Microsoft’s monthly batch of patches includes a vulnerability affecting on-premises Microsoft Exchange servers that the company and federal authorities warned about in a series of alerts last week. In its latest security update Tuesday, Microsoft maintained the flaw hasn’t been exploited in the wild and designated the exploitability of the defect — CVE-2025-53786 — as “more likely.”

Organizations have not applied the previously issued patch for the high-severity vulnerability en masse, despite the serious alarm raised by officials. More than 28,000 accessible Microsoft Exchange servers remained unpatched as of Monday, according to Shadowserver scans. 

The Cybersecurity and Infrastructure Security Agency’s deadline for all federal agencies to update eligible servers with a previously issued hotfix and disconnect outdated Exchange servers passed on Monday. 

Microsoft addressed 111 vulnerabilities affecting its various enterprise products, cloud services and foundational Windows systems in this month’s security update. The set of disclosures includes four additional defects affecting Microsoft Exchange Server.

The security update also comes on the heels of an attack spree targeting zero-day vulnerabilities in on-premises Microsoft SharePoint servers. More than 400 organizations were actively compromised by those attacks, including the Departments of Energy, Homeland Security and Health and Human Services. 

Those zero-days —  CVE-2025-53770 and CVE-2025-53771 — are variants of previously disclosed vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — that Microsoft addressed in its security update last month.

Microsoft said none of the vulnerabilities in this month’s update are actively exploited. Yet, researchers described CVE-2025-53779, an elevation of privilege vulnerability affecting Windows Kerberos, as a zero-day because functional exploit code exists.

“While Microsoft rates this flaw as ‘exploitation less likely’ with ‘moderate’ severity, the combination of a path traversal issue in a core authentication component like Kerberos and its potential high impact is concerning,” Mike Walters, president and co-founder of Action1, said in an email. “The need for high privileges may create a false sense of security, as accounts with these rights are common in decentralized IT environments. Once compromised, they can quickly lead to full domain takeover.”

The most critical vulnerability — CVE-2025-53767 — is a maximum-severity defect affecting Azure OpenAI, a cloud-based platform that provides access to OpenAI’s large language models. Additionally, a pair of critical, remote-code execution vulnerabilities with CVSS scores of 9.8 — CVE-2025-53766 and CVE-2025-50165 — affect Windows GDI+ and the Microsoft Graphics Component, respectively. 

The vulnerability in Microsoft Graphics Component could attract threat groups due to its high rating and ubiquitous use across environments. “The attack vector is incredibly broad, as the vulnerability is triggered when the operating system processes a specially crafted JPEG image,” Ben McCarthy, lead cybersecurity engineer at Immersive Labs, said in an email. 

“This means any application that renders images — from email clients generating previews and instant messaging apps displaying photos, to office documents with embedded pictures — can become an in for the attack,” McCarthy added.

The remaining critical vulnerabilities in this month’s security update include CVE-2025-53792, which affects Azure Portal, and CVE-2025-50171, which affects Remote Desktop Server.

Nearly 2 in 5 CVEs Microsoft patched this month are elevation of privilege vulnerabilities, reflecting an “upward trend in post-compromise vulnerabilities over code execution bugs,” Satnam Narang, senior staff research engineer at Tenable, said in an email. 

Microsoft’s monthly security fix includes 17 vulnerabilities that affect Microsoft Office and standalone Office products. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday follows SharePoint attacks, Exchange server warnings appeared first on CyberScoop.

The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread nearly a week after zero-day exploits were discovered, setting off alarms across the globe. More than 400 organizations have been actively compromised across four waves of attacks, according to Eye Security.

Multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services, have been hit. The California Independent System Operator, which operates some of the state’s wholesale electric grid, was also impacted.

As more victims confirm varying levels of compromise from the attack spree, researchers are learning and sharing more details about post-exploit activities. One of the China-based attackers behind the initial wave of attacks, Storm-2603, deployed Warlock ransomware starting July 18, Microsoft Threat Intelligence said Wednesday in an updated blog post.

