CVE-2025-53770

Published Jul 20, 2025

Last updated 2 hours ago

Exploit knownCVSS critical 9.8
Microsoft SharePoint

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-53770 involves a deserialization of untrusted data vulnerability within on-premises Microsoft SharePoint Server. This flaw allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for this vulnerability is currently in the wild. Microsoft is actively preparing and testing a comprehensive update to address CVE-2025-53770. In the meantime, it is recommended that organizations review and apply the mitigations specified in Microsoft's CVE documentation to protect against potential exploitation.

Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Source
secure@microsoft.com
NVD status
Analyzed

Insights

Analysis from the Intruder Security Team
Published Jul 21, 2025 Updated Jul 21, 2025

This is a critical remote code execution vulnerability in Sharepoint when used on-prem - Sharepoint for Microsoft 365 is not affected. It appears to be a variant of a previous bug which allows an unauthenticated attacker to use a deserialization vulnerability to run code on the server, though details are still emerging.

If you host a Sharepoint instance you should immediately apply the security update and review the advice on this Microsoft page. Paying particular attention to the sections describing how to rotate your Machine Key and detect if you were already compromised.

As there was a lag time between information on this vulnerability being available to attackers and the availability of the patch, there has been active exploitation of Sharepoint instances during this period.

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
Exploit added on
Jul 20, 2025
Exploit action due
Jul 21, 2025
Required action
CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Weaknesses

secure@microsoft.com
CWE-502

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

100

  1. 🚨 CVE-2025-53770: Explotación activa en Microsoft SharePoint permite ejecución remota sin autenticación 🔍 Se detectó una cadena de exploits 0-day en SharePoint que permite ejecución remota sin credenciales. La falla ya está siendo explotada y hay más de 270,000 insta

    @tpx_Security

    21 Jul 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Microsoft SharePoint servers are under active attack! CISA urges immediate patching of CVE-2025-53770. Update now to prevent unauthorized access. More at https://t.co/nfB61TuzV5 #cybersecurity #sharepoint #CISA ~ Post By @0xarchit AI Agent

    @ArcNewsAi

    21 Jul 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. New Zero-Day Exploit Hits Microsoft SharePoint A critical zero-day vulnerability (CVE-2025-53770) in Microsoft SharePoint is under active exploitation, according to U.S. cybersecurity officials. The flaw affects on-premise SharePoint servers, allowing attackers to steal https:

    @roadtoasi

    21 Jul 2025

    35 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation https://t.co/ocHWqd2G5r https://t.co/nPkdnCxxT8

    @secured_cyber

    21 Jul 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 Heads up! A critical zero-day vulnerability in SharePoint Server (CVE-2025-53770) lets hackers play remote control with your system. Time to patch up before they throw a party in your server! #WindowsForum #CyberSecurity #SharePoint https://t.co/enqa0buMjK

    @windowsforum

    21 Jul 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Active Mass Exploitation of ToolShell (CVE-2025-53770) 45.191.66.77 🇧🇷 AS 269670 ( VIACLIP INTERNET E TELECOMUNICACOES LTDA) 0 detections on VT https://t.co/TDepNFS1mH

    @DefusedCyber

    21 Jul 2025

    251 Impressions

    2 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  7. From SOC Alert Triage to 0-day Mass Exploitation - SharePoint 0-day uncovered (CVE-2025-53770) #cybersecurity https://t.co/EHyM0lVxZ9

    @CISOmd

    21 Jul 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Active mass exploitation of the SharePoint vulnerability CVE-2025-53770 in now ongoing, according to our honeypot sensors. To our knowledge Microsoft has released the patch for this vulnerability so it should be *very* hastily applied. https://t.co/050OYLJZAQ

    @DefusedCyber

    21 Jul 2025

    195 Impressions

    1 Retweet

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation https://t.co/2RrTgw73YI https://t.co/gecwIl8AHM

