Structured data rendered for: WebPage
INVADERS
Back to Blog

2025 Zero-Day Storm: SharePoint and CrushFTP Under Active Attack

August 11, 2025
Lucas OliveiraLucas Oliveira
4 min read
2025 Zero-Day Storm: SharePoint and CrushFTP Under Active Attack

🛡️ The July 2025 Zero-Day Storm: SharePoint and CrushFTP Under Active Attack

The cybersecurity landscape was rocked in July 2025 by two major zero-day) exploitations that sent shockwaves through enterprise security teams worldwide. The month began with what appeared to be business as usual, but quickly escalated into a critical situation as attackers weaponized newly discovered vulnerabilities in Microsoft SharePoint and CrushFTP, leaving hundreds of organizations scrambling to patch and assess damage.

🔧 The SharePoint "ToolShell" Crisis: A Perfect Storm

On July 18, 2025, Dutch cybersecurity firm Eye Security detected suspicious activity on a client's SharePoint server. The investigation revealed a sophisticated zero-day attack exploiting CVE-2025-53770, a critical remote code execution vulnerability with a CVSS score of 9.8.

This zero-day bypassed Microsoft's July Patch Tuesday updates, and was dubbed "ToolShell" by researchers—highlighting how incomplete fixes can be exploited by determined adversaries.

🔍 Technical Breakdown

The exploit chain combines two vulnerabilities:

  • Unsafe deserialization allows unauthenticated remote code execution.
  • Attackers send specially crafted HTTP POST requests to /_layouts/15/ToolPane.aspx with a spoofed Referer: /layouts/SignOut.aspx.

Once exploited, attackers drop spinstall0.aspx, a reconnaissance tool that:

  • Steals MachineKey configuration including:
    • ValidationKey
    • DecryptionKey
  • Grants access to forge __VIEWSTATE payloads accepted as legitimate by SharePoint.

🔁 Persistence Mechanism

With stolen cryptographic secrets, attackers maintain access even after patching:

“This approach makes remediation particularly difficult—a typical patch would not automatically rotate these stolen cryptographic secrets, leaving organizations vulnerable even after they patch.”
— Benjamin Harris, watchTowr

🌍 Global Impact

  • 🚨 400+ organizations breached
  • ⏱️ 85+ SharePoint servers compromised within hours
  • 🏢 29 major firms and government entities confirmed victims
  • 🌐 9,000+ internet-exposed instances at risk

Affected sectors:

  • Government
  • Universities
  • Energy
  • Telecommunications
  • Healthcare

⚠️ Notably, the National Nuclear Security Administration (NNSA) was among the victims.

📂 CrushFTP: The Second Zero-Day Punch

Also on July 18, 2025, attackers exploited CVE-2025-54309 in CrushFTP, a managed file transfer solution. The bug, with a CVSS score of 9.0, enables remote admin access when the DMZ proxy is disabled.

🔬 Reverse Engineering Angle

According to CrushFTP:

"Hackers apparently reverse engineered our code and found some bug which we had already fixed."

The vulnerability was inadvertently patched during unrelated AS2 bug fixes, but older versions remained exposed.

📊 CrushFTP Impact

  • 🌎 250,000+ exposed instances (Shodan)
  • 🔍 1,040 unpatched servers confirmed (Shadowserver)
  • 📦 Affects versions:
    • v10 < 10.8.5
    • v11 < 11.3.4_23

Attackers could:

  • Create new admin users
  • Modify file transfer configurations
  • Maintain persistent access

🌐 Broader July 2025 Threat Landscape

These incidents were part of a broader wave of zero-day activity:

  • 🧱 Microsoft Patch Tuesday 0-days:
    • CVE-2024-38080 – Hyper-V escalation
    • CVE-2024-38112 – MSHTML spoofing
  • 🔐 FortiManager exploited (CVE-2024-47575)
  • ⚠️ Citrix Bleed 2 (CVE-2025-5777) triggered emergency mandates

🕵️ Attribution & Threat Actors

  • Chinese state-sponsored groups suspected in SharePoint intrusions (per Google & Microsoft)
  • Three attack clusters identified (SentinelOne)
  • In-memory, fileless attacks evaded detection
  • Reused IP infrastructure from Ivanti exploits (Check Point)

🛠️ Emergency Response & Patching

Microsoft:

  • Released out-of-band patches (July 19–21)
  • Provided AMSI & cryptographic key rotation guidance
  • Published IOCs & hunting tips

CISA:

  • Added CVE-2025-53770 to KEV catalog
  • Issued immediate federal patch requirements
  • Published joint advisories with EU partners

Industry:

  • Vendors released YARA/SIGMA rules
  • Cloud WAF providers deployed emergency mitigations

📚 Key Lessons for Cybersecurity Professionals

  1. Incomplete patches are dangerous
  2. Assume breach for internet-facing systems
  3. Cryptographic key management is essential
  4. Advanced EDR and behavioral monitoring are critical

🚨 Looking Ahead: The New Normal

The July 2025 zero-day storm marks a turning point in cybersecurity strategy.

  • 116+ zero-days exploited in 2024, with more in 2025

  • State-sponsored actors and aging enterprise infrastructure = perfect storm

In this new era, zero-day readiness is a survival skill, not a luxury.

📌 Organizations must:

  • Shorten patch cycles
  • Deploy assume-compromise strategies
  • Maintain visibility and readiness

🧠 The question isn’t if you’ll face a zero-day—but when.

Tags:
cyberthreads
zeroday
vulnerability
L

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.