CVE-2025-53770
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability - [Actively Exploited]
Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
INFO
Published Date :
July 20, 2025, 1:15 a.m.
Last Modified :
July 30, 2025, 1 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network.
CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 ; https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ ; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53770
Affected Products
The following products are affected by CVE-2025-53770
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Install the latest Microsoft security update.
- Implement the provided mitigation steps.
- Ensure SharePoint Server is updated.
Public PoC/Exploit Available at Github
CVE-2025-53770 has a 75 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-53770.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-53770 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-53770
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
MCP server for finding out what level of vulnerability a CVE is
Python
None
CVE-2025-53770 - SharePoint
None
CVE-2025-53770 SharePoint Deserialization Vulnerability Checker
Shell
SharePoint 2025 RCE Exploitation GUI
Python Ruby
A comprehensive penetration testing framework with a modular architecture for security researchers, penetration testers, and ethical hackers.
Python Shell
A comprehensive toolkit for searching CVE vulnerabilities across multiple sources with advanced error handling, rate limiting, and fallback strategies.
Shell Python
None
Python
None
A critical vulnerability in Microsoft SharePoint Server allows unauthenticated remote code execution via deserialization of untrusted data. Microsoft is aware of active exploitation; apply CVE mitigations immediately. Severity: Critical.
None
C#
Collection of attack flows, threat models, and detection strategies for various cybersecurity threats and vulnerabilities
🎯 Vulnerability scanner for SharePoint servers affected by CVE-2025-53770. Detects unsafe deserialization using ToolPane.aspx with a crafted base64+gzip payload. 🛡️ Developed by Ahmed Tamer.
Python
Valhalla API Demo - Python application demonstrating YARA and Sigma rule retrieval from Nextron Systems' Valhalla API
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-53770 vulnerability anywhere in the article.
-
nextron-systems.com
When Best Practices Aren’t Enough: UK Breaches Underscore the Importance of Compromise Assessments
Despite extensive guidance from national authorities, several prominent UK organizations have recently suffered significant cyber attacks. Incidents at Colt Technology Services, Marks & Spencer, and F ... Read more
-
AttackIQ
Emulating the Expedited Warlock Ransomware
Introduction Warlock is a ransomware strain operating under the Ransomware-as-a-Service (RaaS) model that emerged in June 2025, following an advertisement on the Russian Anonymous Marketplace (RAMP) w ... Read more
-
TheCyberThrone
Microst Restricts MAPP with China
The summer of 2025 brought a seismic shift in the way Microsoft engages with the global cybersecurity community. At the heart of the story: a wave of massive attacks against on-premises SharePoint ser ... Read more
-
Daily CyberSecurity
Warlock Ransomware: How a New Group Is Weaponizing Unpatched SharePoint Servers
A newly detailed report from Trend Micro has revealed how the Warlock ransomware group is weaponizing vulnerable Microsoft SharePoint servers in a series of global attacks. The group, which surfaced i ... Read more
-
fortra.com
Warlock ransomware: What you need to know
What is the Warlock?Warlock is a ransomware operation that emerged in 2025, combining the traditional "double extortion" tactics of encrypting victims' files so they cannot be accessed, and threatenin ... Read more
-
Trend Micro
Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware
Key takeaways Warlock ransomware operators exploited vulnerable Microsoft SharePoint servers, using targeted HTTP POST requests to upload web shells, enabling reconnaissance and credential theft. More ... Read more
-
VMRay
July 2025 Detection Highlights: 7 New VMRay Threat Identifiers, Config Extractors for 4 malware families, and 35+ fresh YARA rules.
