Jul 2025: Microsoft SharePoint Server Remote Code Execution Vulnerability: CVE-2025-53770 July 2025

Microsoft SharePoint Server Remote Code Execution Vulnerability
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

Known Exploited Vulnerability

This Microsoft SharePoint Deserialization of Untrusted Data Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network.

The following remediation steps are recommended / required by July 21, 2025: CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until offic

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2025-53770 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.

Products Associated with CVE-2025-53770

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-53770 are published in these products:

Affected Versions

Exploit Probability

EPSS

90.95%

Percentile

99.62%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.