Warlock ransomware has targeted multiple organizations using Microsoft SharePoint Server vulnerabilities. Threat actors, including Chinese state-affiliated groups, have exploited security flaws CVE-2025-53770 and CVE-2025-53771. Microsoft provided updated information on the ransomware's indicators of compromise, mitigations, and detection strategies. As of July 23, around 11,000 SharePoint instances are exposed globally, with 600 in the UK. The UK's National Cyber Security Centre reports active attacks on on-premises systems, with victims including the US's National Nuclear Security Administration.
Multiple organizations have been attacked by Warlock ransomware leveraging the ToolShell vulnerability in Microsoft SharePoint Server, with significant exposure noted worldwide.
Known Chinese state threat actors, Linen Typhoon and Violet Typhoon, are exploiting vulnerabilities CVE-2025-53770 and CVE-2025-53771, indicative of coordinated cyber operations.
The UK's National Cyber Security Centre acknowledged awareness of active attacks against on-premises SharePoint Server customers, highlighting vulnerabilities that remain exploited in various regions.
As of July 23, roughly 11,000 SharePoint instances globally are exposed, with about 600 in the UK and 424 remaining vulnerable, primarily in the US.
Collection
[
|
...
]