CVE-2025-53770: Microsoft SharePoint Server Remote Code Execution Vulnerability
Overview
- Severity: Critical (CVSS 9.8)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C
- Category: Remote Code Execution
- Exploit Status: Actively Exploited
- Exploitation Likelihood: Detected
- Patch Tuesday: 2025-Jul
- Released: 2025-07-19
- Last Updated: 2025-08-06
- EPSS Score: 89.99% (percentile: 99.6%)
- CISA KEV: Listed — due 2025-07-21
Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild.
Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
FAQ
7/20/2025 Update: Updates are now available for Microsoft SharePoint Server Subscription Edition and Microsoft SharePoint Server 2019.
Why are there no links to the update to protect from this vulnerability?
Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. This page will be updated when an update is available.
Is there anything else that I can do to protect from exploitation?
If enabling AMSI is not an option, you should remove access to the internet from the SharePoint server. These two options protect from unauthenticated attacks.
Does this affect Microsoft 365 SharePoint Online?
No, Microsoft 365 SharePoint Online is not vulnerable to this issue.
Is there more information about this?
Yes, please see Customer guidance for SharePoint vulnerability CVE-2025-53770 for more information.
Are the two new CVEs that were released related to the two SharePoint vulnerabilities that were documented by CVE-2025-49704 and CVE-2025-49706?
Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.
There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software?
Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.
Known Exploits (25)
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2026-02-11T19:56:27Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-09-13T09:31:27Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-09-04T19:12:13Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-08-14T08:57:39Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-08-12T13:05:09Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-08-07T15:14:31Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-08-02T08:00:43Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-29T14:24:47Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-28T22:41:05Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-28T03:39:57Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-27T20:55:09Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-25T22:58:03Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-25T20:43:13Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-25T06:34:28Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-24T17:59:48Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-23T21:02:14Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-23T18:21:28Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-23T00:08:32Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-22T22:33:13Z
- Microsoft SharePoint Deserialization of Untrusted Data Vulnerability — added 2025-07-22T19:20:23Z
Detection & Weaponization (5 sources)
Maturity: Detection
- Metasploit modules: Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)
- Nuclei templates: Microsoft SharePoint Server - Remote Code Execution (ToolShell)
- Sigma rules: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create, Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators, SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
- YARA rules: SIGNATURE_BASE_WEBSHELL_ASPX_Sharepoint_Drop_CVE_2025_53770_Jul25, SIGNATURE_BASE_WEBSHELL_ASPX_Compiled_Sharepoint_Drop_CVE_2025_53770_Jul25_2, SIGNATURE_BASE_APT_EXPL_Sharepoint_CVE_2025_53770_Forensicartefact_Jul25_1, SIGNATURE_BASE_APT_EXPL_Sharepoint_CVE_2025_53770_Forensicartefact_Jul25_2
- GitHub PoC: 44 repositories
Affected Products (3)
Microsoft Office
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
Security Updates (5)
Acknowledgments
Viettel Cyber Security with Trend Zero Day Initiative, khoadha (https://twitter.com/_l0gg) with vcslab of Viettel Cyber Security (https://viettelsecurity.com/), fb8a5048b1d8827e8ae96f410d40bf00cc313e3cc307da0df9e18099c9398b51
Revision History
- 2025-07-19: Information published.
- 2025-07-19: Updated acknowledgment. This is an informational change only.
- 2025-07-20: The security update is available for Microsoft SharePoint Server Subscription Edition. Microsoft strongly encourages customers running this version of SharePoint to install this update as soon as possible.
- 2025-07-20: The security update is available for Microsoft SharePoint Server 2019. Microsoft strongly encourages customers running this version of SharePoint to install this update as soon as possible.
- 2025-07-21: Added an FAQ and updated the CVSS score. This is an informational change only.
- 2025-08-06: Acknowledgement added. This is an informational change only.