Known Exploited Vulnerability
9.8
CRITICAL
CVE-2025-53770
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability - [Actively Exploited]
Description

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

INFO

Published Date :

July 20, 2025, 1:15 a.m.

Last Modified :

July 22, 2025, 3:15 a.m.

Remotely Exploitable :

Yes

Impact Score :

5.9

Exploitability Score :

3.9
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network.

Required Action :

CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Notes :

CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 ; https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ ; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53770

Public PoC/Exploit Available at Github

CVE-2025-53770 has 26 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by the CVE-2025-53770 vulnerability. Even if cvefeed.io is aware of the exact affected versions of these products, that information is not represented in the table below.

ID Vendor Product Action
1 Microsoft sharepoint_server
2 Microsoft sharepoint_server_2016
3 Microsoft sharepoint_server_2019
References to Advisories, Solutions, and Tools

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by the most recently updated).

None

Python ASP.NET

Updated: 2 hours, 26 minutes ago
0 stars 0 forks 0 watchers
Born at : July 22, 2025, 10:51 a.m. This repo has also been linked to 1 different CVE.

None

Python

Updated: 9 hours, 35 minutes ago
0 stars 0 forks 0 watchers
Born at : July 22, 2025, 4:26 a.m. This repo has also been linked to 1 different CVE.

None

PowerShell

Updated: 18 hours, 29 minutes ago
0 stars 0 forks 0 watchers
Born at : July 21, 2025, 7:32 p.m. This repo has also been linked to 3 different CVEs.

Checks whether an on-premises SharePoint server is vulnerable to CVE-2025-53770

Python

Updated: 19 hours, 10 minutes ago
0 stars 0 forks 0 watchers
Born at : July 21, 2025, 6:43 p.m. This repo has also been linked to 3 different CVEs.

Hunting for Critical SharePoint Vulnerability CVE-2025-53770

Updated: 21 hours, 33 minutes ago
0 stars 0 forks 0 watchers
Born at : July 21, 2025, 4:29 p.m. This repo has also been linked to 1 different CVE.

None

Python

Updated: 21 hours, 42 minutes ago
0 stars 0 forks 0 watchers
Born at : July 21, 2025, 4:16 p.m. This repo has also been linked to 1 different CVE.

Scanner for the SharePoint CVE-2025-53770 RCE zero day vulnerability.

cve poc sharepoint cve-2025-53770

Go Dockerfile Makefile

Updated: 2 hours, 50 minutes ago
9 stars 2 forks 2 watchers
Born at : July 21, 2025, 2:19 p.m. This repo has also been linked to 2 different CVEs.

SharePoint WebPart Injection Exploit Tool

Python

Updated: 2 hours, 50 minutes ago
96 stars 28 forks 28 watchers
Born at : July 21, 2025, 1:48 p.m. This repo has also been linked to 1 different CVE.

A comprehensive security monitoring solution for SharePoint Server with specific protection against CVE-2025-53770 and other threats

PowerShell

Updated: 1 day ago
0 stars 1 fork 1 watcher
Born at : July 21, 2025, 12:52 p.m. This repo has also been linked to 1 different CVE.

Detects unauthenticated POST requests to ToolPane.aspx with a SignOut.aspx referer, observed in exploitation of CVE-2025-53770 against SharePoint

Updated: 1 day, 2 hours ago
0 stars 0 forks 0 watchers
Born at : July 21, 2025, 11:16 a.m. This repo has also been linked to 1 different CVE.

POC

Updated: 2 hours, 41 minutes ago
21 stars 10 forks 10 watchers
Born at : July 21, 2025, 6:39 a.m. This repo has also been linked to 1 different CVE.

This PowerShell script detects indicators of compromise for CVE-2025-53770 — a critical RCE vulnerability in Microsoft SharePoint. Created by @n1chr0x and @BlackRazer67

PowerShell

Updated: 1 day, 7 hours ago
0 stars 1 fork 1 watcher
Born at : July 21, 2025, 6:29 a.m. This repo has also been linked to 1 different CVE.

