SANS Stormcast Tuesday, July 22nd, 2025: SharePoint Emergency Patches; How Long Does Patching Take; HPE Wifi Vuln; Zoho WorkDrive Abused

Microsoft Released Patches for SharePoint Vulnerability CVE-2025-53770 CVE-2025-53771
Microsoft released a patch for the currently exploited SharePoint vulnerability. It also added a second CVE number identifying the authentication bypass vulnerability.
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
How Quickly Are Systems Patched?
Jan took Shodan data to check how quickly recent vulnerabilities were patched. The quick answer: Not fast enough.
https://isc.sans.edu/diary/How%20quickly%20do%20we%20patch%3F%20A%20quick%20look%20from%20the%20global%20viewpoint/32126
HP Enterprise Instant On Access Points Vulnerability
HPE patched two vulnerabilities in its Instant On access points (aka Aruba). One allows for authentication bypass, while the second one enables arbitrary code execution as admin.
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04894en_us
Revealing the AppLocker Bypass Risks in The Suggested Block-list Policy
AppLocker sample policies suffer from a simple bug that may enable some rule bypass, but only if signatures are not enforced.
While reviewing Microsoft s suggested configuration, Varonis Threat Labs noticed a subtle but important issue: the MaximumFileVersion field was set to 65355 instead of the expected 65535.
https://www.varonis.com/blog/applocker-bypass-risks
Ghost Crypt Malware Leverages Zoho WorkDrive
The Ghost malware tricks users into downloading by sending links to Zoho WorkDrive locations.
https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis