CVE-2025-53770 — Microsoft SharePoint Deserialization of Untrusted Data Vulnerability

CVE-2025-53770

Microsoft SharePoint — ToolShell: Pre-Auth Deserialization RCE (Chinese APTs Linen Typhoon, Violet Typhoon; Ransomware)

What is Microsoft SharePoint?

Microsoft SharePoint Server is a widely deployed on-premises collaboration and content management platform used by enterprises and government agencies for document management, intranet portals, and team collaboration. SharePoint stores sensitive corporate documents, emails, project files, and configuration data. On-premises SharePoint Server (as distinct from SharePoint Online / Microsoft 365) is commonly internet-facing for remote access — exposing it to unauthenticated attacks. Compromising SharePoint provides access to all stored content and, through post-exploitation, a trusted foothold for lateral movement through the network.

Overview

CVE-2025-53770 is a critical deserialization vulnerability (CWE-502) in Microsoft SharePoint Server and the centerpiece of the ToolShell campaign (MITRE ATT&CK C0058). It is a patch bypass for the earlier CVE-2025-49704 — attackers reverse-engineered Microsoft's July 2025 Patch Tuesday fix and found a remaining exploitable deserialization path. An unauthenticated remote attacker achieves full RCE with no credentials required. Two Chinese nation-state threat actors (Linen Typhoon and Violet Typhoon) and a ransomware actor (Storm-2603) exploited it as a zero-day from 17 July 2025. CISA issued a 1-day federal remediation deadline — the shortest in KEV history — and marked the KEV entry as having known ransomware use.

Affected Versions

Product                                 | Vulnerable                                    | Fixed
SharePoint Server Subscription Edition  | All builds before the Jul 19, 2025 OOB patch  | Emergency out-of-band patch (Jul 19–20, 2025)
SharePoint Server 2019                  | All builds before the Jul 19, 2025 OOB patch  | Emergency out-of-band patch (Jul 19–20, 2025)
SharePoint Server 2016                  | All builds before the subsequent patch        | Subsequent emergency patch
SharePoint Server 2013 and earlier      | All versions (EoL)                            | Disconnect immediately (no patch)
SharePoint Online / Microsoft 365       | Not affected                                  | n/a

Technical Details

The vulnerability (CWE-502: Deserialization of Untrusted Data) is a patch bypass for CVE-2025-49704. Microsoft's July 2025 Patch Tuesday addressed the original deserialization path, but the fix was incomplete — attackers reverse-engineered the patch and identified a second deserialization code path that remained exploitable without authentication.

The ToolShell attack chain combines two companion vulnerabilities:

  • CVE-2025-53770 (this CVE): unauthenticated RCE via deserialization — provides initial code execution and webshell deployment.
  • CVE-2025-53771: a patch bypass for CVE-2025-49706 — enables forging of valid authentication tokens by extracting cryptographic signing keys from the compromised SharePoint server, providing persistent authenticated access even after password rotations.

Together, the chain allows: webshell deployment via CVE-2025-53770 → key extraction → token forgery via CVE-2025-53771 → persistent privileged access. Post-exploitation activity included credential harvesting, Active Directory reconnaissance, and ransomware staging.

Discovery

Exploitation was first captured at 08:40 UTC on 17 July 2025 — predating Microsoft's disclosure by approximately 3 days, confirming zero-day status. The campaign was named ToolShell by Microsoft.

Exploitation Context

Three distinct threat actors exploited CVE-2025-53770 in the ToolShell campaign (MITRE ATT&CK C0058):

  • Linen Typhoon (Chinese nation-state, PRC-linked): targeted government and enterprise SharePoint servers for espionage and intelligence collection.
  • Violet Typhoon (Chinese nation-state, PRC-linked): conducted targeted campaigns against defense, critical infrastructure, and technology sector organizations.
  • Storm-2603 (China-based actor): deployed ransomware against targeted organizations, which is why CISA flagged the KEV entry as having known ransomware use.

CISA issued a 1-day federal remediation deadline on 20 July 2025 — reflecting the severity and active exploitation at the time of disclosure. The 1-day deadline is one of the most aggressive in KEV history. CISA also published a dedicated alert with mitigation guidance for organizations unable to immediately patch.

Remediation

  1. Apply Microsoft's emergency out-of-band patches immediately for SharePoint Server Subscription Edition, 2019, and 2016 — download from the MSRC update guide.
  2. Apply patches for both CVE-2025-53770 AND CVE-2025-53771 — both are required to fully close the ToolShell attack chain.
  3. Disconnect SharePoint Server 2013 and earlier (EoL) from the internet immediately — no patch is available; these versions must be isolated or decommissioned.
  4. Hunt for webshells: search the SharePoint IIS root directories and _layouts folders for unexpected .aspx files. Use Microsoft's webshell detection scripts (published in the ToolShell campaign blog post).
  5. Check for token forgery indicators: review SharePoint ULS logs and IIS logs for unexpected authenticated sessions that did not correspond to legitimate user logins.
  6. Restrict internet access to SharePoint Server: apply network firewall rules to limit HTTPS access from the internet; use a WAF or reverse proxy with IP allowlisting where possible.
  7. Rotate SharePoint service account credentials and certificate signing keys if compromise is suspected.
  8. Consult CISA's alert at https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 for additional mitigation steps.
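One way to carry out the webshell hunt in step 4 on a SharePoint server, as an added example that is not Microsoft's published detection script: inventory every .aspx file under the LAYOUTS hive and the IIS virtual directories, hash it, and compare against a baseline captured on a known-clean or freshly patched server. The two root paths are the default SharePoint "16" hive and IIS locations and are assumptions; adjust them for non-default installs.

```powershell
# Added example (not Microsoft's script): flag .aspx files in SharePoint web
# roots that are new, modified, or created after the first observed
# ToolShell exploitation. Assumed default paths; baseline must come from a
# known-clean server (run once with -WriteBaseline there).
param(
    [string]$Baseline = 'C:\Temp\sharepoint-aspx-baseline.csv',
    [switch]$WriteBaseline,
    [datetime]$Since = [datetime]'2025-07-17'   # campaign start per the timeline
)

$roots = @(
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\inetpub\wwwroot\wss\VirtualDirectories'
)

# Inventory every .aspx file with its SHA-256 hash and timestamps (UTC)
$current = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.aspx -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Hash     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
            }
        }
}

if ($WriteBaseline) {
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Baseline written: $(@($current).Count) .aspx files"
    return
}

# Load the known-good hashes keyed by full path
$known = @{}
Import-Csv -Path $Baseline | ForEach-Object { $known[$_.Path] = $_.Hash }

# Report files absent from the baseline, with a changed hash, or touched on or
# after the campaign start. Each hit needs manual review; a legitimate patch
# also changes files, so compare against a baseline taken after patching.
$current | Where-Object {
    (-not $known.ContainsKey($_.Path)) -or
    ($known[$_.Path] -ne $_.Hash) -or
    ($_.Created -ge $Since) -or ($_.Modified -ge $Since)
} | Select-Object Path, Created, Modified, Hash | Format-Table -AutoSize
```

Run it as an administrator on each SharePoint front-end and application server; every flagged file should be tied back to a known deployment or patch before it is dismissed.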

Key Details

Property              Value
CVE ID                CVE-2025-53770
Vendor / Product      Microsoft — SharePoint
NVD Published         2025-07-20
NVD Last Modified     2025-10-27
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-502
CISA KEV Added        2025-07-20
CISA KEV Deadline     2025-07-21
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2025-07-21. Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Timeline

Date        Event
2025-07-17  Exploitation first captured at 08:40 UTC — zero-day attacks on internet-facing SharePoint servers
2025-07-19  Microsoft releases emergency out-of-band patches for SharePoint Server Subscription Edition and 2019
2025-07-20  CVE published; CISA adds it to the KEV catalog with a 1-day remediation deadline; CISA publishes alert
2025-07-21  CISA BOD 22-01 remediation deadline (1 day — one of the shortest in KEV history)
2025-07-22  Microsoft publishes ToolShell campaign analysis attributing activity to Linen Typhoon, Violet Typhoon, and Storm-2603