CVE-2025-53770
Published: 20 July 2025
Summary
CVE-2025-53770 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft SharePoint Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Mandates timely identification, reporting, and correction of system flaws, including application of Microsoft-provided mitigations for this actively exploited deserialization vulnerability.
Enforces information flow controls at system boundaries to block unauthorized network access required for remote code execution via deserialization.
Validates untrusted network inputs to prevent processing of malicious serialized data that triggers arbitrary code execution in SharePoint Server.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE on a public-facing SharePoint Server via a deserialization flaw matches the T1190 exploitation vector for initial access and full compromise.
NVD Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Deeper analysis
CVE-2025-53770 is a critical deserialization of untrusted data vulnerability (CWE-502) affecting on-premises Microsoft SharePoint Server. It enables an unauthorized attacker to execute arbitrary code over a network, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) due to its high impact on confidentiality, integrity, and availability.
The vulnerability can be exploited by any unauthenticated attacker with network access to a vulnerable SharePoint Server instance, requiring no user interaction or privileges. Successful exploitation allows remote code execution, potentially leading to full server compromise, data theft, or lateral movement within the environment.
Microsoft advisories indicate that a comprehensive update is under preparation and testing, but no patch is immediately available. In the interim, security teams must implement the mitigation detailed in the CVE documentation on the MSRC update guide to protect against attacks.
Microsoft has confirmed active exploitation of CVE-2025-53770 in the wild, underscoring the urgency for immediate mitigation application across affected on-premises SharePoint deployments.
Details
- CWE(s)
- KEV Date Added: 20 July 2025