CVE-2025-53770
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability - [Actively Exploited]
Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
INFO
Published Date :
July 20, 2025, 1:15 a.m.
Last Modified :
Oct. 27, 2025, 5:12 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network.
CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 ; https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ ; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53770
Affected Products
The following products are affected by CVE-2025-53770
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Install the latest Microsoft security update.
- Implement the provided mitigation steps.
- Ensure SharePoint Server is updated.
Public PoC/Exploit Available at Github
CVE-2025-53770 has a 96 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-53770.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-53770 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-53770
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Reproducible incident micro-postmortem for on-prem Microsoft SharePoint “ToolShell” (CVE-2025-53770): ATT&CK snapshot, “logs that matter” table, three hunts (KQL/SPL/Sigma), first-4-hours comms, sample data, and figures. Built for fast triage; no org data; SharePoint Online out of scope.
Makefile Python
None
Dockerfile Python JavaScript HTML TypeScript CSS PowerShell Shell
Crawler to get the CVEs
Python
None
None
None
None
Dockerfile Python Makefile Shell
None
list of cve from 2001 to 2024
Python
None
🔍 Scan for potential exposure to the critical SharePoint vulnerability CVE-2025-53770 with this simple and effective tool for authorized testing.
blueteam cve cve-2025-53770 osint pentest poc reconnaissance security-tool sharepoint sharepoint-2016 toolshell vulnerability
Python
None
attack bugbounty cve cve-2025-49706 cve-2025-53770 exploit osint pentest poc postexplotation python reconnaissance security-tool sharepoint sharepoint-2016 sharepoint-exploit toolshell vulnerability
Dockerfile Makefile Go
CVE-2025-53770 实验环境
This repo explores hybrid cloud routing vulnerabilities across Azure, Cisco ISE, SharePoint, NVIDIA Triton AI, and IaC tools. It includes CVE analysis, exploit chaining via PowerShell, and mitigation strategies to secure on-prem and cloud networks from privilege escalation and lateral movement.
None
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-53770 vulnerability anywhere in the article.
-
Kaspersky
Exploits and vulnerabilities in Q3 2025
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulne ... Read more
-
Huntress
Velociraptor Misuse, Pt. II: The Eye of the Storm
Acknowledgements: Special thanks to Ben Folland, Anna Pham, Michael Tigges, and Anton Ovrutsky for contributing to this investigation and writeup. We recently outlined an incident on November 12 where ... Read more
-
DataBreaches.Net
How a noisy ransomware intrusion exposed a long-term espionage foothold
Zeljka Zorz reports: Getting breached by two separate and likely unconnected cyber attack groups is a nightmare scenario for any organization, but can result in an unexpected silver lining: the noisie ... Read more
-
Help Net Security
How a noisy ransomware intrusion exposed a long-term espionage foothold
Getting breached by two separate and likely unconnected cyber attack groups is a nightmare scenario for any organization, but can result in an unexpected silver lining: the noisier intrusion can draw ... Read more
-
The Cloudflare Blog
Get better visibility for the WAF with payload logging
2025-11-247 min readAs the surface area for attacks on the web increases, Cloudflare’s Web Application Firewall (WAF) provides a myriad of solutions to mitigate these attacks. This is great for our c ... Read more
-
Kaspersky
IT threat evolution in Q3 2025. Non-mobile statistics
IT threat evolution in Q3 2025. Mobile statistics IT threat evolution in Q3 2025. Non-mobile statistics Quarterly figures In Q3 2025: Kaspersky solutions blocked more than 389 million attacks that ori ... Read more
-
cloudsecurityalliance.org
SecretPoint: How OneDrive Auto-Sync Turns SharePoint into a Hidden Secrets Vault
Written by Itzik Alvas, Entro Security. One in every five exposed enterprise secrets originated from SharePoint. It wasn’t the result of a zero-day or a sophisticated exploit. Instead, the exposure tr ... Read more
-
CybersecurityNews
Warlock Ransomware Actors Exploiting Sharepoint ToolShell Zero-Day Vulnerability in New Attack Wave
The cybersecurity landscape experienced a significant shift in July 2025 when threat actors associated with Warlock ransomware began exploiting a critical zero-day vulnerability in Microsoft SharePoin ... Read more
-
Daily CyberSecurity
Warlock Ransomware Hits US Firms Exploiting SharePoint Zero-Day, Linked to China’s CamoFei APT
Researchers from Symantec and Carbon Black have published a detailed analysis of Warlock ransomware, a newly emerging threat that made its debut in June 2025 and rapidly gained notoriety after being d ... Read more
-
cybereason.com
Cybereason TTP Briefing Q3 2025: LOLBINs and CVE Exploits Dominate
Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q3 2025, a report built on frontline threat intelligence from ... Read more
-
The Register
Salt Typhoon hit governments on three continents with SharePoint attacks
Security researchers now say more Chinese crews - likely including Salt Typhoon - than previously believed exploited a critical Microsoft SharePoint vulnerability, and used the flaw to target governme ... Read more
-
CybersecurityNews
Chinese Hackers Using ToolShell Vulnerability To Compromise Networks Of Government Agencies
China-based threat actors have exploited the critical ToolShell vulnerability in Microsoft SharePoint servers to infiltrate networks across multiple continents, targeting government agencies and criti ... Read more
-
The Hacker News
Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch
Oct 22, 2025Ravie LakshmananCyber Espionage / Vulnerability Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications com ... Read more
