine keys and disables Defender services before detonating ransomware microsoft.com. Eye Security estimates that at least 400 SharePoint servers worldwide have been encrypted, and the National Nuclear Security Administration confirmed a breach reuters.com.

Implications

  • Patching is not optional – The remote code execution chain affects only on‑premises SharePoint; SharePoint Online is unaffected microsoft.com. Install Microsoft’s July 19 and July 22 updates for SharePoint 2016/2019/SE immediately and confirm machine key rotation.

  • Detection and hunting – Monitor logs for unusual POST requests to /_layouts/15/ToolPane.aspx and for web shells such as spinstall0.aspx or variants microsoft.com. Use Defender or your EDR to search for w3wp.exe executing unexpected commands microsoft.com. Rotate machine keys to invalidate stolen tokens.

  • Identity protection – Attackers are using stolen machine keys to forge SAML tokens and pivot to other services. Enabling AMSI full‑mode scanning and auditing Windows event logs helps catch suspicious token issuance microsoft.com.

  • Strategic: trust but verify – The failure of the first patch underscores the need for defence in depth. Relying on vendor assurances alone is risky; organisations should implement layered controls such as web application firewalls, network segmentation and continuous monitoring.
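To make the "Detection and hunting" item above concrete, here is an added example (not from the post or from Microsoft) that walks IIS W3C logs and flags the two indicators it names: POST requests to /_layouts/15/ToolPane.aspx and any request for spinstall0.aspx or a numbered variant. The log excerpt, IPs and usernames are constructed for the demo.

```python
import re

# Constructed sample IIS W3C log excerpt (not real data); the layout follows the
# standard #Fields header IIS writes, with spaces in values replaced by '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 02:11:04 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 - 200
2025-07-18 02:12:31 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 python-requests/2.32 - 200
2025-07-18 02:12:33 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 python-requests/2.32 - 200
2025-07-18 02:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.30 Mozilla/5.0 - 200
"""

# File name from the post plus numbered variants (spinstall1.aspx, ...).
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def hunt_toolshell(text):
    """Return (reason, record) pairs for requests matching the IoCs in the post.

    Legitimate page editing also POSTs to ToolPane.aspx, so an anonymous POST
    (cs-username '-') is labelled separately as the stronger signal.
    """
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if rec.get("cs-method") == "POST" and stem.lower().endswith("/_layouts/15/toolpane.aspx"):
            who = "anonymous" if rec.get("cs-username") == "-" else "authenticated"
            hits.append((f"{who} POST to ToolPane.aspx", rec))
        if WEBSHELL_RE.search(stem):
            hits.append(("request for spinstall web shell", rec))
    return hits


if __name__ == "__main__":
    for reason, rec in hunt_toolshell(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} {rec['c-ip']:>15} {reason}")
```

Point it at the real W3C logs under the IIS log directory of each SharePoint front end; anonymous POSTs to ToolPane.aspx followed by a request for a spinstall file from the same client are the pattern to escalate.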

What Next?

ToolShell exemplifies how quickly adversaries weaponise incomplete fixes. Expect further exploitation of on‑premises collaboration platforms, especially by ransomware operators seeking high‑value targets. Given the number of unmaintained SharePoint installations, defenders should consider migrating to cloud‑hosted services where possible or, at minimum, isolate on‑prem servers from the internet. Vendors must improve post‑patch validation; community testing and bug‑bounty transparency can help avert future patch fiascos.


Tech Tip

What to do: If you’re running on‑premises SharePoint Server 2016/2019/Subscription Edition, urgently install Microsoft’s July 19 and July 22 security updates. After patching:

  • Rotate the ASP.NET machine keys from Central Admin or via PowerShell to invalidate stolen tokens. Delete the old keys.

  • Enable the Antimalware Scan Interface (AMSI) in Full Mode and ensure Microsoft Defender Antivirus (or equivalent) is active on all SharePoint servers microsoft.com.

  • Restart IIS after updating and key rotation to ensure the new keys take effect.

  • Monitor for web shells like spinstall0.aspx by inspecting logs and scanning the %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS directory.

  • Restrict internet exposure by placing SharePoint behind a reverse proxy or VPN; require MFA for admin access.

Why: CVE‑2025‑49704/49706 and their bypasses allow unauthenticated attackers to steal machine keys and execute arbitrary code, enabling lateral movement and ransomware deployment. Patch gaps and unrotated keys leave servers vulnerable even after updates microsoft.com. Enabling AMSI and Defender intercepts malicious scripts, while rotating keys breaks attackers’ ability to forge SAML tokens. Restricting exposure reduces the attack surface and buys time for detection.
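For the "monitor for web shells" step in the Tech Tip, here is an added example (not from the post or from Microsoft) that lists every .aspx file in the LAYOUTS directory whose name is not in a known-good baseline. The baseline set is an assumption for the demo; on a real server build it from a clean, fully patched reference install. The demo scans a throwaway temporary tree with two planted placeholder files rather than a live server.

```python
import tempfile
from pathlib import Path

# Directory named in the Tech Tip; pass os.path.expandvars() of this to the
# function on a real server. The demo below scans a throwaway tree instead.
LAYOUTS_DIR = r"%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"

# Constructed baseline for the demo. On a real server derive it from a clean,
# fully patched reference install (a file listing or Get-FileHash output).
BASELINE = {"start.aspx", "ToolPane.aspx", "SignOut.aspx"}


def find_unexpected_aspx(layouts_dir, baseline):
    """Return (path relative to LAYOUTS, size in bytes) for every .aspx file
    whose name is not in the baseline. Matching is case-insensitive and the
    walk includes subfolders, so a file dropped under a locale folder such as
    1033 is still reported."""
    root = Path(layouts_dir)
    known = {name.lower() for name in baseline}
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".aspx" and path.name.lower() not in known:
            findings.append((str(path.relative_to(root)), path.stat().st_size))
    return findings


def demo():
    """Build a temporary LAYOUTS look-alike with two planted files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "1033").mkdir()
        for name in BASELINE:
            (root / name).write_text("<%@ Page %>")  # stand-ins for shipped files
        # Planted files using the name from the post and a numbered variant;
        # their content is a harmless placeholder, not a web shell.
        (root / "spinstall0.aspx").write_text("<%@ Page %> placeholder")
        (root / "1033" / "spinstall1.aspx").write_text("placeholder")
        return find_unexpected_aspx(root, BASELINE)


if __name__ == "__main__":
    for rel, size in demo():
        print(f"UNEXPECTED: {rel} ({size} bytes) - inspect and compare with the patch baseline")
```

Anything reported should be treated as a potential implant until its hash matches a file shipped by the installed update, and the hunt should be repeated after the July 22 update as well as after key rotation.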

Late addition:
If you're running NetScalers and have recently patched for CVE-2025-5777, please use the script provided below to check for code implants that persist after patching due to CVE-2025-6543.

  • NCSC-NL Scanning Script Github.

Resource Picks


What’s your organisation’s policy on applying emergency patches? Do you deploy them immediately? How often do you do post-patch testing beyond clicking install?

Given this week’s SharePoint fiasco, I’d love to hear how you balance the risk of breaking critical systems versus the risk of exploitation. Drop me a reply or comment with your approach and any lessons learned.


That’s all for this week—patch early, test thoroughly and stay wary of quick fixes. See you next Friday.

Appendix: Sources

  • Microsoft Security Blog – “Disrupting active exploitation of on‑premises SharePoint vulnerabilities” microsoft.com.

  • Reuters – “Microsoft knew of SharePoint security flaw but failed to effectively patch it, timeline shows” reuters.com.

  • The Register – “No login? No problem: Cisco ISE flaw gave root access before fix arrived” theregister.com.

  • Help Net Security – “SonicWall fixes critical flaw in SMA appliances, urges customers to check for compromise (CVE‑2025‑40599)” helpnetsecurity.com.

  • Help Net Security – “Critical CrushFTP vulnerability exploited (CVE‑2025‑54309)” helpnetsecurity.com.

  • Security Affairs – “Patch immediately: CVE‑2025‑25257 PoC enables remote code execution on Fortinet FortiWeb” securityaffairs.com.

  • Reuters – “Suspect linked to Russian language cybercrime forum arrested in Ukraine” reuters.com.