CVE-2025-53770

9.8 CRITICAL CISA KEV

📋 TL;DR

CVE-2025-53770 is a critical deserialization vulnerability in on-premises Microsoft SharePoint Server that allows unauthenticated attackers to execute arbitrary code remotely. This affects organizations running vulnerable SharePoint Server instances, particularly those exposed to untrusted networks. Microsoft has confirmed active exploitation in the wild.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Specific versions not yet detailed in public advisories, but all on-premises SharePoint Server versions are presumed vulnerable until patched.
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects on-premises SharePoint Server installations. SharePoint Online (Microsoft 365) is not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the SharePoint server leading to domain takeover, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠 Likely Case: Unauthorized remote code execution leading to data theft, credential harvesting, and installation of backdoors or malware.

🟢 If Mitigated: Limited impact with proper network segmentation, application controls, and monitoring in place to detect and block exploitation attempts.

🌐 Internet-Facing: HIGH - Internet-facing SharePoint servers are directly exploitable by unauthenticated attackers without any user interaction.
🏢 Internal Only: HIGH - Internal SharePoint servers are vulnerable to any attacker who gains network access, including compromised endpoints or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft confirms active exploitation in the wild. Public proof-of-concept code is available on GitHub, making exploitation trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not yet released

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770

Restart Required: Yes

Instructions:

  1. Monitor the Microsoft Security Response Center for the patch release.
  2. Test the patch in a non-production environment.
  3. Apply the patch to all affected SharePoint servers during a maintenance window.
  4. Restart servers as required.

🔧 Temporary Workarounds

Block SharePoint web services (Platform: windows)

Temporarily block access to SharePoint web services endpoints that handle deserialization to prevent exploitation.

Use firewall rules to block inbound traffic to SharePoint web services ports (typically 443 for HTTPS).

Implement network segmentation (Platform: all)

Isolate SharePoint servers from untrusted networks and restrict access to authorized IP addresses only.

Configure firewall ACLs to allow only trusted IP ranges to reach SharePoint servers.

🧯 If You Can't Patch

  • Immediately isolate SharePoint servers from internet and untrusted networks using firewall rules
  • Implement application control to block execution of unauthorized binaries and scripts on SharePoint servers
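The two network workarounds above (blocking the HTTPS web services port and allowing only trusted ranges) can be applied on the server itself with Windows Defender Firewall. The following is an added example and not code from the advisory or from Microsoft; it assumes the host firewall is the enforcement point and that the address ranges in $TrustedRanges are placeholders you replace with your own management and user networks.

```powershell
# Added example (not from the advisory): scope every enabled inbound allow rule that
# opens TCP/443 on an on-premises SharePoint server to trusted address ranges only.
# Assumptions (hypothetical): Windows Defender Firewall is in use, and the ranges below
# are placeholders for your own networks. Run in an elevated PowerShell session.

$TrustedRanges = @('10.0.0.0/8', '192.168.100.0/24')   # placeholder ranges, replace with yours

# Find the inbound allow rules that expose the SharePoint HTTPS listener.
$HttpsRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '443')
    }

foreach ($rule in $HttpsRules) {
    # Print the rule name so the change can be reverted after patching
    # (Set-NetFirewallRule -Name <name> -RemoteAddress Any restores it).
    Write-Host "Scoping rule '$($rule.DisplayName)' ($($rule.Name)) to trusted ranges"
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $TrustedRanges
}

# Make sure anything not covered by an allow rule is dropped on every profile;
# Block is the Windows default but is worth asserting explicitly on an exposed host.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Verify: each scoped rule should now list only the trusted ranges as RemoteAddress.
$HttpsRules | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr.RemoteAddress -join ', ') }
} | Format-Table -AutoSize
```

Scoping the existing allow rules rather than adding a block rule avoids an outage for the trusted ranges, since Windows Firewall cannot express "block everything except these addresses" in a single block rule and block rules always override allow rules. Once the Microsoft patch is installed and verified, restore the rules' RemoteAddress to Any if broader access is required.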

🔍 How to Verify

Check if Vulnerable:

Check if running on-premises SharePoint Server. If yes, assume vulnerable until patched.

Check Version:

Get-SPFarm | Select BuildVersion (run in the SharePoint Management Shell on a SharePoint server; the SharePoint snap-in must be loaded for Get-SPFarm to be available)

Verify Fix Applied:

After patch installation, verify SharePoint Server version matches patched version from Microsoft advisory.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation events from w3wp.exe (SharePoint worker process)
  • Suspicious deserialization errors in SharePoint ULS logs
  • Failed authentication attempts followed by successful requests

Network Indicators:

  • Unusual outbound connections from SharePoint servers
  • HTTP requests to SharePoint web services from unexpected source IPs
  • Traffic patterns indicating data exfiltration

SIEM Query:

source="SharePoint" AND (event_id=5002 OR event_id=6398 OR "Deserialization" OR ("w3wp.exe" AND process_create))
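The first log indicator above (unusual process creation from w3wp.exe) can be hunted directly on the server from the Windows Security log when no SIEM is collecting it. The script below is an added example and not part of the advisory; it assumes "Audit Process Creation" (event 4688) is enabled on the host, that the server is Windows Server 2012 R2 or later so 4688 carries the creator process name, and that the list of suspicious child binaries is a starting point you tune to your environment.

```powershell
# Added example (not from the advisory): hunt Security event 4688 for processes spawned
# by the SharePoint worker process (w3wp.exe). An IIS worker launching a shell or script
# host is a classic post-exploitation signal for web-application RCE.
# Assumptions (hypothetical): process-creation auditing is enabled, and optionally
# command-line logging (ProcessCreationIncludeCmdLine_Enabled) so CommandLine is populated.
# Run in an elevated PowerShell session on the SharePoint server.

$LookbackHours = 24
# Child binaries an IIS worker process has no legitimate reason to start; tune as needed.
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'certutil.exe',
                        'rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$Findings = foreach ($evt in $Events) {
    # Read the named EventData fields from the event XML; positional access is fragile.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $parent = [string]$data['ParentProcessName']
    $child  = [string]$data['NewProcessName']

    if ($parent -like '*\w3wp.exe' -and
        $SuspiciousChildren -contains [IO.Path]::GetFileName($child)) {
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Parent      = $parent
            Child       = $child
            CommandLine = $data['CommandLine']   # empty unless command-line logging is on
            User        = $data['SubjectUserName']
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No suspicious w3wp.exe child processes in the last $LookbackHours hours"
}
```

Any hit warrants treating the server as compromised rather than merely vulnerable: the advisory's worst case (domain takeover, ransomware, lateral movement) starts from exactly this kind of child process, so escalate to incident response and preserve the ULS and IIS logs before remediating.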
