CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2025-53770

CVSS 9.8v3.1pub. 2025-07-20upd. 2025-10-27

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

🤖 AI Analysis
How it works

The vulnerability results from unsafe deserialization of untrusted data (CWE-502) in Microsoft SharePoint Server. An attacker can send a specially crafted payload over the network to the vulnerable server without needing any credentials or user interaction. While processing the submitted data, the server deserializes it in an uncontrolled manner, leading to arbitrary code execution in the context of the server.

Impact

An unauthenticated attacker can remotely execute arbitrary code on the SharePoint server, which in practice means complete takeover of the server — violation of confidentiality, integrity, and availability of data.

Mitigation & patch

A complete update is being prepared by Microsoft. Until its release, IMMEDIATELY apply the temporary mitigation measures described in the vendor documentation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 and https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/. Once the patch is published, deploy it without delay.

Who is affected

On-premises installations of Microsoft SharePoint Server — specific versions indicated in vendor references (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Microsoft SharePoint Server

    APP
    Microsoft
    20162019< 16.0.18526.20508

CISA KEV — detailsi

Vendori
Microsoft
Producti
SharePoint
Added to KEVi
July 20, 2025
Remediation deadline (US Federal)i
July 21, 2025(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

CISA descriptioni

Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-53771. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 21 lipca 2025
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam produkt

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2023-29357CRITICAL9.8⚠ KEVten sam produkt

Microsoft SharePoint Server Elevation of Privilege Vulnerability

CVE-2019-0604CRITICAL9.8⚠ KEVten sam produkt

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the sour...

CVE-2024-33879CRITICAL9.8PL ✓ten sam produkt

Path traversal w Virto Bulk File Download dla SharePoint — pobieranie i usuwanie plików

CVE-2023-21716CRITICAL9.8ten sam produkt

Microsoft Word Remote Code Execution Vulnerability