Cyber Resilience

CVE-2025-53770

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 20 July 2025
Modified: 27 October 2025
KEV Added: 20 July 2025
Patch: available (see Microsoft guidance below)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8818 (99.5th percentile)
Risk Priority: 93 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53770 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft SharePoint Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-53770 is a deserialization of untrusted data vulnerability (CWE-502) affecting on-premises Microsoft SharePoint Server. The flaw permits remote code execution over a network and carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated attacker can send specially crafted serialized data to an exposed SharePoint server and achieve arbitrary code execution, resulting in full confidentiality, integrity, and availability impact on the affected system. Microsoft has confirmed that working exploits for this issue are already present in the wild.

Microsoft is preparing a comprehensive security update but currently directs customers to apply the mitigation steps documented in the CVE advisory until the patch is released. Guidance is available on the Microsoft Security Response Center pages for CVE-2025-53770 and the associated customer blog post.

Public reporting indicates active exploitation across multiple organizations, consistent with the vulnerability’s high EPSS scores (current 0.8818, peak 0.9105).


Vulnerability details

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

CWE(s): CWE-502 Deserialization of Untrusted Data
KEV Date Added: 20 July 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

Direct unauthenticated RCE on a public-facing SharePoint Server via a deserialization flaw matches the T1190 exploitation vector for initial access and full compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20963 (same product: Microsoft SharePoint Server; both on KEV)
CVE-2026-26114 (same product: Microsoft SharePoint Server)
CVE-2025-59237 (same product: Microsoft SharePoint Server)
CVE-2025-54897 (same product: Microsoft SharePoint Server)
CVE-2026-35439 (same product: Microsoft SharePoint Server)
CVE-2026-32201 (same product: Microsoft SharePoint Server; both on KEV)
CVE-2026-40357 (same product: Microsoft SharePoint Server)
CVE-2025-49704 (same product: Microsoft SharePoint Server; both on KEV)
CVE-2026-33112 (same product: Microsoft SharePoint Server)
CVE-2026-40368 (same product: Microsoft SharePoint Server)

Affected Assets

Microsoft SharePoint Server 2016 and 2019, versions ≤ 16.0.18526.20508

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: Mandates timely identification, reporting, and correction of system flaws, including application of Microsoft-provided mitigations for this actively exploited deserialization vulnerability.

Prevent: Enforces information flow controls at system boundaries to block the unauthorized network access required for remote code execution via deserialization.

Prevent: Validates untrusted network inputs to prevent processing of malicious serialized data that triggers arbitrary code execution in SharePoint Server.