The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking an ... Read more
-
The Cyber Express
Qilin Remains Top Ransomware Group as Attacks Rise
Qilin continues to stake a claim as the top ransomware group in the wake of the decline of RansomHub earlier this year. In July, Qilin led all ransomware groups in claimed victims for the third time i ... Read more
-
BleepingComputer
Colt Telecom attack claimed by WarLock ransomware, data up for sale
UK-based telecommunications company Colt Technology Services is dealing with a cyberattack that has caused a multi-day outage of some of the company's operations, including hosting and porting service ... Read more
-
CybersecurityNews
Qilin Ransomware Leads The Attack Landscape With 70+ Claimed Victims in July
The ransomware threat landscape witnessed a concerning surge in July 2025, with the Qilin ransomware group maintaining its dominant position for the third time in four months. The group successfully c ... Read more
-
CybersecurityNews
Canada’s House of Commons Hit by Cyberattack Exploiting Recent Microsoft vulnerability
A cyberattack hit the Canadian House of Commons on August 9, 2025, when threat actors exploited a recently disclosed Microsoft vulnerability to gain unauthorized access to sensitive employee informati ... Read more
-
BleepingComputer
Canada’s House of Commons investigating data breach after cyberattack
The House of Commons of Canada is currently investigating a data breach after a threat actor reportedly stole employee information in a cyberattack on Friday. While the lower house of the Parliament o ... Read more
-
Help Net Security
Microsoft fixes “BadSuccessor” Kerberos vulnerability (CVE-2025-53779)
For August 2025 Patch Tuesday, Microsoft has released security updates resolving 100+ security vulnerabilities in its various solutions, including a relative path traversal flaw in Windows Kerberos (C ... Read more
-
Help Net Security
From legacy to SaaS: Why complexity is the enemy of enterprise security
In this Help Net Security interview, Robert Buljevic, Technology Consultant at Bridge IT, discusses how the coexistence of legacy systems and SaaS applications is changing the way organizations approa ... Read more
-
Help Net Security
August 2025 Patch Tuesday forecast: Try, try, again
July turned into a surprisingly busy month. It started slowly with a fairly ‘calm’ Patch Tuesday as I forecasted in my last blog. Although there were 130 new CVEs addressed across all the Microsoft re ... Read more
-
The Register
CISA releases malware analysis for Sharepoint Server attack
CISA has published a malware analysis report with compromise indicators and Sigma rules for "ToolShell" attacks targeting specific Microsoft SharePoint Server versions. "Cyber threat actors have chain ... Read more
-
security.nl
VS deelt informatie over malware aangetroffen bij SharePoint-aanvallen
Het Amerikaanse cyberagentschap CISA heeft informatie gedeeld over malware die bij recente aanvallen tegen Microsoft SharePoint-servers is aangetroffen. Met de informatie kunnen organisaties kijken of ... Read more
-
Daily CyberSecurity
CISA Warns of “ToolShell”: Critical Exploit Chain Hits SharePoint Servers, Bypasses Authentication
The Cybersecurity and Infrastructure Security Agency (CISA) has released an in-depth Malware Analysis Report warning of a sophisticated exploitation campaign targeting on-premises Microsoft SharePoint ... Read more
-
CybersecurityNews
Chinese Hackers Exploit SharePoint Vulnerabilities to Deploy Toolsets Includes Backdoor, Ransomware and Loaders
A sophisticated Chinese threat actor has been exploiting critical vulnerabilities in Microsoft SharePoint to deploy an advanced malware toolset dubbed “Project AK47,” according to new research publish ... Read more
-
BleepingComputer
The Heat Wasn't Just Outside: Cyber Attacks Spiked in Summer 2025
Summer 2025 wasn't just hot; it was relentless. Ransomware hammered hospitals, retail giants suffered data breaches, insurance firms were hit by phishing, and nation-state actors launched disruptive c ... Read more
The following table lists the changes that have been made to the
CVE-2025-53770 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 30, 2025
Action Type Old Value New Value Changed Required Action CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. -
Modified Analysis by [email protected]
Jul. 23, 2025
Action Type Old Value New Value Added Reference Type CVE: https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/ Types: Exploit, Press/Media Coverage Added Reference Type CVE: https://news.ycombinator.com/item?id=44629710 Types: Issue Tracking Added Reference Type CVE: https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw Types: Press/Media Coverage -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 22, 2025
Action Type Old Value New Value Added Reference https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/ Added Reference https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 22, 2025
Action Type Old Value New Value Added Reference https://news.ycombinator.com/item?id=44629710 -
Initial Analysis by [email protected]
Jul. 21, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:* *cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:* *cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:* versions up to (excluding) 16.0.18526.20508 Added Reference Type CVE: https://github.com/kaizensecurity/CVE-2025-53770 Types: Exploit Added Reference Type CVE: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ Types: Mitigation, Vendor Advisory Added Reference Type Microsoft Corporation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 Types: Vendor Advisory Added Reference Type CVE: https://research.eye.security/sharepoint-under-siege/ Types: Exploit, Mitigation, Third Party Advisory Added Reference Type CVE: https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally Types: Press/Media Coverage Added Reference Type CVE: https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/ Types: Press/Media Coverage Added Reference Type CVE: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 Types: Mailing List, Third Party Advisory, US Government Resource Added Reference Type CVE: https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/ Types: Press/Media Coverage Added Reference Type CVE: https://x.com/Shadowserver/status/1946900837306868163 Types: Third Party Advisory -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 21, 2025
Action Type Old Value New Value Added Reference https://github.com/kaizensecurity/CVE-2025-53770 Added Reference https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 21, 2025
Action Type Old Value New Value Added Date Added 2025-07-20 Added Due Date 2025-07-21 Added Required Action CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Added Vulnerability Name Microsoft SharePoint Deserialization of Untrusted Data Vulnerability -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jul. 21, 2025
Action Type Old Value New Value Added Reference https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ Added Reference https://research.eye.security/sharepoint-under-siege/ Added Reference https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/ Added Reference https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 Added Reference https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/ Added Reference https://x.com/Shadowserver/status/1946900837306868163 -
New CVE Received by [email protected]
Jul. 20, 2025
Action Type Old Value New Value Added Description Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-502 Added Reference https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770