SharePoint servers: Deserialization of untrusted data leading to remote code execution in on-premises Microsoft SharePoint Server (CVE-2025-53770) #shorts
Summary
Welcome to ThreatCast, your weekly breakdown of the latest cybersecurity alerts. Today we cover CVE-2025-53770, a critical zero-day in on-premises Microsoft SharePoint Server that’s under active exploitation. With no patch available yet, organizations must implement mitigation guidance and stay vigilant.
Product details
This vulnerability affects three SharePoint offerings: SharePoint Enterprise Server 2016 (all builds), SharePoint Server 2019 up to build 16.0.10417.20037, and SharePoint Server Subscription Edition up to build 16.0.18526.20508. If you run any of these on-premises, you are at risk until updates are released.
Vulnerability type summary
CVE-2025-53770 is classified as CWE-502: Deserialization of Untrusted Data. Attackers can craft malicious payloads that, when processed by the SharePoint deserializer, lead to remote code execution on the server.
Details of the vulnerability
Microsoft discovered that SharePoint’s object deserialization logic doesn’t properly validate data from untrusted sources. An unauthenticated attacker on the network can send a specially crafted request to a vulnerable server, triggering execution of arbitrary code with the same privileges as the SharePoint service account. CISA has added this flaw to its Known Exploited Vulnerabilities Catalog and warns of active attacks in the wild. While Microsoft prepares a full patch, you should apply the documented mitigations: restrict inbound access to SharePoint management endpoints, enable Microsoft Defender’s HTTP scanning, and monitor logs for suspicious object deserialization attempts.
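One way to act on the "monitor logs" guidance is to triage IIS W3C logs for unauthenticated or oversized POSTs to the endpoints this page's "Exploitation actions" list names. This is an added example, not code from ThreatCast, Microsoft or CISA; the allowed network range, the body-size threshold and the sample log records are assumptions constructed for the demonstration.

```python
"""Triage IIS W3C log lines for POSTs to the SharePoint endpoints named on this page.
Added example; WATCHED_PATHS come from the page, ALLOWED_NET and LARGE_BODY are assumed."""
import ipaddress

WATCHED_PATHS = ("/_vti_bin/listdata.svc", "/_api/web/lists")  # endpoints the page lists
ALLOWED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range allowed to reach them
LARGE_BODY = 4096  # assumed threshold (bytes) for an unusually large serialized request body
FIELDS = ("date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
          "cs-username", "c-ip", "cs(User-Agent)", "sc-status", "cs-bytes")


def parse_line(line):
    """Split one W3C record into a dict; return None for directives or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def triage(lines):
    """Return (time, client ip, path, reasons) for each suspicious POST to a watched path."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["cs-method"] != "POST":
            continue
        stem = rec["cs-uri-stem"].lower()
        if not stem.startswith(WATCHED_PATHS):
            continue
        reasons = []
        if ipaddress.ip_address(rec["c-ip"]) not in ALLOWED_NET:
            reasons.append("client outside allowed network")
        if rec["cs-bytes"].isdigit() and int(rec["cs-bytes"]) > LARGE_BODY:
            reasons.append("large request body")
        if rec["cs-username"] == "-":
            reasons.append("unauthenticated POST")
        if reasons:
            findings.append((rec["time"], rec["c-ip"], stem, tuple(reasons)))
    return findings


# Constructed sample records (not captured from a real incident); IIS writes '+' for spaces.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2025-07-21 09:14:02 10.0.0.5 GET /_api/web/lists - 443 CORP\\jdoe 10.1.2.3 Mozilla/5.0 200 312
2025-07-21 09:15:40 10.0.0.5 POST /_vti_bin/ListData.svc - 443 - 203.0.113.7 curl/8.4.0 500 18874
2025-07-21 09:16:11 10.0.0.5 POST /_api/web/lists - 443 CORP\\svc_sync 10.1.2.9 Mozilla/5.0 201 640
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Only the second record is reported: an unauthenticated POST from outside the allowed range with an oversized body; the authenticated internal POST to `/_api/web/lists` is ordinary traffic and is left alone.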
Conclusion
CVE-2025-53770 is a serious zero-day impacting on-premises SharePoint installations with active exploitation reported. Until Microsoft’s update is released, follow CISA and Microsoft guidance: harden network access, deploy the provided mitigations, and use Defender’s web protection features. Stay tuned for our next episode when we’ll cover the patch release and post-mortem recommendations.
Remediation and exploitation details
This chain involves the following actors
- Unauthorized Attacker: Exploits the deserialization flaw to gain code execution
- System Administrator: Implements mitigations and updates to defend against exploitation
The following systems are involved
- SharePoint Server Enterprise 2016 (On-premises collaboration platform): Hosts the vulnerable deserialization endpoint
- SharePoint Server 2019 (On-premises collaboration platform): Hosts the vulnerable deserialization endpoint
- SharePoint Server Subscription Edition (On-premises collaboration platform): Hosts the vulnerable deserialization endpoint
Attack entry point
- Deserialization Interface: An endpoint in the SharePoint web application that accepts serialized objects over HTTP and recreates objects without validation
Remediation actions
Exploitation actions
Injection of crafted binary or text-based serialized data
- A .NET BinaryFormatter stream containing a malicious gadget chain
- A JSON payload with type metadata pointing to a system command execution assembly
HTTP POST with malicious body or SOAP envelope
- curl -X POST https://sharepoint.example.com/_vti_bin/ListData.svc -d @exploit.bin
- POST to _api/web/lists with crafted request body
Remote deserialization invocation
- Accessing the list data service with the malicious payload attached
- Calling a custom web service that uses the same deserialization library
Execution of deserialized payload
- Launching cmd.exe or PowerShell on the host
- Dropping a reverse shell binary on disk
Post-exploitation tooling
- Deploying a backdoor service
- Extracting credentials from memory
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
- [2025-07-21] Microsoft SharePoint servers are under attack via a zero-day vulnerability with no available patch.
- [2025-07-21] CISA adds a new vulnerability, CVE-2025-53770, to its Known Exploited Vulnerabilities Catalog due to active exploitation.
- [2025-07-20] Microsoft announced a critical SharePoint vulnerability being exploited, with no patch available; suggests using Microsoft Defender as a workaround.
- [2025-07-21] Microsoft SharePoint vulnerability CVE-2025-53770 allows deserialization of untrusted data, CISA recommends mitigations.
- [2025-07-20] CISA warns of active exploitation of SharePoint vulnerability CVE-2025-53770, recommends actions to mitigate risks.