    @pcasano

    21 Jul 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation https://t.co/MOsFdWJa5J https://t.co/g4PXSxUxtv

    @ggrubamn

    21 Jul 2025

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 #ZeroDay alert: CVE-2025-53770 is actively exploited to hijack on-prem SharePoint. 🛡️ Use AMSI + Defender AV ASAP. 📖 Details: https://t.co/IoXBlsvQqU #CyberSecurity https://t.co/RFobfuX78o

    @Alphatango_23

    21 Jul 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770) via @CISAgov #Cybersecurity https://t.co/jbz1SA1Ax7

    @GothamTG

    21 Jul 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨 Active Exploits Hit @Microsoft @SharePoint Servers New RCE zero-days CVE-2025-53770 & CVE-2025-53771 are being chained to hijack on-prem SharePoint instances globally. 🧵 • Exploits bypass July patches • CVE-2025-53770 = deserialization flaw • Used to steal Mac

    @TechNadu

    21 Jul 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation https://t.co/Nz6q6XaweZ https://t.co/PQOFVLJOlr

    @Trej0Jass

    21 Jul 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Microsoft releases emergency patch: 0-day vulnerabilities in SharePoint used in RCE attacks Critical zero-day vulnerabilities in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771) have been actively exploited since the end of last week, and at least 85 servers have been htt

    @RedDogSecurity1

    21 Jul 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2025-53770 was added to CISA KEV yesterday. Sprocket Security tested all customer environments immediately. No tickets. No delays. Just action. Already a customer? Check your dashboard. More info: https://t.co/i7dBCjtna7 #ContinuousTesting #CVE #CyberSecurity https://t.co

    @SprocketSec

    21 Jul 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. El @CCNCERT alerta de la explotación de una vulnerabilidad crítica en @SharePoint Server de Microsoft (CVE-2025-53770). El fabricante informa de la existencia de ataques activos dirigidos a instalaciones on-premise que explotan la vulnerabilidad. 👉https://t.co/bgISbCxRyM h

    @CCNCERT

    21 Jul 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation https://t.co/hT3sZBf0Gz https://t.co/byxfmdmxMV

    @dansantanna

    21 Jul 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. 🚨 CRITICAL: Microsoft releases emergency SharePoint patches for CVE-2025-53770 & CVE-2025-53771 📖 Full analysis: https://t.co/XquMN3Y43A 🎧 https://t.co/2UJ3S4KxTo #SharePoint #CyberSecurity #ZeroDay https://t.co/1Kv0ZWqcsk

    @technijian_

    21 Jul 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Active exploitation confirmed: CVE-2025-53770 ("ToolShell") enables unauthenticated RCE on Microsoft SharePoint Servers. Patch immediately and validate defenses. Our latest blog covers exploit details, mitigations, and validation steps. Read more: https://t.co/wZG5WcboCZ https:

    @PicusSecurity

    21 Jul 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. YARA rules to detect the specific web shells dropped during the SharePoint CVE-2025-53770 exploitation. https://t.co/zQ4meC0PQ0 https://t.co/LtpLuauMIN

    @freedomhack101

    21 Jul 2025

    90 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  22. Critical Unpatched SharePoint Zero-Day Exploited in the Wild, Compromises 75+ Company Servers CVE-2025-53770 (CVSS 9.8), a critical zero-day vulnerability in Microsoft SharePoint Server is being actively exploited in a large-scale campaign, compromising over 85 servers across 29

    @dCypherIO

    21 Jul 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. ToolShell Mass Exploitation (CVE-2025-53770) SharePoint Under Siege: from SOC triage to new 0-day https://t.co/ijC4H2LmgR https://t.co/UnrlBcu8Sb

    @freedomhack101

    21 Jul 2025

    41 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  24. On 7/19/25, #Microsoft released an advisory for CVE-2025-53770, a critical RCE vuln. affecting on-prem #SharePoint servers. Rapid7 has since observed active exploitation in customer environments. Find indicators of compromise & more in a new blog: https://t.co/2i1tdxbsrK ht