-
BleepingComputer
Sharepoint ToolShell attacks targeted orgs across four continents
Hackers believed to be associated with China have leveraged the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint in attacks targeting government agencies, universities, telecommunicati ... Read more
-
cybereason.com
Addressing the CL0P Extortion Campaign Targeting Oracle E-Business Suite (EBS) Users
Cybereason is continuing to investigate. Check the Cybereason blog for additional updates. Overview and What Cybereason Knows So Far July 2025, Oracle released security updates including 309 patches, ... Read more
-
The Cyber Express
22 Vulnerabilities Under Attack – And Another That Could Be
Cyble researchers detailed 22 vulnerabilities under active attack in a blog post today – and nine of them aren’t in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Twelve of the vulnerabilities ... Read more
-
CybersecurityNews
GOLD SALEM Compromise Networks and Bypass Security Solutions to Deploy Warlock Ransomware
The cyberthreat landscape has witnessed the emergence of another sophisticated ransomware operation as GOLD SALEM, a new threat actor group also known as Warlock Group, has been actively compromising ... Read more
-
BleepingComputer
Target-rich environment: Why Microsoft 365 has become the biggest risk
Microsoft 365 has become the central nervous system of modern business — and cybercriminals know it. Just as Windows became the primary target for attackers because of its market dominance in the 1990 ... Read more
-
europa.eu
Cyber Brief 25-09 - August 2025
Cyber Brief (August 2025)September 2, 2025 - Version: 1TLP:CLEARExecutive summaryWe analysed 321 open source reports for this Cyber Brief1.Relating to cyber policy and law enforcement, Ukraine, Romani ... Read more
-
nextron-systems.com
When Best Practices Aren’t Enough: UK Breaches Underscore the Importance of Compromise Assessments
Despite extensive guidance from national authorities, several prominent UK organizations have recently suffered significant cyber attacks. Incidents at Colt Technology Services, Marks & Spencer, and F ... Read more
The following table lists the changes that have been made to the
CVE-2025-53770 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Oct. 27, 2025
Action Type Old Value New Value Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770 Types: US Government Resource -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Removed Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770 -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 30, 2025
Action Type Old Value New Value Changed Required Action CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. -
Modified Analysis by [email protected]
Jul. 23, 2025
Action Type Old Value New Value Added Reference Type CVE: https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/ Types: Exploit, Press/Media Coverage Added Reference Type CVE: https://news.ycombinator.com/item?id=44629710 Types: Issue Tracking Added Reference Type CVE: https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw Types: Press/Media Coverage -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 22, 2025
Action Type Old Value New Value Added Reference https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/ Added Reference https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 22, 2025
Action Type Old Value New Value Added Reference https://news.ycombinator.com/item?id=44629710 -
Initial Analysis by [email protected]
Jul. 21, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:* *cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:* *cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:* versions up to (excluding) 16.0.18526.20508 Added Reference Type CVE: https://github.com/kaizensecurity/CVE-2025-53770 Types: Exploit Added Reference Type CVE: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ Types: Mitigation, Vendor Advisory Added Reference Type Microsoft Corporation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 Types: Vendor Advisory Added Reference Type CVE: https://research.eye.security/sharepoint-under-siege/ Types: Exploit, Mitigation, Third Party Advisory Added Reference Type CVE: https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally Types: Press/Media Coverage Added Reference Type CVE: https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/ Types: Press/Media Coverage Added Reference Type CVE: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 Types: Mailing List, Third Party Advisory, US Government Resource Added Reference Type CVE: https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/ Types: Press/Media Coverage Added Reference Type CVE: https://x.com/Shadowserver/status/1946900837306868163 Types: Third Party Advisory -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 21, 2025
Action Type Old Value New Value Added Reference https://github.com/kaizensecurity/CVE-2025-53770 Added Reference https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 21, 2025
Action Type Old Value New Value Added Date Added 2025-07-20 Added Due Date 2025-07-21 Added Required Action CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Added Vulnerability Name Microsoft SharePoint Deserialization of Untrusted Data Vulnerability -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 21, 2025
Action Type Old Value New Value Added Reference https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ Added Reference https://research.eye.security/sharepoint-under-siege/ Added Reference https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/ Added Reference https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 Added Reference https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/ Added Reference https://x.com/Shadowserver/status/1946900837306868163 -
New CVE Received by [email protected]
Jul. 20, 2025
Action Type Old Value New Value Added Description Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-502 Added Reference https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770