CVE-2025-53770
CVE-2025-53770 is a critical-severity vulnerability in Microsoft Sharepoint Server with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-07-20). The underlying weakness is classified as CWE-502.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-07-20)
- EU (EUVD) id: EUVD-2025-23309
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-07-20)
- Weakness: CWE-502
- Affected product: Microsoft Sharepoint Server
- Published:
- Last modified:
Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
CVE-2025-53770: Critical SharePoint Server Deserialization RCE Under Active Exploitation
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2025-53770 |
| Published | 2025-07-20 |
| CVSS v3 | 9.8 (CRITICAL) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.99982 (99.98th percentile) |
| KEV Listed | Yes — added 2025-07-20 |
| CWE | CWE-502: Deserialization of Untrusted Data |
| Affected Product | Microsoft SharePoint Server (on-premises) |
Summary
A critical deserialization-of-untrusted-data vulnerability in on-premises Microsoft SharePoint Server enables unauthenticated remote code execution over the network. Microsoft has confirmed that exploits exist in the wild and that a comprehensive security update is still under preparation.
Background
In July 2025, security researchers and Microsoft identified active exploitation of a zero-day vulnerability in on-premises SharePoint Server deployments. The flaw resides in how SharePoint handles deserialization of attacker-controlled data, a historically high-impact vulnerability class in .NET-based enterprise applications. Because SharePoint is commonly exposed to internal networks and often to the internet for hybrid collaboration, the attack surface is significant.
Root Cause
The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. SharePoint Server improperly deserializes data from untrusted sources without adequate validation or sandboxing. In .NET environments, unsafe deserialization can allow attackers to instantiate arbitrary object types, chain gadget methods, and ultimately execute operating-system commands with the privileges of the SharePoint application pool — typically NT AUTHORITY\SYSTEM or an equivalent high-privilege account on Windows Server.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 (CRITICAL):
- Attack Vector: Network — exploitable remotely without local access.
- Attack Complexity: Low — no special conditions or race conditions required.
- Privileges Required: None — unauthenticated exploitation is possible.
- User Interaction: None — fully automated attacks are viable.
- Scope: Unchanged — the vulnerable component is the SharePoint server itself.
- Confidentiality, Integrity, Availability: All rated HIGH.
The near-certain probability of exploitation is underscored by an EPSS of 0.99982 (99.98th percentile), and CISA added the CVE to the Known Exploited Vulnerabilities catalog on the same day it was published.
Exploitation Walkthrough
Ethics caveat: The following description is provided for defensive awareness only. No weaponized exploit code is included. Security professionals should use this knowledge to improve detection and hardening, not to attack systems without authorization.
The attack likely proceeds as follows:
- Reconnaissance: The attacker identifies an on-premises SharePoint Server instance reachable over TCP/443 (or the configured alternate port).
- Payload crafting: The attacker constructs a serialized .NET object payload designed to trigger a gadget chain during deserialization. The specific entry point is a SharePoint endpoint or service that accepts serialized objects without cryptographic signatures or type whitelisting.
- Delivery: The payload is transmitted over HTTP(S) to the vulnerable endpoint. Because no authentication or user interaction is required, the request can be sent directly by the attacker.
- Execution: SharePoint deserializes the payload, the gadget chain executes within the application worker process, and the attacker gains remote code execution with the privileges of the SharePoint service account.
Defenders should monitor for anomalous serialized object traffic, unexpected process spawning from the SharePoint worker process (w3wp.exe), and outbound network connections originating from the SharePoint server.
Affected and Patched Versions
Affected products (per CPE data):
- Microsoft SharePoint Server — Subscription Edition
- Microsoft SharePoint Server 2016 (Enterprise)
- Microsoft SharePoint Server 2019
Patched versions: As of the last-modified date (2026-06-17), Microsoft has not released a comprehensive security patch. Microsoft has stated that a mitigation is available and a full update is under preparation. Administrators should consult the official Microsoft Security Response Center guidance for the latest patch status.
Remediation
- Apply Microsoft's interim mitigation immediately. Follow the guidance published in the MSRC blog post and CISA alert referenced below.
