🔴 CVE-2025-53770

Critical deserialization vulnerability in on-premises SharePoint Server allowing unauthenticated remote code execution over the network. Actively exploited in the wild with public exploits available.

HIGH_RISK
Risk Level
9.8
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 — Exploit Public-Facing Application
ATT&CK Technique
HIGH
Deployment Risk
Yes (+209d)
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-20

Added to CISA KEV: 2025-07-20 (0 days between CVE publication and KEV addition)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2025-09-06)

Summary of what is known about CVE-2025-53770:

  • Affected Applications/Services:
    * CVE-2025-53770 affects on-premises Microsoft SharePoint Servers [1][2]. It does not impact SharePoint Online in Microsoft 365 [2].
    * Microsoft Defender External Attack Surface Management (Defender EASM) can provide visibility into exposed, internet-facing SharePoint instances [3].
  • Active Exploitation:
    * Microsoft is aware of active attacks exploiting this vulnerability in on-premises SharePoint Servers [2]. It is being actively exploited in the wild [4][5].
  • Attack Vectors and Exploitation Methods:
    * The vulnerability is due to deserialization of untrusted data, allowing an unauthorized attacker to execute code over a network [6].
    * It allows unauthenticated remote code execution through advanced deserialization and ViewState abuse [1][7].
    * This vulnerability is part of the "ToolShell" exploit chain [8].
  • Targeted Attacks:
    * A China-based threat actor, tracked as Storm-2603, has been observed exploiting this vulnerability to deploy ransomware [3].
  • CISA Known Exploited Vulnerabilities (KEV) Status:
    * CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, 2025 [9][10].
  • Technical Details and Internet Exploitability:
    * The vulnerability allows attackers to execute code over a network [6].
    * Successful exploitation could expose MachineKey configuration details from a vulnerable SharePoint Server, which can ultimately enable unauthenticated remote code execution [7][11].
    * Attackers can exploit this vulnerability to upload malicious files and extract cryptographic secrets [12].

Sources

  1. Proactive Security Insights for SharePoint Attacks (CVE-2025-53770 ...

    Accelerate your learning with Trend Campus, an easy-to-use education platform that offers personalized technical guidance…

  2. Customer guidance for SharePoint vulnerability CVE-2025-53770

    Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the ...

  3. Disrupting active exploitation of on-premises SharePoint ... - Microsoft

    Microsoft has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and ...

  4. Critical SharePoint RCE: CVE-2025-53770 and the Perils of ...

    A critical deserialization flaw (CVE-2025-53770) in Microsoft SharePoint Server is being actively exploited, enabling remote code execution by unauthenticated attackers. This post dissects the technical root cause, affected versions, and exploitation vectors for security teams.

  5. cve-2025-53770 sharepoint rce vulnerability exposed

    CVE-2025-53770 is a critical sharepoint rce flaw actively exploited. Learn about risks, attack vectors, iocs, and patching strategies now.