None

PowerShell Shell

Updated: 1 day, 7 hours ago
0 stars 0 forks 0 watchers
Born at : July 21, 2025, 5:21 a.m. This repo has also been linked to 1 different CVE.

A critical zero-day vulnerability CVE‑2025‑53770 has been actively exploited in the wild against on-premises Microsoft SharePoint Server. Dubbed "ToolShell," this exploit leverages a deserialization flaw (variant of CVE‑2025‑49706, CVSS: 6.3).

Updated: 1 day, 9 hours ago
0 stars 2 forks 2 watchers
Born at : July 21, 2025, 4:41 a.m. This repo has also been linked to 1 different CVE.

Threat Intelligence findings, advisories and indicators

Updated: 1 day, 14 hours ago
0 stars 0 forks 0 watchers
Born at : July 20, 2025, 11:24 p.m. This repo has also been linked to 1 different CVE.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2025-53770 vulnerability anywhere in the article.

  • security.nl
Microsoft also patches actively attacked flaw in SharePoint Server 2016

Microsoft has also fixed an actively attacked vulnerability in SharePoint Server 2016. Last Sunday, security updates were already released for SharePoint Server 2019 and SharePoint Subscripti ... Read more

Published Date: Jul 22, 2025 (5 hours, 56 minutes ago)
  • CrowdStrike.com
CrowdStrike Detects and Blocks Widespread SharePoint Zero-Day Exploitation

Beginning on July 18, 2025, at approximately 0700 UTC, CrowdStrike Falcon® Complete Next-Gen MDR and CrowdStrike Falcon® Adversary OverWatch™ identified a wave of Microsoft SharePoint exploitation att ... Read more

Published Date: Jul 22, 2025 (6 hours, 18 minutes ago)
  • CybersecurityNews
Microsoft Releases Mitigations and Threat Hunting Queries for SharePoint Zero-Day

Thousands of organizations worldwide face active cyberattacks targeting Microsoft SharePoint servers through two critical vulnerabilities, prompting urgent government warnings and emergency patches. M ... Read more

Published Date: Jul 22, 2025 (7 hours, 50 minutes ago)
  • Trend Micro
Proactive Security and Insights for SharePoint Attacks (CVE-2025-53770 and CVE-2025-53771)

Exploits & Vulnerabilities CVE-2025-53770 and CVE-2025-53771 are vulnerabilities in on-premise Microsoft SharePoint Servers that evolved from previously patched flaws, allowing unauthenticated remote ... Read more

Published Date: Jul 22, 2025 (14 hours, 3 minutes ago)
  • The Register
Another massive security snafu hits Microsoft, but don't expect it to stick

comment Here we go again. Another major Microsoft attack, with this one seeing someone — most likely government-backed hackers — exploiting a zero-day bug in SharePoint Server that Redmond failed to f ... Read more

Published Date: Jul 21, 2025 (18 hours, 5 minutes ago)
  • Ars Technica
SharePoint vulnerability with 9.8 severity rating under exploit across globe

ASSUME COMPROMISE Ongoing attacks are allowing hackers to steal credentials giving privileged access. Authorities and researchers are sounding the alarm over the active mass exploitation of a high-sev ... Read more

Published Date: Jul 21, 2025 (18 hours, 33 minutes ago)
  • krebsonsecurity.com
Microsoft Fix Targets Attacks on SharePoint Zero-Day

On Sunday, July 20, Microsoft Corp. issued an emergency security update for a vulnerability in SharePoint Server that is actively being exploited to compromise vulnerable organizations. The patch come ... Read more

Published Date: Jul 21, 2025 (23 hours, 17 minutes ago)
  • Kaspersky
Update Microsoft SharePoint ASAP | Kaspersky official blog

Unknown malefactors are actively attacking companies that use SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. By exploiting a chain of two vulnerabilities – ... Read more

Published Date: Jul 21, 2025 (1 day, 1 hour ago)
  • CybersecurityNews
CISA Warns of Microsoft SharePoint Server 0-Day RCE Vulnerability Exploited in Wild

CISA has issued an urgent warning about a critical zero-day remote code execution vulnerability affecting Microsoft SharePoint Server on-premises installations that threat actors are actively exploiti ... Read more

