CVE-2025-53770: Critical Remote Code Execution Vulnerability in Microsoft SharePoint Server
CVE-2025-53770 is a critical deserialization vulnerability in Microsoft SharePoint Server (CVSS 9.8) exploited in the wild, acting as a patch bypass for CVE-2025-49704.
FREQUENTLY ASKED
What is CVE-2025-53770 and why does it matter?
CVE-2025-53770 is a critical Deserialization of Untrusted Data vulnerability (CWE-502) in Microsoft SharePoint Server. It allows an unauthorized attacker to execute arbitrary code over a network with a CVSS score of 9.8. This matters because the vulnerability is currently being exploited in the wild and represents a significant risk to organizational data integrity and server availability.
Which versions of SharePoint are affected by CVE-2025-53770?
The vulnerability affects on-premises Microsoft SharePoint Server installations. Specifically, the source data identifies versions 16.0.0 as impacted. Additionally, the advisory emphasizes that all public-facing versions that have reached End-of-Life (EOL) or End-of-Service (EOS), including SharePoint Server 2013 and earlier, are at extreme risk and should be disconnected immediately.
Has a patch been released for CVE-2025-53770?
Microsoft is currently preparing and testing a comprehensive update to address this vulnerability. While a final patch is being finalized, Microsoft and CISA have provided specific mitigation guidance and instructions that must be implemented immediately to protect against active exploitation. Users are advised to monitor the official Microsoft MSRC update guide for the final patch release.
What is the remediation deadline for CVE-2025-53770 and what does it mean?
The remediation deadline is set for 2025-07-21. For federal agencies and organizations following CISA's BOD 22-01, this means that mitigations or disconnection must be completed by this date. Failing to act by this deadline leaves the infrastructure exposed to known active exploits and may lead to non-compliance with federal cybersecurity mandates.
How can I check if my SharePoint deployment is affected?
Organizations should inventory their on-premises SharePoint Server instances and check the version numbers against the affected 16.0.0 series. Additionally, any SharePoint Server 2013 or older installations are considered vulnerable. Administrators should review their network logs for suspicious activity and verify that CISA-recommended mitigations are in place for all supported on-premises versions.
CVE-2025-53770 represents a critical security failure in on-premises Microsoft SharePoint Server environments. Rated with a CVSS score of 9.8, this vulnerability allows unauthorized, unauthenticated attackers to execute arbitrary code across a network by exploiting flawed deserialization logic. Microsoft and CISA have confirmed that this vulnerability is actively being exploited in the wild, making immediate remediation a top priority for global security teams. Notably, this CVE serves as a patch bypass for a previous vulnerability (CVE-2025-49704) and is frequently observed being chained with CVE-2025-53771 to achieve full system compromise.
Technical Deep Dive into CWE-502 and SharePoint Deserialization
At the core of CVE-2025-53770 lies CWE-502: Deserialization of Untrusted Data. To understand the severity, one must understand how modern applications manage state. Serialization is the process of converting complex data structures—like objects in memory—into a format (like JSON, XML, or binary data) that can be easily stored or transmitted across a network. Deserialization is the reverse: taking that stream of data and rebuilding the object in the application's memory.
The vulnerability occurs when SharePoint Server accepts serialized data from a network-based attacker without sufficient validation. Because the deserialization process often involves the automatic execution of underlying methods (like constructors or destructors) to rebuild the object, an attacker can craft a "malicious payload" that triggers unintended code execution during the reconstruction phase.
The Attack Chain and Patch Bypass Mechanics
This specific vulnerability is particularly dangerous because it is a patch bypass for CVE-2025-49704. In many cases, developers attempt to fix deserialization issues by "blacklisting" certain dangerous classes. However, attackers often find alternative "gadget chains" (sequences of legitimate code within the application that can be combined to perform malicious actions) that were not covered by the initial blacklist. CVE-2025-53770 represents a more robust exploitation technique that circumvents the previous protections.
Furthermore, attackers are observed chaining CVE-2025-53770 with CVE-2025-53771. In a typical attack chain, the first vulnerability might provide an entry point or escalate privileges, while the second provides the final Remote Code Execution (RCE) primitive. With a CVSS score of 9.8 and an EPSS score in the 99.5th percentile, the technical impact is total: compromising confidentiality, integrity, and availability (C:H/I:H/A:H).
Identifying Affected Systems and Compliance Requirements
The impact of CVE-2025-53770 is focused on on-premises SharePoint Server deployments. While cloud-based SharePoint (Microsoft 365) is generally managed and patched by Microsoft, organizations maintaining their own infrastructure remain highly vulnerable.
CISA BOD 22-01 and Federal Compliance
Under CISA's Binding Operational Directive (BOD) 22-01, this vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog. The remediation deadline of July 21, 2025, is exceptionally aggressive, reflecting the "Active" exploitation status. Federal agencies and organizations that follow CISA guidelines must ensure that all public-facing SharePoint instances are either fully mitigated or disconnected by this date. For systems that have reached End-of-Life (EOL), such as SharePoint Server 2013 and earlier, the instruction is clear: they must be disconnected from the public internet immediately, as no further security updates will be provided.
Official Remediation and Mitigation Steps
Due to the active exploitation and the critical nature of the flaw, Microsoft is working on a comprehensive update. In the interim, organizations must follow these steps:
Inventory and Audit: Identify all on-premises SharePoint Server instances. Check the version numbers to confirm if they fall within the affected 16.0.0 branch.
Disconnect EOL Products: Immediately shut down or disconnect public access to SharePoint Server 2013 and any other versions that are no longer supported by Microsoft.
Review CISA Guidance: Follow the supplemental instructions provided by CISA regarding BOD 22-01 compliance.
Monitor for Indicators of Compromise (IoCs): Check server logs for unusual serial objects or unexpected network traffic originating from the SharePoint application pool accounts. The SSVC status "Active" and "Total" technical impact suggest that if an instance is reachable, it is likely being targeted.
Strategic Security Best Practices
Beyond the immediate patch, addressing deserialization vulnerabilities requires a defense-in-depth approach:
Implement Strict Type Validation: Use a "whitelist" approach for deserialization. Only allow specifically approved classes to be reconstructed from untrusted input.
Principle of Least Privilege: Ensure that the service accounts running SharePoint have the minimum necessary permissions. This limits the "blast radius" if an attacker achieves RCE.
Network Segmentation: Isolate SharePoint servers from the broader internal network. Use Web Application Firewalls (WAFs) to inspect incoming traffic for known deserialization gadget patterns.
Avoid Serializing Sensitive Data: Wherever possible, use simpler data formats like JSON with strict schema validation instead of native binary serialization formats.
Egress Filtering: Restrict the ability of the SharePoint server to initiate outbound connections to the internet, which can prevent attackers from downloading second-stage malware or establishing command-and-control (C2) channels.
Log and Alert on Deserialization Failures: Many deserialization attacks produce specific errors. Monitoring for an uptick in these errors can provide early warning of an ongoing attack.