
Critical Cybersecurity Updates and Vulnerabilities Discussed in Latest Stormcast
In the July 22, 2025 edition of the SANS Internet Storm Center Stormcast, recorded in Jacksonville, Florida, Johannes Ullrich covers several urgent topics. The first is Microsoft's out-of-band update for SharePoint. Patches are now available for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016; older versions have no update and remain exposed. Because working exploits for this vulnerability are publicly available, Ullrich stresses that any unpatched, internet-reachable SharePoint server should be treated as already compromised, not merely as vulnerable: patching alone does not remove a web shell or stolen machine keys that an attacker may already have planted.
Two CVEs (Common Vulnerabilities and Exposures) have been assigned to the flaw: CVE-2025-53770 for the deserialization vulnerability and CVE-2025-53771 for the authentication bypass. Ullrich explains that exploitation requires setting the Referer header to the SharePoint instance's sign-out page and sending the .NET deserialization payload in the body of a POST request. He cautions against writing detection rules that match a specific payload: the payload can be regenerated at will with ysoserial.net (the .NET variant of the ysoserial tool), so a signature tied to one sample will miss the next one. Rules keyed on the shape of the request, such as the Referer pointing at the sign-out page on a POST, are more robust.
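The following is an added example, not code from the podcast or from the Internet Storm Center, showing the "don't be too specific" advice applied to IIS web server logs: it flags POST requests whose Referer points at the SharePoint sign-out page and deliberately ignores the payload bytes. It assumes the default IIS W3C field layout; the log lines are constructed for the example, and the target page in them is a placeholder rather than a claim about which SharePoint page the exploit hits.

```python
"""Flag SharePoint POST requests whose Referer is the sign-out page.

Added example (not from the ISC Stormcast). The exploit described above
sets Referer to the SharePoint sign-out page and carries a .NET
deserialization payload in a POST body. Since the payload varies
(ysoserial.net can regenerate it), this rule keys on the request shape only.
Assumptions: default IIS W3C fields; sample log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# SharePoint's sign-out page lives under /_layouts/ with or without the
# version folder (/_layouts/15/...). Match the path only, case-insensitively.
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$", re.IGNORECASE)

# Constructed sample: two benign requests, two suspicious POSTs, one benign GET
# that carries the sign-out page as Referer (post-logout navigation).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-21 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.20 Mozilla/5.0 https://sp.example.com/sites/hr 200 0 0 31
2025-07-21 02:14:09 10.0.0.5 POST /_layouts/15/SignOut.aspx - 443 alice 10.0.0.20 Mozilla/5.0 https://sp.example.com/_layouts/15/start.aspx 302 0 0 12
2025-07-21 02:15:40 10.0.0.5 POST /_layouts/15/page.aspx - 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 455
2025-07-21 02:15:41 10.0.0.5 POST /_layouts/15/page.aspx - 443 - 203.0.113.9 python-requests/2.32 https://sp.example.com/_layouts/15/signout.aspx?ReturnUrl=%2F 200 0 0 512
2025-07-21 02:16:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.0.20 Mozilla/5.0 https://sp.example.com/_layouts/15/SignOut.aspx 200 0 0 8
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def referer_is_signout(referer):
    """True if the Referer path is the SharePoint sign-out page.

    Accepts relative or absolute URLs; IIS writes "-" for an empty header.
    """
    if not referer or referer == "-":
        return False
    return SIGNOUT_RE.search(urlsplit(referer).path) is not None


def find_suspicious(text):
    """Return (timestamp, client_ip, target) for POSTs with a sign-out Referer."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if referer_is_signout(rec.get("cs(Referer)")):
            hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"], rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for when, ip, target in find_suspicious(SAMPLE_LOG):
        print(f"{when} {ip} POST {target} with sign-out Referer")
```

Legitimate browsers rarely POST with the sign-out page as Referer, so hits are worth a look, but treat the rule as a triage signal rather than proof of compromise and confirm with the server-side artifacts the vendor guidance lists.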
Ullrich also mentions two critical vulnerabilities in HPE Instant On access points, the Aruba-based small-business line. The first is an authentication bypass; the second is a remote code execution flaw that on its own requires administrative access. Chained together, the bypass hands an unauthenticated attacker the administrator role and the second bug turns that into full code execution on the device. Patches are available from HPE.
Another topic is a weakness in Windows AppLocker policies found by the security company Varonis. AppLocker blocks untrusted binaries through application control rules, but a flaw in how rules express file version bounds lets an attacker slip past a rule by stamping the binary with a very high file version. Ullrich recommends not relying on version-based conditions alone and also requiring valid code signatures, so that an unsigned malicious binary cannot run regardless of the version it claims.
Finally, Ullrich discusses the distribution of the Ghost Crypt crypter through Zoho WorkDrive, a commercial file-sharing service used by many small businesses. Attackers exploit the trust users place in the service's domain to deliver malicious files. Ullrich warns against blanket-excluding traffic to such services when writing detection rules: a well-known SaaS domain is not a reason to stop looking at what is downloaded from it.
In conclusion, this episode highlights several critical vulnerabilities and gives practical advice on mitigating them. The information is essential for security professionals working to protect their systems against current threats.