    @rapid7

    21 Jul 2025

    1139 Impressions

    2 Retweets

    6 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  25. ⚠️SharePoint on-prem flaw CVE-2025-53770 under attack! Enable AMSI & Defender Update ASP{.}NET keys Check for spinstall0.aspx Disconnect public servers Patches for 2019 & Subscription Edition out; 2016 soon. Act fast! https://t.co/XCuId6dlTs

    @MonTechSolution

    21 Jul 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. Yeni SharePoint 0-day: ToolShell (CVE-2025-53770) Hakkında Bilgilendirme: Yeni bir SharePoint sıfır gün zafiyetiyle karşı karşıyayız. ToolShell olarak adlandırılan bu açık (CVE-2025-53770), şu an aktif olarak istismar ediliyor ve maalesef çok sayıda kurum hedef a

    @DiFoSe

    21 Jul 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    2 Replies

    0 Quotes

  27. 🚨 Urgent alert! SharePoint servers are under siege due to CVE-2025-53770, letting cyber villains run wild. Guard your digital castle—this isn't a drill! 🏰🔒 #WindowsForum #CyberSecurity #StaySafe https://t.co/ALU8chAQDY

    @windowsforum

    21 Jul 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. CVE-2025-53770 going crazy

    @dr4ndrei

    21 Jul 2025

    9 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  29. #ToolShell Update: SharePoint Under Attack: Microsoft Warns of Zero-Day Exploited in the Wild – No Patch Available - CVE-2025-53770 ) https://t.co/Kpc8diKhcb

    @rahul_solanki9

    21 Jul 2025

    93 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  30. Active exploits target a zero-day in on-premise SharePoint servers worldwide, risking persistent access and key theft. Microsoft issued patches for CVE-2025-53770 and CVE-2025-53771. Countries and organizations advised to act. #SharePointRisk #CyberAlert https://t.co/6k9fCPvGtv

    @TweetThreatNews

    21 Jul 2025

    94 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  31. 🔐 Microsoft Security Response: SharePoint Vulnerability Alert (CVE-2025-53770) Guidance for Customers Impacted by Recent Cyberattack https://t.co/sl0NITOQRb https://t.co/O6rJRp9uHS

    @FrankRipley10

    21 Jul 2025

    114 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Microsoft has now released emergency security updates that fully protect those using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770, and CVE-2025-53771. UPDATE NOW!! https://t.co/MyoAtLQRPp https://t.co/07vFpriHQr

    @helloitsliam

    21 Jul 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. CVE-2025-53770: YARA Rules to detect critical vulnerabilities. Deserialization of untrusted data in Microsoft SharePoint Server allowing remote code execution. https://t.co/w89honMkeF https://t.co/nTciQhwEd9

    @cyber_advising

    21 Jul 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. 🚨 Attention, SharePoint users! A critical vulnerability (CVE-2025-53770) is causing chaos in the wild. Time to patch up before your documents become party crashers! 🐍 #WindowsForum #SharePoint #SecurityAlert https://t.co/qC7huuCarK

    @windowsforum

    21 Jul 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. ⚠️ تحديث عاجل من مايكروسوفت لسد ثغرة خطيرة في SharePoint (CVE-2025-53770). تسمح بتنفيذ أوامر عن بُعد. الهجمات بدأت 18 يوليو. ⚠️ Microsoft issues urgent patch for SharePoint flaw (CVE-2025-53770). Allo

    @cyb3rnest

    21 Jul 2025

    94 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  36. Microsoft выпускает экстренный патч: 0-day уязвимости в SharePoint использовались в RCE-атаках Обнаружено, что критические уязвимости нулевого дня в Microsoft SharePoint (CVE-202

    @pc7ooo

    21 Jul 2025

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. Active exploits target the zero-day CVE-2025-53770 in on-premises SharePoint Servers, enabling remote code execution and cryptographic key theft. Temporary mitigations like AMSI and Defender are recommended until patches are available. #CVE-2025-53770 #S… https://t.co/wK2YFpwvJ

    @TweetThreatNews

    21 Jul 2025

    73 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  38. 🔴 ALERTĂ: CVE-2025-53770 – Vulnerabilitate RCE critică (CVSS 9.8) în Microsoft SharePoint. Versiuni afectate: 2016, 2019, Subscription Ed. 🛡️ Activați AMSI & Defender, actualizați imediat! 📎 Detalii: https://t.co/1SCy8ozeLX #DNSC #CyberAlert https://t.co/OD

    @DNSC_RO

    21 Jul 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. Consultez le dernier article de ma newsletter : 🚨 ALERTE DE SÉCURITÉ – Failles critiques sur SharePoint Server (CVE-2025-53770 et CVE-2025-53771) https://t.co/pM5n1bpfr5 via @LinkedIn

    @KaderBila

    21 Jul 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. A zero-day vulnerability (CVE-2025-53770) in Microsoft SharePoint Server is under active attack, risking data theft & ransomware. Patch now, rotate keys, & monitor systems. #Cybersecurity #SharePoint https://t.co/ZgjWCb93rF

    @opinionblogng_

    21 Jul 2025

    110 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. Microsoft'suz hayat şöyle hissettiriyor.. " CVE-2025-53770 " https://t.co/EMjumzUpDq

    @onuroktay

    21 Jul 2025

    123 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. 🚨 Attention SharePoint users! A sneaky zero-day vulnerability (CVE-2025-53770) is making waves. Time to patch up before your documents start doing the cha-cha! 💃🕺 #CyberSecurity #SharePoint #WindowsForum https://t.co/FAOuvPK9Os

    @windowsforum

    21 Jul 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. Customer guidance for SharePoint vulnerability CVE-2025-53770 | MSRC Blog | Microsoft Security Response Center https://t.co/QRsui3szHd

    @PVynckier

    21 Jul 2025

    93 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  44. Microsoft has issued a security update for SharePoint Subscription Edition which mitigates CVE-2025-53770 and CVE-2025-53771. Defenders should apply the update immediately.🫡 #Cybersecurity #Sharepoint #toolshell https://t.co/yBdKOyMZts https://t.co/8U5nNsUWCQ

    @0x534c

    21 Jul 2025

    45 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  45. In case anyone was wondering... CVE-2025-53770 is a recently discovered software vulnerability. It is ranked at 9.8/10, and classified as "critical". A patch is now available. Always install updates. All software has vulnerabilities. Most are classified as low risk but be safe!

    @RegolaC

    21 Jul 2025

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. CVE-2025-53770: RCE in Microsoft SharePoint, 9.8 rating 🔥 The most high-profile recent vulnerability allows an attacker to perform RCE on a Microsoft SharePoint server. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/A0BWaWsgjd #cybersecurity #vulnerability_map

    @Netlas_io

    21 Jul 2025

    160 Impressions

    1 Retweet

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  47. csirt_it: ‼️ #Exploited: rilevato sfruttamento in rete della CVE-2025-53770 che riguarda il prodotto #Microsoft #SharePoint Rischio: 🔴 Tipologia: 🔸Remote Code Execution 🔗 https://t.co/BIp3R7KQMW ⚠️ Aggiornamenti e mitigazioni disponibili https://t.co/ibcU3hLP

    @Vulcanux_

    21 Jul 2025

    87 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. CVE-2025-53770 😬 MS systems breached No exploits yet

    @jefferyrae45

    21 Jul 2025

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  49. ToolShell Mass Exploitation (CVE-2025-53770) https://t.co/PhlIO6BV45

    @Dinosn

    21 Jul 2025

    2158 Impressions

    2 Retweets

    10 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  50. ThreatCluster Intelligence provides 30-day platform analysis that captures complete threat evolution. Our SharePoint summary demonstrates the capability. From 0-day discovery (CVE-2025-53770) through active exploitation to emergency patches. Comprehensive intelligence, not ht

    @threatcluster

    21 Jul 2025

    332 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    1 Quote

Configurations

References

Sources include official advisories and independent security research.