TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Cisco Vulnerabilities Exploited CVE-2025-20281 & CVE-2025-20337
2025/07/24
CrushFTP Zero-Day Vulnerability CVE-2025-54309
2025/07/21
Microsoft Zero-Day Vulnerabilities CVE-2025-53770 & CVE-2025-53771
2025/07/21
Bottom Line: Cisco updated a recently published advisory on two critical Remote Code Execution (RCE) vulnerabilities found within its Identity Services Engine (ISE) products, confirming that active exploitation is underway. As there are no workarounds, organizations must apply relevant security patches as soon as possible.
On July 21st, 2025, Cisco updated a previously published advisory, adding an additional vulnerability and confirming that exploitation of at least one of the vulnerabilities had been observed, without specifying which one. The initial advisory, published on June 25th, 2025, addressed CVE-2025-20281 and CVE-2025-20282, which impact Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Conductor (ISE-PIC) products. These products are “widely deployed in enterprise, government, and academic networks as a core network access control and policy enforcement platform”.
CVE-2025-20281 (CVSS: 10) is a Remote Code Execution (RCE) vulnerability that can allow an unauthenticated attacker to execute arbitrary code due to insufficient validation of user-supplied input. CVE-2025-20282 (CVSS: 10) allows attackers to upload arbitrary files to an impacted device and execute them as root, due to a lack of file validation checks. After Cisco's disclosure of the vulnerabilities, Proof-of-Concept (PoC) exploit code for CVE-2025-20281 was published. On July 17th, 2025, Cisco disclosed and patched CVE-2025-20337 (CVSS: 10), an RCE vulnerability that is similar to CVE-2025-20281. Within their advisory, Cisco confirmed that only Cisco ISE or ISE-PIC releases 3.3 and 3.4 are impacted (releases 3.2 and earlier are not affected), and that patches for all three vulnerabilities are included in version 3.3 Patch 7 and version 3.4 Patch 2.
On July 23rd, 2025, Trend Micro's Zero Day Initiative (ZDI) stated that they had detected active exploitation of CVE-2025-20281 as of July 17th, 2025, and indicated that, due to the similarities between this vulnerability and CVE-2025-20337, they “believe both are under active attack”. Trend Micro indicated that the attacks “appear to be limited and targeted”, but because Cisco ISE and ISE-PIC products are widely used, the “potential impact is large”. It should be noted that ISE and ISE-PIC devices are not generally exposed to the Internet; as such, threat actors would need to achieve initial access via alternative means prior to exploitation.
Cisco ISE is a security policy management platform that provides organizations with secure network access controls for users and devices. Vulnerabilities within this platform are considered critical and are targeted by threat actors because the platform controls access to networks, stores sensitive data, and integrates with security products and tools. Trend Micro has stated that these devices have “a high degree of network visibility through logging, which gives threat actors insight for further attacks in the network”, underscoring how critical these vulnerabilities are and the potential impact of exploitation.
The release of PoC exploit code lowers the barrier for threat actors of all skill levels to target vulnerabilities within their attacks. Evidence also shows that PoC exploit code can be adopted quickly by threat actors after its release, causing widespread exploitation. Due to the nature of ISE devices, the maximum severity of the vulnerability, and the release of PoC exploit code, eSentire's Threat Intelligence team assesses with medium confidence that exploitation of CVE-2025-20281 will become more widespread in the future. As such, organizations should ensure that the relevant security patches are applied, as Cisco has stated within their advisory that there are no workarounds for the vulnerabilities.
eSentire MDR for Network has detections in place monitoring for exploit attempts relating to CVE-2025-20281. eSentire's Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337. eSentire published an advisory for the vulnerabilities on July 24th, 2025, urging organizations that are running vulnerable instances of Cisco ISE and ISE-PIC to apply security updates. eSentire's Threat Response Unit (TRU) continues to track this topic for additional information and detection opportunities.
Bottom Line: CrushFTP confirms active exploitation of a critical zero-day vulnerability (CVE-2025-54309) since July 18th, allowing remote attackers to gain administrative access. Over 1,000 instances remain unpatched as of July 20th, putting organizations at risk of data theft and extortion attacks.
On July 18th, 2025, CrushFTP published a security advisory confirming a critical zero-day vulnerability impacting the file transfer application, tracked as CVE-2025-54309, that is being exploited in the wild.
CVE-2025-54309 (CVSS: 9.0) occurs due to mishandling of AS2 validation in CrushFTP instances with the DMZ feature disabled, allowing remote attackers to gain administrator access via HTTPS. Successful exploitation of the vulnerability may result in theft of sensitive data, leading to data extortion attacks. As of July 20th, 2025, the Shadowserver Foundation reported that 1,040 CrushFTP instances remain unpatched and are likely vulnerable to exploitation. The vulnerability affects all versions of CrushFTP 10 prior to version 10.8.5 and all versions of CrushFTP 11 prior to version 11.3.4_23.
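A version-triage helper covering both the Cisco ISE / ISE-PIC fixed releases from the Cisco item above (3.3 Patch 7 and 3.4 Patch 2) and the CrushFTP fixed versions stated here (10.8.5 and 11.3.4_23), as an added example that is not part of the briefing and not either vendor's own tooling. The dotted-with-underscore CrushFTP build form is taken from the advisory text; the "3.3 Patch 6" input form for ISE and the inventory records are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions as stated in the briefing: everything in the 10.x train below
# 10.8.5 and everything in the 11.x train below 11.3.4_23 is vulnerable.
CRUSHFTP_FIXED: Dict[int, Tuple[int, ...]] = {10: (10, 8, 5), 11: (11, 3, 4, 23)}

# Fixed patch level per affected ISE/ISE-PIC train; 3.2 and earlier are not affected.
ISE_FIXED_PATCH: Dict[Tuple[int, int], int] = {(3, 3): 7, (3, 4): 2}


def parse_crushftp_version(text: str) -> Tuple[int, ...]:
    """'11.3.4_23' -> (11, 3, 4, 23); '10.8.5' -> (10, 8, 5).

    The underscore build suffix becomes a fourth component, so tuple
    comparison orders plain 11.3.4 below 11.3.4_23, which is what
    "all versions prior to 11.3.4_23" requires.
    """
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"unrecognised CrushFTP version: {text!r}")
    return tuple(nums)


def crushftp_is_vulnerable(version: str) -> bool:
    v = parse_crushftp_version(version)
    fixed = CRUSHFTP_FIXED.get(v[0])
    if fixed is None:
        # Only the 10.x and 11.x trains are named in the advisory.
        return False
    return v < fixed


def ise_is_vulnerable(version: str) -> bool:
    """Assumed input format: '3.3 Patch 6', '3.4' (no patch), '3.3.0.430 Patch 7'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:patch\s*(\d+))?", version, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised ISE version: {version!r}")
    train = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    fixed_patch = ISE_FIXED_PATCH.get(train)
    if fixed_patch is None:
        # 3.2 and earlier (and any train not listed) are not affected per Cisco.
        return False
    return patch < fixed_patch


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hostnames in an inventory that still need patching."""
    checks = {"crushftp": crushftp_is_vulnerable, "cisco-ise": ise_is_vulnerable}
    needs_patch = []
    for asset in inventory:
        check = checks.get(asset["product"])
        if check and check(asset["version"]):
            needs_patch.append(asset["host"])
    return needs_patch


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    {"host": "mft-01", "product": "crushftp", "version": "11.3.4_22"},
    {"host": "mft-02", "product": "crushftp", "version": "11.3.4_23"},
    {"host": "mft-03", "product": "crushftp", "version": "10.8.4"},
    {"host": "ise-01", "product": "cisco-ise", "version": "3.3 Patch 6"},
    {"host": "ise-02", "product": "cisco-ise", "version": "3.4 Patch 2"},
    {"host": "ise-03", "product": "cisco-ise", "version": "3.2 Patch 5"},
]

if __name__ == "__main__":
    print("needs patching:", triage(SAMPLE_INVENTORY))
```

The CrushFTP comparison deliberately treats a version with no build suffix (11.3.4) as older than 11.3.4_23, since the advisory's "prior to" includes it; the ISE check keys on the release train first, so a 3.2 host is reported clean regardless of its patch level.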
CrushFTP believes the attackers reverse engineered their code to identify the vulnerability and exploit it in instances that had not been updated. Organizations running up-to-date versions of CrushFTP are not affected by the reported exploitation. The security advisory also mentioned that enterprise customers with DMZ enabled remain unaffected.
No other technical details related to CVE-2025-54309 are disclosed, and no Proof-of-Concept (PoC) exploit code is publicly available at the time of writing.
Organizations should review systems for the following signs of exploitation:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-54309 to its Known Exploited Vulnerabilities (KEV) catalog on July 22nd, 2025, requiring Federal Civilian Executive Branch (FCEB) agencies to fix the flaw by August 12th, 2025. CrushFTP is a widely adopted file transfer solution used across multiple industries, making it a recurring and attractive target for threat actors. Due to its critical role in securely transferring sensitive files, vulnerabilities in CrushFTP pose a significant risk to organizational security. The ability to compromise a central data exchange hub can provide attackers with access to vast quantities of sensitive information, which increases the likelihood of successful post-exploitation activities. These platforms, if left unpatched or misconfigured, offer a relatively easy entry point for attackers into otherwise secure environments. This vulnerability follows a pattern of exploitation seen in other managed file transfer (MFT) platforms like MOVEit Transfer and Cleo MFT, both of which have been previously targeted in high-profile extortion and data theft campaigns.
The data-extortion group CL0p has targeted zero-day vulnerabilities in file transfer applications like Cleo MFT, MOVEit FTA, GoAnywhere MFT, and Accellion FTA over the years. In 2024, a zero-day vulnerability impacting CrushFTP, CVE-2024-4040, was exploited by the threat actors, enabling them to download system files; the flaw was soon added to CISA’s KEV catalog. The eSentire Threat Intelligence team previously investigated an incident in which the customer's CrushFTP server was exploited by the threat actor via CVE-2025-31161 (also tracked as CVE-2025-2825). The threat actor gained remote access, created a new user, and installed an AnyDesk client for persistence. Organizations are therefore strongly advised to regularly patch and update CrushFTP applications to the latest secure versions. If exploitation of CVE-2025-54309 is identified, it is recommended that organizations restore the default user from a backup created before the vulnerability was exploited, or delete the default user entirely, allowing CrushFTP to automatically regenerate a clean configuration. These actions can help mitigate unauthorized administrative access resulting from the exploit.
In order to mitigate risk, organizations can take the following actions:
In response to the release of this critical vulnerability, eSentire Threat Response Unit (TRU) issued a security advisory on July 21st, 2025. eSentire’s Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2025-54309. eSentire’s MDR for Log includes detections to identify anomalous user authentication activity in CrushFTP. The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.
Bottom Line: Microsoft has confirmed that two recently disclosed zero-day vulnerabilities were exploited by both financially motivated and state-sponsored threat actors. As these vulnerabilities were exploited prior to the release of security patches, potentially impacted devices should be treated as compromised until proven otherwise.
On July 19th, 2025, Microsoft confirmed active exploitation of two critical zero-day vulnerabilities, tracked as CVE-2025-53770 (CVSS: 9.8) and CVE-2025-53771 (CVSS: 6.3). These vulnerabilities are variants of the previously patched SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706. The flaws, colloquially referred to as ToolShell, enable threat actors to achieve Remote Code Execution (RCE) on vulnerable on-premises SharePoint servers. The cybersecurity firm Eye Security was the first to report the exploitation, noting that it affected a range of entities such as federal governments, healthcare organizations, state agencies, energy sector operators, educational institutions, and fintech companies.
Eye Security reported that the threat actors exploited the previously patched SharePoint vulnerabilities (CVE-2025-49704 and CVE-2025-49706) in Microsoft’s July Patch Tuesday release. The exploitation chain, originally demonstrated as "ToolShell" at Pwn2Own Berlin, was weaponized by threat actors to bypass the security patches released in July. In response to Eye Security’s report, Microsoft issued security updates for Microsoft SharePoint Server 2019, 2016, and Subscription Edition.
CVE-2025-53770 allows RCE via untrusted data deserialization, while CVE-2025-53771 is a path traversal flaw enabling network-based spoofing by authorized users. Attacks start with crafted POST requests and HTTP referrer manipulation. Once exploited, attackers upload a malicious file and extract the server's MachineKey to forge malicious __VIEWSTATE payloads using tools like ysoserial, potentially resulting in full system compromise.
Both the Canadian Centre for Cyber Security (CCCS) and the United States (U.S.) CISA have issued urgent advisory warnings due to active exploitation in the wild. Since the initial disclosure, a large number of organizations have released reports outlining observations of exploitation of CVE-2025-53770 and CVE-2025-53771, with Proof-of-Concept (PoC) exploit code becoming publicly available. The vulnerabilities were reportedly exploited using varied attack methods to extract sensitive information, establish long-term backdoors, and obtain cryptographic keys. Trend Micro identified attacks targeting finance, education, energy, and healthcare in the U.S., Europe, and Asia, and SentinelOne reported waves of attacks observed on July 18th and July 19th, 2025. On July 22nd, 2025, Bloomberg News reported that the U.S. National Nuclear Security Administration was compromised due to SharePoint exploitation.
Microsoft reported exploitation attempts targeting CVE-2025-49704 and CVE-2025-49706 as early as July 7th, 2025, by Chinese state-sponsored groups Linen Typhoon (aka APT27) and Violet Typhoon (aka APT31), as well as the financially motivated threat actor Storm-2603. Among the three, Storm-2603 was observed deploying Warlock ransomware in compromised environments.
This is not the first time ASP.NET machine keys have been targeted by threat actors. In December 2024, the Microsoft Threat Intelligence team identified an attack where an unattributed threat actor was exploiting publicly available ASP.NET machine keys to perform ViewState code injection attacks. The attack involves using exposed ValidationKey and DecryptionKey values to craft malicious ViewState data that can be sent to websites via POST requests. When processed by the ASP.NET runtime, this allows for remote code execution on the target IIS web server. Since then, Microsoft has identified over 3,000 publicly disclosed keys that could be vulnerable to this type of attack.
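To make the role of the ValidationKey concrete, the following added example (not code from the briefing or from Microsoft) models MAC-protected state with a plain HMAC: a server accepts state only when its tag verifies under the current key, so a token minted under a leaked key keeps validating until the key is rotated and stops validating afterwards, which is why key rotation is part of the remediation. It is a simplified stand-in and deliberately not ASP.NET's real ViewState encoding, algorithm or key handling.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def sign_state(state: bytes, validation_key: bytes) -> str:
    """Return base64(state || HMAC-SHA256(validation_key, state))."""
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def verify_state(token: str, validation_key: bytes) -> Optional[bytes]:
    """Return the state bytes if the tag verifies under this key, else None.

    Deserialising state that did not pass this check, or passing it with a
    key the attacker also holds, is the condition the briefing describes.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    state, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return state


def new_validation_key() -> bytes:
    """Fresh random key; rotation means replacing the old key with one of these."""
    return os.urandom(64)


def rotation_effect(state: bytes = b"constructed-state") -> Tuple[bool, bool]:
    """(accepted before rotation, accepted after rotation) for one token.

    The token is minted under the old key, which stands in for a key that
    has been exposed; after rotation the same token no longer verifies.
    """
    old_key = new_validation_key()
    token = sign_state(state, old_key)
    accepted_before = verify_state(token, old_key) == state
    new_key = new_validation_key()
    accepted_after = verify_state(token, new_key) == state
    return accepted_before, accepted_after


if __name__ == "__main__":
    print("accepted before / after rotation:", rotation_effect())
```

Two details carry over to real deployments: verification must use a constant-time comparison (hmac.compare_digest here) and must reject malformed input before any deserialisation, and rotation only helps if every server in the farm switches to the new key, since a single host still trusting the old key will still accept the old tokens.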
According to Microsoft, the initial ToolShell attacks were observed in early July 2025. The attackers quickly weaponized vulnerabilities addressed in the July Patch release, rapidly expanding the scope of their operations. This swift escalation indicates a high level of coordination and preparedness in their exploitation efforts. Microsoft attributed the operation, from the initial attempts through successful exploitation, to both state-sponsored and financially motivated Chinese threat actors. This indicates a likely sharing of zero-day exploits among these groups, enabling coordinated attacks against systems before security patches are available. Chinese state-sponsored APT groups are known to conduct sophisticated espionage campaigns such as LapDogs and attacks against multiple telecommunications companies, targeting nations across the globe to support China’s interests. ESET Security reported that several high-value government organizations were among the victims of the ToolShell attacks. Given the high volume of detected exploitation attempts, it is likely that additional threat actors, including financially motivated actors, are leveraging these vulnerabilities to target unpatched on-premises SharePoint systems. With exploitation still ongoing, it is vital for organizations to ensure they are running secure and fully updated versions of SharePoint.
Microsoft strongly recommends applying the released security patches without delay to reduce the risk of exploitation. Until the patches are applied, SharePoint servers should be treated as compromised unless proven otherwise. Implementing robust Endpoint Detection and Response (EDR) solutions will help identify and contain the deployment of webshells on the servers. Organizations should monitor for the presence of "spinstall0.aspx" in the SharePoint layouts directory, and should rotate SharePoint Server ASP.NET machine keys after applying the update.
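A small detection helper for the "spinstall0.aspx" indicator named above, as an added example that is not taken from the briefing or from any eSentire or Microsoft tooling. It parses IIS W3C extended log lines and flags requests for that file, and it walks a layouts directory looking for a file of that name. Only the file name comes from the briefing; the sample log lines are constructed (not real traffic), the field list assumes default IIS logging, and the default layouts path is an assumption to be verified against the build in use.

```python
import os
from typing import Dict, Iterable, List

WEBSHELL_NAME = "spinstall0.aspx"  # indicator named in the briefing

# Assumed default layouts path for SharePoint 2016/2019/SE; verify on your build.
DEFAULT_LAYOUTS_DIR = (
    r"C:\Program Files\Common Files\microsoft shared"
    r"\Web Server Extensions\16\TEMPLATE\LAYOUTS"
)

# Constructed sample of IIS W3C log lines, not real traffic.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\jdoe 10.0.0.77 Mozilla/5.0 - 200
2025-07-19 03:12:51 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 python-requests/2.32 - 200
2025-07-19 03:13:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 python-requests/2.32 - 200
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field list can change mid-file after IIS restarts
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed or truncated lines instead of crashing
        rows.append(dict(zip(fields, parts)))
    return rows


def find_webshell_requests(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows whose requested path is the indicator file (any method, any status)."""
    return [r for r in rows if r.get("cs-uri-stem", "").lower().endswith("/" + WEBSHELL_NAME)]


def suspicious_filenames(paths: Iterable[str]) -> List[str]:
    """Pure matcher used by the directory walk; case-insensitive on the basename."""
    return [p for p in paths if os.path.basename(p).lower() == WEBSHELL_NAME]


def find_webshell_files(layouts_dir: str = DEFAULT_LAYOUTS_DIR) -> List[str]:
    """Walk the layouts directory and return any path whose name matches."""
    candidates = []
    for root, _dirs, files in os.walk(layouts_dir):
        candidates.extend(os.path.join(root, name) for name in files)
    return suspicious_filenames(candidates)


def summarise(rows: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Hit count and the distinct client IPs that requested the indicator file."""
    hits = find_webshell_requests(rows)
    return {"hits": len(hits), "source_ips": sorted({h["c-ip"] for h in hits})}


if __name__ == "__main__":
    print(summarise(parse_w3c(SAMPLE_IIS_LOG.splitlines())))
    print(find_webshell_files())
```

A hit on either check is a trigger for the "treat as compromised" posture described above rather than a clean-up task: the file is the artefact of an already successful request, so the next step is scoping the source IPs, preserving the server, and rotating the machine keys after patching.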
eSentire has observed exploitation attempts for CVE-2025-53770 in multiple customer environments, with the earliest observation dating back to July 17th, 2025. eSentire published a security advisory addressing exploitation of SharePoint vulnerabilities on July 21st, 2025. eSentire's Threat Response Unit (TRU) is actively tracking this topic, evaluating the creation of threat detections related to CVE-2025-53770, and conducting threat hunts to identify signs of CVE-2025-53770 exploitation. The known Indicators of Compromise (IoCs) have been added to the eSentire Threat Intelligence Feed. eSentire MDR for Network and MDR for Endpoint have detections in place to identify successful exploitation of CVE-2025-53770. eSentire’s Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to both CVE-2025-53770 and CVE-2025-53771.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.