Heimdal

Hey, it’s that time of week again. Cybersecurity Advisor Adam Pilton rips through the five biggest cyber headlines shaking up the internet right now.

From a critical SharePoint zero-day vulnerability to ransomware policy overhauls, he explains what happened and gives you the actionable steps you need to stay safe.

SharePoint zero-day (CVE-2025-53770) under active exploitation

Microsoft just confirmed a brutal zero-day flaw slicing through on-prem SharePoint servers — CVE-2025-53770, clocking in at a nasty 9.8 on the CVSS scale. It lets unauthenticated attackers run arbitrary code. Over 80 servers are already toast across the globe.

Good news? SharePoint Online is unaffected. But if you’re running legacy boxes, you’re already late. Microsoft pushed a patch. No excuses — apply it now.

Safety advice

  • Patch immediately – don’t wait for the weekend window.
  • Audit all exposed SharePoint instances.
  • Isolate unpatched servers if you can’t fix today.

Citrix Bleed strikes again

Thought Citrix Bleed was done? Nope. The sequel’s here, and it’s stealing session cookies just like the original. Proof of Concept (PoC) code dropped fast — within 40 hours attackers were scanning. GreyNoise tracked 11 million probes already, and 40% of those hit financial services.

Citrix’s fix missed some key targets: RDP, AAA, and load balancer sessions. So even patched boxes can still leak. Time to get surgical.

Safety advice

  • Upgrade to the latest fixed builds – not just any patch.
  • Kill all active sessions.
  • Rotate stored credentials.
  • Audit for unauthorized logins. Now!

Chinese APT spends 9 months inside US Army Guard network

Salt Typhoon, a Chinese state-backed APT crew, hung out in a US State Army National Guard network for nine months. They walked off with admin creds and network diagrams mapping links across every US state. Yep, that’s nation-state-level recon.

Safety advice

  • Enforce MFA everywhere – not just privileged accounts.
  • Treat network diagrams like crown jewels – encrypt and segment them.
  • Watch DNS like a hawk – check for DNS tunneling.
  • Set SIEM alerts for outbound traffic to sketchy Chinese IPs.

Dell data breach shows “synthetic data” still hurts

Extortion gang World Leaks (formerly Hunters International) breached Dell’s customer solutions center and made off with 1.3TB of test lab files. Dell says it’s mostly synthetic. Reality check? The leaked dump shows real passwords.

Bottom line: “non-production” ≠ “non-sensitive.”

Safety advice

  • Segregate demo and PoC environments. No raw creds, no customer data.
  • Adopt zero-trust, even after the data breach.
  • Force password resets for shared accounts.
  • Alert users to phishing and protect them against tailored lures.

UK Government proposes ransomware payment ban

On July 22, the UK Home Office dropped a bombshell proposal: a ban on ransom payments by public sector bodies and critical infrastructure. Private companies? You’ll need to notify the government before even considering payment. Instant reporting could become law too.

Safety advice

  • If you’re an MSP working with UK orgs, update your IR runbooks now.
  • Add a legal compliance check before any ransom call.
  • Rehearse offline backup restores.
  • Run tabletop exercises: simulate, assess, repeat.
  • Review cyber insurance clauses to ensure they align with the proposed ban.

If this saved you scrolling through 20 blog posts, hit that like button (or share if you’re feeling generous). Got thoughts? Drop them in the comments — tell me what hit hardest and what you want more of next time.

Stay sharp. Stay secure.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.