Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
The vulnerability results from unsafe deserialization of untrusted data (CWE-502) in Microsoft SharePoint Server. An attacker can send a specially crafted payload over the network to the vulnerable server without needing any credentials or user interaction. While processing the submitted data, the server deserializes it in an uncontrolled manner, leading to arbitrary code execution in the context of the server.
An unauthenticated attacker can remotely execute arbitrary code on the SharePoint server, which in practice means complete takeover of the server — violation of confidentiality, integrity, and availability of data.
A complete update is being prepared by Microsoft. Until its release, IMMEDIATELY apply the temporary mitigation measures described in the vendor documentation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 and https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/. Once the patch is published, deploy it without delay.
On-premises installations of Microsoft SharePoint Server — specific versions indicated in vendor references (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMicrosoft SharePoint Server
APPMicrosoft20162019< 16.0.18526.20508
CISA KEV — detailsi
- Vendori
- Microsoft ↗
- Producti
- SharePoint
- Added to KEVi
- July 20, 2025
- Remediation deadline (US Federal)i
- July 21, 2025(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-53771. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.
Related vulnerabilities
RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server
Microsoft SharePoint Server Elevation of Privilege Vulnerability
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the sour...
Path traversal w Virto Bulk File Download dla SharePoint — pobieranie i usuwanie plików
Microsoft Word Remote Code Execution Vulnerability