The July 2025 Zero-Day Storm: SharePoint and CrushFTP Under Active Attack
🛡️ The July 2025 Zero-Day Storm: SharePoint and CrushFTP Under Active Attack
The cybersecurity landscape was rocked in July 2025 by two major zero-day exploitations that sent shockwaves through enterprise security teams worldwide. The month began with what appeared to be business as usual, but quickly escalated into a critical situation as attackers weaponized newly discovered vulnerabilities in Microsoft SharePoint and CrushFTP, leaving hundreds of organizations scrambling to patch and assess damage.
🔧 The SharePoint "ToolShell" Crisis: A Perfect Storm
On July 18, 2025, Dutch cybersecurity firm Eye Security detected suspicious activity on a client's SharePoint server. The investigation revealed a sophisticated zero-day attack exploiting CVE-2025-53770, a critical remote code execution vulnerability with a CVSS score of 9.8.
This zero-day bypassed Microsoft's July Patch Tuesday updates, and was dubbed "ToolShell" by researchers—highlighting how incomplete fixes can be exploited by determined adversaries.
🔍 Technical Breakdown
The exploit chain combines two vulnerabilities:
- Unsafe deserialization allows unauthenticated remote code execution.
- Attackers send specially crafted HTTP POST requests to
/_layouts/15/ToolPane.aspxwith a spoofedReferer: /layouts/SignOut.aspx.Once exploited, attackers drop
spinstall0.aspx, a reconnaissance tool that:
- Steals MachineKey configuration including:
ValidationKeyDecryptionKey- Grants access to forge
__VIEWSTATEpayloads accepted as legitimate by SharePoint.
🔁 Persistence Mechanism
With stolen cryptographic secrets, attackers maintain access even after patching:
“This approach makes remediation particularly difficult—a typical patch would not automatically rotate these stolen cryptographic secrets, leaving organizations vulnerable even after they patch.”
— Benjamin Harris, watchTowr
🌍 Global Impact
- 🚨 400+ organizations breached
- ⏱️ 85+ SharePoint servers compromised within hours
- 🏢 29 major firms and government entities confirmed victims
- 🌐 9,000+ internet-exposed instances at risk
Affected sectors:
- Government
- Universities
- Energy
- Telecommunications
- Healthcare
⚠️ Notably, the National Nuclear Security Administration (NNSA) was among the victims.
📂 CrushFTP: The Second Zero-Day Punch
Also on July 18, 2025, attackers exploited CVE-2025-54309 in CrushFTP, a managed file transfer solution. The bug, with a CVSS score of 9.0, enables remote admin access when the DMZ proxy is disabled.
🔬 Reverse Engineering Angle
According to CrushFTP:
"Hackers apparently reverse engineered our code and found some bug which we had already fixed."
The vulnerability was inadvertently patched during unrelated AS2 bug fixes, but older versions remained exposed.
📊 CrushFTP Impact
- 🌎 250,000+ exposed instances (Shodan)
- 🔍 1,040 unpatched servers confirmed (Shadowserver)
- 📦 Affects versions:
- v10 <
10.8.5- v11 <
11.3.4_23Attackers could:
- Create new admin users
- Modify file transfer configurations
- Maintain persistent access
🌐 Broader July 2025 Threat Landscape
These incidents were part of a broader wave of zero-day activity:
- 🧱 Microsoft Patch Tuesday 0-days:
CVE-2024-38080– Hyper-V escalationCVE-2024-38112– MSHTML spoofing- 🔐 FortiManager exploited (
CVE-2024-47575)- ⚠️ Citrix Bleed 2 (
CVE-2025-5777) triggered emergency mandates
🕵️ Attribution & Threat Actors
- Chinese state-sponsored groups suspected in SharePoint intrusions (per Google & Microsoft)
- Three attack clusters identified (SentinelOne)
- In-memory, fileless attacks evaded detection
- Reused IP infrastructure from Ivanti exploits (Check Point)
🛠️ Emergency Response & Patching
Microsoft:
- Released out-of-band patches (July 19–21)
- Provided AMSI & cryptographic key rotation guidance
- Published IOCs & hunting tips
CISA:
- Added
CVE-2025-53770to KEV catalog- Issued immediate federal patch requirements
- Published joint advisories with EU partners
Industry:
- Vendors released YARA/SIGMA rules
- Cloud WAF providers deployed emergency mitigations
📚 Key Lessons for Cybersecurity Professionals
- Incomplete patches are dangerous
- Assume breach for internet-facing systems
- Cryptographic key management is essential
- Advanced EDR and behavioral monitoring are critical
🚨 Looking Ahead: The New Normal
The July 2025 zero-day storm marks a turning point in cybersecurity strategy.
116+ zero-days exploited in 2024, with more in 2025
State-sponsored actors and aging enterprise infrastructure = perfect storm
In this new era, zero-day readiness is a survival skill, not a luxury.
📌 Organizations must:
- Shorten patch cycles
- Deploy assume-compromise strategies
- Maintain visibility and readiness
🧠 The question isn’t if you’ll face a zero-day—but when.