Cybersecurity Today: SharePoint Hack Reaches Crisis Level and More – July 25, 2025
In the July 25, 2025 episode of Cybersecurity Today, hosted by David Shipley, several critical cybersecurity issues were discussed, including a severe SharePoint vulnerability, urgent patches from Mitel Networks, a high-stakes lawsuit involving Clorox, and a significant phishing attack targeting popular NPM packages. This comprehensive summary delves into each topic, highlighting key points, expert insights, and notable quotes to provide a clear understanding of the current cybersecurity landscape.
1. Critical SharePoint Vulnerability Sparks Widespread Breaches
At the heart of the episode is a discussion on a critical vulnerability in Microsoft's legacy SharePoint server software, which has led to extensive cyber attacks and data breaches. This flaw originated from a flawed patch for a zero-day (0day) vulnerability disclosed during the PWN to Own competition in May. Since its disclosure, multiple threat actors, including the China-linked group Storm 2603, have exploited this vulnerability to deploy ransomware, marking a shift from traditional cyber espionage to more disruptive activities.
Key Points:
- Scope of Impact: Over 400 organizations have been compromised, a figure that has quadrupled since initial reports. This number is likely underestimated, with high-profile victims including US Federal agencies such as the National Institutes of Health (NIH), Department of Homeland Security (DHS), Department of Energy (DoE), and the National Nuclear Security Administration (NNSA).
- Vulnerable Systems: The vulnerability specifically affects self-managed, on-premises SharePoint servers. Many of these servers are outdated and exposed to the internet, making them prime targets for attackers.
- Expert Insight: Jake Williams of Hunter Strategy emphasized the inevitability of breaches in exposed systems, stating,
"If you're exposing a SharePoint server to the Internet, I would emphasize that you also have to budget for incident response because that server will eventually get popped." [12:45]
Recommendations:
- Upgrade or Decommission: Microsoft is urging organizations to upgrade to supported SharePoint versions or decommission unsupported servers.
- Apply Latest Patches: Ensure that all supported versions, including SharePoint Server 2016 and 2019, have the latest security patches applied.
- Enhanced Monitoring: Implement robust monitoring and incident response strategies to quickly detect and mitigate potential breaches.
2. Mitel Networks Issues Urgent Patches for Critical Vulnerabilities
Mitel Networks has identified and addressed two significant vulnerabilities affecting its enterprise communications platforms, underscoring the growing threat landscape targeting collaboration and communication tools.
Vulnerabilities Discussed:
-
MyVoice MXOne Authentication Bypass: A critical flaw that allows attackers to gain administrative access without authentication. This vulnerability lacks a Common Vulnerabilities and Exposures (CVE) identifier but poses a severe risk due to its exploitability in low-complexity attacks without user interaction.
- Affected Versions: 7.37.3.0.0.50 through 7.1 SP1.7.8.1.0.14
- Mitigation: Mitel has released patches in version 7.8. Customers must request these patches through authorized service providers and are strongly advised against exposing MX1 services to the internet. Deployment within trusted internal networks with strict access controls is recommended.
-
MyCollab SQL Injection Vulnerability (CVE-2025-52914): A high-severity SQL injection flaw that could allow attackers to execute arbitrary SQL commands on vulnerable devices. While there are no known exploits in the wild currently, the history of attacks on Mitel products necessitates immediate action.
Industry Context:
- Previous vulnerabilities, such as the MyCollab Path Traversal Vulnerability (CVE-2024-555550) and the arbitrary file read 0day (CVE-2024-41713) disclosed by Watchtower Labs, have been actively exploited, highlighting the persistent threats against Mitel's platforms.
Recommendations:
- Immediate Patching: Security and IT teams should apply the latest patches without delay.
- Restrict Access: Limit access to MyVoice MX1 services to internal, trusted networks.
- Enhanced Security Measures: Implement multi-factor authentication (MFA) and continuous monitoring to prevent unauthorized access.
3. Clorox Sues Former IT Service Provider Cognizant Over Massive Data Breach
A significant legal battle is unfolding as consumer goods giant Clorox files a lawsuit against its former IT service provider, Cognizant, seeking up to $380 million in compensation following a devastating cyber attack attributed to the Scattered Spider threat group.