The Chinese government-affiliated threat groups Linen Typhoon and Violet Typhoon — which have been active for at least a decade — are also actively exploiting the zero-day vulnerabilities, Microsoft said. Linen Typhoon has focused on stealing intellectual property and Violet Typhoon is an espionage threat group. Storm is a moniker Microsoft uses for threat groups in development.

Microsoft said it observed Storm-2603 modifying policy settings to distribute Warlock ransomware in compromised environments. The attacker is also attempting to steal cryptographic keys from compromised SharePoint servers, which could allow attackers to maintain persistent access to victim environments after the patch has been applied. Microsoft did not say how many organizations have been hit with ransomware.

The zero-days under active exploit —  CVE-2025-53770 and CVE-2025-53771 — are variants of a pair of previously disclosed vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — Microsoft addressed in its security update earlier this month. After discovering the new flaws, Microsoft scrambled to develop patches, releasing the updates for all affected versions of SharePoint by late Monday.

The exploit dubbed “ToolShell,” which allows attackers to bypass multi-factor authentication and single sign-on, contains the newly discovered defects: CVE-2025-53770, a critical remote-code execution vulnerability, and CVE-2025-53771, a security-bypass vulnerability. 

The “ToolShell” exploit chain allows attackers to fully access SharePoint content and execute code over the network, the Cybersecurity and Infrastructure Security Agency said. ESET Labs researchers said threat groups often chain all four vulnerabilities to intrude organizations.

CISA added CVE-2025-53770 to its known exploited vulnerabilities catalog Sunday, and added CVE-2025-47904 and CVE-2025-47906 to the database Tuesday. CISA said CVE-2025-53770 is a patch bypass for CVE-2025-49704 and CVE-2025-53771 is a patch bypass for CVE-2025-49706.

Officials declined to describe the level of compromise sustained across the federal government.

“Once the Microsoft SharePoint vulnerability was identified on Friday, CISA quickly launched a national coordinated response through an initial alert and two cybersecurity updates,” a Department of Homeland Security spokesperson said in a statement. “CISA has been working around the clock with Microsoft, impacted agencies, and critical infrastructure partners to share actionable information, apply mitigation efforts, implement protective measures, and assess preventative measures to shield from future attacks.”

The spokesperson said an investigation to identify potential exposure remains ongoing, adding “there is no evidence of data exfiltration at DHS or any of its components at this time.”

The Energy Department, which was impacted along with the National Nuclear Security Administration, is also unaware of any compromise of sensitive or classified information. 

Exploitation of the Microsoft SharePoint zero-day vulnerability began affecting the Energy Department and the NNSA on Friday. “The department was minimally impacted due to its widespread use of the Microsoft 365 cloud and very capable cybersecurity systems,” an agency spokesperson said in a statement.

“A very small number of systems were impacted. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate,” the spokesperson added.

The Department of Health and Human Services said it is monitoring, identifying and mitigating all risks to its IT systems posed by the Microsoft SharePoint vulnerability. “This vulnerability is not unique to HHS and has been observed in other federal agencies and the private sector,” a spokesperson for the agency said in a statement. “At present, we have no indication that any information was breached as a result of this vulnerability.”

Jayme Ackemann, director of communications at the California Independent System Operator, said the nonprofit, which manages long-distance power lines across 80% of California’s grid, became aware of potential exploitation Sunday. “There has been no impact to market operations or grid reliability due to this incident,” Ackemann said. “All systems remain stable and fully operational.”

Microsoft SharePoint is prevalent across enterprise and government and deeply integrated with Microsoft’s platform. Researchers warn that attackers could use intrusions to burrow deeper into victim networks.

Attacks have spread globally but U.S.-based organizations are the most heavily targeted to date, accounting for more than 13% of attacks, according to ESET’s telemetry data. Scans from the Shadowserver Foundation showed nearly 11,000 SharePoint instances were still exposed to the internet as of Wednesday.

The post Microsoft SharePoint attacks ensnare 400 victims, including federal agencies appeared first on CyberScoop.

Attackers are actively exploiting a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers, prompting industry heavyweights to sound the alarm over the weekend. 

