- A remote code execution bug in SharePoint lets hackers hijack systems without even logging in
- Storm-2603 exploits unpatched servers using chained bugs to gain long-term access that goes undetected
- The exploit has scored a perfect 10 on Bitsight's risk scale, triggering an immediate federal response
A critical flaw in on-premises Microsoft SharePoint servers has turned into a wider cybersecurity crisis as attackers shift from espionage to extortion.
The campaign, initially traced to a vulnerability that enabled stealthy access, is now distributing ransomware, a development that adds an alarming layer of disruption to what was previously understood to be a data-focused operation.
Microsoft has linked this pivot to a threat actor it calls “Storm-2603”, and victims whose systems have been locked are being told to pay a ransom, generally in cryptocurrency.
From silent access to full-fledged extortion
At the heart of the compromise are two severe vulnerabilities: CVE-2025-53770, nicknamed “ToolShell”, and its variant CVE-2025-53771.
These flaws allow unauthenticated remote code execution, giving attackers control over unpatched systems simply by sending a crafted request.
The absence of any login requirement makes these exploits particularly dangerous for organizations that have delayed applying security updates.
Bitsight experts say CVE-2025-53770 scores the maximum 10 on its Dynamic Vulnerability Exploit (DVE) scale, underscoring the urgency of remediation.
Security companies have noted a sharp increase in attacks. Eye Security, which first reported signs of compromise, estimated 400 confirmed victims, up from 100 over the weekend, and warned that the actual number was probably much higher.
“There are many more, because not all attack vectors have left artifacts that we could scan for,” said Vaisha Bernard, chief hacker at Eye Security.
US government agencies, including the NIH and reportedly the Department of Homeland Security (DHS), were also affected.
In response, CISA, the cyberdefense arm of DHS, added CVE-2025-53770 and CVE-2025-53771 to its Known Exploited Vulnerabilities catalog, requiring immediate action on federal systems once fixes were available.
One strain reported in circulation is the “Warlock” ransomware, distributed freely across compromised environments.
The pattern of chained exploits, combining the newer CVEs with older ones such as CVE-2025-49704, underscores a deeper structural problem in the security of on-premises SharePoint instances.
The attackers are reported to have bypassed multi-factor authentication, stolen machine keys and maintained persistent access on affected networks.
Although SharePoint Online in Microsoft 365 is not affected, the impact on traditional server deployments has been widespread.
Researchers estimate that more than 75 to 85 servers worldwide have already been compromised, with affected sectors spanning government, finance, health care, education, telecommunications and energy.
Globally, up to 9,000 exposed servers remain at risk if they are left unpatched.
Organizations are strongly urged to install the latest updates: KB5002768 for SharePoint Subscription Edition, KB5002754 for SharePoint 2019 and KB5002760 for SharePoint 2016.
Microsoft also recommends rotating machine keys after patching and enabling AMSI (Antimalware Scan Interface) integration together with Defender Antivirus.
Additional guidance includes scanning for indicators of compromise, such as the presence of the spinstall0.aspx web shell, and monitoring logs for unusual lateral movement.
In addition, some organizations are now exploring ZTNA and enterprise VPN models to isolate critical systems and segment access.
However, these measures are only effective if they are combined with strong endpoint protection and timely patch management.
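As an added illustration of the indicator scan mentioned above (this is example code written for this page, not Microsoft's or any vendor's tooling), the following script walks a directory tree and reports any file whose name matches the spinstall0.aspx web shell, with its SHA-256 and modification time for triage. Only the standard library is used; the demo tree it builds is constructed for the example and holds placeholder text, not a real shell. The LAYOUTS path in the comment is the usual location on a SharePoint server and is stated here as an assumption.

```python
"""Scan a directory tree for the spinstall0.aspx web shell named in the article.

Added example, not code from the article or from Microsoft. Uses only the
standard library; build_demo_tree() creates a constructed directory with a
harmless placeholder file so the scan can be run offline.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File names treated as indicators. spinstall0.aspx is the one the article
# names; matching is case-insensitive because NTFS ignores case.
SUSPECT_NAMES = {"spinstall0.aspx"}


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_web_shells(root, suspect_names=SUSPECT_NAMES):
    """Walk root and return a list of dicts, one per matching file.

    Each entry carries the path, SHA-256 and UTC modification time so an
    analyst can record the hash and pivot to other logs around that time.
    """
    root = Path(root)
    wanted = {n.lower() for n in suspect_names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in wanted:
                p = Path(dirpath) / name
                mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
                hits.append({"path": p, "sha256": sha256_of(p), "mtime_utc": mtime})
    return hits


def build_demo_tree() -> Path:
    """Create a constructed tree that mimics a LAYOUTS folder.

    It contains one benign page and one file named like the web shell
    (in mixed case, to exercise case-insensitive matching). The content is a
    placeholder string, not a real shell.
    """
    root = Path(tempfile.mkdtemp(prefix="layouts_demo_"))
    layouts = root / "TEMPLATE" / "LAYOUTS"
    layouts.mkdir(parents=True)
    (layouts / "default.aspx").write_text("<%@ Page %>\n")
    (layouts / "SpInstall0.ASPX").write_text("placeholder, constructed for the demo\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    # On a real server, point find_web_shells at the SharePoint LAYOUTS
    # directory instead (assumed location):
    # C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS
    for hit in find_web_shells(demo_root):
        print(f"{hit['mtime_utc'].isoformat()}  {hit['sha256']}  {hit['path']}")
```

A file-name match is a starting point, not proof of compromise or of its absence: an attacker can rename a shell, so the hash and timestamp are there to correlate with web server and authentication logs, and a clean scan does not remove the need to patch and rotate machine keys.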
Via PK Press Club