Case Details:
-
Incident Overview: In August 2023, Clorox experienced a massive data breach that crippled its operations, leading to shutdowns of manufacturing facilities and empty shelves across stores.
-
Allegations Against Cognizant: Clorox claims that Cognizant failed to properly verify the identity of callers requesting password and multi-factor authentication (MFA) resets. Specifically, attackers pretended to be Clorox representatives, enabling unauthorized access that facilitated the breach.
"At no point during any of the calls did the agent verify the caller was in fact employee number one." [25:30]
-
Cognizant's Response: In a statement to Bleeping Computer, Cognizant defended its actions, asserting that Clorox had an inadequate internal cybersecurity system and that Cognizant was only responsible for help desk services.
"It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack... Cognizant did not manage cybersecurity for Clorox." [28:15]
Implications:
- Industry Impact: This lawsuit, alongside the ongoing Delta Air Lines vs. CrowdStrike case, is set to have profound implications for IT service and solution providers, highlighting the critical importance of stringent security protocols in help desk operations.
Key Lesson:
-
Strengthening Help Desk Security:
"Your Help desk is your frontline. Harden it, train it, audit it." – David Shipley [30:50]
Organizations must ensure that their help desk teams are thoroughly trained in verification procedures and that third-party providers adhere strictly to established security protocols to prevent similar breaches.
4. Widespread Phishing Attack Compromises Popular NPM Packages
The episode also highlights a significant phishing attack that successfully targeted maintainers of widely-used NPM packages, injecting malicious code that affects millions of developers and organizations globally.
Attack Details:
- Targeted Packages: The attack compromised popular packages such as
eslint,Config,Prettier,eslint-plugin-prettier, andsynckit, all linked to the phishing domainnpnjs.com. - Methodology: On July 19, 2025, attackers hijacked maintainer credentials through a phishing campaign, allowing them to publish malware-laden updates in versions 3.3.1 through 5.0.0. These updates went unnoticed for nearly six hours.
- Malware Functionality: The injected malware acts as a backdoor, establishing WebSocket connections to exfiltrate environment data and enabling remote execution of JavaScript, effectively turning development machines into compromised endpoints. In some instances, a Windows-based infostealer named "Scavenger" was deployed to extract browser-stored credentials.
Impact:
- Download Figures: The compromised packages are integral to numerous development workflows, with downloads reaching over 2.8 million times weekly.
- Developer and Organizational Risk: The backdoor access and credential theft pose severe risks, potentially leading to unauthorized access to sensitive systems and data.
Recommendations:
-
Immediate Actions for Developers:
- Stop Auto-Updates: Disable automatic updates for affected packages.
- Revert to Safe Versions: Downgrade to versions released before July 18, 2025.
- Rotate Credentials: Change passwords and revoke any compromised tokens.
- Lock Dependencies: Implement dependency locking and block malicious files.
- Audit Environments: Conduct thorough audits to detect and mitigate any compromises.
-
Protocol Enhancements for Maintainers:
- Enable MFA: Ensure multi-factor authentication is enabled to protect maintainer accounts.
- Monitor Packages: Continuously monitor package integrity and updates.
- Phishing Protections: Strengthen defenses against phishing to safeguard credentials.
Expert Advice: David Shipley emphasized the importance of transparency and prompt communication in the wake of such attacks:
"When a mistake happens, tell people about it as soon as possible. Don't hide it. As always, stay skeptical and stay patched." [35:20]
Closing Remarks
The episode concluded with a reminder of the critical importance of proactive cybersecurity measures. From addressing vulnerabilities in widely-used platforms like SharePoint and Mitel's MyVoice MXOne to enhancing help desk security and safeguarding against supply chain attacks on open-source projects, the landscape remains fraught with complex challenges. Organizations are urged to remain vigilant, apply timely patches, train their teams effectively, and adopt robust security protocols to mitigate the escalating threats.
For listeners seeking to stay ahead in the ever-evolving field of cybersecurity, this episode underscores the necessity of continuous monitoring, swift response to vulnerabilities, and the implementation of comprehensive security strategies across all facets of an organization.
Contact & Feedback: David Shipley invites listeners to share their opinions and feedback via email at us@EditorialEchnewsDayCA or by commenting under the podcast's YouTube video. Listeners are also encouraged to support the show by liking, subscribing, rating, and reviewing on their preferred podcast platforms.
