CVE-2025-53770
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability - [Actively Exploited]
Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
INFO
Published Date :
July 20, 2025, 1:15 a.m.
Last Modified :
Oct. 21, 2025, 11:17 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network.
CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 ; https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ ; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53770
Affected Products
The following products are affected by CVE-2025-53770
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Install the latest Microsoft security update.
- Implement the provided mitigation steps.
- Ensure SharePoint Server is updated.
Public PoC/Exploit Available at Github
CVE-2025-53770 has a 91 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-53770.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-53770 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-53770
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
None
list of cve from 2001 to 2024
Python
None
🔍 Scan for potential exposure to the critical SharePoint vulnerability CVE-2025-53770 with this simple and effective tool for authorized testing.
blueteam cve cve-2025-53770 osint pentest poc reconnaissance security-tool sharepoint sharepoint-2016 toolshell vulnerability
Python
None
attack bugbounty cve cve-2025-49706 cve-2025-53770 exploit osint pentest poc postexplotation python reconnaissance security-tool sharepoint sharepoint-2016 sharepoint-exploit toolshell vulnerability
Dockerfile Makefile Go
CVE-2025-53770 实验环境
This repo explores hybrid cloud routing vulnerabilities across Azure, Cisco ISE, SharePoint, NVIDIA Triton AI, and IaC tools. It includes CVE analysis, exploit chaining via PowerShell, and mitigation strategies to secure on-prem and cloud networks from privilege escalation and lateral movement.
None
None
Python Ruby
MCP server for finding out what level of vulnerability a CVE is
Python
None
CVE-2025-53770 - SharePoint
None
CVE-2025-53770 SharePoint Deserialization Vulnerability Checker
Shell
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-53770 vulnerability anywhere in the article.
-
Daily CyberSecurity
Warlock Ransomware Hits US Firms Exploiting SharePoint Zero-Day, Linked to China’s CamoFei APT
Researchers from Symantec and Carbon Black have published a detailed analysis of Warlock ransomware, a newly emerging threat that made its debut in June 2025 and rapidly gained notoriety after being d ... Read more
-
cybereason.com
Cybereason TTP Briefing Q3 2025: LOLBINs and CVE Exploits Dominate
Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q3 2025, a report built on frontline threat intelligence from ... Read more
-
The Register
Salt Typhoon hit governments on three continents with SharePoint attacks
Security researchers now say more Chinese crews - likely including Salt Typhoon - than previously believed exploited a critical Microsoft SharePoint vulnerability, and used the flaw to target governme ... Read more
-
CybersecurityNews
Chinese Hackers Using ToolShell Vulnerability To Compromise Networks Of Government Agencies
China-based threat actors have exploited the critical ToolShell vulnerability in Microsoft SharePoint servers to infiltrate networks across multiple continents, targeting government agencies and criti ... Read more
-
The Hacker News
Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch
Oct 22, 2025Ravie LakshmananCyber Espionage / Vulnerability Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications com ... Read more
-
BleepingComputer
Sharepoint ToolShell attacks targeted orgs across four continents
Hackers believed to be associated with China have leveraged the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint in attacks targeting government agencies, universities, telecommunicati ... Read more
-
cybereason.com
Addressing the CL0P Extortion Campaign Targeting Oracle E-Business Suite (EBS) Users
Cybereason is continuing to investigate. Check the Cybereason blog for additional updates. Overview and What Cybereason Knows So Far July 2025, Oracle released security updates including 309 patches, ... Read more
-
The Cyber Express
22 Vulnerabilities Under Attack – And Another That Could Be
Cyble researchers detailed 22 vulnerabilities under active attack in a blog post today – and nine of them aren’t in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Twelve of the vulnerabilities ... Read more
-
CybersecurityNews
GOLD SALEM Compromise Networks and Bypass Security Solutions to Deploy Warlock Ransomware
The cyberthreat landscape has witnessed the emergence of another sophisticated ransomware operation as GOLD SALEM, a new threat actor group also known as Warlock Group, has been actively compromising ... Read more
-
BleepingComputer
Target-rich environment: Why Microsoft 365 has become the biggest risk
Microsoft 365 has become the central nervous system of modern business — and cybercriminals know it. Just as Windows became the primary target for attackers because of its market dominance in the 1990 ... Read more
-
europa.eu
Cyber Brief 25-09 - August 2025
Cyber Brief (August 2025)September 2, 2025 - Version: 1TLP:CLEARExecutive summaryWe analysed 321 open source reports for this Cyber Brief1.Relating to cyber policy and law enforcement, Ukraine, Romani ... Read more
-
nextron-systems.com
When Best Practices Aren’t Enough: UK Breaches Underscore the Importance of Compromise Assessments
Despite extensive guidance from national authorities, several prominent UK organizations have recently suffered significant cyber attacks. Incidents at Colt Technology Services, Marks & Spencer, and F ... Read more
-
AttackIQ
Emulating the Expedited Warlock Ransomware
