Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from July that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2025-53770
CVE-2025-53770 is a critical vulnerability affecting on-premises Microsoft SharePoint Server, stemming from the unsafe deserialization of untrusted data. The flaw enables unauthenticated remote attackers to execute arbitrary code over a network without needing any prior access. The issue was confirmed to be exploited in the wild as of July 2025, prompting Microsoft and CISA to issue urgent guidance. Until a full patch is released, Microsoft has advised all administrators to apply a mitigation strategy described in the CVE documentation, which includes hardening machineKey configuration and isolating untrusted inputs.
The vulnerability lies in how SharePoint handles serialized data. When untrusted or manipulated input is passed to the server and deserialized without adequate validation, it can be crafted in such a way that code is executed during the deserialization process. In the case of CVE-2025-53770, this flaw enables attackers to leak or modify critical configuration values such as machineKey parameters, which are used to sign and encrypt authentication tokens. If an attacker is able to retrieve or guess these keys, they can forge authentication tokens or session identifiers, ultimately granting themselves unauthorized administrative access.
Because the exploit requires no authentication and can be executed remotely, the risk is exceptionally high, particularly for organizations exposing SharePoint to the internet or using it for cross-organizational collaboration. The attack chain is typically initiated via a specially crafted HTTP request that triggers the deserialization logic. From there, attackers can escalate privileges, install webshells, pivot into the internal network, or steal sensitive internal documents.
The CVSS v3 score of 9.8 accurately reflects the severity of the issue, especially since exploitation does not require user interaction, privileges, or prior compromise. Organizations running affected versions of SharePoint should treat this as a high-priority threat. Even in environments with limited internet exposure, internal attackers or compromised devices can exploit the flaw to move laterally or establish persistent access.
Until Microsoft completes its patch testing and release cycle, the only protection available is through manual mitigations and enhanced monitoring. Administrators are urged to follow Microsoft’s mitigation steps immediately and to monitor for signs of compromise—such as anomalous web requests, PowerShell activity, or unexpected machineKey changes. Detection rules focused on deserialization payloads, encoded web requests, and suspicious access to configuration files should be deployed across affected SharePoint environments.
CVE-2025-53771
CVE-2025-53771 is a medium-severity vulnerability in Microsoft Office SharePoint that stems from improper restrictions on pathnames, leading to a path traversal condition. This flaw allows an unauthenticated, remote attacker to perform spoofing attacks by crafting malicious requests that reference directories outside of the intended file structure. The vulnerability was publicly disclosed on July 21, 2025, and appears to be part of the same broader issue set as CVE-2025-53770, though it involves a different attack vector and threat outcome.
In this case, the weakness lies in SharePoint’s failure to properly sanitize or validate user-supplied input used in file or directory paths. Exploiting this, an attacker could manipulate HTTP requests to access or reference unauthorized files or directories, potentially tricking users or systems into accepting spoofed responses or metadata. This could result in the exposure of sensitive file locations or allow redirection to malicious content under the guise of legitimate resources.
The vulnerability does not require user interaction or authentication, which makes it accessible to unauthenticated attackers over the network. However, because the impact is limited to confidentiality and integrity, without availability or direct code execution, the CVSS v3 score is capped at 6.5.
While Microsoft has not flagged active exploitation as of its initial advisory, organizations using SharePoint in externally accessible environments should still apply available updates promptly. Monitoring for unexpected file references or URL patterns containing encoded traversal sequences (such as ../) may help detect early reconnaissance or exploitation attempts. Given its proximity in disclosure date to the high-profile CVE-2025-53770 SharePoint flaw, it is likely that threat actors targeting one may probe for the other.
CVE-2025-49704
CVE-2025-49704 is a high-severity remote code execution vulnerability in Microsoft SharePoint Server that stems from improper control over the generation of code, enabling a code injection condition. The vulnerability was first disclosed during the May 2025 Pwn2Own Berlin competition and later patched by Microsoft as part of the July 2025 Patch Tuesday updates. Despite being addressed, it remains under active exploitation and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to its inclusion in real-world attack chains.
This flaw arises from deserialization of untrusted data, a scenario where the server processes attacker-controlled input in a way that allows arbitrary code execution. The vulnerability specifically affects on-premises SharePoint environments where authenticated users—those with limited privileges—can exploit the platform’s internal mechanisms to inject and execute code without requiring user interaction. The attack is conducted over the network and does not rely on elevated privileges or local access, making it an attractive vector for lateral movement or privilege escalation within compromised environments.
