CVE-2025-53770:
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows remote code execution.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8Critical- Published Date:Jul 20, 2025
- CISA KEV Date:Jul 20, 2025
- Industries Affected:20
Threat Predictions
- EPSS Score:89.9
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows remote code execution.
Overview
CVE-2025-53770 represents a critical remote code execution risk arising from deserialization of untrusted data in on-premises SharePoint Server deployments. Affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, with specific vulnerable version ranges defined by the advisory. The issue is classified under CWE-502, Deserialization of Untrusted Data. Microsoft confirms that exploits are present in the wild and that a fix is forthcoming; the advisory emphasizes immediate mitigations to protect affected systems. The vulnerability has a CVSS v3.1 base score of 9.8, indicating a high-severity impact with network attack potential and no required user interaction.
Remediation
- Apply the fixes and mitigations provided by Microsoft as soon as they are available, upgrading to non-vulnerable builds: for SharePoint Enterprise Server 2016, version 16.0.5513.1001 or newer; for SharePoint Server 2019, version 16.0.10417.20037 or newer; and for SharePoint Server Subscription Edition, version 16.0.18526.20508 or newer. In addition to patching, implement the mitigation guidance in the advisory to reduce exposure, limit network access to affected servers, deploy network segmentation or firewall protections, monitor for indicators of compromise, and verify patch deployment across environments. Consider protective measures such as web application firewall rules and enhanced monitoring to detect deserialization activity until patches are fully in place.
References
- 1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
- 2. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770
- 3. https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- 4. https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
- 5. https://research.eye.security/sharepoint-under-siege/
- 6. https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
- 7. https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/
- 8. https://x.com/Shadowserver/status/1946900837306868163
- 9. https://github.com/kaizensecurity/CVE-2025-53770
- 10. https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally
- 11. https://news.ycombinator.com/item?id=44629710
- 12. https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/
- 13. https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw
- 14. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770&filters=%7B%22type%22%3A%22VULNERABILITY%22%7D
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
