CVE-2025-53770

Microsoft SharePoint Server Remote Code Execution Vulnerability

CVSS 9.8 CRITICAL | EPSS 100.0% | KEV | CWE-502

In short

Microsoft SharePoint Server has a critical flaw where it processes untrusted data in a way that allows attackers to run malicious code remotely without authorization. This is a severe security issue because it can be exploited over the internet to take full control of affected servers.

Technical detail

CVE-2025-53770 is an unsafe deserialization vulnerability (CWE-502) in on-premises Microsoft SharePoint Server that permits unauthenticated remote code execution. Attackers can exploit this by sending specially crafted network requests containing malicious serialized objects; the server deserializes untrusted input without proper validation, leading to arbitrary code execution with server privileges. Active exploitation has been reported in the wild.

Summary generated and translated by AI from the official description.
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C
Public PoCs found: 45

- github: github.com/soltanali0/CVE-2025-53770-Exploit (310)
- github: github.com/MuhammadWaseem29/CVE-2025-53770 (58)
- github: github.com/hazcod/CVE-2025-53770 (45)
- github: github.com/kaizensecurity/CVE-2025-53770 (43)
- github: github.com/ZephrFish/CVE-2025-53770-Scanner (18)
- github: github.com/3a7/CVE-2025-53770 (15)
- github: github.com/AdityaBhatt3010/CVE-2025-53770-SharePoint-Zero-Day-Variant-Exploited-for-Full-RCE (11)
- github: github.com/exfil0/CVE-2025-53770 (5)
- github: github.com/Immersive-Labs-Sec/SharePoint-CVE-2025-53770-POC (4)
- github: github.com/saladin0x1/CVE-2025-53770 (4)
- github: github.com/Bluefire-Redteam-Cybersecurity/bluefire-sharepoint-cve-2025-53770 (3)
- github: github.com/Sec-Dan/CVE-2025-53770-Scanner (2)
- github: github.com/Rabbitbong/OurSharePoint-CVE-2025-53770 (2)
- github: github.com/harryhaxor/CVE-2025-53770-SharePoint-Deserialization-RCE-PoC (1)
- github: github.com/imbas007/CVE-2025-53770-Vulnerable-Scanner (1)
- github: github.com/paolokappa/SharePointSecurityMonitor (1)
- github: github.com/Cameloo1/sharepoint-toolshell-micro-postmortem (1)
- github: github.com/tripoloski1337/CVE-2025-53770-scanner (1)
- github: github.com/grupooruss/CVE-2025-53770-Checker (1)
- github: github.com/Zedocun/SharePoint-ToolShell-CVE-2025-53770-Incident-Analysis (1)
- github: github.com/Udyz/CVE-2025-53770-Exploit (1)
- github: github.com/J4ck3LSyN-Gen2/CVE-2025-53770 (0)
- github: github.com/doerrdan/it-sec-toolshell (0)
- github: github.com/CyprianAtsyor/ToolShell-CVE-2025-53770-SharePoint-Exploit-Lab-LetsDefend (0)
- github: github.com/RukshanaAlikhan/CVE-2025-53770 (0)
- github: github.com/yosasasutsut/Blackash-CVE-2025-53770 (0)
- github: github.com/gmh5225/ZeroPoint (0)
- github: github.com/siag-itsec/CVE-2025-53770-Hunting (0)
- github: github.com/GreenForceNetworks/Toolshell_CVE-2025-53770 (0)
- github: github.com/0xray5c68616e37/cve-2025-53770 (0)
- github: github.com/zach115th/ToolShellFinder (0)
- github: github.com/nisargsuthar/suricata-rule-CVE-2025-53770 (0)
- github: github.com/bharath-cyber-root/sharepoint-toolshell-cve-2025-53770 (0)
- github: github.com/bitsalv/ToolShell-Honeypot (0)
- github: github.com/BirdsAreFlyingCameras/CVE-2025-53770_Raw-HTTP-Request-Generator (0)
- github: github.com/bossnick98/-SOC342---CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-and-RCE (0)
- github: github.com/r3xbugbounty/CVE-2025-53770 (0)
- github: github.com/daryllundy/CVE-2025-53770 (0)
- github: github.com/0xisfet/CVE-2025-53770-Scanner (0)
- github: github.com/Agampreet-Singh/CVE-2025-53770 (0)
- github: github.com/ghostn4444/CVE-2025-53770 (0)
- github: github.com/Michaael01/LetsDefend--SOC-342-CVE-2025-53770-SharePoint-Exploit-ToolShell (0)
- github: github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320 (0)
- github: github.com/rbctee/CVE-2025-53770 (0)
- exploitdb: www.exploit-db.com/exploits/52405 (unverified)

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