Researchers discovered the active, ongoing attack spree Friday afternoon and warnings were issued en masse by Saturday evening. Microsoft released urgent guidance Saturday, advising on-premises SharePoint customers to turn on and properly configure Antimalware Scan Interface in SharePoint or disconnect servers from the internet until an emergency patch is available. The company released patches for two of the three versions of SharePoint affected by the defect Sunday, but has not issued a patch for SharePoint Server 2016 as of Monday morning. 

Researchers warn that attackers have already used the exploit dubbed “ToolShell” to intrude hundreds of organizations globally, including private companies and government agencies. The Cybersecurity and Infrastructure Security Agency issued an alert about active attacks and added the defect to its known exploited vulnerabilities catalog Saturday.

“This is a high-severity, high-urgency threat,” Michael Sikorski, chief technology officer and head of threat intelligence at Palo Alto Networks Unit 42, said in a statement. 

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said hundreds of organizations across government, education and critical infrastructure have been impacted across the United States, Germany, France and Australia. “This is going global, fast,” he said, adding that initial scans for the exploit started Wednesday, and exploitation was in full swing through Thursday and Friday.

The critical remote-code execution vulnerability, CVE-2025-53770, has an initial CVSS score of 9.8 and allows attackers to intrude unauthenticated systems with full access to files, internal configurations and code execution. The defect is a variant of CVE-2025-49706, which was patched in Microsoft’s security update earlier this month. 

The new widely exploited defect “reflects a bypass around Microsoft’s original patch” for CVE-2025-49706, Dewhurst said. Microsoft confirmed attacks are targeting on-premises SharePoint server customers by exploiting vulnerabilities partially addressed in the company’s July security update.

“Attackers are bypassing identity controls, including multi-factor authentication and single sign-on, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys,” Sikorski added. 

“The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point,” he said. “Patching alone is insufficient to fully evict the threat.”

Palo Alto Networks Unit 42 said attackers are targeting organizations worldwide by dropping malicious ASPX payloads via PowerShell and stealing SharePoint servers’ internal cryptographic machine keys to maintain persistent access. 

“The theft of the MachineKey is critical because it allows attackers persistent, unauthenticated access that can bypass future patching,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said in a LinkedIn post Saturday. “Organizations with vulnerable, public-facing SharePoint instances must urgently investigate for compromise and be prepared to rotate these keys to fully remediate the threat.”

Researchers at Eye Security said they’ve observed at least two waves of attacks as part of the mass exploitation campaign, and upon scanning more than 8,000 public-facing SharePoint servers determined the exploit is systemic. 

“Within hours, we identified more than dozens of separate servers compromised using the exact same payload at the same filepath. In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access,” Eye Security said in a blog post Saturday.

Attribution efforts are ongoing, but early signs point to nation-state attackers focused on persistence, Dewhurst said. “As always, when there is mass attention to a vulnerability, crime gangs and other threat actor groups will follow, which is what we’re seeing now.”

Shadowserver, which is working with Eye Security and watchTowr to notify impacted organizations, said its scans found about 9,300 SharePoint servers exposed to the internet daily.

“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action. Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations,” Chris Butera, acting executive assistant director at CISA, said in a statement. “CISA encourages all organizations with on-premise Microsoft Sharepoint servers to take immediate recommended action.”

Microsoft declined to answer questions, as its top security executives issued updates on social media throughout the weekend, noting that the company is working urgently to release patches for all impacted versions of SharePoint. The cloud-based version of SharePoint in Microsoft 365 is not impacted.

“We’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario. We spent the weekend trying to alert organizations to their exposure and, in some cases, were forced to watch them get compromised in real-time,” Dewhurst said.

“The sad reality is that we’ll see this vulnerability exploited long into the future as organizations fail to patch or as attackers return to regain access after stealing cryptographic keys, as has been seen heavily in activity this weekend,” he said.

Sikorski noted that SharePoint’s deep integration with Microsoft’s platform, which contains all the information valuable to an attacker, makes this especially concerning. “A compromise doesn’t stay contained — it opens the door to the entire network,” he said.

“An immediate, Band-Aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”

The post Mass attack spree hits Microsoft SharePoint zero-day defect appeared first on CyberScoop.