CVE-2025-53770

Published Jul 20, 2025

Last updated 2 months ago

Microsoft SharePoint

ToolShell

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-53770 involves a deserialization of untrusted data vulnerability within on-premises Microsoft SharePoint Server. This flaw allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for this vulnerability is currently in the wild. Microsoft is actively preparing and testing a comprehensive update to address CVE-2025-53770. In the meantime, it is recommended that organizations review and apply the mitigations specified in Microsoft's CVE documentation to protect against potential exploitation.

Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Source: secure@microsoft.com
NVD status: Modified
Products: sharepoint_server

Insights

Analysis from the Intruder Security Team

Published Jul 21, 2025 Updated Jul 23, 2025

This is a critical remote code execution vulnerability in Sharepoint when used on-prem - Sharepoint for Microsoft 365 is not affected. It is a variant of a previous bug which, in combination with CVE-2025-53771, allows an unauthenticated attacker to use a deserialization vulnerability to run code on the server.

If you host a Sharepoint instance you should immediately apply the security update and review the advice on this Microsoft page. Paying particular attention to the sections describing how to rotate your Machine Key and detect if you were already compromised.

As there was a lag time between information on this vulnerability being available to attackers and the availability of the patch, there has been active exploitation of Sharepoint instances during this period.

We have deployed an active check (11am 22nd July) and set off an Emerging Threat Scan for all of our Enterprise customers. In addition, we are committing this to the public Nuclei templates repository so that you can check your systems via Intruder - or for free via Nuclei as soon as the request is merged.

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
Exploit added on: Jul 20, 2025
Exploit action due: Jul 21, 2025
Required action: Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Weaknesses

secure@microsoft.com: CWE-502

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E1677A89-14A2-496E-A2EB-387B1BFE876C",
            "versionEndExcluding": "16.0.18526.20508"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F815EF1D-7B60-47BE-9AC2-2548F99F10E4"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6122D014-5BF1-4AF4-8B4D-80205ED7785E"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.