Published Date: Jul 21, 2025 (1 day, 2 hours ago)
  • Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
Microsoft Confirms Hackers Exploiting SharePoint Flaws, Patch Now

Microsoft has released new security updates to fix two serious vulnerabilities affecting on-premises SharePoint servers, warning that attackers are already exploiting them in active campaigns. The vul ... Read more

Published Date: Jul 21, 2025 (1 day, 2 hours ago)
  • The Register
Microsoft patches under-attack SharePoint 2019 and SE

Microsoft is releasing out-of-band security updates for SharePoint Server 2019 and SharePoint Server Subscription Edition, following a warning that vulnerable versions were now under attack. If AMSI c ... Read more

Published Date: Jul 21, 2025 (1 day, 4 hours ago)
  • CybersecurityNews
Microsoft Released Emergency Security Update to Patch Critical SharePoint 0-Day Vulnerability

Microsoft has issued an urgent security advisory addressing critical zero-day vulnerabilities in on-premises SharePoint Server that attackers are actively exploiting. The vulnerabilities, assigned as ... Read more

Published Date: Jul 21, 2025 (1 day, 6 hours ago)
  • security.nl
NCSC and Microsoft warn of active exploitation of SharePoint flaw

Monday, July 21, 2025, 09:24, by the editors, 18 comments. Last updated: Yesterday, 16:40. The National Cyber Security Centre (NCSC), Microsoft and the US cyber agency CISA warn of ... Read more

Published Date: Jul 21, 2025 (1 day, 6 hours ago)
  • The Cyber Express
Zero-Day Vulnerability Hits Microsoft SharePoint, Urgent Patch Issued

Microsoft has issued a warning about active cyberattacks targeting on-premises SharePoint servers widely used by government agencies and businesses. The cyberattacks exploit a zero-day vulnerability t ... Read more

Published Date: Jul 21, 2025 (1 day, 7 hours ago)
  • BleepingComputer
Microsoft releases emergency patches for SharePoint RCE flaws exploited in attacks

Microsoft has released emergency SharePoint security updates for two zero-day vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771 that have compromised services worldwide in "ToolShell" attac ... Read more

Published Date: Jul 21, 2025 (1 day, 9 hours ago)
  • The Hacker News
Microsoft Releases Urgent Patch for SharePoint RCE Flaw Exploited in Ongoing Cyber Attacks

Microsoft on Sunday released security patches for an actively exploited security flaw in SharePoint and also released details of another vulnerability that it said has been addressed with "more robust ... Read more

Published Date: Jul 21, 2025 (1 day, 10 hours ago)
  • TheCyberThrone
CISA adds CVE-2025-53770 SharePoint Vulnerability to KEV

July 21, 2025SummaryA critical remote code execution (RCE) vulnerability has been discovered in Microsoft SharePoint Server (on-premises versions only). The vulnerability, tracked as CVE-2025-53770, a ... Read more

Published Date: Jul 21, 2025 (1 day, 11 hours ago)
  • Daily CyberSecurity
ToolShell: New SharePoint RCE Zero-Day Chain Under Active Global Exploitation

Image: CODE WHITE GmbH On the evening of July 18, 2025, Eye Security identified an active, large-scale exploitation of a newly discovered Microsoft SharePoint remote code execution (RCE) vulnerability ... Read more

Published Date: Jul 21, 2025 (1 day, 13 hours ago)
  • The Register
Microsoft patches failed to fix on-prem SharePoint, which is now under zero-day attack

Infosec In Brief Microsoft has warned users of SharePoint Server that three on-prem versions of the product include a zero-day flaw that is under attack – and that its own failure to completely fix pa ... Read more

Published Date: Jul 21, 2025 (1 day, 13 hours ago)
  • Help Net Security
Microsoft SharePoint servers under attack via zero-day vulnerability with no patch (CVE-2025-53770)

Attackers are exploiting a zero-day variant (CVE-2025-53770) of a SharePoint remote code execution vulnerability (CVE-2025-49706) that Microsoft patched earlier this month, the company has confirmed o ... Read more

