CVE-2025-53770

July 21, 2025, 3 p.m.

9.8
Critical

Description

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

Product(s) Impacted

Vendor Product Versions
Microsoft
  • Sharepoint Server
  • *, 2016, 2019

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a microsoft sharepoint_server / / / / subscription / / /
a microsoft sharepoint_server 2016 / / / enterprise / / /
a microsoft sharepoint_server 2019 / / / / / / /

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
https://github.com/kaizensecurity/CVE-2025-53770
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
https://research.eye.security/sharepoint-under-siege/
https://therecord.media/microsoft-sharepoint-zero-day-vulnerability-exploited-globally
https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
https://www.forbes.com/sites/daveywinder/2025/07/20/microsoft-confirms-ongoing-mass-sharepoint-attack---no-patch-available/
https://x.com/Shadowserver/status/1946900837306868163

Tags

CWE-502
secure@microsoft.com
2025-07-20
CVE-2025-53770

CVSS Score

9.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: July 20, 2025, 1:15 a.m.
Last Modified: July 21, 2025, 3 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

secure@microsoft.com

Relations

Here is the list of observables linked to the vulnerability CVE-2025-53770 using threat intelligence.

Linked Attack Reports

Large-scale exploitation of new SharePoint RCE vulnerability chain identified

A new SharePoint remote code execution vulnerability chain, later named CVE-2025-53770 and CVE-2025-53771 by Microsoft, was discovered being exploited in the wild. The exploitation affected on-premise SharePoint Servers globally, with dozens of systems compromised during two attack waves on July 18…
exploit
vulnerability
sharepoint
rce
CVE-2025-53770
CVE-2025-53771
2025-07-21
on-premise
Published: July 21, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1)
Downloadable IOCs: 4

SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers

A zero-day vulnerability dubbed 'ToolShell' targeting on-premises Microsoft SharePoint Servers has been actively exploited. The flaw, identified as CVE-2025-53770 with an accompanying bypass CVE-2025-53771, allows unauthenticated remote code execution. Three distinct attack clusters have been obser…
vulnerability
zero-day
webshell
remote code execution
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
2025-07-22
CVE-2025-49704
CVE-2025-49706
Published: July 22, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-49704
Downloadable IOCs: 3

CVE-2025-53770 and CVE-2025-53771: Actively Exploited SharePoint Vulnerabilities

Two critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, are affecting Microsoft SharePoint Servers, enabling attackers to upload malicious files and extract cryptographic secrets. These flaws are evolutions of previously patched vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which wer…
remote code execution
CVE-2025-53770
CVE-2025-53771
2025-07-22
CVE-2025-49704
CVE-2025-49706
microsoft sharepoint
viewstate abuse
deserialization
unauthenticated attacks
Published: July 22, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 8

Active Exploitation of Microsoft SharePoint Vulnerabilities

Unit 42 is tracking ongoing threat activity targeting on-premises Microsoft SharePoint servers, particularly within government, schools, healthcare, and large enterprises. Multiple vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) allow unauthenticated attackers to ac…
vulnerability
government
healthcare
exploitation
education
cve
CVE-2025-53770
CVE-2025-53771
2025-07-22
CVE-2025-49704
CVE-2025-49706
microsoft sharepoint
on-premises
Published: July 22, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-31324 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 24

SharePoint Vulnerabilities (CVE-2025-53770 & CVE-2025-53771): Everything You Need to Know

Two critical zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, are actively exploited in on-premises Microsoft SharePoint servers. These flaws enable unauthenticated remote code execution through an exploit chain dubbed ToolShell. CVE-2025-53770 is a critical RCE vulnerability caused by …
zero-day
spoofing
sharepoint
rce
authentication bypass
patch
CVE-2025-53770
CVE-2025-53771
2025-07-21
toolshell
deserialization
on-premises
Published: July 21, 2025
Linked vulnerabilities : CVE-2025-23266 (CVSS 9.0), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 3

Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode

The Arctic Wolf Labs team has uncovered a new cyber-espionage campaign by the Dropping Elephant APT group targeting Turkish defense contractors. The attack leverages a five-stage execution chain delivered via malicious LNK files disguised as conference invitations. It uses legitimate binaries like …
apt
powershell
shellcode
dll side-loading
cyber-espionage
turkey
defense industry
2025-07-23
vlc player
dropping elephant rat
Published: July 23, 2025
Linked vulnerabilities : CVE-2025-5777 (CVSS 9.3), CVE-2025-20337 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8)
Downloadable IOCs: 10

Pausing for a "Sanctuary Moon" marathon

This newsletter discusses the debut of the 'Humans of Talos' series, which highlights the people behind Cisco Talos' research and operations. It draws parallels between sci-fi characters and cybersecurity professionals, emphasizing the importance of human creativity and insight in advanced technolo…
chaos
machine learning
CVE-2025-53770
2025-07-24
sharepoint vulnerability
Published: July 24, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8)
Downloadable IOCs: 7

Religious symbols weaponized, group uses Microsoft SharePoint RCE vulnerability to deliver 4L4MD4r ransomware

A serious remote code execution vulnerability in Microsoft SharePoint servers was exploited by hackers, affecting tens of thousands of servers globally. The mimo attack group, a financially motivated threat actor, utilized this vulnerability to deliver the 4L4MD4r ransomware, written in Golang and …
ransomware
microsoft
golang
sharepoint
rce
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
2025-08-01
4l4md4r
religious symbols
Published: August 1, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 2

Exploring Storm-2603's Previous Ransomware Operations

A focused analysis of Storm-2603, a threat actor linked to recent ToolShell exploitations alongside other Chinese APT groups, reveals their use of a custom malware C2 framework called 'ak47c2'. This framework includes HTTP and DNS-based clients. The group likely targeted organizations in Latin Amer…
ransomware
windows
lockbit
lockbit black
microsoft
april
virustotal
sharepoint
psexec
iocs
toolshell
2025-08-01
storm2603
io control
dllhijacking
warlock
Published: August 1, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 25

Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

Unit 42 has identified significant overlaps between Microsoft's reported ToolShell activity and a threat cluster they track as CL-CRI-1040. This cluster utilizes a tool set called Project AK47, which includes a multi-protocol backdoor, custom ransomware, and loaders. The activity is linked to the e…
backdoor
ransomware
lockbit
lockbit 3.0
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
warlock
2025-08-06
warlock client
ak47 ransomware
x2anylock
project ak47
ak47c2
Published: August 6, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-31324 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 27

Echoes in the Shell: Legacy Tooling Behind Ongoing SharePoint 'ToolShell' Exploitation

Chinese nation-state actors are exploiting vulnerabilities in Microsoft SharePoint on-premises infrastructure. The attacks chain together multiple recently disclosed vulnerabilities, collectively known as 'ToolShell', to perform unauthenticated code execution, extract cryptographic keys, and deploy…
valleyrat
china chopper
sharepoint
antsword
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
2025-08-11
requestrepo
Published: August 11, 2025
Linked vulnerabilities : CVE-2019-0604, CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 1

ToolShell Exploit: Critical SharePoint Zero-Day Threatens Global Enterprises

A zero-day exploit chain named 'ToolShell' is actively targeting on-premises Microsoft SharePoint servers worldwide, potentially affecting thousands of organizations. The attack leverages two critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution and steal cry…
zero-day
chinese threat actors
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
exploit chain
2025-08-14
in-memory payload
cryptographic keys
Published: August 14, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 8

Warlock operation joins busy ransomware landscape

GOLD SALEM, also known as Warlock Group, has emerged as a significant player in the ransomware landscape since March 2025. The group has compromised networks across North America, Europe, and South America, targeting a range of organizations from small entities to large corporations. GOLD SALEM ope…
ransomware
credential theft
lateral movement
CVE-2024-51324
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
warlock
dedicated leak site
2025-09-17
edr bypass
sharepoint exploitation
warlock group
Published: September 17, 2025
Linked vulnerabilities : CVE-2024-51324 (CVSS 3.8), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 2

Dragons in Thunder

This report details the activities of two hacker groups, QuietCrabs and Thor, targeting Russian companies. QuietCrabs exploited RCE vulnerabilities in Microsoft SharePoint and Ivanti Endpoint Manager Mobile, using KrustyLoader and Sliver malware. Thor employed more common tools and techniques, atta…
lockbit
ivanti
sliver
babuk
sharepoint
krustyloader
CVE-2025-4427
CVE-2025-4428
russian targets
CVE-2025-53770
2025-11-28
rce vulnerabilities
thor
cyberspionage
Published: November 28, 2025
Linked vulnerabilities : CVE-2021-27065, CVE-2025-4428, CVE-2025-4427, CVE-2025-53770 (CVSS 9.8)
Downloadable IOCs: 75

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.