⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Due date: 2025-07-21.

CVE-2025-53770

Severity
9.8 CRITICAL
EPSS
88.7%
top 0.49%
CISA KEV
KEV, Ransomware
Added 2025-07-20
Due 2025-07-21
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Jul 20
KEV added: Jul 20
KEV due: Jul 21
Latest update: Dec 3

Description

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

NVD | microsoft/sharepoint_server | < 16.0.18526.20508 | +2
CVEListV5 | microsoft/microsoft_sharepoint_server_2019 | 16.0.0 | 16.0.10417.20037
CVEListV5 | microsoft/microsoft_sharepoint_enterprise_server_2016 | 16.0.0 | 16.0.5513.1001
CVEListV5 | microsoft/microsoft_sharepoint_server_subscription_edition | 16.0.0 | 16.0.18526.20508

🔴 Vulnerability Details (3)

CVEList
Microsoft SharePoint Server Remote Code Execution Vulnerability (2025-07-20)
GHSA
GHSA-xcrc-8vqv-vc8r: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network (2025-07-20)
VulnCheck
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability (2025)

💥 Exploits & PoCs (4)

Exploit-DB
Microsoft SharePoint Server 2019 (16.0.10383.20020) - Remote Code Execution (RCE) (2025-08-11)
Nuclei
SharePoint Webshell - ToolShell
Metasploit
Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)
Nuclei
Microsoft SharePoint Server - Remote Code Execution (ToolShell)

🔍 Detection Rules (2)

Elastic
Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)
Sigma
Suspicious File Write to SharePoint Layouts Directory

📋 Vendor Advisories (2)

CISA
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability (2025-07-20)
Microsoft
Microsoft SharePoint Server Remote Code Execution Vulnerability (2025-07-08)

🕵️ Threat Intelligence (31)

Securelist
Exploits and vulnerabilities in Q3 2025 (2025-12-03)
Bleepingcomputer
Sharepoint ToolShell attacks targeted orgs across four continents (2025-10-22)
Unit42
Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks (2025-08-05)
Unit42
Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated August 12) (2025-07-31)

📐 Framework References (1)

ATT&CK
SharePoint ToolShell Exploitation