Morning, cyber pros! 
It's been a bit quiet over the last 24 hours, but we've still got some critical updates to chew on, including a nasty SharePoint zero-day, new GRU malware, and a warning about hardcoded credentials in Aruba access points. Let's dive in:
SharePoint Zero-Day Under Active RCE Exploitation 
- A critical zero-day, CVE-2025-53770, in Microsoft SharePoint Server is being actively exploited for Remote Code Execution (RCE) since at least July 18th, with over 75 organisations already compromised.
- This flaw is a variant of CVE-2025-49706, part of the "ToolShell" chain demonstrated at Pwn2Own Berlin, and allows attackers to steal the server's MachineKey configuration to craft valid ViewState payloads for RCE.
- No patch is available yet, but Microsoft recommends enabling AMSI integration (default since Sep 2023 updates for SharePoint Server 2016/2019/Subscription Edition) and deploying Defender AV. If AMSI isn't an option, disconnect servers from the internet. Check for `C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx` and specific IIS log entries as IOCs.
Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
UK Sanctions GRU, Uncovers New Microsoft Credential Stealer 
- The UK government has sanctioned three GRU units (26165, 29155, 74455) and several individuals for a sustained campaign of malicious cyber activity, including targeting logistics providers and using cyber reconnaissance for missile strikes in Ukraine.
- Specifically, GRU's APT28 (Fancy Bear/Forest Blizzard, Unit 26165) is attributed to deploying "Authentic Antics," a novel Windows malware that steals Microsoft email credentials and OAuth tokens by displaying fake login prompts.
- Authentic Antics also exfiltrates victim data by sending emails from the compromised account to an actor-controlled address without appearing in the 'sent' folder, highlighting the sophistication and stealth of GRU operations.
The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/20/uk_microsoft_snooping_russia/
HPE Warns of Hardcoded Passwords in Aruba Access Points 
- HPE has issued a critical warning (CVE-2025-37103, CVSS 9.8) regarding hardcoded administrative credentials in Aruba Instant On Access Points running firmware version 3.2.0.1 and below.
- This vulnerability allows remote attackers to bypass authentication and gain full administrative access to the web interface, enabling configuration changes, backdoor installation, or traffic surveillance.
- A second high-severity flaw, CVE-2025-37102, an authenticated command injection, can be chained with the hardcoded password vulnerability for further compromise. Immediate upgrade to firmware version 3.2.1.0 or newer is recommended as no workarounds are available.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/hpe-warns-of-hardcoded-passwords-in-aruba-access-points/
