Resources
    Critical CVE Alert: July ...
    29 July 25

    Critical CVE Alert: July 2025 Active Threat Roundup

    Posted byINE
    news-featured

    Security teams face significant challenges this month as multiple critical CVE vulnerabilities demand immediate attention. Four distinct threat categories have emerged as top priorities, each representing active exploitation campaigns targeting enterprise environments. This roundup provides essential threat intelligence and mitigation guidance for the most pressing security concerns.

    SharePoint ToolShell Exploit Chain

    Threat: CVE-2025-53770 & CVE-2025-53771

    CVE-2025-53770 (CVSS 9.8) is a critical remote code execution vulnerability affecting on-premises Microsoft SharePoint servers only. SharePoint Online in Microsoft 365 is not impacted. The flaw stems from unsafe deserialization of untrusted data, allowing attackers to execute arbitrary code through crafted POST requests to the /_layouts/15/ToolPane.aspx endpoint.

    CVE-2025-53771 (CVSS 6.3) provides the authentication bypass component of the ToolShell attack chain. This spoofing vulnerability exploits improper pathname restrictions, enabling attackers to circumvent authentication mechanisms using forged Referer headers pointing to /_layouts/SignOut.aspx.

    These vulnerabilities represent bypass techniques for previously patched flaws CVE-2025-49704 and CVE-2025-49706. Microsoft's initial July 2025 patches proved insufficient, prompting emergency updates with enhanced protections.

    Why It Matters

    Active exploitation campaigns have compromised over 75 organizations worldwide. Attackers achieve complete SharePoint server control, including access to sensitive documents, internal configurations, and the ability to establish persistent backdoors. The attack requires no user interaction and can be executed remotely without authentication.

    Successful exploitation enables lateral movement throughout SharePoint environments and potential access to integrated Microsoft services. Organizations report discovery of spinstall0.aspx web shells providing continued attacker access for data exfiltration and further system compromise.

    Mitigation

    Microsoft released emergency security updates for all supported SharePoint versions. Organizations must apply these updates immediately to all on-premises SharePoint installations:

    • SharePoint 2016: KB5002760 (Core) and KB5002759 (Language Pack)

    • SharePoint 2019: KB5002754 (Core) and KB5002753 (Language Pack)

    • SharePoint Subscription Edition: KB5002768

    Enable Antimalware Scan Interface (AMSI) integration with Full Mode scanning. Deploy Microsoft Defender Antivirus on all SharePoint servers to prevent unauthenticated exploitation attempts. Configure network segmentation to limit SharePoint server exposure to untrusted networks.

    Threat hunting activities should focus on detecting spinstall0.aspx file creation in SharePoint layouts directories and monitoring for unusual PowerShell execution patterns initiated by w3wp.exe processes.


    DNS TXT Record Malware Delivery

    Threat: Malware Embedded in DNS Infrastructure

    Cybercriminals have developed sophisticated techniques for hiding malware within DNS TXT records. Attackers convert binary malware into hexadecimal format, segment it into small chunks, and store each fragment in separate subdomain TXT records under attacker-controlled domains.

    When victims access compromised networks, malicious scripts query these DNS records to retrieve and reassemble complete malware payloads. Recent discoveries include Joke Screenmate malware and PowerShell stagers designed to download additional malicious components. Attackers also embed AI prompt injection text in DNS records to manipulate automated systems.

    Why It Matters

    This technique bypasses traditional security controls because DNS traffic appears legitimate to most monitoring systems. The method exploits the trusted nature of DNS infrastructure, allowing malware delivery without triggering antivirus software, email filters, or firewalls.

    Organizations struggle to detect these attacks due to the hidden nature of DNS traffic content. Even well-equipped security teams may miss malicious activity because DNS requests look identical to normal domain resolution queries. The technique enables persistent command and control communication channels that are difficult to block.

    Mitigation

    Implement comprehensive DNS filtering solutions with advanced pattern detection capabilities. Deploy DNS security tools that inspect TXT record contents beyond basic resolution functions. Configure monitoring for unusually long TXT records and high-volume subdomain queries to recently registered domains.

    Establish baseline DNS traffic patterns and implement alerting for deviations such as frequent TXT record requests or connections to suspicious domain structures. Restrict outbound DNS access to trusted, monitored resolvers and maintain detailed logging for all DNS queries through internal resolvers.

    Security teams should integrate DNS monitoring into existing threat hunting programs, specifically looking for encoded content patterns and abnormal query frequencies targeting TXT records.


    Adobe Commerce Critical Vulnerability

    Threat: CVE-2024-34102 (CosmicSting)

    CVE-2024-34102 (CVSS 9.8) affects Adobe Commerce and Magento Open Source versions 2.4.7 and earlier. This critical XML External Entity (XXE) vulnerability stems from improper restriction of XML external entity references, enabling unauthenticated remote code execution.

    Attackers exploit this vulnerability by submitting crafted XML documents containing malicious external entity references to vulnerable endpoints. The flaw allows arbitrary file reading, potentially accessing configuration files containing cryptographic keys used for JWT authentication. Advanced exploitation chains combine this capability with other techniques to achieve full system compromise.

    Why It Matters

    Adobe confirmed limited exploitation attempts targeting Adobe Commerce merchants in the wild. The vulnerability requires no user interaction and enables complete e-commerce security compromise without authentication credentials. Successful attacks provide access to customer data, payment information, and administrative controls.

    The vulnerability affects millions of online stores worldwide, creating significant risk for both merchants and customers. Attackers can steal sensitive customer information, manipulate product catalogs, and establish persistent access for ongoing malicious activities. The impact extends beyond individual stores to affect customer trust and regulatory compliance.

    Mitigation

    Adobe released security updates for all supported versions, including isolated patches for older installations. Organizations must update to Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, or 2.4.4-p9 immediately. A hotfix released July 17, 2024, addresses additional exploitation techniques.

    Implement Web Application Firewall rules to block suspicious XML patterns and known exploit signatures. Restrict administrative access to Magento panels and API endpoints from untrusted network locations. Enable comprehensive logging and monitoring for all Adobe Commerce installations.

    Rotate encryption keys following patch application to ensure compromised keys cannot be used for persistent access. Conduct thorough security scans to identify potential indicators of compromise and verify complete patch deployment across all production and development environments.


    DNS Infrastructure Hijacking

    Threat: Domain Takeover via Abandoned Resources

    The Hazy Hawk threat group demonstrates advanced techniques for hijacking legitimate domains through abandoned cloud resources and dangling DNS CNAME records. Attackers identify organizations with DNS records pointing to decommissioned cloud services, then register the abandoned resources to gain control of trusted domains.

    This technique affects high-profile organizations including government agencies, major corporations, and educational institutions. Hijacked domains are used to host malicious content while maintaining the reputation and trust associated with legitimate organizations.

    Why It Matters

    Domain hijacking enables attackers to bypass security controls that rely on domain reputation and trust indicators. Users and security systems may not recognize malicious content hosted on hijacked legitimate domains. The technique provides persistent access to trusted infrastructure for hosting scams, malware distribution, and command and control operations.

    The impact extends beyond individual organizations to affect their customers, partners, and stakeholders who may unknowingly access malicious content through trusted domain names. Regulatory and compliance implications arise when customer data or sensitive information becomes accessible through hijacked domains.

    Mitigation

    Conduct regular audits of DNS configurations to identify and remediate dangling CNAME records pointing to decommissioned cloud resources. Implement monitoring for unauthorized changes to DNS settings and establish formal procedures for properly decommissioning cloud resources and updating associated DNS records.

    Deploy automated scanning tools to detect dangling DNS records and abandoned cloud resources. Maintain comprehensive asset inventories including cloud services and associated DNS configurations. Establish incident response procedures for addressing compromised or hijacked domains.


    Response Priorities and Threat Hunting Focus

    Current threat activity demonstrates coordinated exploitation campaigns targeting specific vulnerability classes. CISA has added multiple CVEs to the Known Exploited Vulnerabilities catalog, indicating widespread exploitation attempts across government and private sector organizations.

    Security teams should prioritize threat hunting activities focused on these specific attack patterns. Establish detection rules for ToolShell exploitation indicators, unusual DNS TXT record access patterns, and Adobe Commerce XXE attack signatures. Regular vulnerability scanning combined with threat intelligence feeds helps identify exposure to these critical vulnerabilities.

    Develop incident response procedures specifically addressing SharePoint compromise scenarios and e-commerce platform breaches. Ensure security teams understand the technical indicators associated with each threat category and can respond effectively to potential incidents.


    Conclusion

    Attackers continue to find new ways to exploit enterprise systems through SharePoint servers, DNS infrastructure, and e-commerce platforms. These vulnerabilities underscore why staying current with critical CVE vulnerabilities remains essential for security teams.

    Stay tuned for monthly updates from INE on the latest urgent CVEs and active exploitation campaigns. We'll continue highlighting the threats that matter most to help you prioritize your security efforts.

    To strengthen your vulnerability management skills, consider practicing CVE mitigation techniques using INE's Skill Dive Vulnerabilities Lab Collection. These hands-on labs provide practical experience with vulnerability assessment, exploitation techniques, and remediation strategies in safe, controlled environments. Building proficiency with vulnerability management processes ensures security teams can respond effectively when critical CVE vulnerabilities emerge.


    © 2024 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    Terms of servicePrivacy policy
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo