CISOPlatform Breach Intelligence July 21, 2025 – Microsoft SharePoint Zero-Day, CrushFTP Critical Flaw, State Farm Credential Stuffing

Executive Summary

The cybersecurity threat landscape on July 20, 2025 revealed three significant security incidents across critical infrastructure and enterprise environments. The most critical development was the active exploitation of a Microsoft SharePoint Server zero-day vulnerability (CVE-2025-53770) affecting dozens of organizations globally, including government agencies and multinational corporations. Simultaneously, threat actors exploited a critical CrushFTP vulnerability (CVE-2025-54309) targeting file transfer servers in healthcare and government sectors. Additionally, State Farm Insurance experienced ongoing credential stuffing attacks compromising user accounts. These incidents demonstrate sophisticated attack vectors and persistent threat actor activity, and they call for immediate defensive measures aligned with current threat intelligence indicators.

Key Breach Incidents Overview

  1. Critical Microsoft SharePoint Zero-Day (CVE-2025-53770) Actively Exploited - TheHackerNews, SecurityWeek, CSO Online, CISA
  2. CrushFTP Critical Vulnerability (CVE-2025-54309) Under Active Attack - TheHackerNews
  3. State Farm Insurance Credential Stuffing Campaign - Cybersecurity Insiders
  4. CISA Emergency Directive for Federal Agencies - CISA Alerts & Advisories
  5. Multiple Zero-Day Variants Discovered (CVE-2025-53771) - National Vulnerability Database
  6. Enterprise File Transfer Infrastructure Compromised - Multiple Sources
  7. Government and Healthcare Sectors Targeted - Multiple Sources
  8. Advanced Persistent Threat Activity Detected - Multiple Sources

Major Incident Analysis

Critical Microsoft SharePoint Zero-Day (CVE-2025-53770) Actively Exploited

Source: TheHackerNews, SecurityWeek, CSO Online, CISA

Figure: SharePoint Vulnerability Visualization

Timeline:
  • July 18, 2025 (~6:00 PM CET): Initial exploitation detected by Eye Security
  • July 19, 2025 (~7:30 AM CET): Second wave of attacks observed
  • July 20, 2025: CISA adds CVE-2025-53770 to Known Exploited Vulnerabilities Catalog
  • July 21, 2025: Microsoft releases emergency patch and assigns CVE-2025-53771

Attack Vector: Unauthenticated deserialization flaw in on-premises Microsoft SharePoint Server allowing remote code execution (CVSS 9.8). Attackers exploit specially crafted requests to the ToolShell component, bypassing authentication entirely to install web shells and execute arbitrary ASPX payloads.

Threat Actor: Unknown advanced threat actors with sophisticated reverse engineering capabilities, potentially state-sponsored given the scale and coordination of the campaign.

Indicators of Compromise (IOCs):
  • 107.191.58[.]76 - Exploitation IP address
  • 104.238.159[.]149 - Exploitation IP address
  • 96.9.125[.]147 - Exploitation IP address
  • HTTP POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  • Web shell deployment: spinstall0.aspx
  • Modified MainUsers/default/user.xml files

CVE References:
  • CVE-2025-53770: Unauthenticated deserialization flaw in SharePoint Server ToolShell component (CVSS 9.8)
  • CVE-2025-53771: Path traversal in Microsoft Office SharePoint allowing authorized attacker spoofing
  • CVE-2025-49704: Related SharePoint vulnerability partially patched in July update
  • CVE-2025-49706: Original ToolShell vulnerability variant

MITRE ATT&CK Mapping:
  • T1190 (Initial Access): Exploit Public-Facing Application
  • T1505.003 (Persistence): Web Shell deployment
  • T1552.001 (Credential Access): Credentials in Files (ASP.NET MachineKey theft)
  • T1078 (Defense Evasion): Valid Accounts via forged authentication tokens
  • T1083 (Discovery): File and Directory Discovery
  • T1041 (Exfiltration): Exfiltration Over C2 Channel

Analysis: This represents one of the most significant zero-day exploitation campaigns of 2025, with over 85 SharePoint servers across 29 organizations compromised. The attack demonstrates sophisticated understanding of SharePoint's internal architecture, particularly the ASP.NET MachineKey validation system. Threat actors successfully chained multiple vulnerabilities to achieve persistent, unauthenticated access, enabling them to steal cryptographic secrets, deploy web shells, and move laterally within victim networks.
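The IOCs listed above are only useful if they are actually run against your telemetry. The script below is an added example written for this report (it is not CISO Platform's, Microsoft's or Eye Security's tooling) that hunts the published indicators in an IIS W3C log export from a SharePoint front end and checks a directory tree for the dropped web shell name. The sample log lines are constructed for the demonstration; the column layout is read from the `#Fields:` header so the hunt works on real exports whose field order differs. Note that an authenticated GET of ToolPane.aspx in edit mode is normal page-editing traffic; the report's pattern is an HTTP POST, so only that is flagged.

```python
import os
from collections import Counter
from dataclasses import dataclass

# Indicators from the report above (IP addresses re-fanged so they match raw log fields).
EXPLOIT_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
TOOLPANE_QUERY = "displaymode=edit"
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed sample of an IIS W3C log (not a real capture). The last record is a
# legitimate authenticated GET of the page editor and must not be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 16:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-18 16:02:14 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-18 16:05:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.1.22 Mozilla/5.0 200
2025-07-18 16:06:30 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\admin 10.0.1.40 Mozilla/5.0 200
"""


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based line number in the log file
    reason: str
    client_ip: str
    request: str


def iter_records(lines):
    """Yield (line_no, {field: value}) for each data row, mapping columns via the
    #Fields header so the column order does not have to be hard-coded."""
    fields = None
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row: skip rather than mis-assign columns
        yield line_no, dict(zip(fields, parts))


def hunt(lines):
    """Return every record that matches one of the report's indicators."""
    hits = []
    for line_no, rec in iter_records(lines):
        ip = rec.get("c-ip", "")
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        request = f"{method} {stem}?{query}"
        if ip in EXPLOIT_IPS:
            hits.append(Hit(line_no, "known exploitation IP", ip, request))
        # The reported pattern is an HTTP POST to ToolPane.aspx?DisplayMode=Edit;
        # an authenticated GET of the same page is ordinary page editing.
        if method == "POST" and stem.lower() == TOOLPANE_STEM and TOOLPANE_QUERY in query.lower():
            hits.append(Hit(line_no, "POST to ToolPane.aspx?DisplayMode=Edit", ip, request))
        if stem.lower().endswith("/" + WEBSHELL_NAME):
            hits.append(Hit(line_no, "request for spinstall0.aspx web shell", ip, request))
    return hits


def summarize(hits):
    """Count hits per reason so a responder sees the shape of the activity at a glance."""
    return dict(Counter(h.reason for h in hits))


def find_webshell_files(root):
    """Walk a directory tree (e.g. the SharePoint LAYOUTS folder) for the dropped web shell name."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == WEBSHELL_NAME:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG.splitlines())
    for h in results:
        print(f"line {h.line_no}: {h.reason} from {h.client_ip}: {h.request}")
    print(summarize(results))
```

Feed `hunt()` the lines of a real `u_ex*.log` export to use it on your own servers. A hit on the web shell name or on the ToolPane POST should be treated as confirmed compromise rather than a lead: because the campaign steals the ASP.NET MachineKey, remediation after removing the shell includes rotating the machine keys, since a stolen key lets the attacker forge valid tokens even after the patch is applied.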

CrushFTP Critical Vulnerability (CVE-2025-54309) Under Active Attack

Source: TheHackerNews

Figure: CrushFTP Attack Visualization

Attack Vector: AS2 validation mishandling in CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23, exploitable when the DMZ proxy feature is not in use; an unauthenticated remote attacker can gain administrative access over HTTPS (CVSS 9.0).
CVE References:
  • CVE-2025-54309: AS2 validation mishandling in CrushFTP allowing unauthenticated admin access (CVSS 9.0)

Analysis: The CrushFTP vulnerability represents a critical supply chain risk affecting government, healthcare, and enterprise file transfer operations. The attack pattern demonstrates sophisticated threat actor capabilities in reverse engineering vendor patches to identify exploitable variants.
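Because the fixed CrushFTP builds carry an underscore build suffix (11.3.4_23), a naive string comparison will misjudge a fleet inventory: 11.3.4 with no suffix is vulnerable, 11.3.10 is not. The following is an added example, not CrushFTP's own tooling, that parses the version strings as they appear in the report and sorts an inventory into patch buckets; the hostnames and versions in the inventory are constructed for the demonstration, and the DMZ proxy flag reflects the report's statement that exploitation requires the feature not to be in use.

```python
import re

# Fixed versions named in the report: CrushFTP 10.8.5 and 11.3.4_23.
FIXED_BY_MAJOR = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}


def parse_version(text):
    """'11.3.4_23' -> (11, 3, 4, 23); a missing build suffix counts as build 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def assess(version, dmz_proxy_in_use=False):
    """Return 'affected', 'mitigated_by_dmz', 'not_affected' or 'unknown' for CVE-2025-54309."""
    v = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return "unknown"  # major release not covered by the report; check the vendor advisory
    if v >= fixed:        # tuple comparison handles 11.3.10 > 11.3.4 correctly
        return "not_affected"
    # The report scopes exploitation to deployments where the DMZ proxy is not used.
    # A DMZ-fronted host is still below the fixed build and still needs the patch.
    return "mitigated_by_dmz" if dmz_proxy_in_use else "affected"


# Constructed inventory: (hostname, version reported by the server, DMZ proxy in use)
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "11.3.4_23", False),
    ("mft-02.example.internal", "11.3.4", False),
    ("mft-03.example.internal", "10.8.4", True),
    ("mft-04.example.internal", "10.8.5", False),
    ("mft-05.example.internal", "11.3.10", False),
    ("mft-legacy.example.internal", "9.5.0", False),
]


def triage(inventory):
    """Group hosts by status; the 'affected' bucket is the 24-hour emergency patch list."""
    buckets = {"affected": [], "mitigated_by_dmz": [], "not_affected": [], "unknown": []}
    for host, version, dmz in inventory:
        buckets[assess(version, dmz)].append(host)
    return buckets


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:17s} {', '.join(hosts) or '-'}")
```

Replace `SAMPLE_INVENTORY` with the version strings pulled from your own CrushFTP admin pages or asset database. Hosts in the `mitigated_by_dmz` bucket should still be patched inside the same SLA; the DMZ proxy only removes the reported exploitation path, not the flaw.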

Strategic Threat Intelligence Analysis

Current threat intelligence indicates a convergence of advanced persistent threat (APT) activities with opportunistic vulnerability exploitation targeting critical infrastructure. The simultaneous exploitation of SharePoint and CrushFTP vulnerabilities demonstrates coordinated threat actor capabilities in identifying and weaponizing zero-day vulnerabilities across enterprise collaboration and file transfer platforms. Organizations should enhance monitoring for lateral movement indicators, implement advanced behavioral analytics to detect novel attack methodologies, and prioritize zero-day detection capabilities across internet-facing applications.

CISO Strategic Recommendations

  1. Emergency Patch Management: Implement immediate patching for CVE-2025-53770 and CVE-2025-54309 within 24-hour emergency SLA framework
  2. Enhanced Threat Hunting: Deploy advanced behavioral analytics and IOC monitoring for SharePoint and file transfer infrastructure
  3. Incident Response Activation: Execute comprehensive threat hunting protocols for similar attack vector identification across all internet-facing applications
  4. Supply Chain Security Assessment: Conduct immediate third-party risk assessment for file transfer and collaboration platform vendors
  5. Executive Security Briefing: Schedule emergency board-level security posture review with current threat landscape assessment

Threat Landscape Analysis

The current threat landscape demonstrates unprecedented sophistication in multi-vector attack campaigns targeting critical enterprise infrastructure. Threat actors are leveraging advanced reverse engineering capabilities to identify and exploit zero-day variants in widely deployed enterprise applications. Organizations must adopt zero-trust architecture principles, implement continuous security validation, and enhance supply chain security assessments to maintain defensive effectiveness against evolving threat methodologies.

Conclusion and Forward-Looking Insights

The cybersecurity incidents analyzed on July 20, 2025 demonstrate the critical importance of proactive threat intelligence integration with operational security controls. The simultaneous exploitation of multiple zero-day vulnerabilities across different vendor platforms indicates coordinated threat actor capabilities requiring immediate defensive response and strategic security architecture enhancement. Future threat evolution will likely focus on AI-enhanced vulnerability research, supply chain exploitation, and coordinated multi-platform attack campaigns, requiring adaptive defensive strategies and enhanced vendor security requirements.

Sources and References

  1. TheHackerNews - Critical SharePoint Zero-Day
  2. TheHackerNews - CrushFTP Vulnerability
  3. SecurityWeek - SharePoint Under Attack
  4. CISA Alert - SharePoint Vulnerability
  5. CSO Online - SharePoint Zero-Day Breach
  6. Cybersecurity Insiders - State Farm Attack
  7. Krebs on Security - SharePoint Fix
  8. National Vulnerability Database

Priyanka, Co-Founder and Editor, CISO Platform Breach Intelligence, leads our threat intelligence and incident analysis efforts, providing actionable insights to the global cybersecurity community. With extensive experience in cybersecurity leadership and breach analysis, she specializes in translating complex technical threats into strategic intelligence for security executives.