Published Date: Jul 20, 2025 (1 day, 17 hours ago)
  • CybersecurityNews
Weekly Cybersecurity Newsletter: Chrome 0-Day, VMware Flaws Patched, Fortiweb Hack, Teams Abuse, and More

It’s been a busy seven days for security alerts. Google is addressing another actively exploited zero-day in Chrome, and VMware has rolled out key patches for its own set of vulnerabilities. We’ll als ... Read more

Published Date: Jul 20, 2025 (1 day, 21 hours ago)
  • BleepingComputer
Microsoft SharePoint zero-day exploited in RCE attacks, no patch available

A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, has been actively exploited since at least July 18th, with no patch available and at least 85 servers already comp ... Read more

Published Date: Jul 20, 2025 (1 day, 22 hours ago)
  • The Hacker News
Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Global Organizations

Jul 20, 2025Ravie LakshmananZero-Day / Vulnerability A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an "active, large-scale" exploitation campaign. T ... Read more

Published Date: Jul 20, 2025 (2 days, 4 hours ago)
  • CybersecurityNews
SharePoint 0-Day RCE Vulnerability Actively Exploited in the Wild to Gain Full Server Access

A sophisticated cyberattack campaign targeting Microsoft SharePoint servers has been discovered exploiting a newly weaponized vulnerability chain dubbed “ToolShell,” enabling attackers to gain complet ... Read more

Published Date: Jul 20, 2025 (2 days, 9 hours ago)
  • Daily CyberSecurity
SharePoint Server Under Active Zero-Day Attack (CVE-2025-53770, CVSS 9.8), No Patch Yet!

Microsoft has issued an urgent security advisory for on-premises SharePoint Server customers in response to active exploitation of a critical remote code execution (RCE) vulnerability. The issue—now t ... Read more

Published Date: Jul 20, 2025 (2 days, 11 hours ago)

The following table lists the changes that have been made to the CVE-2025-53770 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Jul. 22, 2025

    Action Type Old Value New Value
    Added Reference https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/
    Added Reference https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Jul. 22, 2025

    Action Type Old Value New Value
    Added Reference https://news.ycombinator.com/item?id=44629710
  • Initial Analysis by [email protected]

    Jul. 21, 2025

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:* *cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:* *cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:* versions up to (excluding) 16.0.18526.20508
    Added Reference Type CVE: https://github.com/kaizensecurity/CVE-2025-53770 Types: Exploit
    Added Reference Type CVE: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ Types: Mitigation, Vendor Advisory
    Added Reference Type Microsoft Corporation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 Types: Vendor Advisory
    Added Reference Type CVE: https://research.eye.security/sharepoint-under-siege/ Types: Exploit, Mitigation, Third Party Advisory
    Added Reference Type CVE: https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally Types: Press/Media Coverage
    Added Reference Type CVE: https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/ Types: Press/Media Coverage
    Added Reference Type CVE: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 Types: Mailing List, Third Party Advisory, US Government Resource
    Added Reference Type CVE: https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/ Types: Press/Media Coverage
    Added Reference Type CVE: https://x.com/Shadowserver/status/1946900837306868163 Types: Third Party Advisory
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Jul. 21, 2025

    Action Type Old Value New Value
    Added Reference https://github.com/kaizensecurity/CVE-2025-53770
    Added Reference https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jul. 21, 2025

    Action Type Old Value New Value
    Added Date Added 2025-07-20
    Added Due Date 2025-07-21
    Added Required Action CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
    Added Vulnerability Name Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Jul. 21, 2025

    Action Type Old Value New Value
    Added Reference https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
    Added Reference https://research.eye.security/sharepoint-under-siege/
    Added Reference https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
    Added Reference https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
    Added Reference https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/
    Added Reference https://x.com/Shadowserver/status/1946900837306868163
  • New CVE Received by [email protected]

    Jul. 20, 2025

    Action Type Old Value New Value
    Added Description Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-502
    Added Reference https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-53770 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-53770 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
© cvefeed.io
Latest DB Update: Jul. 22, 2025 14:03