As enterprise environments grow more complex and decentralized, threat actors are evolving faster than ever. This week, three critical incidents reveal the scope and speed of today’s threat landscape: an actively exploited Microsoft SharePoint zero-day, real-world attacks on Fortinet WAFs just days after public disclosure, and widespread phishing leveraging leaked Dell customer data.
Here’s what happened, who’s at risk, and how your security team can stay ahead.
Microsoft SharePoint Zero-Day “ToolShell” Under Active Exploitation
Microsoft is urgently responding to a critical zero-day vulnerability in on-premises SharePoint Server. Tracked as CVE-2025-53770 and dubbed “ToolShell,” the flaw enables unauthenticated remote code execution. Threat actors are chaining it with related vulnerabilities (CVE-2025-53771, 49704, and 49706) to exfiltrate cryptographic MachineKey values and deploy web shells across enterprise environments.
Security researchers confirm that exploitation began around July 17, with over 9,000 internet-facing SharePoint instances still vulnerable. Microsoft has released emergency patches for Subscription Edition and SharePoint 2019, while updates for 2016 remain pending. CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, advising immediate mitigation.
What makes this threat particularly dangerous is that many organizations still rely on legacy on-prem systems for document management and internal collaboration, often without adequate segmentation or monitoring. The attack chain enables lateral movement from a single compromised SharePoint instance, potentially allowing access to integrated services like Exchange or Teams. This multi-vector nature of the exploit requires defenders to think beyond patching and implement holistic detection and isolation strategies.
Next Steps for Organizations:
- Apply Microsoft’s emergency patches.
- Rotate MachineKeys and isolate exposed servers.
- Enable Defender AV and AMSI protections.
Fortinet FortiWeb Flaw Exploited Days After Public PoC
Fortinet’s FortiWeb WAF is now under real-world attack via CVE-2025-25257, a critical SQL injection vulnerability (CVSS 9.6) that enables unauthenticated RCE. Although Fortinet issued patches on July 8, attackers moved quickly once a proof-of-concept exploit was released on July 11.
Threat intelligence platforms recorded dozens of compromised FortiWeb systems within days, with attackers dropping web shells and executing remote payloads. The vulnerability lies in the Fabric Connector module, which fails to validate HTTP(S) input properly. FortiWeb devices often sit at the enterprise perimeter, making exploitation highly impactful.
In many cases, these devices operate without centralized visibility or comprehensive log monitoring, making early detection difficult. Fortinet’s incident underscores the growing importance of external attack surface management (EASM) and automated scanning of publicly exposed services. Organizations should ensure their WAFs and other edge devices are consistently updated and that security teams are alerted when new administrative interfaces or ports are exposed to the public internet.
Mitigation Steps:
- Patch to FortiWeb versions 7.6.4, 7.4.8, 7.2.11, or 7.0.11.
- Disable external HTTP(S) admin access.
- Monitor for post-exploitation web shell activity.
Dell Data Breach Fuels Phishing Surge
A partner-portal API compromise at Dell has led to the exposure of 49 million customer records. The breach, which occurred in early 2024 has resurfaced in recent weeks with the rise of phishing attacks connected to those impacted from the events.
but continues to have ripple effects, includes service tags, names, addresses, and order histories. While sensitive financial or credential data wasn’t included, the leaked information is now fueling widespread phishing campaigns.
Attackers are using the data to craft personalized scam emails, increasing their success rate significantly. Customers report receiving fake Dell warranty updates, support requests, and refund offers, often including accurate purchase history. The breach highlights the long-term risks of supply chain and third-party access.
This breach also emphasizes the need for enterprise cybersecurity programs to extend beyond direct controls. While Dell’s core systems may have been secure, a third-party integration became the weak link. Vendors and partners with privileged API access should be continuously audited, and user communication protocols must be reviewed to ensure rapid notification in the event of data misuse or social engineering risk.
Phishing Defense Priorities:
- Flag Dell-themed emails in filtering rules.
- Notify users about active scams.
- Conduct targeted phishing awareness training.
Strengthening Your Enterprise Cybersecurity Posture
From zero-day exploitation to fast-moving PoC weaponization and supply chain data abuse, the threats facing enterprises are more dynamic than ever. Organizations must accelerate patching cycles, monitor infrastructure perimeters, and harden defenses against increasingly personalized phishing attempts.
RSI Security offers rapid patch readiness assessments, phishing simulations, and SharePoint/Cloud risk audits tailored to your environment. Explore solutions or schedule a consultation with RSI Security today.
Contact Us Now!
