CVE-2025-53770

CVE-2025-53770 is a critical-severity vulnerability in Microsoft Sharepoint Server with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-07-20). The underlying weakness is classified as CWE-502.

Key facts

Description

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

CVE-2025-53770: Critical SharePoint Server Deserialization RCE Under Active Exploitation

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2025-53770
Published 2025-07-20
CVSS v3 9.8 (CRITICAL)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.99982 (99.98th percentile)
KEV Listed Yes — added 2025-07-20
CWE CWE-502: Deserialization of Untrusted Data
Affected Product Microsoft SharePoint Server (on-premises)

Summary

A critical deserialization-of-untrusted-data vulnerability in on-premises Microsoft SharePoint Server enables unauthenticated remote code execution over the network. Microsoft has confirmed that exploits exist in the wild and that a comprehensive security update is still under preparation.

Background

In July 2025, security researchers and Microsoft identified active exploitation of a zero-day vulnerability in on-premises SharePoint Server deployments. The flaw resides in how SharePoint handles deserialization of attacker-controlled data, a historically high-impact vulnerability class in .NET-based enterprise applications. Because SharePoint is commonly exposed to internal networks and often to the internet for hybrid collaboration, the attack surface is significant.

Root Cause

The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. SharePoint Server improperly deserializes data from untrusted sources without adequate validation or sandboxing. In .NET environments, unsafe deserialization can allow attackers to instantiate arbitrary object types, chain gadget methods, and ultimately execute operating-system commands with the privileges of the SharePoint application pool — typically NT AUTHORITY\SYSTEM or an equivalent high-privilege account on Windows Server.

Impact

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 (CRITICAL):

  • Attack Vector: Network — exploitable remotely without local access.
  • Attack Complexity: Low — no special conditions or race conditions required.
  • Privileges Required: None — unauthenticated exploitation is possible.
  • User Interaction: None — fully automated attacks are viable.
  • Scope: Unchanged — the vulnerable component is the SharePoint server itself.
  • Confidentiality, Integrity, Availability: All rated HIGH.

The near-certain probability of exploitation is underscored by an EPSS of 0.99982 (99.98th percentile), and CISA added the CVE to the Known Exploited Vulnerabilities catalog on the same day it was published.

Exploitation Walkthrough

Ethics caveat: The following description is provided for defensive awareness only. No weaponized exploit code is included. Security professionals should use this knowledge to improve detection and hardening, not to attack systems without authorization.

The attack likely proceeds as follows:

  1. Reconnaissance: The attacker identifies an on-premises SharePoint Server instance reachable over TCP/443 (or the configured alternate port).
  2. Payload crafting: The attacker constructs a serialized .NET object payload designed to trigger a gadget chain during deserialization. The specific entry point is a SharePoint endpoint or service that accepts serialized objects without cryptographic signatures or type whitelisting.
  3. Delivery: The payload is transmitted over HTTP(S) to the vulnerable endpoint. Because no authentication or user interaction is required, the request can be sent directly by the attacker.
  4. Execution: SharePoint deserializes the payload, the gadget chain executes within the application worker process, and the attacker gains remote code execution with the privileges of the SharePoint service account.

Defenders should monitor for anomalous serialized object traffic, unexpected process spawning from the SharePoint worker process (w3wp.exe), and outbound network connections originating from the SharePoint server.

Affected and Patched Versions

Affected products (per CPE data):

  • Microsoft SharePoint Server — Subscription Edition
  • Microsoft SharePoint Server 2016 (Enterprise)
  • Microsoft SharePoint Server 2019

Patched versions: As of the last-modified date (2026-06-17), Microsoft has not released a comprehensive security patch. Microsoft has stated that a mitigation is available and a full update is under preparation. Administrators should consult the official Microsoft Security Response Center guidance for the latest patch status.

Remediation

  1. Apply Microsoft's interim mitigation immediately. Follow the guidance published in the MSRC blog post and CISA alert referenced below.
  2. Network segmentation: Restrict SharePoint management and farm-tier traffic to dedicated VLANs. Do not expose on-premises SharePoint directly to the internet unless strictly required.
  3. Web Application Firewall (WAF): Deploy a WAF with rules tuned to detect anomalous serialized object payloads and block requests matching known exploit signatures.
  4. Least privilege: Ensure the SharePoint application pool identity runs with the minimum privileges necessary. Avoid NT AUTHORITY\SYSTEM or domain-administrator accounts for application pools.
  5. Monitor for exploitation: Enable process-creation and PowerShell logging on SharePoint servers. Alert on unexpected child processes spawned by w3wp.exe.
  6. Patch immediately when Microsoft releases the comprehensive update. Given the active exploitation and 9.8 CVSS score, this should be treated as a P0 change-window item.

Detection

  • Network: Inspect HTTP(S) traffic to SharePoint for unusually large POST bodies or Content-Type headers associated with binary serialization formats (e.g., application/octet-stream carrying .NET serialized data).
  • Endpoint: Monitor Windows Event ID 4688 (process creation) for suspicious child processes of w3wp.exe, such as cmd.exe, powershell.exe, or mshta.exe.
  • EDR/XDR: Look for anomalous in-memory activity in the SharePoint worker process, including reflective DLL injection or suspicious .NET assembly loads.
  • Threat-intelligence feeds: Correlate SharePoint server IPs against known exploit-server indicators shared by CISA and Shadowserver.

Assessment

With an EPSS of 0.99982 and confirmed KEV status, CVE-2025-53770 is not a theoretical risk — it is a near-certain exposure for any reachable, unpatched on-premises SharePoint Server. The absence of a permanent patch at the time of writing makes interim mitigation and detection the only viable defensive layers.

Key lessons:

  1. Deserialization is a critical attack surface in enterprise .NET applications. Frameworks and products that accept serialized objects from untrusted sources must implement strict type whitelisting or move to safer data formats such as JSON with schema validation.
  2. Zero-day response velocity matters. The gap between disclosure and patch availability is a window of guaranteed exploitation for high-value enterprise software. Organizations should have pre-approved emergency change processes and network-isolation playbooks ready for such scenarios.

References

Frequently asked questions

What is CVE-2025-53770?
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
How severe is CVE-2025-53770?
CVE-2025-53770 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2025-53770 being actively exploited?
Yes. CVE-2025-53770 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-07-20, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2025-53770?
CVE-2025-53770 primarily affects Microsoft Sharepoint Server. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2025-53770?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2025-53770 have an EU (EUVD) identifier?
Yes. CVE-2025-53770 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-23309. It is also flagged as exploited in the EUVD (since 2025-07-20).
When was CVE-2025-53770 published?
CVE-2025-53770 was published on 2025-07-20 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Microsoft Sharepoint Server

All CVEs affecting Microsoft Sharepoint Server →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →