Warlock Ransomware Exploits SharePoint Flaws for Initial Access and Credential Theft
gbhackers

The Warlock ransomware group has intensified its operations by targeting unpatched on-premises Microsoft SharePoint servers, leveraging critical vulnerabilities to achieve remote code execution and initial network access.
This campaign, observed in mid-2025, involves sending crafted HTTP POST requests to upload web shells, facilitating reconnaissance, privilege escalation, and credential theft.
Initial Exploitation
Attackers exploit flaws like CVE-2023-27532 in outdated Veeam Backup software and recently disclosed SharePoint deserialization issues, enabling them to bypass authentication and pivot into enterprise environments.
Victims span multiple continents, including North America, Europe, Asia, and Africa, with sectors such as government, finance, manufacturing, technology, and critical infrastructure heavily impacted.
Warlock’s tactics echo those of groups like Black Basta, suggesting possible affiliations or rebranding, and demonstrate a rapid evolution from forum advertisements in June 2025 to sophisticated global attacks.
By abusing Group Policy Objects for privilege escalation, attackers create new GPOs, activate guest accounts, and add them to ...
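As an added defender-side example (not code from the article), the Python below correlates the GPO-abuse chain described above: the same actor creates a new GPO, enables an account (here the built-in Guest), and adds that account to a group within a short window. The Windows Security event IDs it keys on are standard (5137 directory object created, 4722 user account enabled, 4728/4732 member added to a global/local group); the event records, actor names and group names are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log records (not real telemetry). Field names are
# simplified from the real events: 5137 = directory object created,
# 4722 = user account enabled, 4728 = member added to a security-enabled global group.
SAMPLE_EVENTS = [
    {"time": "2025-07-20T10:02:11", "id": 5137, "subject": "CORP\\svc-sp",
     "object_class": "groupPolicyContainer",
     "object": "CN={CONSTRUCTED-GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2025-07-20T10:05:40", "id": 4722, "subject": "CORP\\svc-sp",
     "target": "Guest"},
    {"time": "2025-07-20T10:06:02", "id": 4728, "subject": "CORP\\svc-sp",
     "target": "Guest", "group": "Domain Admins"},
    # Routine helpdesk re-enable with no GPO creation or group change around it.
    {"time": "2025-07-20T14:30:00", "id": 4722, "subject": "CORP\\helpdesk",
     "target": "jdoe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_gpo_guest_chain(events, window_minutes=60):
    """Return one finding per (actor, GPO) where, within window_minutes of a
    new GPO being created, the same actor enabled an account and then added
    that account to a group. Each step alone is often benign; the sequence
    from one actor is the signal."""
    findings = []
    by_actor = {}
    for e in sorted(events, key=_ts):
        by_actor.setdefault(e["subject"], []).append(e)
    for actor, evs in by_actor.items():
        for gpo in evs:
            if gpo["id"] != 5137 or gpo.get("object_class") != "groupPolicyContainer":
                continue
            end = _ts(gpo) + timedelta(minutes=window_minutes)
            later = [e for e in evs if _ts(gpo) <= _ts(e) <= end]
            enabled = {e["target"] for e in later if e["id"] == 4722}
            for add in later:
                if add["id"] in (4728, 4732) and add["target"] in enabled:
                    findings.append({"actor": actor, "account": add["target"],
                                     "group": add["group"], "gpo": gpo["object"],
                                     "start": gpo["time"]})
    return findings


if __name__ == "__main__":
    for f in find_gpo_guest_chain(SAMPLE_EVENTS):
        print(f"ALERT {f['start']}: {f['actor']} created {f['gpo']}, "
              f"enabled {f['account']} and added it to {f['group']}")
```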
Copyright of this story solely belongs to gbhackers.