
Urgent: SharePoint Zero-Day Vulnerability CVE-2025-53770 Under Active Exploitation


TL;DR

A critical zero-day vulnerability in Microsoft SharePoint, CVE-2025-53770, is being actively exploited. The flaw allows an unauthorized attacker to execute code over a network, carries a CVSS score of 9.8, and is a variant of a previously addressed spoofing flaw, CVE-2025-49706. Microsoft has yet to release a comprehensive patch, but recommends enabling AMSI integration and deploying Microsoft Defender as interim protection.

Microsoft Warns of Active Exploitation of SharePoint Zero-Day Vulnerability CVE-2025-53770

Microsoft has issued a warning regarding the active exploitation of a critical zero-day vulnerability in SharePoint, tracked as CVE-2025-53770. This vulnerability, which has a CVSS score of 9.8, involves the deserialization of untrusted data in on-premises Microsoft SharePoint Server. If exploited, it allows unauthorized attackers to execute code over a network. The flaw was discovered by Viettel Cyber Security via Trend Micro’s Zero Day Initiative (ZDI).

Vulnerability Details

The vulnerability is a deserialization of untrusted data in on-premises Microsoft SharePoint Server. This flaw can be exploited by an unauthorized attacker to execute code over a network. The issue was identified by Viettel Cyber Security through Trend Micro’s ZDI.

“Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild.” [1]

Mitigation Steps

Microsoft advises customers to enable AMSI integration and deploy Microsoft Defender across all SharePoint Server farms to protect against this vulnerability. These measures help mitigate the risk while a comprehensive patch is being developed.
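The guidance above has two halves: AMSI integration (a SharePoint farm setting) and Microsoft Defender on every server in the farm. The following PowerShell script is an added example, not code from the post or from Microsoft, that a defender could run on each on-premises SharePoint server to confirm the Defender half and to inventory the farm it belongs to. It assumes the SharePoint Management Shell snap-in and the Windows Defender PowerShell module are available on the host; it deliberately does not try to read the AMSI setting, which should be confirmed separately in Central Administration following Microsoft's AMSI configuration guidance.

```powershell
# Added example (not from the post or from Microsoft): a read-only readiness
# check for the Defender part of the advised mitigation, plus a farm inventory.
# Assumption: run in an elevated session on a SharePoint server where the
# SharePoint snap-in and the Defender module (Get-MpComputerStatus) exist.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SharePointMitigationStatus {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Farm inventory: build version, the SharePoint servers in the farm, and the
    # web applications the farm exposes (including Central Administration).
    $farm    = Get-SPFarm
    $servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
    $webApps = Get-SPWebApplication -IncludeCentralAdministration

    # Defender state on this host. Each failed check becomes a finding so the
    # result can be collected from every server and reviewed in one place.
    $mp = Get-MpComputerStatus
    if (-not $mp.AMServiceEnabled) {
        $findings.Add('Defender antimalware service is not enabled')
    }
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Defender real-time protection is off')
    }
    if ($mp.AntivirusSignatureAge -gt 1) {
        $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) day(s) old")
    }

    # AMSI integration is a farm-level SharePoint setting that this script does
    # not read; verify it in Central Administration per Microsoft's guidance.
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        FarmBuild       = $farm.BuildVersion.ToString()
        ServersInFarm   = ($servers | ForEach-Object { $_.Address }) -join ', '
        WebApplications = ($webApps | ForEach-Object { $_.Url }) -join ', '
        DefenderReady   = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

# Run on every server listed under ServersInFarm; any host reporting
# DefenderReady = $false is not yet covered by the Defender part of the guidance.
Get-SharePointMitigationStatus | Format-List
```

Because the advisory applies to the whole farm, the useful output is the union of results from every server rather than one host's report: a single server with real-time protection off leaves the farm short of the mitigation Microsoft describes.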

Relation to Previous Vulnerabilities

CVE-2025-53770 is a variant of a previously addressed spoofing flaw, CVE-2025-49706 (CVSS score: 6.3), which was patched in the July 2025 Patch Tuesday updates. Microsoft has confirmed that this new vulnerability only affects on-premises SharePoint servers and not SharePoint Online in Microsoft 365.

“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers. The attacks are exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.” [2]

Attack Methods

Attackers are exploiting the SharePoint flaw to run commands before authentication by abusing object deserialization. They then use stolen machine keys to persist and move laterally, which makes the activity difficult to detect without deep endpoint visibility.

Security Research Findings

Security researchers from Eye Security and Palo Alto Networks have warned of attacks combining two SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, in a chain called “ToolShell.” These bugs allow attackers to bypass authentication and run code remotely on vulnerable SharePoint servers. Given that CVE-2025-53770 is a variant of CVE-2025-49706, the attacks are likely related.

“On the evening of July 18, 2025, Eye Security identified active, large-scale exploitation of a new SharePoint remote code execution (RCE) vulnerability chain, dubbed ToolShell.” [3]

Conclusion

The active exploitation of CVE-2025-53770 highlights the urgent need for organizations to implement the recommended mitigations until a comprehensive patch is released. Staying vigilant and proactive in applying security updates is crucial to protect against such critical vulnerabilities.

Additional Resources

For further insights, check:

References

  1. Microsoft Security Response Center (2025). “Advisory for CVE-2025-53770”. Microsoft. Retrieved 2025-07-21.

  2. Microsoft (2025). “Customer Guidance for SharePoint Vulnerability CVE-2025-53770”. Microsoft. Retrieved 2025-07-21.

  3. Eye Security (2025). “SharePoint Under Siege”. Eye Security. Retrieved 2025-07-21.

This post is licensed under CC BY 4.0 by the author.