Hello and welcome to the Monday, July 21st, 2025 edition of the Sands Enanded Storm Centers.

Stormcast, my name is Johannes Orich, recording today from Jacksonville, Florida.

And this episode is brought to you by the Sands.edu Master's Degree program in information security engineering.

The top news today is a new actively exploited SharePoint vulnerability.

Microsoft published a special bulletin over the weekend to alert of this vulnerability,

but has not yet released a patch.

Microsoft's advice at this point is twofold.

First of all, deploy Antimalver on your SharePoint server. If you're unable to do so, block access to the SharePoint server,

basically take down your SharePoint site. Need of workaround is great. At this point,

the attackers exploiting this vulnerability have been deploying web shells.

Webshells are the preferred payload, of course, for exploits like this,

and Microsoft's anti-malware tools will detect web shells currently deployed by the group

attacking vulnerable SharePoint servers.

But it is likely only a matter of time for the web shells to emerge that will bypass current detection rules.

If you are operating a SharePoint server that is currently exposed to the internet, assume compromise.

There is no patch.

The vulnerability does not appear to be linked to a particular configuration.

Any currently deployed SharePoint server should be considered vulnerable,

and given the widespread exploitation of the vulnerability, should be considered compromise.

The exploit targets the toolpane.aspx script.

First evidence of the vulnerability was made public by researchers with Code White last week. But initially, no proof of concept, exploit or additional details were released.

The new vulnerability is a variant of an older vulnerability patch that this July is part

...