
The month of July in 2025 saw many new cybersecurity developments that will have serious implications for businesses across the U.S. This recap by SWK Technologies features some of the top stories among these incidents, including multiple serious CVEs (Common Vulnerabilities and Exposures), major warnings from cyber agencies and researchers, and more news that could impact your business’s cyber defense needs.
Here are SWK’s top cybersecurity news stories for July 2025:
Microsoft SharePoint Vulnerability Exploited by Hackers
Microsoft released patches for two severe zero-day vulnerabilities in its SharePoint platform, which were already being exploited by different threat actors throughout July 2025. There were over 75 confirmed compromises as of this writing, spanning banks, universities, hospitals, corporate enterprises and public agencies throughout North America and Europe. The vulnerabilities, scoring 9.8 and 7.1 on the CVSS scale respectively, enable unauthenticated remote code execution (RCE) and administrative access to Microsoft SharePoint Server environments.
Multiple cybersecurity firms and even CISA (the U.S. Cybersecurity and Infrastructure Security Agency) have classified these CVEs as especially urgent and have called on everyone potentially affected to patch their Microsoft systems immediately. SharePoint is central to managing files across Microsoft 365 environments, meaning that if a hacker were able to gain backdoor access, they would potentially be able to interact with all of the data stored by your business management applications, from Word to Teams.
Attacks leveraging these exploits have been confirmed since at least earlier in the month, with proof of execution in several cases that had been specifically tailored to break past SharePoint’s built-in security measures. Microsoft has already addressed these exploits in its latest Patch Tuesday round of updates, but it is critical that users update their systems ASAP.
Ransomware Group Shuts Down IT Supplier Ingram Micro
Ingram Micro, an IT solutions distributor, was targeted by the ransomware group SafePay between July 3 and July 9 and was forced to shut down multiple systems and operations to isolate the attack. The company told several employees to work from home while it worked to restore its data and resume business processes, with experts estimating losses of up to $136 million per day during the shutdown.
Ingram announced on Saturday, July 5 that it had identified a ransomware infection within its internal systems; the SafePay group claimed responsibility in a ransom note obtained by BleepingComputer, which reported that the attack was likely preceded by a compromise of Ingram’s VPN platform. The hackers initially used “password spraying” attacks to collect credentials for the VPN instance and leveraged these to break in remotely, exfiltrating data directly from Ingram’s systems.
SafePay is proving to be a unique player in cybercrime for several reasons, from emerging suddenly in 2024 to pulling off several high-profile cyber attacks such as this one in a relatively short time. Most notable, however, is that the group claims not to operate as a typical RaaS (Ransomware as a Service) model, where its malware would be licensed out to others – it works on its campaigns directly as a closed group of a few dozen individuals. The group also focuses more on capturing and extracting data directly, as it did against Ingram, which creates more pressure on victims than simply encrypting files.
CISA Warns of Citrix NetScaler Flaw Exploit Attacks
CISA joined several security researchers and other experts in warning the public about a major flaw present in Citrix NetScaler that has already seen a significant volume of exploitation in the wild by bad actors. Dubbed “Citrix Bleed 2” due to its similarity to an earlier bug in the same application, it allows hackers to bypass authentication protocols and gain direct access to connected devices, potentially even with MFA (multifactor authentication) enabled. Though Citrix initially seemed to deny that the flaw was legitimate, it has since been found to have been exploited since at least June 2025, and several users have likely been compromised already.
Application Delivery Controllers (ADC) such as NetScaler typically sit at the perimeter of organizational networks, serving as the primary gateway for remote workers accessing company resources through VPN connections, virtual desktop environments and web-based apps. When employees work from home or travel, their connection to company systems almost invariably passes through Citrix NetScaler, making these devices a single point of failure for security. This flaw allows attackers to exploit how the ADC processes authentication requests, leveraging a memory leak to collect token data.
Citrix’s initial response to both bugs has caused controversy, as the company was initially dismissive of the extent of the risk and of how widely the exploit could apply. However, the alarm bells rung by private firms and CISA have brought attention to the severity of Citrix Bleed 2, with widespread attacks already seen in the wild confirming that it is being actively targeted by hackers.
Interlock Ransomware Targets Healthcare
Multiple government agencies issued a joint advisory warning of an observed spike in attacks using Interlock ransomware, including against targets in healthcare and other critical infrastructure industries. Though this strain is relatively young, having only emerged in late 2024, it has already proven to be a serious danger for many unsuspecting victims, prompting the FBI, CISA and even the Department of Health and Human Services to take the extra step of warning the public.
As seen with the case of Kettering Health in May 2025, the Interlock group’s tactics can be particularly devastating for organizations with multiple connected medical facilities, allowing infections to spread across different systems and forcing staff to isolate resources to prioritize critical care in the event of a total collapse. The gang also uses many uncommon methods to infect victims’ networks, such as “drive-by downloads” from compromised websites and fake update messages for browsers and other applications, making it even harder to catch an initial attack.
Though the FBI and CISA emphasize that Interlock goes after targets of opportunity most often, rising global tensions from June 2025 may be contributing to this spike given the focus on infrastructure industries like healthcare. Several nation-states work closely with cybercriminal groups to achieve political objectives and some will even outsource cyberwarfare goals to these independent actors.
Discover More Cybersecurity Developments with SWK
The cyber incidents seen in July 2025 show how critical it is to stay on top of the continuous security developments that emerge every month in the increasingly digital world. The expert team at SWK Technologies actively monitors these emerging threats and stays ahead of the evolving risk landscape – partner with SWK today to leverage our award-winning managed IT and security services, and ensure your business is prepared to handle whatever challenges emerge.
Contact SWK here to learn more about current cybersecurity developments and what your business needs to do to maintain protection against sophisticated cyber threats.