CVE-2025-53770

Microsoft SharePoint Server Remote Code Execution Vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
July 09, 2025
Published Date
July 20, 2025
Last Updated
July 28, 2025
Vendor
Microsoft
Product
Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition
Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Tags
microsoft nuclei_scanner cisa

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C

EPSS Score

Score
16.73% (Percentile: 94.63%) as of 2025-07-28

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-07-20 10:15:32 UTC)

Known Exploited Vulnerability Information

Source
TheHackerNews
Added Date
2025-07-20 10:15:25 UTC

Recent Mentions

CVE-2025-53770

Source: Horizon3.ai Attack Research • Published: 2025-07-26 00:21:58 UTC

Microsoft SharePoint Remote Code Execution (ToolShell) Vulnerability

ZDI-25-653: (Pwn2Own) Microsoft SharePoint Deserialization of Untrusted Data Remote Code Execution Vulnerability

Source: Zero Day Initiative Published Advisories • Published: 2025-07-25 05:00:00 UTC

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft SharePoint Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-53770.

Analyzing Sharepoint Exploits (CVE-2025-53770, CVE-2025-53771), (Wed, Jul 23rd)

Source: SANS Internet Storm Center • Published: 2025-07-23 19:36:36 UTC

A few days after the exploit originally became widely known, there are now many different SharePoint exploit attempts in circulation. We do see some scans by researchers to identify vulnerable systems (or to scan for common artifacts of compromise), and a few variations of the "ToolPane.aspx" URL being hit. Even for our "random" honeypots, the number of hits has increased significantly without having to emulate SharePoint better.

CVE-2025-53770: SharePoint WebPart Injection Exploit Tool

Source: DarkWebInformer • Published: 2025-07-22 17:26:51 UTC

CVE-2025-53770 is currently being widely exploited by cybercriminals to deploy web shells. We have provided our customers with data allowing […]

CVE-2025-53770 & CVE-2025-53771

Source: ONYPHE Blog • Published: 2025-07-22 07:48:00 UTC

CVE-2025-53770, nicknamed “ToolShell”, is a critical zero-day vulnerability in Microsoft SharePoint Server that allows unauthenticated remote code execution (RCE). It’s […]

ToolShell: Details of CVEs affecting SharePoint servers

Source: Cisco Talos Blog • Published: 2025-07-21 20:33:02 UTC

Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019.


CVE-2025-53770: Widespread Exploitation of ToolShell RCE Vulnerability Observed in Microsoft SharePoint On-Premises

On July 19, 2025, Microsoft disclosed active exploitation of a zero-day vulnerability (CVE-2025-53770) affecting on-premises SharePoint Server instances. Originally, no patch was available for this vulnerability, but fixes were released late on the evening of July 20. CVE-2025-53770 is caused by the deserialization of untrusted data, allowing unauthenticated threat actors to execute code remotely over ...

Microsoft Rushes Emergency Patch for Actively Exploited SharePoint 'ToolShell' Bug

Source: Dark Reading • Published: 2025-07-21 14:37:24 UTC

Malicious actors already have pounced on the zero-day vulnerability, tracked as CVE-2025-53770, to compromise US government agencies and other businesses in ongoing and widespread attacks.

Microsoft Rushes Emergency Patch for Actively Exploited SharePoint ‘ToolShell’ Bug

Source: Dark Reading • Published: 2025-07-21 11:20:23 UTC

Malicious actors already have pounced on the zero-day vulnerability, tracked as CVE-2025-53770, to compromise US government agencies and other businesses in ongoing and widespread attacks.

Microsoft releases emergency patches for SharePoint RCE flaws exploited in attacks

Source: BleepingComputer • Published: 2025-07-21 04:41:46 UTC

Microsoft has released emergency SharePoint security updates for two zero-day vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771 that have compromised services worldwide in "ToolShell" attacks. [...]

Critical SharePoint Zero-Day Exploited in the Wild, No Patch Yet Available

Source: CyberInsider • Published: 2025-07-20 23:46:10 UTC

A new zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is being actively exploited in the wild, enabling attackers to achieve remote code execution on vulnerable systems without authentication. No official patch exists at this time, prompting urgent mitigation action from system administrators. The vulnerability, publicly disclosed yesterday, was identified by researchers at Eye …

Infocon: green

Source: SANS Internet Storm Center • Published: 2025-07-20 18:30:03 UTC

Critical Sharepoint 0-Day Vulnerability Exploited CVE-2025-53770 (ToolShell)

Critical Sharepoint 0-Day Vulnerability Exploited CVE-2025-53770 (ToolShell), (Sun, Jul 20th)

Source: SANS Internet Storm Center • Published: 2025-07-20 17:32:07 UTC

Microsoft announced yesterday that a newly discovered critical remote code execution vulnerability in SharePoint is being exploited. There is no patch available. As a workaround, Microsoft suggests using Microsoft Defender to detect any attacks. To use Defender, you must first configure the AMSI integration to give Defender visibility into SharePoint. Recent versions of SharePoint have the AMSI integration enabled by default.

Microsoft SharePoint zero-day exploited in RCE attacks, no patch available

Source: BleepingComputer • Published: 2025-07-20 15:40:06 UTC

A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, has been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide. [...]

Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers

Source: TheHackerNews • Published: 2025-07-20 09:52:00 UTC

A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an "active, large-scale" exploitation campaign. The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday

Scanner Integrations

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei