
CVE-2025-53770 -- CVSS 9.8 Vulnerability Briefing

CVE-2025-53770 | CVSS 9.8 (Critical) | Exploit: PoC available

What Is It

CVE-2025-53770 is a critical deserialization of untrusted data vulnerability in on-premises Microsoft SharePoint Server that allows an unauthenticated remote attacker to execute arbitrary code over the network.

Technical Detail

The flaw resides in SharePoint Server's handling of serialized data, where the application fails to properly validate or sanitize attacker-supplied input before deserializing it. An unauthenticated attacker can send a specially crafted request over the network to trigger the deserialization routine, resulting in remote code execution (RCE) in the context of the SharePoint application. Successful exploitation could grant an attacker full control of the affected server, including access to SharePoint content, credentials, and any systems reachable from the compromised host.

Exploitation Status

Microsoft has confirmed that an exploit for this vulnerability exists in the wild. The exploit maturity is assessed as proof-of-concept available, though Microsoft's own advisory language indicates active in-the-wild exploitation is occurring. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. A comprehensive patch has not yet been released; Microsoft has stated it is preparing and testing a full update.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Given the critical severity, unauthenticated attack vector, and confirmed in-the-wild exploitation, opportunistic actors as well as more targeted intrusion sets with interest in enterprise collaboration platforms should be considered plausible. No specific sectors have been identified as targeted in available reporting.

What To Do

A full patch is not yet available as of this writing. Organizations running on-premises Microsoft SharePoint Server should immediately apply the mitigations documented in Microsoft's official CVE-2025-53770 advisory, which Microsoft has indicated are sufficient to block exploitation pending the full update. Administrators should restrict external network access to SharePoint Server where operationally feasible, monitor SharePoint application logs for anomalous deserialization activity or unexpected process spawning from SharePoint worker processes, and prioritize patch deployment as soon as Microsoft releases the comprehensive update. Given confirmed in-the-wild exploitation, treating this as an emergency response priority is warranted regardless of KEV listing status.
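
The process-spawning check described above, as an added example that is not part of the original briefing or of Microsoft's advisory: it triages Sysmon-style process-creation records (Event ID 1) exported as JSON lines. The `w3wp.exe` worker name, the expected-children baseline, the record layout and the sample records are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumption: SharePoint web front ends run inside the IIS worker process w3wp.exe.
WORKER = "w3wp.exe"
# Assumption: children seen on a healthy farm; build this from your own baseline.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe"}
# Shells and script hosts that a web worker has little reason to start.
HIGH_RISK = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
             "wscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}

def basename(path):
    """Lower-cased file name of a Windows path; empty string if missing."""
    return PureWindowsPath(path or "").name.lower()

def triage(event):
    """Return None, 'review' or 'high' for one process-creation record."""
    if not isinstance(event, dict) or event.get("EventID") != 1:
        return None
    if basename(event.get("ParentImage")) != WORKER:
        return None
    child = basename(event.get("Image"))
    if child in HIGH_RISK:
        return "high"
    return None if child in EXPECTED_CHILDREN else "review"

def scan(lines):
    """Yield-free scan: list of (line_no, level, child, host) findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        level = triage(event)
        if level:
            findings.append((n, level, basename(event["Image"]), event.get("Computer")))
    return findings

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
# Constructed sample records, not taken from a real incident.
SAMPLE = [json.dumps(e) for e in (
    {"EventID": 1, "Computer": "SP-WFE01", "ParentImage": W3WP,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"EventID": 1, "Computer": "SP-WFE01", "ParentImage": W3WP,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "SP-WFE01", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Computer": "SP-WFE01", "ParentImage": W3WP,
     "Image": r"C:\Windows\Temp\updater.exe"},
)] + ['{"EventID": 1, "Computer": "SP-WF']  # truncated line

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Anything returned as `review` is a child outside the baseline rather than a confirmed compromise; extend `EXPECTED_CHILDREN` only after verifying the process on your own farm.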