Introduction Warlock is a ransomware strain operating under the Ransomware-as-a-Service (RaaS) model that emerged in June 2025, following an advertisement on the Russian Anonymous Marketplace (RAMP) w ... Read more
-
TheCyberThrone
Microst Restricts MAPP with China
The summer of 2025 brought a seismic shift in the way Microsoft engages with the global cybersecurity community. At the heart of the story: a wave of massive attacks against on-premises SharePoint ser ... Read more
-
Daily CyberSecurity
Warlock Ransomware: How a New Group Is Weaponizing Unpatched SharePoint Servers
A newly detailed report from Trend Micro has revealed how the Warlock ransomware group is weaponizing vulnerable Microsoft SharePoint servers in a series of global attacks. The group, which surfaced i ... Read more
-
fortra.com
Warlock ransomware: What you need to know
What is the Warlock?Warlock is a ransomware operation that emerged in 2025, combining the traditional "double extortion" tactics of encrypting victims' files so they cannot be accessed, and threatenin ... Read more
-
Trend Micro
Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware
Key takeaways Warlock ransomware operators exploited vulnerable Microsoft SharePoint servers, using targeted HTTP POST requests to upload web shells, enabling reconnaissance and credential theft. More ... Read more
-
VMRay
July 2025 Detection Highlights: 7 New VMRay Threat Identifiers, Config Extractors for 4 malware families, and 35+ fresh YARA rules.
The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking an ... Read more
-
The Cyber Express
Qilin Remains Top Ransomware Group as Attacks Rise
Qilin continues to stake a claim as the top ransomware group in the wake of the decline of RansomHub earlier this year. In July, Qilin led all ransomware groups in claimed victims for the third time i ... Read more
-
BleepingComputer
Colt Telecom attack claimed by WarLock ransomware, data up for sale
UK-based telecommunications company Colt Technology Services is dealing with a cyberattack that has caused a multi-day outage of some of the company's operations, including hosting and porting service ... Read more
The following table lists the changes that have been made to the
CVE-2025-53770 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Removed Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770 -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 30, 2025
Action Type Old Value New Value Changed Required Action CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. -
Modified Analysis by [email protected]
Jul. 23, 2025
Action Type Old Value New Value Added Reference Type CVE: https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/ Types: Exploit, Press/Media Coverage Added Reference Type CVE: https://news.ycombinator.com/item?id=44629710 Types: Issue Tracking Added Reference Type CVE: https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw Types: Press/Media Coverage -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 22, 2025
Action Type Old Value New Value Added Reference https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/ Added Reference https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 22, 2025
Action Type Old Value New Value Added Reference https://news.ycombinator.com/item?id=44629710 -
Initial Analysis by [email protected]
Jul. 21, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:* *cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:* *cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:* versions up to (excluding) 16.0.18526.20508 Added Reference Type CVE: https://github.com/kaizensecurity/CVE-2025-53770 Types: Exploit Added Reference Type CVE: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ Types: Mitigation, Vendor Advisory Added Reference Type Microsoft Corporation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 Types: Vendor Advisory Added Reference Type CVE: https://research.eye.security/sharepoint-under-siege/ Types: Exploit, Mitigation, Third Party Advisory Added Reference Type CVE: https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally Types: Press/Media Coverage Added Reference Type CVE: https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/ Types: Press/Media Coverage Added Reference Type CVE: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 Types: Mailing List, Third Party Advisory, US Government Resource Added Reference Type CVE: https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/ Types: Press/Media Coverage Added Reference Type CVE: https://x.com/Shadowserver/status/1946900837306868163 Types: Third Party Advisory -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 21, 2025
Action Type Old Value New Value Added Reference https://github.com/kaizensecurity/CVE-2025-53770 Added Reference https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 21, 2025
Action Type Old Value New Value Added Date Added 2025-07-20 Added Due Date 2025-07-21 Added Required Action CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Added Vulnerability Name Microsoft SharePoint Deserialization of Untrusted Data Vulnerability -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 21, 2025
Action Type Old Value New Value Added Reference https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ Added Reference https://research.eye.security/sharepoint-under-siege/ Added Reference https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/ Added Reference https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 Added Reference https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/ Added Reference https://x.com/Shadowserver/status/1946900837306868163 -
New CVE Received by [email protected]
Jul. 20, 2025
Action Type Old Value New Value Added Description Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-502 Added Reference https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770