Microsoft has issued a warning about a critical zero-day vulnerability in SharePoint, identified as CVE-2025-53770 and rated 9.8 on the CVSS scale. The flaw, which is already being actively exploited, remains unpatched.
The vulnerability stems from deserialization of untrusted data in on-premises SharePoint Server. A remote attacker who can reach the server over the network can use it to execute arbitrary code without any prior authentication. Viettel Cyber Security, working through Trend Micro's Zero Day Initiative (ZDI), is credited with discovering the issue.
Microsoft confirmed that an exploit is circulating in the wild and urged administrators to apply the mitigations listed in its CVE advisory while a full fix is developed and tested: enable AMSI integration in SharePoint and deploy Microsoft Defender Antivirus on every SharePoint server. Where AMSI cannot be enabled, Microsoft's guidance is to disconnect the server from the internet until a security update is available.
CVE-2025-53770 is considered a variant of a previously addressed spoofing bug, CVE-2025-49706, patched during the July 2025 Patch Tuesday. Notably, the vulnerability affects only on-premises versions of SharePoint Server, not SharePoint Online hosted in Microsoft 365.
Attackers are using the flaw to run commands by triggering the object deserialization before any authentication takes place. Once on the server, they steal its ASP.NET machine keys (the ValidationKey and DecryptionKey from the web application's configuration). With those keys an attacker can forge validly signed __VIEWSTATE payloads and keep executing code even after the server is patched, so compromised servers also need their machine keys rotated. Because this persistence rides on legitimate-looking requests, it is hard to spot without strong endpoint and web-server log visibility.
Researchers from Eye Security and Palo Alto Networks Unit 42 have documented attacks chaining this vulnerability with related ones, CVE-2025-49706 and CVE-2025-49704, in an exploit sequence known as "ToolShell". The chain first bypasses authentication and then runs attacker-supplied code on the vulnerable server.
On July 18, 2025, Eye Security reported an active, widespread campaign using this chain. After scanning more than 8,000 internet-exposed SharePoint servers, its team found dozens compromised worldwide and urged organizations to apply Microsoft's mitigations and check their servers for signs of compromise immediately.
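The practical question for a SharePoint administrator reading this is how to check their own servers. The following is an added example, not code from the article or from Eye Security or Microsoft: a small IIS log triage script that looks for the two indicators those teams published for this campaign, a POST to ToolPane.aspx with DisplayMode=Edit whose Referer is the SignOut.aspx page (the ToolShell authentication bypass), and any request for a spinstall0.aspx-style page in the layouts directory (the web shell used to dump the machine keys). The log lines below are constructed to look like IIS W3C extended-format entries and are not real traffic; field names follow the standard IIS #Fields header.

```python
"""Triage IIS W3C logs from an on-premises SharePoint server for ToolShell indicators.

Added example: indicators are taken from the public Eye Security / Microsoft reporting
on the July 2025 campaign; the log text itself is constructed, not captured.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format (spaces inside a field are written as '+').
# The first two data lines mimic the ToolShell pattern from one external IP; the last two
# are ordinary authenticated admin traffic that must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:03:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 120
2025-07-18 14:03:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-07-18 14:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr/_layouts/15/settings.aspx 200 0 0 88
2025-07-18 14:06:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
"""


@dataclass(frozen=True)
class Finding:
    line_no: int    # 1-based line in the log file
    rule: str       # which indicator matched
    client_ip: str  # c-ip of the request
    uri: str        # decoded cs-uri-stem


def parse_w3c(text):
    """Yield (line_no, record) for each data line, using the most recent #Fields header."""
    fields = None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line %d appears before any #Fields header" % n)
        values = raw.split()
        if len(values) != len(fields):
            raise ValueError("line %d has %d fields, header declares %d" % (n, len(values), len(fields)))
        yield n, dict(zip(fields, values))


# ToolPane.aspx lives under /_layouts/15/ (SharePoint 2016/2019) or /_layouts/16/ (Subscription Edition).
TOOLPANE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
# Reported web shell names were spinstall0.aspx and numbered variants.
KEY_DUMP_SHELL = re.compile(r"/_layouts/1[56]/spinstall\d*\.aspx$", re.IGNORECASE)


def triage(text):
    """Return the list of Findings for the indicators above, in log order."""
    findings = []
    for n, rec in parse_w3c(text):
        stem = unquote(rec["cs-uri-stem"])
        query = unquote(rec["cs-uri-query"]).lower()
        referer = unquote(rec["cs(Referer)"]).lower()
        unauthenticated = rec["cs-username"] == "-"
        ip = rec["c-ip"]

        if rec["cs-method"] == "POST" and TOOLPANE.search(stem) and "displaymode=edit" in query:
            if referer.endswith("/_layouts/signout.aspx"):
                # The exact bypass shape: edit-mode POST carrying the sign-out page as Referer.
                findings.append(Finding(n, "toolshell-auth-bypass", ip, stem))
            elif unauthenticated:
                # Weaker signal: ToolPane edit POST with no authenticated user at all.
                findings.append(Finding(n, "unauthenticated-toolpane-post", ip, stem))

        if KEY_DUMP_SHELL.search(stem):
            findings.append(Finding(n, "machinekey-dump-webshell", ip, stem))
    return findings


def attacker_ips(findings):
    """Distinct client IPs behind any finding, sorted, for blocking and pivoting."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print("line %d  %-30s %s  %s" % (f.line_no, f.rule, f.client_ip, f.uri))
    print("source IPs:", attacker_ips(hits))
```

Run it against the real files under `C:\inetpub\logs\LogFiles\W3SVC*\` instead of `SAMPLE_LOG`. A `toolshell-auth-bypass` hit is strong evidence of exploitation; a `machinekey-dump-webshell` hit means the keys should be assumed stolen, so rotate the ASP.NET machine keys after patching rather than relying on the patch alone.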