While CVE-2025-49704 alone poses significant risk, it has been observed in conjunction with related vulnerabilities, including CVE-2025-49706, to form more robust exploit chains capable of bypassing Microsoft’s initial mitigations. The underlying deserialization issue that enables code injection makes this a particularly dangerous vulnerability in environments where SharePoint serves as an externally accessible collaboration or content management platform.
The vulnerability has a CVSS v3 base score of 8.8 and an EPSS score of 0.14805, reflecting a moderate likelihood of exploitation and significant impact on confidentiality, integrity, and availability. Organizations using vulnerable SharePoint versions should apply Microsoft’s July 2025 updates immediately, audit SharePoint logs for suspicious user actions or unexpected workflow behavior, and isolate internet-facing SharePoint instances where possible until patching is confirmed. The continued presence of CVE-2025-49704 in active exploit chains indicates that threat actors view this vulnerability as a reliable entry point, particularly when paired with newer bypasses or privilege escalation techniques.
CVE-2025-49706
CVE-2025-49706 is a medium-severity vulnerability in Microsoft SharePoint that allows remote, unauthenticated attackers to bypass authentication mechanisms through improper validation of HTTP Referer headers. Initially demonstrated during the May 2025 Pwn2Own competition, this flaw was a key component in the broader ToolShell exploit chain. It enables spoofing attacks that grant unauthorized access to sensitive SharePoint components, particularly the ToolPane.aspx endpoint, which is crucial in the deployment of further exploitation payloads.
Although Microsoft released a patch as part of its July 2025 Patch Tuesday updates, this vulnerability has retained significance in active threat campaigns. Attackers have continued to use it as an entry point to exploit CVE-2025-49704 for remote code execution. In environments where the authentication bypass is successful, the attacker can trigger the deserialization of malicious input, resulting in full compromise of the underlying system. The vulnerability does not require user interaction, privileges, or complex attack setup, making it especially dangerous when used in chained attacks.
Security researchers have since observed follow-on bypasses, such as CVE-2025-53771, that emerged shortly after Microsoft’s patch. This indicates that mitigation efforts targeting CVE-2025-49706 alone may be insufficient without broader hardening of authentication and input validation logic within SharePoint.
The CVSS v3 base score for this vulnerability is 6.5, reflecting moderate impact with low attack complexity, while the EPSS score remains low at 0.00041, suggesting that exploitation is highly targeted. Despite its medium rating, the real-world risk escalates when CVE-2025-49706 is leveraged as part of an exploit chain. Organizations using on-premises SharePoint installations should not only apply the July 2025 security updates, but also monitor for signs of Referer-based manipulation in web traffic, and review access logs to detect unauthorized entry attempts. The vulnerability’s role in the ToolShell campaign makes clear its value to threat actors seeking stealthy network entry and control.
CVE-2025-54309
CVE-2025-54309 describes a critical vulnerability in CrushFTP versions 10 prior to 10.8.5 and version 11 prior to 11.3.4_23 that permits unauthenticated remote attackers to gain administrative access over HTTPS. The flaw lies in improper handling of AS2 validation logic, and it only affects configurations where the DMZ proxy feature is not enabled. By bypassing proper verification in the AS2 request processing, a remote attacker can craft malicious HTTPS requests that are accepted as legitimate administrative actions—resulting in full compromise of the affected CrushFTP server.
The vulnerability was first identified and exploited in the wild in mid-July 2025, prompting an emergency response from the vendor. Researchers observed the flaw being actively used to deploy remote access payloads on exposed systems, often without triggering standard detection mechanisms. Successful exploitation does not require user interaction or any level of prior authentication, making this vulnerability especially dangerous for publicly accessible instances of CrushFTP.
The issue carries a CVSS v3 base score of 9.8 (CVSS v2: 10.0), placing it at the highest tier of severity. With an EPSS score of 0.00101, it represents a highly targeted attack surface, rather than a broad-based exploitation pattern. Nevertheless, the fact that it has been confirmed as actively exploited and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog means that organizations should prioritize patching immediately.
CrushFTP administrators are advised to update to version 10.8.5 or 11.3.4_23 and review any anomalous access logs dating back to early July 2025. Those not using the DMZ proxy, particularly in cloud or externally accessible deployments, face the greatest exposure. Vendors and security teams should also validate that AS2 message handling is properly gated by access controls in any customized configurations. Failure to patch this flaw may lead to silent compromise and persistent unauthorized access across enterprise file transfer systems.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
