CVE-2025-53770 — Microsoft SharePoint Server Remote Code Execution Vulnerability

Executive Summary

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

Overview

9.8

CVSS CRITICAL

Critical

MS Severity

Exploited

MS Exploit Status

Exploitation Detected

MS Exploit Likelihood

Category Remote Code Execution

Released Jul 8 2025

Last Updated Jul 8 2025

Publicly Disclosed No

CISA KEV Not Listed

Known Exploits None Known

EPSS Score 0.99982 — 0.99981 percentile

NVD CVSS 9.8 CRITICAL — matches MSRC

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C

ATTACK VECTOR

Network

ATTACK COMPLEXITY

Low

PRIVILEGES REQUIRED

None

USER INTERACTION

None

SCOPE

Unchanged

CONFIDENTIALITY

High

INTEGRITY

High

AVAILABILITY

High

EXPLOIT CODE MATURITY

Functional

REMEDIATION LEVEL

Workaround

REPORT CONFIDENCE

Confirmed

Temporal Score: 9.3

EPSS Score

0.99982

probability of exploitation in the next 30 days

0.99981 percentile - updated 2026-06-21

View on FIRST.org

Affected Products

1 affected product

Product	KB Article	Severity	Impact	Restart Required
Microsoft SharePoint Enterprise Server 2016 5002760 (Security Update) 5002759 (Security Update) Critical Remote Code Execution 5002743 Base: 9.8 Temporal: 9.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C 16.0.5513.1001 Maybe None Microsoft SharePoint Server 2019 5002754 (Security Update) 5002753 (Security Update) Critical Remote Code Execution 5002739 Base: 9.8 Temporal: 9.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C 16.0.10417.20037 Maybe None Microsoft SharePoint Server Subscription Edition	`5002768 (Security Update)`	Critical	Remote Code Execution	Maybe

Patches

1 patch

Article	Type	Restart
`5002768`	Security Update	Maybe

Known Exploits

No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.

Acknowledgments

Viettel Cyber Security with Trend Zero Day Initiative, khoadha

References

MSRC Advisory MITRE NVD