SharePoint Vulnerabilities and Security Updates
➡️ Watch full clip here: https://youtu.be/cLNedMpRCyk
➡️ Register for Patch Tuesday Webinar Series: https://www.ivanti.com/lp/webinar-series/patch-tuesday
➡️ Download slides here: https://www.ivanti.com/resources/patch-tuesday
SharePoint is currently facing vulnerabilities that are being actively exploited, prompting guidance from both Microsoft and CISA. An attack chain known as ToolShell takes advantage of several CVEs and has exposed new security risks. On-prem software poses a significant risk because attackers can decrypt it. Mitigation involves applying the updates and improving threat detection. Additionally, Exchange Server has a security update addressing five vulnerabilities, and users must switch from EWS to Microsoft Graph by October 2026.
Key Takeaways
Microsoft resolved 107 new CVEs, including one public disclosure. Thirteen CVEs are rated Critical (nine RCE, three Information Disclosure, one Elevation of Privilege) by Microsoft and affect the Windows OS, Office, Azure Stack Hub and Azure Virtual Machines.
The highest priority among the Microsoft updates is SharePoint. The SharePoint vulnerabilities identified and exploited in July remain a continuing risk and should be resolved ASAP. CISA has published multiple updates, as has Microsoft on the MSRC blog.
Microsoft resolved one publicly disclosed vulnerability in Windows Kerberos (CVE-2025-53779). The CVE is an Elevation of Privilege vulnerability that could allow an attacker to gain domain admin privileges. The CVE is rated Medium and has a CVSS score of 7.2. The vulnerability only affects Windows Server 2025.
Microsoft SQL Server and Exchange Server each received an update resolving five CVEs. The highest severity rating in both updates is Important.
The urgent Adobe update released on August 5 resolved two publicly disclosed CVEs (CVE-2025-54253 and CVE-2025-54254). APSB25-82 affects Adobe Experience Manager Forms and resolves two Critical CVEs for which proof-of-concept code has been released publicly.
Adobe resolved 68 CVEs across 13 updates covering Adobe Commerce, Substance 3D Viewer, Animate, Illustrator, Photoshop, Substance 3D Modeler, Substance 3D Painter, Substance 3D Sampler, InDesign, InCopy, Substance 3D Stager, FrameMaker and Dimension.
Zero-day and 1-day exploits are increasing. Security vendor VulnCheck is tracking 432 KEVs for the first half of 2025, and 32% of those were zero-day or 1-day exploits, leaving defenders with very limited time to respond to emerging threats. (Source: CSOonline)
Let me start this month off with a question. Have you already decided what you are going to do for your remediation plan this month? Think about it for a second. OS updates, productivity apps, browsers and other apps are likely already under consideration for your August patch maintenance. The real decisions you need to make are around timing. Do you proceed with your typical Patch Tuesday plan, or do you need to accelerate any zero-days or other urgent fixes?
#PatchTuesday #Patchmanagement #Cybersecurity #SharePoint #vulnerabilities #securityupdates #MicrosoftGraph #CISA
Chapters:
0:00 - SharePoint & Tool Exploits
1:34 - On-Prem Security Risks
2:22 - Mitigation & Updates
5:15 - Microsoft Graph Transition