July 2025 Headlines
Critical SharePoint Zero-Day Vulnerability (CVE-2025-53770) Actively Exploited in the Wild
A new zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is currently being exploited in the wild, posing a severe threat to organizations running on-premises SharePoint environments. With a CVSS score of 9.8, this critical flaw allows unauthenticated remote code execution (RCE) and has already compromised over 85 servers globally (Abrams, 2025). Dubbed "ToolShell" by researchers, the vulnerability is a variant of CVE-2025-49706, a spoofing bug addressed in Microsoft’s July 2025 Patch Tuesday updates. However, CVE-2025-53770 remains unpatched as of July 20, 2025, and is being actively weaponized in large-scale attacks (Riley, 2025).
Attack Vector and Exploitation Details
The flaw stems from the deserialization of untrusted data, enabling attackers to execute arbitrary code over the network. Once exploited, attackers can gain full access to SharePoint content, including file systems and internal configurations (cisa.gov, 2025).
The attack chain involves:
Delivering malicious ASPX payloads via PowerShell.
Extracting the SharePoint server’s MachineKey configuration (ValidationKey and DecryptionKey).
Using these keys to craft valid __VIEWSTATE payloads, effectively turning any authenticated request into an RCE opportunity (Lakshmanan, 2025).
Security researchers from Eye Security and Palo Alto Networks Unit 42 have confirmed that attackers are chaining this vulnerability with others (e.g., CVE-2025-49704) to facilitate lateral movement and persistent access across enterprise networks (Lakshmanan, 2025).
Microsoft and CISA Response
Microsoft has acknowledged the vulnerability and is currently testing a comprehensive patch. In the meantime, it has issued mitigation guidance, urging organizations to:
Enable Antimalware Scan Interface (AMSI) integration in SharePoint.
Deploy Microsoft Defender Antivirus and Defender for Endpoint.
Monitor for suspicious POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
Block known malicious IPs and update firewall rules (cisa.gov, 2025).
The Cybersecurity and Infrastructure Security Agency (CISA) has also released an alert, emphasizing the urgency of implementing these mitigations and reporting any suspicious activity (cisa.gov, 2025).
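One way to apply the third mitigation above to IIS request logs, as an added example that is not from the article or from Microsoft's guidance: it reads IIS W3C-format log rows and flags POST requests to /_layouts/15/ToolPane.aspx whose query string carries DisplayMode=Edit. The log excerpt is constructed, and the column layout assumes the default IIS W3C #Fields header.

```python
import re
from urllib.parse import parse_qs

# Constructed sample IIS W3C log excerpt (not a real capture); field order
# follows the IIS default, and only the fields used below matter.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.20 Mozilla/5.0 200
2025-07-19 02:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 200
2025-07-19 02:14:11 10.0.0.5 POST /_LAYOUTS/15/toolpane.aspx displaymode=edit 443 - 203.0.113.77 python-requests/2.32 200
2025-07-19 02:15:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Display 443 DOMAIN\\bob 10.0.0.21 Mozilla/5.0 200
"""

# Path named in the mitigation guidance; IIS logs the request casing as sent, so match case-insensitively.
TOOLPANE_RE = re.compile(r"/_layouts/15/toolpane\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip malformed rows instead of mis-assigning columns
        yield dict(zip(fields, parts))


def is_toolpane_edit_post(rec):
    """True for a POST to ToolPane.aspx whose query string carries DisplayMode=Edit."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    if not TOOLPANE_RE.search(rec.get("cs-uri-stem", "")):
        return False
    query = rec.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' when the request has no query string
        return False
    params = parse_qs(query.lower(), keep_blank_values=True)
    return "edit" in params.get("displaymode", [])


def find_suspicious(text):
    """Return (client IP, uri-stem, query) for every row matching the indicator."""
    return [(r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"])
            for r in parse_w3c(text) if is_toolpane_edit_post(r)]
```

Hits from the sample are the two requests from 203.0.113.77; the authenticated POST with DisplayMode=Display is not flagged, so the rule keys on the edit-mode query rather than on the endpoint alone.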
Who Is Affected?
On-premises SharePoint Server installations are at risk; SharePoint Online (Microsoft 365) is not affected. Organizations across the government, finance, healthcare, and education sectors have already reported breaches.
Recommendations for Information Security and IT Leaders
Audit all SharePoint servers for signs of compromise.
Isolate vulnerable systems from the internet if AMSI cannot be enabled.
Implement advanced logging and threat detection.
Stay updated with Microsoft’s advisories and prepare for rapid patch deployment once available.
Conclusion
CVE-2025-53770 represents one of the most serious SharePoint vulnerabilities in recent years. With no patch currently available and active exploitation underway, organizations must act swiftly to mitigate the risk. As always, layered defense, proactive monitoring, and timely updates remain the cornerstone of effective cybersecurity.
Tariff Tensions Fuel Data Sovereignty Concerns Among Canadian Cybersecurity Leaders
As global trade tensions escalate, particularly between the U.S. and its allies, cybersecurity leaders are sounding the alarm over a less visible but equally critical threat: data sovereignty. According to a recent report by Security Magazine, 64% of global security leaders are highly concerned about data sovereignty in the face of growing tariff uncertainty (securitymagazine.com, 2025). For Canadian cybersecurity professionals, this concern is not just theoretical — it’s a pressing national issue.
Why Data Sovereignty Matters More Than Ever
Data sovereignty refers to the concept that digital data is subject to the laws and governance structures of the country in which it is collected or stored. For Canadian organizations, this means ensuring that sensitive data — especially that of citizens, government, and critical infrastructure — remains under Canadian jurisdiction.
With the U.S. imposing new tariffs on Canadian digital services and infrastructure components in early 2025, the risk of foreign influence over Canadian data assets has intensified (Slavens & Sanathkumar, 2025). These tariffs have prompted fears that Canadian organizations may be forced to rely more heavily on U.S.-based cloud and cybersecurity providers, potentially compromising data control and compliance with Canadian privacy laws.
The Canadian Response: Building Domestic Cyber Resilience
In response to these challenges, Rogers Cybersecure Catalyst and In-Sec-M launched the Buy Canadian Cyber initiative in March 2025. This national platform connects Canadian organizations with homegrown cybersecurity vendors, aiming to reduce reliance on foreign providers and bolster national digital sovereignty (Slavens & Sanathkumar, 2025).
“The latest tariffs from the U.S. are deeply frustrating, but rather than let them dictate our future, we are doubling down on Canadian excellence,” said Charles Finlay, Executive Director of the Catalyst (Slavens & Sanathkumar, 2025).
This initiative is more than economic protectionism — it’s a strategic move to safeguard Canada’s digital infrastructure and ensure that cybersecurity solutions are developed and deployed by Canadians, for Canadians.
Implications for Canadian CISOs and IT Leaders
Canadian cybersecurity leaders must now navigate a complex landscape where geopolitics, trade policy, and data governance intersect. Key considerations include:
Cloud repatriation: Moving sensitive workloads from U.S.-based cloud providers to Canadian data centers.
Vendor diversification: Prioritizing Canadian cybersecurity vendors to reduce exposure to foreign policy shifts.
Regulatory alignment: Ensuring compliance with Canadian data protection laws like PIPEDA and provincial equivalents.
Conclusion
As Canada continues to digitize its economy, the intersection of trade policy and cybersecurity will only grow more pronounced. The State of Cybersecurity in Canada 2025 reports that the federal government has already signaled its intent to treat digital infrastructure and data sovereignty as national priorities (canadiancybersecuritynetwork.com, 2025). For Canadian organizations, this is a call to action: invest in local talent, support domestic innovation, and build a cybersecurity ecosystem that is resilient, sovereign, and future-ready.
WestJet Cybersecurity Breach: July Update
On June 13, 2025, WestJet detected suspicious activity on its internal systems. A subsequent investigation confirmed that a sophisticated criminal group had gained unauthorized access to its IT infrastructure (westjet.com, 2025). The breach did not compromise flight safety or operational integrity, but it did result in the illegal acquisition of certain personal and travel-related data.
WestJet has emphasized that no credit card or debit card numbers and no guest user passwords were accessed. However, the stolen data varies by individual and may include names, travel itineraries, and contact information (westjet.com, 2025).
Who Was Behind the Attack?
According to a Forbes investigation, the breach is believed to be part of a coordinated campaign by the hacker group “Scattered Spider”, which also targeted Hawaiian Airlines and Qantas within the same three-week period (Kelleher, 2025). This group is known for its advanced social engineering tactics, including phishing and SIM swapping, and has previously been linked to high-profile attacks on MGM Resorts and Caesars Entertainment.
WestJet’s Response and Mitigation
WestJet took immediate action to contain the breach, engaging both internal and external cybersecurity experts. The airline has:
Completed containment of the incident.
Implemented additional security measures.
Notified affected individuals in compliance with Canadian privacy laws.
Informed authorities including Transport Canada, the Office of the Privacy Commissioner of Canada, and international counterparts (westjet.com, 2025).
Final Thoughts
WestJet continues to monitor its systems and is working closely with law enforcement and cybersecurity agencies. The breach serves as a wake-up call for other Canadian enterprises to review their incident response plans, audit access controls, and educate staff on social engineering threats.
Stefan Myroniuk, MSc., CISSP
(ISC)2 Alberta Chapter | Communications Director
E: communications@isc2chapter-alberta.org
http://isc2chapter-alberta.org