CVE-2025-53770 in SharePoint Enterprise Server (ToolShell)

Summary

by MITRE • 07/20/2025

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.


Analysis

by VulDB Data Team • 08/15/2025

This vulnerability represents a critical deserialization flaw in Microsoft SharePoint Server that enables remote code execution through untrusted data processing. The vulnerability stems from insufficient validation of serialized data structures that SharePoint Server accepts from network sources, creating an attack surface where malicious actors can craft specially formatted payloads to trigger arbitrary code execution. The flaw specifically affects on-premises deployments where SharePoint Server processes serialized data without adequate sanitization measures, making it particularly dangerous in enterprise environments where such servers typically handle sensitive organizational data and user authentication.

The technical exploitation of CVE-2025-53770 leverages standard deserialization attack patterns that have been documented in cybersecurity literature for years, with this particular vulnerability mapping directly to CWE-502 which describes unsafe deserialization of untrusted data. Attackers can craft malicious serialized objects that, when processed by SharePoint Server, execute arbitrary commands on the target system with the privileges of the SharePoint service account. This type of vulnerability typically involves manipulation of object serialization formats such as .NET binary serialization, Java serialized objects, or other platform-specific serialization mechanisms that SharePoint Server may utilize. The attack vector operates over network protocols where SharePoint Server accepts serialized data inputs, potentially through web services, file upload mechanisms, or API endpoints that process user-supplied serialized content.

The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise and potential lateral movement within enterprise networks. Once an attacker successfully exploits this vulnerability, they gain the ability to execute commands on the SharePoint server with the privileges of the hosting service account, which often includes elevated permissions to access databases, file systems, and potentially other network resources. This represents a significant threat to organizational security posture as SharePoint servers frequently serve as central collaboration platforms containing sensitive business information, user credentials, and organizational data. The existence of active exploits in the wild means that organizations are not merely facing theoretical risks but are dealing with real, ongoing threats that require immediate attention and mitigation.

Organizations should implement immediate mitigations, including network segmentation to restrict access to SharePoint Server components, disabling unnecessary web services and API endpoints that process external serialized data, and robust input validation for all data sources. The Microsoft-provided update will address the root cause by strengthening deserialization validation and applying proper data sanitization before any serialized content is processed. Security teams should also monitor network traffic for suspicious deserialization patterns and use intrusion detection systems to identify exploitation attempts. Additionally, organizations should consider application whitelisting controls to restrict which applications can execute on SharePoint servers, and regularly audit SharePoint configurations to ensure that only necessary services are running. The vulnerability aligns with the MITRE ATT&CK techniques T1203 and T1059, which cover exploitation of software vulnerabilities and execution of malicious code respectively.

Responsible: Microsoft

Reservation: 07/09/2025

Disclosure: 07/20/2025

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.99982

KEV: yes

Activities: very low

Campaigns: 4 (confirmed)