- Network segmentation: Restrict SharePoint management and farm-tier traffic to dedicated VLANs. Do not expose on-premises SharePoint directly to the internet unless strictly required.
- Web Application Firewall (WAF): Deploy a WAF with rules tuned to detect anomalous serialized object payloads and block requests matching known exploit signatures.
- Least privilege: Ensure the SharePoint application pool identity runs with the minimum privileges necessary. Avoid
NT AUTHORITY\SYSTEMor domain-administrator accounts for application pools. - Monitor for exploitation: Enable process-creation and PowerShell logging on SharePoint servers. Alert on unexpected child processes spawned by
w3wp.exe. - Patch immediately when Microsoft releases the comprehensive update. Given the active exploitation and 9.8 CVSS score, this should be treated as a P0 change-window item.
Detection
- Network: Inspect HTTP(S) traffic to SharePoint for unusually large POST bodies or Content-Type headers associated with binary serialization formats (e.g.,
application/octet-streamcarrying .NET serialized data). - Endpoint: Monitor Windows Event ID 4688 (process creation) for suspicious child processes of
w3wp.exe, such ascmd.exe,powershell.exe, ormshta.exe. - EDR/XDR: Look for anomalous in-memory activity in the SharePoint worker process, including reflective DLL injection or suspicious .NET assembly loads.
- Threat-intelligence feeds: Correlate SharePoint server IPs against known exploit-server indicators shared by CISA and Shadowserver.
Assessment
With an EPSS of 0.99982 and confirmed KEV status, CVE-2025-53770 is not a theoretical risk — it is a near-certain exposure for any reachable, unpatched on-premises SharePoint Server. The absence of a permanent patch at the time of writing makes interim mitigation and detection the only viable defensive layers.
Key lessons:
- Deserialization is a critical attack surface in enterprise .NET applications. Frameworks and products that accept serialized objects from untrusted sources must implement strict type whitelisting or move to safer data formats such as JSON with schema validation.
- Zero-day response velocity matters. The gap between disclosure and patch availability is a window of guaranteed exploitation for high-value enterprise software. Organizations should have pre-approved emergency change processes and network-isolation playbooks ready for such scenarios.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
- https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/
- https://github.com/kaizensecurity/CVE-2025-53770
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- https://news.ycombinator.com/item?id=44629710
- https://research.eye.security/sharepoint-under-siege/
- https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally
- https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
- https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
- https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw
- https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/
- https://x.com/Shadowserver/status/1946900837306868163
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770
Frequently asked questions
- What is CVE-2025-53770?
- Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
- How severe is CVE-2025-53770?
- CVE-2025-53770 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-53770 being actively exploited?
- Yes. CVE-2025-53770 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-07-20, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-53770?
- CVE-2025-53770 primarily affects Microsoft Sharepoint Server. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-53770?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-53770 have an EU (EUVD) identifier?
- Yes. CVE-2025-53770 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-23309. It is also flagged as exploited in the EUVD (since 2025-07-20).
- When was CVE-2025-53770 published?
- CVE-2025-53770 was published on 2025-07-20 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
- https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/
- https://github.com/kaizensecurity/CVE-2025-53770
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- https://news.ycombinator.com/item?id=44629710
- https://research.eye.security/sharepoint-under-siege/
- https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally
- https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
- https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
- https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw
- https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/
- https://x.com/Shadowserver/status/1946900837306868163
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770
Affected products (3)
- cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Sharepoint Server
- CVE-2013-1330 — Critical (CVSS 10.0): The default configuration of Microsoft SharePoint Portal Server 2003 SP3, SharePoint Server 2007 SP3 and 2010 SP1 and…
- CVE-2020-1595 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from…
- CVE-2020-1210 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source…
- CVE-2026-20963 — Critical (CVSS 9.8): Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a…
- CVE-2023-29357 — Critical (CVSS 9.8): Microsoft SharePoint Server Elevation of Privilege Vulnerability
- CVE-2023-21716 — Critical (CVSS 9.8): Microsoft Word Remote Code Execution Vulnerability
All CVEs affecting Microsoft Sharepoint Server →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →