CVE-2025-53770

Published Jul 20, 2025

Last updated 3 months ago

Exploit known
CVSS critical 9.8
Microsoft SharePoint
ToolShell

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-53770 involves a deserialization of untrusted data vulnerability within on-premises Microsoft SharePoint Server. This flaw allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for this vulnerability is currently in the wild. Microsoft is actively preparing and testing a comprehensive update to address CVE-2025-53770. In the meantime, it is recommended that organizations review and apply the mitigations specified in Microsoft's CVE documentation to protect against potential exploitation.

Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Source: secure@microsoft.com
NVD status: Modified
Products: sharepoint_server

Insights

Analysis from the Intruder Security Team
Published Jul 21, 2025 Updated Jul 23, 2025

This is a critical remote code execution vulnerability in SharePoint when used on-prem; SharePoint for Microsoft 365 is not affected. It is a variant of a previous bug which, in combination with CVE-2025-53771, allows an unauthenticated attacker to use a deserialization vulnerability to run code on the server.

If you host a SharePoint instance, you should immediately apply the security update and review the advice on this Microsoft page, paying particular attention to the sections describing how to rotate your Machine Key and detect if you were already compromised.

As there was a lag between information on this vulnerability becoming available to attackers and the availability of the patch, SharePoint instances were actively exploited during this period.

We have deployed an active check (11am 22nd July) and set off an Emerging Threat Scan for all of our Enterprise customers. In addition, we are committing this to the public Nuclei templates repository so that you can check your systems via Intruder, or for free via Nuclei as soon as the request is merged.

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
Exploit added on: Jul 20, 2025
Exploit action due: Jul 21, 2025
Required action: Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Weaknesses

secure@microsoft.com: CWE-502

Social media

Hype score
Not currently trending
  1. [Archive] [Archive] What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/EV97abmNUx #ブログ仲間と繋がりたい #Webライター

    @CyberNote_media

    23 Jan 2026

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Check out my latest article: CVE-2025-53770 Vulnerability https://t.co/vIps24QEFs via @LinkedIn

    @Mania4Pakistan

    20 Jan 2026

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 2025 has seen many great web security findings. Honored that @_l0gg's SharePoint ToolShell pre-auth RCE (CVE-2025-53770) is nominated for @PortSwigger Top 10 Web Hacking Techniques 2025. If you're in the community, your vote would mean a lot: https://t.co/amYMLrKrOv Thanks!

    @vcslab

    19 Jan 2026

    451 Impressions

    1 Retweet

    11 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. [Archive] [Archive] What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/NCC59MrmLD #ブログ仲間と繋がりたい #Webライター

    @Teeeda_worker

    17 Jan 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. [Archive] [Archive] What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/NCC59MrmLD #ブログ仲間と繋がりたい #Webライター

    @Teeeda_worker

    13 Jan 2026

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. [Archive] [Archive] What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/NCC59MrmLD #ブログ仲間と繋がりたい #Webライター

    @Teeeda_worker

    8 Jan 2026

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. #RT @Binary_Defense: CVE-2025-53770 looks new. The behavior isn’t. Deserialization abuse, LOLBins, persistence. We have seen this cycle before and we will see it again. The lesson is not about the CVE. It is about detecting patterns, not payloads. Read t… https://t.co/pRpW0Sq

    @f1tym1

    7 Jan 2026

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-53770 looks new. The behavior isn’t. Deserialization abuse, LOLBins, persistence. We have seen this cycle before and we will see it again. The lesson is not about the CVE. It is about detecting patterns, not payloads. Read the blog. https://t.co/lrXeKPY9R7 https://t.co

    @Binary_Defense

    7 Jan 2026

    1183 Impressions

    4 Retweets

    6 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  9. The Enterprise Nightmare (SharePoint RCE) The "ToolShell" exploit chain allows attackers to take control of SharePoint servers. CVE-2025-53770 Impact: Remote Code Execution Vector: Network Get the remediation details: https://t.co/4oAqqkual7 #Microsoft #SharePoint #SysAdmin

    @cvedatabase

    6 Jan 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. [Archive] [Archive] What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/NCC59MrmLD #ブログ仲間と繋がりたい #Webライター

    @Teeeda_worker

    5 Jan 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 2025: Top 10 high-risk vulnerabilities that were actually exploited 1 Langflow unauthenticated code execution CVE-2025-3248 2 Microsoft SharePoint Server RCE (ToolShell) CVE-2025-53770 / CVE-2025-53771 3 sudo privilege escalation (flawed chroot handling) CVE-2025-32463 4 Docker Desktop コンテ

    @yousukezan

    1 Jan 2026

    1476 Impressions

    1 Retweet

    15 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  12. As 2025 draws to a close, this article wraps up the year's most devastating cybersecurity incident: the SharePoint CVE-2025-53770 zero-day that Chinese hackers exploited to breach America's nuclear infrastructure. SharePoint Backdoor to Doomsday reveals how legacy code became a h

    @DecodedIntel

    31 Dec 2025

    76 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. [Archive] [Archive] What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/NCC59MrUBb #ブログ仲間と繋がりたい #Webライター

    @Teeeda_worker

    20 Dec 2025

    45 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. [Archive] [Archive] What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/EV97abmNUx #ブログ仲間と繋がりたい #Webライター

    @CyberNote_media

    18 Dec 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. [Archive] [Archive] What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/NCC59MrmLD #ブログ仲間と繋がりたい #Webライター

    @Teeeda_worker

    12 Dec 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  16. [Archive] [Archive] What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/EV97abnlK5 #ブログ仲間と繋がりたい #Webライター

    @CyberNote_media

    8 Dec 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. Actor Exploiting ToolShell Vulnerability (SharePoint CVE-2025-53770) AS 213799 ( Conhost Bilgi Teknolojileri Veri Merkezi Hizmetleri Ve Danismanlik Limited Sirketi ) 🇹🇷 0/95 Detections on VT 🟢 Link 👇https://t.co/ZNsyU43lDp

    @DefusedCyber

    4 Dec 2025

    2040 Impressions

    8 Retweets

    28 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  18. [Archive] [Archive] What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/EV97abnlK5 #ブログ仲間と繋がりたい #Webライター

    @CyberNote_media

    4 Dec 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. #DFIR #Blue_Team_Techniques #Purple_Team_Exercises 1⃣ Hunting for SharePoint In-Memory ToolShell Payloads (CVE-2025-53770, CVE-2025-53771) https://t.co/1H3yTQ1eGr // A walk-through showing how to analyze ToolShell payloads, starting with acquiring packets all the way to decodi

    @ksg93rd

    3 Dec 2025

    616 Impressions

    3 Retweets

    2 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  20. New report: attacks targeting the SharePoint ToolShell vulnerabilities (CVE-2025-53770/53771) are using in-memory payloads rather than web shells. Hunting in network logs and PCAPs is essential. #SharePoint #ToolShell #SANSISC https://t.co/ch0

    @01ra66it

    2 Dec 2025

    533 Impressions

    1 Retweet

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

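  21. [Archive] Catch up quickly on the latest vulnerabilities and countermeasures! Be sure to take a look. What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/NCC59MrmLD #cybernote #ブログ仲間と繋がり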

    @Teeeda_worker

    17 Nov 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

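  22. [Archive] A thorough explanation of the latest zero-day vulnerability's details and countermeasures! What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/NCC59MrmLD #cybernote #ブログ仲間と繋がりたい #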

    @Teeeda_worker

    15 Nov 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

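  23. [Archive] A detailed explanation of the latest SharePoint vulnerability and its countermeasures! What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/NCC59MrmLD #cybernote #ブログ仲間と繋がりたい #We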

    @Teeeda_worker

    14 Nov 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

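  24. [Archive] An explanation of the high-profile SharePoint vulnerability and its countermeasures! What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/EV97abnlK5 #cybernote #ブログ仲間と繋がりたい #Webライタ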

    @CyberNote_media

    11 Nov 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 🚨 Back in July, our team detected and blocked widespread exploitation of an MS SharePoint zero-day chain (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, & CVE-2025-53771) targeting multiple sectors. 🔗 Get full details and mitigation guidance: https://t.co/FJO0hXZQjF h

    @FortiGuardLabs

    10 Nov 2025

    241 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

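  26. [Archive] Let's review the SharePoint vulnerability countermeasures! What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/EV97abnlK5 #cybernote #ブログ仲間と繋がりたい #Webライ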

    @CyberNote_media

    9 Nov 2025

    35 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

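  27. [Archive] A detailed explanation of countermeasures for the SharePoint vulnerability! A must-read for companies. What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/EV97abmNUx #cybernote #ブログ仲間と繋がりた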

    @CyberNote_media

    8 Nov 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

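  28. [Archive] A detailed explanation of countermeasures for the latest zero-day vulnerability! A must-read for companies. What is the latest SharePoint zero-day vulnerability? An overview of CVE-2025-53770/53771 and the measures companies should take https://t.co/EV97abmNUx #cybernote #ブログ仲間と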

    @CyberNote_media

    7 Nov 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. Actively exploited CVE : CVE-2025-53770

    @transilienceai

    4 Nov 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  30. Actively exploited CVE : CVE-2025-53770

    @transilienceai

    3 Nov 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  31. Actively exploited CVE : CVE-2025-53770

    @transilienceai

    2 Nov 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  32. Actively exploited CVE : CVE-2025-53770

    @transilienceai

    1 Nov 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  33. 🚨 Chinese groups exploit CVE-2025-53770 in SharePoint weeks after the patch. 🔐 Espionage, credential theft and covert persistence. ✔ Patch and audit exposed services. #Ciberseguridad #SharePoint #CVE202553770 https://t.co/wlIQlU2rAq

    @trustlock_sec

    30 Oct 2025

    65 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Chinese threat actors swiftly exploited the ToolShell SharePoint vulnerability (CVE-2025-53770), targeting a Middle East telecoms firm and government agencies with Zingdoor backdoor, ShadowPad Trojan, and KrustyLoader malware. Act fast: patch SharePoint, watch for #CyberSecurity

    @bigmacd16684

    29 Oct 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. Actively exploited CVE : CVE-2025-53770

    @transilienceai

    26 Oct 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  36. Warlock ransomware, associated with Chinese threat actors, is exploiting a zero-day in Microsoft SharePoint (vulnerability (CVE-2025-53770)) to deploy ransomware across diverse sectors, exposing organizations to data encryption and exfiltration. This sophisticated attack

    @cybernewslive

    25 Oct 2025

    94 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. A U.S. nuclear weapons plant was hacked through vulnerabilities in Microsoft SharePoint. The attackers, believed to be associated with China, exploited the ToolShell vulnerability (CVE-2025-53770) https://t.co/zFnkxtaFIN

    @elhackernet

    25 Oct 2025

    9711 Impressions

    62 Retweets

    210 Likes

    49 Bookmarks

    2 Replies

    2 Quotes

  38. 🚨 Warlock ransomware hits via SharePoint 0-day (CVE-2025-53770). Storm-2603 link, uses BYOVD + DLL sideload to evade EDR. Files → .x2anylock (Anylock/LockBit mix). #SharePoint #APT #Darkweb #Deepweb More darkweb and cybersecurity updates here: https://t.co/ZF7G3lwjoe https:

    @godeepweb

    25 Oct 2025

    108 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. Actively exploited CVE : CVE-2025-53770

    @transilienceai

    25 Oct 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  40. China-linked hackers exploit the Microsoft SharePoint ToolShell vulnerability (CVE-2025-53770), attacking government agencies and companies worldwide https://t.co/MKVHpRsaxR

    @torinome_navi

    25 Oct 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. 🇺🇸 🚨 Warlock exploiting Microsoft SharePoint "ToolShell" zero-day (CVE-2025-53770), discovered 19 Jul 2025 — deploying ransomware across multiple organizations, including U.S. entities. Severity 8.0/10. https://t.co/d3KMmHocXw #Cybersecurity #OSINT

    @STRATINT_AI

    24 Oct 2025

    90 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. Actively exploited CVE : CVE-2025-53770

    @transilienceai

    24 Oct 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  43. Chinese-linked hackers exploited the ToolShell SharePoint vulnerability (CVE-2025-53770) shortly after Microsoft’s patch, targeting telecoms in the Middle East and beyond using loaders like Zingdoor and KrustyLoader. #ToolShell #MiddleEast https://t.co/UZ6v5n6Gn9

    @TweetThreatNews

    24 Oct 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. Sharepoint ToolShell attacks targeted orgs across four continents. The ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint in attacks targeting government agencies, universities, telecommunication service providers, and finance organizations. https://t.co/dJeSmDfLk5

    @riskigy

    23 Oct 2025

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. If you have SharePoint, be sure to patch the vulnerability identified as CVE-2025-53770. A ransomware called Warlock uses this vulnerability to gain access. https://t.co/vlBgMReIh7

    @EthicalSafe

    23 Oct 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

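  46. Chinese attackers are using the SharePoint ToolShell vulnerability (CVE-2025-53770) to attack government agencies, universities and telecommunications carriers in Africa and South America. Reported by Symantec and VMware. アクセス後はZingdoor, ShadowPad, KrustyLoader等中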

    @__kokumoto

    22 Oct 2025

    877 Impressions

    2 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. 🔥 𝐒𝐡𝐚𝐫𝐞𝐩𝐨𝐢𝐧𝐭 𝐓𝐨𝐨𝐥𝐒𝐡𝐞𝐥𝐥 𝐚𝐭𝐭𝐚𝐜𝐤𝐬 𝐭𝐚𝐫𝐠𝐞𝐭𝐞𝐝 𝐨𝐫𝐠𝐬 𝐚𝐜𝐫𝐨𝐬𝐬 𝐟𝐨𝐮𝐫 𝐜𝐨𝐧𝐭𝐢𝐧𝐞𝐧𝐭𝐬 • Hackers exploited ToolShell v

    @PurpleOps_io

    22 Oct 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. 🕵️‍♂️ Security | China-Linked Attacks 🌐 ToolShell vulnerability (CVE-2025-53770) exploited in SharePoint attacks hitting govs, universities & telecoms worldwide. #SharePoint #China #CyberEspionage #Vulnerability https://t.co/YGZVyGLzLw

    @Strivehawk

    22 Oct 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. Chinese Hackers Exploit SharePoint Flaw Weeks After Patch Chinese threat actors exploited the patched CVE-2025-53770 in SharePoint to breach multiple targets, including telecom, government, and a university. The zero-day, weaponized by groups like Linen and Violet Typhoon, https

    @Secwiserapp

    22 Oct 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

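  50. It has emerged that a hacker group suspected of links to China is exploiting the Microsoft SharePoint zero-day vulnerability "ToolShell" (CVE-2025-53770) to attack targets in the government, university, telecommunications and finance sectors.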

    @yousukezan

    22 Oct 2025

    4667 Impressions

    14 Retweets

    33 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

Configurations