Week of July 25th, 2025

Welcome to Your Cybersecurity Recap: a bite-sized weekly newsletter by cybersecurity enthusiasts, for cybersecurity enthusiasts.

Here are this week’s top takeaways:

SharePoint Servers Under Active Attack by State-Linked Groups

On July 20th, CISA confirmed that on-premises Microsoft SharePoint servers are being actively exploited through a zero-day vulnerability chain, ToolShell, made up of a spoofing flaw (CVE-2025-49706) and a remote code execution flaw (CVE-2025-49704). Chained together, the two bugs let an unauthenticated attacker run code on the server, drop DLL or ASPX web shells, and steal the ASP.NET machine keys (ValidationKey and DecryptionKey). Anyone holding those keys can forge validly signed __VIEWSTATE payloads, so code execution survives the patch unless the keys are rotated. SharePoint Online (Microsoft 365) is not affected.

Eye Security first flagged the anomalous activity on July 18th, and evidence of compromise now spans nearly 100 organizations worldwide, including U.S. federal agencies, universities, critical infrastructure operators, and private-sector firms. Incident responders caution that any organization with an internet-exposed SharePoint server should assume breach: patching alone does not evict an attacker who already holds the machine keys or has planted a web shell, so thorough threat hunting and key rotation are required.

➡️ Read More: What to Know About SharePoint Servers Being Under Attack

CISA’s updated guidance now includes detection rules, IP indicators (e.g. 107.191.58[.]76), and instructions for enabling SharePoint’s AMSI integration with Microsoft Defender Antivirus, rotating the ASP.NET machine keys (followed by an IIS restart so the new keys take effect), and isolating SharePoint servers from the internet until mitigation is confirmed.
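For the threat hunting step, here is a small log hunt, added here as an example and not CISA’s or Microsoft’s tooling. It parses IIS W3C logs and flags three things: requests from the IP indicator quoted above, the ToolPane.aspx/SignOut.aspx request shape, and requests for (or files named like) the spinstall*.aspx dropper. The IP comes from the guidance cited in this newsletter; the request shape and file name are taken from public vendor ToolShell write-ups rather than from this page and are marked as assumptions in the code. The log lines are constructed.

```python
"""Hunt IIS W3C logs and the SharePoint LAYOUTS folder for ToolShell-style activity.

Added example, not CISA's or Microsoft's tooling. The IP indicator is the one
quoted in the newsletter; the ToolPane.aspx/SignOut.aspx request shape and the
spinstall*.aspx file name are assumptions taken from public ToolShell analyses.
The sample log below is constructed, not real traffic.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatch
from pathlib import Path
from typing import Iterable, Iterator

# Indicator quoted in the CISA guidance above (defanged there as 107.191.58[.]76).
KNOWN_BAD_IPS = {"107.191.58.76"}

# Assumptions: request shape and dropper name reported in public ToolShell analyses.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL_GLOB = "spinstall*.aspx"


@dataclass
class Hit:
    line_no: int
    client_ip: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line number, field dict) for each data line of an IIS W3C log.

    The '#Fields:' directive names the columns; data lines whose column count
    does not match are skipped rather than guessed at.
    """
    fields: list[str] | None = None
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue
        yield n, dict(zip(fields, parts))


def hunt(lines: Iterable[str]) -> list[Hit]:
    """Return every log line that matches one of the three indicators."""
    hits: list[Hit] = []
    for n, rec in parse_w3c(lines):
        ip = rec.get("c-ip", "-")
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        referer = rec.get("cs(Referer)", "").lower()
        if ip in KNOWN_BAD_IPS:
            hits.append(Hit(n, ip, "request from known-bad IP"))
        if (method == "POST" and stem.endswith(TOOLPANE_PATH)
                and "displaymode=edit" in query and SIGNOUT_REFERER in referer):
            hits.append(Hit(n, ip, "ToolPane.aspx edit POST with SignOut.aspx referer"))
        if fnmatch(stem.rsplit("/", 1)[-1], WEBSHELL_GLOB):
            hits.append(Hit(n, ip, "request for suspected web shell " + stem))
    return hits


def suspicious_layout_files(layouts_dir: Path) -> list[Path]:
    """List dropped ASPX files in a LAYOUTS folder whose names match the dropper pattern."""
    return sorted(p for p in layouts_dir.glob(WEBSHELL_GLOB) if p.is_file())


# Constructed sample log (not real traffic); the third line uses the IP from the guidance.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:41 10.0.0.5 GET /sites/hr/_layouts/15/start.aspx - 443 - 192.0.2.10 Mozilla/5.0 https://sp.contoso.local/sites/hr 200
2025-07-19 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.client_ip}: {hit.reason}")
```

Run it against the real `C:\inetpub\logs\LogFiles\W3SVC*\*.log` files by passing each file’s lines to `hunt()`, and point `suspicious_layout_files()` at the server’s `16\TEMPLATE\LAYOUTS` directory. A hit on the ToolPane rule or a dropper file means the machine keys should be treated as stolen regardless of patch state.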

New Actively Exploited Chrome V8 Zero-Day: CVE‑2025‑6554

Google has disclosed the fourth actively exploited Chrome zero-day of 2025: CVE‑2025‑6554, a type-confusion flaw in the V8 JavaScript engine that lets a crafted web page perform arbitrary memory reads and writes in the renderer, a primitive that typically leads to arbitrary code execution.

The fix shipped in Chrome 138.0.7204.96/.97 in late June, shortly after Google’s Threat Analysis Group detected the exploit. Few technical details are public, but Google confirms an exploit exists in the wild, which is why the patch was pushed through automatic updates with wide-scale urgency.

Google urges users to update Chrome manually rather than wait for the background updater to restart the browser, and enterprises to enforce updates through policy, since browser zero-days of this kind are particularly favored in targeted espionage attacks.
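Enforcing updates across a fleet means checking each host’s reported build against the fixed build, and this is easy to get wrong with string comparison. The helper below is an added example, not Google’s or the newsletter’s code: it compares dotted version strings numerically and sorts a constructed host inventory into patched, vulnerable and unknown buckets. The only fixed build it knows is the one named in the text above (138.0.7204.96 for CVE‑2025‑6554); entries for other CVEs would come from the vendor release notes.

```python
"""Fleet check: is each host's Chrome build at or above the fixed build for a CVE?

Added example, not from the newsletter or Google. The only fixed build listed
is the one named in the text (138.0.7204.96 for CVE-2025-6554); the host
inventory is constructed.
"""
from __future__ import annotations

MIN_FIXED_BUILD: dict[str, str] = {
    "CVE-2025-6554": "138.0.7204.96",  # from the newsletter text above
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '138.0.7204.96' into (138, 0, 7204, 96) so comparison is numeric.

    A plain string compare gets this wrong: '138.0.7204.100' < '138.0.7204.96'
    lexicographically, although build 100 is newer than build 96.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_fixed(installed: str, cve: str) -> bool:
    """True when the installed build is at or above the first fixed build for the CVE."""
    return parse_version(installed) >= parse_version(MIN_FIXED_BUILD[cve])


def audit_fleet(inventory: dict[str, str], cve: str) -> dict[str, list[str]]:
    """Sort hosts into 'patched', 'vulnerable' and 'unknown' (unparseable version) buckets."""
    result: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "patched" if is_fixed(version, cve) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed inventory (hostname -> Chrome version reported by the endpoint agent).
SAMPLE_INVENTORY = {
    "ws-001": "138.0.7204.97",
    "ws-002": "138.0.7204.100",  # newer build: a string compare would wrongly flag it
    "ws-003": "137.0.7151.119",
    "ws-004": "138.0.7204.49",
    "ws-005": "n/a",             # agent could not read the version
}

if __name__ == "__main__":
    for bucket, hosts in audit_fleet(SAMPLE_INVENTORY, "CVE-2025-6554").items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the unknown bucket deserve a manual look: an agent that cannot read the browser version often cannot enforce the update policy either.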

Chrome Zero-Day CVE‑2025‑2783 Used in Sophisticated Espionage Attacks

In March 2025, Kaspersky’s Global Research and Analysis Team (GReAT) identified CVE‑2025‑2783, a Chrome sandbox escape on Windows that was being used extensively in an espionage campaign Kaspersky codenamed Operation ForumTroll.

Attackers delivered the exploit to Russian government and media targets via phishing links disguised as invitations to the “Primakov Readings” forum. Opening the link in Chrome was enough: a second exploit stage bypassed the sandbox and gave full remote code execution with no further user interaction.

Google patched the flaw in Chrome 134 in late March, credited Kaspersky for the discovery, and advised users of all Chromium-based browsers to update promptly. The operation’s sophistication underscores a growing trend of covert browser-based attacks that begin with narrowly targeted social engineering.

➡️ Learn More: Your Guide to Social Engineering Security Testing

Additional Critical Vulnerabilities: Apache Tomcat RCE & VMware Hypervisor Escapes

Security researchers report exploitation in the wild of Apache Tomcat’s CVE‑2025‑24813, a remote code execution bug that allows server takeover via unauthenticated PUT requests. The bug is not exploitable in a default install: it requires the default servlet to accept writes (readonly=false) with partial PUT enabled, and the code execution path additionally needs file-based session persistence and a deserialization gadget on the classpath.

Public PoCs appeared within 72 hours of the advisory, indicating rapid weaponization and substantial risk for infrastructure that relies on Tomcat servers configured this way.
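Because the Tomcat bug depends on configuration, the quickest check is an audit of `conf/web.xml` and `context.xml` for the preconditions above. The script below is an added example, not Apache’s tooling: it reads the DefaultServlet init-params (handling both the javaee and jakartaee namespaces) and the session manager, and reports the weak settings, with a constructed weak configuration beside a hardened one.

```python
"""Audit a Tomcat web.xml/context.xml pair for the CVE-2025-24813 preconditions.

Added example, not Apache's. The attack needs the DefaultServlet to accept
writes (readonly=false; Tomcat's default is true) with partial PUT enabled
(allowPartialPut, default true); the RCE variant additionally needs
file-based session persistence (PersistentManager + FileStore) and a
deserialization gadget on the classpath. The XML samples are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the namespace so javaee and jakartaee web.xml files both match."""
    return tag.rsplit("}", 1)[-1]


def _text(elem: ET.Element) -> str:
    return (elem.text or "").strip()


def default_servlet_params(web_xml: str) -> dict[str, str]:
    """Return the init-params of the DefaultServlet declaration, or {} if absent."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        classes = [_text(c) for c in servlet if _local(c.tag) == "servlet-class"]
        if classes != [DEFAULT_SERVLET]:
            continue
        params: dict[str, str] = {}
        for init in servlet:
            if _local(init.tag) != "init-param":
                continue
            name = value = ""
            for child in init:
                if _local(child.tag) == "param-name":
                    name = _text(child)
                elif _local(child.tag) == "param-value":
                    value = _text(child)
            if name:
                params[name] = value
        return params
    return {}


def uses_file_session_store(context_xml: str) -> bool:
    """True when context.xml configures PersistentManager backed by a FileStore."""
    root = ET.fromstring(context_xml)
    for mgr in root.iter():
        if _local(mgr.tag) != "Manager" or "PersistentManager" not in mgr.get("className", ""):
            continue
        if any(_local(s.tag) == "Store" and "FileStore" in s.get("className", "") for s in mgr):
            return True
    return False


def audit(web_xml: str, context_xml: str) -> list[str]:
    """Return a finding per weak setting; an empty list means no precondition is met."""
    findings: list[str] = []
    params = default_servlet_params(web_xml)
    readonly = params.get("readonly", "true").lower()            # Tomcat default: true
    partial_put = params.get("allowPartialPut", "true").lower()  # Tomcat default: true
    if readonly == "false":
        findings.append("DefaultServlet readonly=false: unauthenticated PUT can write files")
        if partial_put == "true":
            findings.append("allowPartialPut=true with writes enabled: partial PUT path to CVE-2025-24813 is open")
    if uses_file_session_store(context_xml):
        findings.append("PersistentManager with FileStore: file-based session deserialization precondition present")
    return findings


# Constructed samples: the weak pair meets every precondition, the hardened pair none.
WEAK_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>
"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value>",
)
WEAK_CONTEXT_XML = """\
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
"""
HARDENED_CONTEXT_XML = "<Context/>"

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_WEB_XML, WEAK_CONTEXT_XML)),
                        ("hardened", (HARDENED_WEB_XML, HARDENED_CONTEXT_XML))):
        print(label, audit(*pair) or ["no findings"])
```

A clean audit is not a substitute for the upgrade (the fix shipped in Tomcat 9.0.99, 10.1.35 and 11.0.3), but it tells you whether an unpatched server is reachable by the published PoCs at all.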

Similarly, Broadcom has issued urgent advisories for three actively exploited zero-days (CVE‑2025‑22224, CVE‑2025‑22225, CVE‑2025‑22226) in VMware ESXi, Workstation and Fusion. An attacker who already holds administrator privileges inside a guest VM can chain them to escape the guest and run code on the hypervisor, from which every other VM on the host is reachable. There is no workaround, so organizations running VMware virtualization are strongly advised to patch immediately.

Recent Posts From Our Ethical Hackers

Every month, our ethical hackers work to provide free resources so that your team can continue improving your organization's security posture.

NourEldin Mohammed

Offensive Security Trainee | OSCP Candidate | Software Developer with a Passion for Breaking & Securing Apps


Ouch, this SharePoint vulnerability is a big issue; currently working with a client that uses SharePoint 2019 on-prem.
