
Latest Security Updates: Insights on Sharepoint, Initramfs, and Further Topics in Cybersecurity

Security disruptions rocked the business world, and they trace back to Pwn2Own Berlin, where the Viettel Cyber Security team led by Khoa Dinh uncovered two vulnerabilities in Microsoft's software.


In a series of recent events, cybersecurity experts have uncovered a new malware strain, Coyote, and two vulnerabilities in Microsoft's SharePoint, which have been exploited by Chinese threat actors.

The Coyote Malware and Microsoft UI Automation Framework

Akamai has reported on Coyote, a malware strain that uses the Microsoft UI Automation (UIA) framework to spy on users. By exploiting the UIA accessibility feature, malware can pull detailed information from inside a running application.

The SharePoint Vulnerabilities and Their Exploitation

Two vulnerabilities in Microsoft's SharePoint were discovered by Khoa Dinh and the team at Viettel Cyber Security. Chinese threat actors have been exploiting these vulnerabilities by chaining together multiple flaws—specifically CVE-2025-49704, CVE-2025-49706, and a new variant, CVE-2025-53770—to achieve unauthenticated remote code execution (RCE) in on-premises Microsoft SharePoint Servers.

The exploitation technique involves sending specially crafted HTTP POST requests to the vulnerable endpoint using a unique Referer header () to bypass authentication mechanisms. This allows attackers to upload a malicious ASPX web shell called onto the server, which they use to extract cryptographic keys from the SharePoint instance. These keys enable them to forge valid and signed payloads that bypass authentication entirely, thereby allowing persistent and stealthy full remote code execution without re-exploiting the original vulnerability.
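To make concrete why the stolen keys matter, here is an added example (not code from the original article, from Microsoft or from the researchers): a simplified model of a server that authenticates payloads with an HMAC over a secret machine key. It shows that anyone holding the key can mint tags the server accepts, and that rotating the key is what invalidates them; the class and function names are mine, and the scheme is a stand-in rather than SharePoint's real ViewState format.

```python
import hmac
import hashlib
import secrets

# Simplified model (assumption, not SharePoint's real ViewState scheme):
# the server signs each payload with a secret machine key using HMAC-SHA256
# and accepts only payloads whose tag verifies under the key it currently holds.

class MacProtectedServer:
    def __init__(self, machine_key: bytes):
        self.machine_key = machine_key

    def sign(self, payload: bytes) -> bytes:
        """Produce the tag the legitimate server attaches to a payload."""
        return hmac.new(self.machine_key, payload, hashlib.sha256).digest()

    def accepts(self, payload: bytes, tag: bytes) -> bool:
        """Accept a payload only if its tag verifies under the current key."""
        expected = self.sign(payload)
        return hmac.compare_digest(expected, tag)

    def rotate_key(self) -> None:
        """Replace the machine key: the remediation step after key theft."""
        self.machine_key = secrets.token_bytes(32)


def demo() -> dict:
    """Walk through theft, forgery and rotation; returns the acceptance results."""
    server = MacProtectedServer(secrets.token_bytes(32))
    legit = b"user=alice;role=reader"          # constructed sample payload
    legit_tag = server.sign(legit)

    # A copy of the key taken off the server lets a third party mint valid tags
    # for payloads the server never issued, with no further exploitation needed.
    stolen_key = server.machine_key
    forged = b"user=alice;role=admin"          # constructed forged payload
    forged_tag = hmac.new(stolen_key, forged, hashlib.sha256).digest()

    results = {
        "legit_accepted_before_rotation": server.accepts(legit, legit_tag),
        "forged_accepted_before_rotation": server.accepts(forged, forged_tag),
    }
    # Patching alone leaves the copied key valid; rotating it is what evicts
    # previously forged payloads (and, as a side effect, older legitimate ones).
    server.rotate_key()
    results["forged_accepted_after_rotation"] = server.accepts(forged, forged_tag)
    results["legit_old_tag_after_rotation"] = server.accepts(legit, legit_tag)
    return results
```

Applying the patch closes the bypass but does not change keys already copied off the server; key rotation is the step that invalidates payloads forged with them.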

Impact and Discovery

The bypass was found in the wild when security researchers observed large-scale active attacks starting around mid-July 2025, shortly after the vulnerabilities were disclosed and patches were released. The attackers exploited the authentication bypass to gain initial access and then used the stolen cryptographic keys to maintain persistent control and move laterally within networks, often blending in with legitimate SharePoint activity, which made detection difficult.

More than 400 compromised systems worldwide have been identified, including some high-profile systems. The live exploitation appears to be coming from a set of Chinese threat actors.

Patch and Preventive Measures

Microsoft issued an emergency patch to address the vulnerabilities on July 20th. To prevent such attacks, it is recommended to apply the latest security updates promptly and to implement robust authentication and authorisation mechanisms.


  1. In light of recent findings, it's crucial for Linux users to be vigilant, as the Coyote malware, which was found abusing the Microsoft UI Automation framework, could be adapted to similar accessibility features on other platforms.
  2. To fortify cybersecurity in data and cloud computing environments, it's essential to prioritize the prompt application of security updates, such as the one Microsoft released to address the chained SharePoint vulnerabilities, and to reinforce authentication and authorization mechanisms.
