
The recent SharePoint hack is spreading like wildfire through unpatched systems. All this and more on today's episode with guest host David Shipley.
David Shipley
Hundreds of organizations, including a nuclear weapons agency, hit with data breaches due to a SharePoint patch flaw. Mitel warns of a critical MiVoice MX-ONE authentication bypass flaw. Another popular npm package poisoned with malware after a phishing attack. And Clorox sues its former IT service provider for $380 million following a 2023 Scattered Spider cyber attack. This is Cybersecurity Today and I'm your host, David Shipley, sitting in for Jim Love. A quick programming note: Jim is still working with our podcasting infrastructure provider to figure out why some services, like smart speakers, may not be getting our latest episodes. Hopefully we'll have it resolved soon. I'm helping out today and we'll be back for Monday's episode. A critical vulnerability in Microsoft's legacy SharePoint server software has led to widespread cyber attacks and data breaches, now escalating to include ransomware deployment, according to an update from Microsoft. The flaw, which initially stemmed from a botched patch for a zero-day disclosed at the Pwn2Own competition in May, has since been exploited by multiple threat actors. Those threat actors include the China-linked group Storm-2603, and Microsoft says this actor is also now deploying ransomware payloads, marking a significant shift from traditional cyber espionage towards more disruptive operations. Netherlands-based Eye Security reports at least 400 organizations are known to have been compromised. That's quadruple the figure first reported early this week when the initial breaches became apparent. Eye Security believes the true number is even higher than that. Victims include high-profile US federal agencies. The National Institutes of Health confirmed one server was breached, while others were isolated as a precaution. Nextgov and Politico reported that the Department of Homeland Security and at least a dozen other agencies may have also been hit.
The Department of Energy also acknowledged an earlier compromise involving the National Nuclear Security Administration. This SharePoint vulnerability specifically affects self-managed, on-premise SharePoint servers, many of which are outdated and still exposed to the Internet. Experts warn these systems are rarely patched or monitored. Jake Williams of Hunter Strategy said, quote, "If you're exposing a SharePoint server to the Internet, I would emphasize that you also have to budget for incident response because that server will eventually get popped." Microsoft is urging customers to upgrade or decommission unsupported servers and to apply the latest fixes to supported versions, including the 2016 and 2019 versions of SharePoint Server. Mitel Networks has issued urgent patches for a critical authentication bypass vulnerability affecting its MiVoice MX-ONE enterprise communications platform, warning that attackers can exploit the flaw to gain administrative access without authentication. The flaw, which currently lacks a CVE identifier, stems from an improper access control issue within the MiVoice MX-ONE Provisioning Manager. Mitel says attackers could exploit the bug in low-complexity attacks, with no user interaction required, to seize control of unpatched systems. MiVoice MX-ONE is a SIP-based enterprise communications platform used in large-scale deployments across sectors like education, healthcare, government and financial services. It supports hundreds of thousands of users and is widely deployed in private networks. Systems running versions 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) are affected. Mitel has released fixes in version 7.8 (MXO-15711_78SP0) and 7.8 SP1 (MXO-15711_78SP1). Customers on impacted versions must request patches via authorized service providers, and the company strongly advises against exposing MX-ONE services to the Internet, recommending deployments within trusted internal networks with access to the Provisioning Manager strictly controlled.
In addition to this news, Mitel also disclosed a high-severity SQL injection vulnerability, CVE-2025-52914, in its MiCollab platform that could also allow attackers to execute arbitrary SQL commands on vulnerable devices. While neither flaw is known to be exploited in the wild yet, Mitel products have drawn attention from attackers before. In January, the US Cybersecurity and Infrastructure Security Agency flagged a MiCollab path traversal vulnerability, CVE-2024-55550, actively used in attacks that followed the patching of an arbitrary file read zero-day, CVE-2024-41713, disclosed by watchTowr Labs. Now, Mitel's platform is used by over 60,000 organizations and 75 million users globally, with a rising trend of attackers targeting collaboration and communications tools. Security teams and IT teams are urged to patch immediately and to make sure that access to these services is restricted from external access. Scattered Spider's fallout is starting to hit the nine figures, with a scathing new lawsuit upping the stakes for IT service providers offering help desk services to companies. According to a lawsuit filed by consumer goods giant Clorox, its then IT service provider Cognizant reset a corporate user's password and multi-factor authentication credentials without verifying the caller's identity, a move Clorox claims directly enabled a massive August 2023 breach allegedly carried out by Scattered Spider. The attackers reportedly used the same tactic not just once but twice, even gaining access to a Clorox IT security employee's account, which helped them move deeper into the network. The result? Clorox's operations were crippled, manufacturing shut down, shelves empty. They're now seeking $49 million in direct damages and up to $380 million in total compensation.
The lawsuit alleges that on August 11, 2023, recordings show that a cybercriminal called the Cognizant service desk multiple times pretending to be a Clorox representative and requesting a password and multi-factor authentication reset. Quote: "At no point during any of the calls did the agent verify the caller was in fact employee number one. At no point did the agent follow Clorox's credential support procedures, either the pre-2023 procedure or the January 2023 update, before changing the password for the cybercriminal. The agent further reset Employee 1's MFA credentials multiple times without any identity verification at all. And at no point did the agent send the required emails to the employee or the employee's manager to alert them of the password reset," Clorox claims in its complaint. Cognizant issued a scathing response to the lawsuit to BleepingComputer on Thursday. Quote: "It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services, which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox." End quote. None of these claims have been proven in court. A few things to note: this lawsuit, alongside the ongoing Delta Air Lines vs. CrowdStrike lawsuit, will have massive impacts on IT service and solution provider risk. Stay tuned. Secondly, help desk processes have to be hardened. If your frontline support staff aren't properly educated and trained, or worse, if they ignore basic verification steps, you are one call away from chaos. The lesson for organizations here is simple: your help desk is your frontline. Harden it, train it, audit it. And don't assume third-party providers are following your procedures unless you verify regularly.
You don't need to spend millions of dollars to fix this, and you don't need a fancy new vendor silver-bullet, AI-powered blinky-box solution. But ignoring this could cost you hundreds of millions of dollars. Yet another day, yet another breach tied to a successful phishing attack on a popular maintainer of npm packages on July 19, 2025. The popular npm package "is", which is downloaded more than 2.8 million times a week, was also found compromised. Malicious code was slipped into versions 3.3.1 through 5.0.0 after a phishing campaign hijacked the maintainer's credentials. The attackers then published malware-laced updates and went unnoticed for nearly six hours. This wasn't an isolated hit. Other widely used packages like eslint-config-prettier, eslint-plugin-prettier and synckit were also affected, all tied to the same phishing domain, npnjs.com. We reported on Monday on the attack on eslint. That particular plugin is downloaded more than 3 million times weekly. This new malware in "is" acts as a backdoor. It opens a WebSocket connection, exfiltrates environment data, and allows attackers to execute JavaScript remotely, effectively turning dev machines into puppet endpoints. In other packages, researchers found a Windows-based infostealer dubbed Scavenger, capable of extracting browser-stored credentials while using techniques to dodge detection. And watch out for the extraction of developer or IT admin credentials: this is what burned popular password manager LastPass years ago. Be careful. If this feels familiar, it should. Supply chain attacks on open source projects are a standard and growing threat vector now. Here's what developers and teams should be thinking about right now: stop auto-updates for any of the affected packages, revert to known safe versions from before July 18, 2025, rotate passwords and revoke compromised tokens, lock dependencies and lockfiles, and audit your environment.
Assume compromise if you pulled the affected versions. And for maintainers: enable MFA, monitor your packages and don't sleep on phishing protection now. One thing I want to say: do what the maintainer behind "is" and eslint has done. When a mistake happens, tell people about it as soon as possible. Don't hide it. As always, stay skeptical and stay patched. And if you're running SharePoint on-prem unpatched, may the Force be with you. We're always interested in your opinion and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video as well. A small ask: help us spread the word about the show. Give us a like, subscribe, leave a rating on your popular podcast platform or leave a review. If you like the show, please tell others; we'd love to grow our audience even more and we need your help. I've been your host, David Shipley. I'll be back on Monday to kick off the week and Jim Love will be back on Wednesday. Thanks for listening.
Cybersecurity Today: SharePoint Hack Reaches Crisis Level and More – July 25, 2025
In the July 25, 2025 episode of Cybersecurity Today, hosted by David Shipley, several critical cybersecurity issues were discussed, including a severe SharePoint vulnerability, urgent patches from Mitel Networks, a high-stakes lawsuit involving Clorox, and a significant phishing attack targeting popular NPM packages. This comprehensive summary delves into each topic, highlighting key points, expert insights, and notable quotes to provide a clear understanding of the current cybersecurity landscape.
At the heart of the episode is a discussion on a critical vulnerability in Microsoft's legacy SharePoint server software, which has led to extensive cyber attacks and data breaches. This flaw originated from a botched patch for a zero-day vulnerability disclosed during the Pwn2Own competition in May. Since its disclosure, multiple threat actors, including the China-linked group Storm-2603, have exploited this vulnerability to deploy ransomware, marking a shift from traditional cyber espionage to more disruptive activities.
Key Points:
Scale: Netherlands-based Eye Security counts at least 400 compromised organizations, quadruple the figure first reported earlier in the week, and believes the true number is higher.
Victims: The National Institutes of Health confirmed one server was breached and isolated others as a precaution; Nextgov and Politico reported that the Department of Homeland Security and at least a dozen other agencies may have been hit; the Department of Energy acknowledged an earlier compromise involving the National Nuclear Security Administration.
Exposure: Only self-managed, on-premise SharePoint servers are affected, and many of these are outdated, Internet-exposed and rarely patched or monitored.
"If you're exposing a SharePoint server to the Internet, I would emphasize that you also have to budget for incident response because that server will eventually get popped." – Jake Williams, Hunter Strategy [12:45]
Recommendations:
Upgrade or decommission unsupported SharePoint servers, apply the latest fixes to supported versions (SharePoint Server 2016 and 2019), and budget for incident response on any server that remains exposed to the Internet.
Mitel Networks has identified and addressed two significant vulnerabilities affecting its enterprise communications platforms, underscoring the growing threat landscape targeting collaboration and communication tools.
Vulnerabilities Discussed:
MiVoice MX-ONE Authentication Bypass: A critical flaw in the MiVoice MX-ONE Provisioning Manager that allows attackers to gain administrative access without authentication. This vulnerability lacks a Common Vulnerabilities and Exposures (CVE) identifier but poses a severe risk due to its exploitability in low-complexity attacks without user interaction. Versions 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) are affected; fixes are available for 7.8 (MXO-15711_78SP0) and 7.8 SP1 (MXO-15711_78SP1).
MiCollab SQL Injection Vulnerability (CVE-2025-52914): A high-severity SQL injection flaw that could allow attackers to execute arbitrary SQL commands on vulnerable devices. While there are no known exploits in the wild currently, the history of attacks on Mitel products necessitates immediate action.
Industry Context:
Mitel's platforms are used by over 60,000 organizations and 75 million users globally, and attackers are increasingly targeting collaboration and communications tools. In January, the US Cybersecurity and Infrastructure Security Agency flagged a MiCollab path traversal vulnerability (CVE-2024-55550) as actively exploited, following the patching of an arbitrary file read zero-day (CVE-2024-41713) disclosed by watchTowr Labs.
Recommendations:
Request the MX-ONE patches through an authorized service provider, keep MX-ONE services off the Internet within trusted internal networks with access to the Provisioning Manager strictly controlled, and patch MiCollab immediately while restricting external access to these services.
A significant legal battle is unfolding as consumer goods giant Clorox files a lawsuit against its former IT service provider, Cognizant, seeking up to $380 million in compensation following a devastating cyber attack attributed to the Scattered Spider threat group.
Case Details:
Incident Overview: In August 2023, Clorox experienced a massive data breach that crippled its operations, leading to shutdowns of manufacturing facilities and empty shelves across stores.
Allegations Against Cognizant: Clorox claims that Cognizant failed to properly verify the identity of callers requesting password and multi-factor authentication (MFA) resets. Specifically, attackers pretended to be Clorox representatives, enabling unauthorized access that facilitated the breach.
"At no point during any of the calls did the agent verify the caller was in fact employee number one." [25:30]
Cognizant's Response: In a statement to BleepingComputer, Cognizant defended its actions, asserting that Clorox had an inadequate internal cybersecurity system and that Cognizant was only responsible for help desk services.
"It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack... Cognizant did not manage cybersecurity for Clorox." [28:15]
Implications:
Clorox is seeking $49 million in direct damages and up to $380 million in total compensation. None of the claims have been proven in court, but the case, alongside the ongoing Delta Air Lines vs. CrowdStrike lawsuit, is expected to have a major impact on the risk carried by IT service and solution providers.
Key Lesson:
Help desk processes must be hardened. If frontline support staff are not properly educated and trained, or ignore basic verification steps, an organization is one call away from chaos, and fixing this does not require millions of dollars or a new vendor product.
Strengthening Help Desk Security:
"Your Help desk is your frontline. Harden it, train it, audit it." – David Shipley [30:50]
Organizations must ensure that their help desk teams are thoroughly trained in verification procedures and that third-party providers adhere strictly to established security protocols to prevent similar breaches.
The episode also highlights a significant phishing attack that successfully targeted maintainers of widely-used NPM packages, injecting malicious code that affects millions of developers and organizations globally.
Attack Details:
Phishing Campaign: On July 19, 2025, a phishing campaign tied to the domain npnjs.com hijacked a maintainer's credentials. The attackers published malware-laced versions 3.3.1 through 5.0.0 of the npm package "is" (downloaded more than 2.8 million times a week), which went unnoticed for nearly six hours.
Other Affected Packages: eslint-config-prettier, eslint-plugin-prettier, and synckit, all linked to the same phishing domain, npnjs.com.
Impact:
The malicious code in "is" acts as a backdoor: it opens a WebSocket connection, exfiltrates environment data, and lets attackers execute JavaScript remotely on developer machines. In other packages, researchers found a Windows-based infostealer dubbed Scavenger that extracts browser-stored credentials while evading detection; theft of developer or IT admin credentials is the same kind of exposure that burned LastPass years ago.
Recommendations:
Immediate Actions for Developers: Stop auto-updates for the affected packages, revert to known safe versions published before July 18, 2025, rotate passwords and revoke compromised tokens, lock dependencies and lockfiles, audit the environment, and assume compromise if the affected versions were pulled.
Protocol Enhancements for Maintainers: Enable MFA, monitor published packages, and invest in phishing protection.
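As an added example (not code from the podcast or from any of the projects named), a Python script that applies the "revert and audit" advice above to an npm lockfile: it flags the compromised "is" releases (3.3.1 through 5.0.0) anywhere in the dependency tree, including nested copies, and lists the other packages named in the episode for manual review, since no version range was given for them. The lockfile contents are constructed; the function and variable names are assumptions of this example.

```python
import json

# Compromised range stated in the episode: "is" 3.3.1 through 5.0.0, inclusive.
COMPROMISED_IS_RANGE = ((3, 3, 1), (5, 0, 0))
# Other packages named in the episode. No version range was given for them,
# so they are listed for manual review rather than judged automatically.
REVIEW_PACKAGES = {"eslint-config-prettier", "eslint-plugin-prettier", "synckit"}

def parse_version(version):
    """'3.3.1' -> (3, 3, 1); a pre-release suffix such as '-rc.1' is dropped."""
    return tuple(int(part) for part in version.split("-")[0].split(".")[:3])

def package_name(lock_path):
    """Name from a lockfile key: 'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]

def audit_lockfile(lock):
    """Return (compromised, review) lists of (name, version) from a v2/v3 lockfile."""
    compromised, review = [], []
    for lock_path, meta in lock.get("packages", {}).items():
        if not lock_path:  # the empty key is the root project itself
            continue
        name, version = package_name(lock_path), meta.get("version", "")
        if name == "is" and version:
            low, high = COMPROMISED_IS_RANGE
            if low <= parse_version(version) <= high:
                compromised.append((name, version))
        elif name in REVIEW_PACKAGES:
            review.append((name, version))
    return compromised, review

# Constructed sample lockfile (lockfileVersion 3 layout), not a real project.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/is": {"version": "3.3.1"},
    "node_modules/some-lib/node_modules/is": {"version": "3.3.0"},
    "node_modules/eslint-config-prettier": {"version": "9.9.9"},
    "node_modules/@scope/util": {"version": "2.0.0"}
  }
}""")

if __name__ == "__main__":
    hits, to_review = audit_lockfile(SAMPLE_LOCK)
    print("compromised (revert to a release before 2025-07-18):", hits)
    print("review (confirm the pinned release predates 2025-07-18):", to_review)
```

To run it against a real project, replace SAMPLE_LOCK with json.load() of the project's package-lock.json; nested copies of "is" under other dependencies are checked the same way as top-level ones.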
Expert Advice: David Shipley emphasized the importance of transparency and prompt communication in the wake of such attacks:
"When a mistake happens, tell people about it as soon as possible. Don't hide it. As always, stay skeptical and stay patched." [35:20]
The episode concluded with a reminder of the critical importance of proactive cybersecurity measures. From addressing vulnerabilities in widely used platforms like SharePoint and Mitel's MiVoice MX-ONE to enhancing help desk security and safeguarding against supply chain attacks on open-source projects, the landscape remains fraught with complex challenges. Organizations are urged to remain vigilant, apply timely patches, train their teams effectively, and adopt robust security protocols to mitigate the escalating threats.
For listeners seeking to stay ahead in the ever-evolving field of cybersecurity, this episode underscores the necessity of continuous monitoring, swift response to vulnerabilities, and the implementation of comprehensive security strategies across all facets of an organization.
Contact & Feedback: David Shipley invites listeners to share their opinions and feedback via email at editorial@technewsday.ca or by commenting under the podcast's YouTube video. Listeners are also encouraged to support the show by liking, subscribing, rating, and reviewing on their preferred podcast platforms.