PT-2025-30160 · Microsoft · Sharepoint Server
Published: 2025-07-19 · Updated: 2025-10-30 · CVE-2025-53770
CVSS v3.1: 10 (Critical)
Base vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Summary
Name of the Vulnerable Software and Affected Versions: Microsoft SharePoint Server (affected versions not specified)
Description
A critical zero-day remote code execution (RCE) vulnerability (CVE-2025-53770, also known as “ToolShell”) exists in on-premises Microsoft SharePoint Server. This vulnerability allows unauthenticated attackers to execute arbitrary code, potentially leading to full system compromise, data theft, and the installation of backdoors. The vulnerability stems from a deserialization flaw. Active exploitation has been observed globally, with over 100 organizations reportedly compromised, including government agencies and critical infrastructure providers. Attackers are leveraging this vulnerability to steal cryptographic keys and maintain persistent access. While a patch has been released for some versions, the vulnerability remains a significant threat, particularly for unpatched systems.
Recommendations
- Apply the latest security updates released by Microsoft for SharePoint Server.
- Implement the mitigation strategies provided by Microsoft and CISA.
- Monitor systems for indicators of compromise (IOCs) related to the ToolShell exploit.
- Consider isolating vulnerable systems if patching is not immediately feasible.
- Enable AMSI and ensure EDR visibility.
- Enforce multi-factor authentication (MFA).
- Rotate cryptographic keys.
- Review and audit SharePoint configurations for potential vulnerabilities.
Exploit · Fix · RCE · LPE · Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
BDU:2025-08714
CVE-2025-53770
ZDI-25-653
Affected Products
Sharepoint Server
References · 1202
- https://github.com/soltanali0/CVE-2025-53770-Exploit · Exploit
- https://github.com/kaizensecurity/CVE-2025-53770 · Exploit
- https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe · Exploit
- https://research.eye.security/sharepoint-under-siege · Exploit
- https://safe-surf.ru/specialists/bulletins-nkcki/723277 · Security Note
- https://zerodayinitiative.com/advisories/ZDI-25-653 · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2025-53770 · Security Note
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53770 · Security Note
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770 · Vendor Advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-08714 · Security Note
- https://github.com/n1chr0x/Zeropoint · Note
- https://t.me/vxunderground/6712 · Telegram Post
- https://twitter.com/StealthEntry/status/1981078502859317548 · Twitter Post
- https://twitter.com/itsmalware/status/1950179901237060029 · Twitter Post