External risk intelligence

SharePoint Server Network Code Execution Vulnerability

CVE advisoryKnown Exploit

CVE-2025-53770

On-premises Microsoft SharePoint Server is affected by a vulnerability allowing remote code execution. This poses a significant business risk by potentially compromising affected systems and data. Microsoft is aware of active exploitation and is preparing an update.

4Halo Surface Signal

Deserialization

Microsoft Sharepoint Server

before 16.0.18526.2050820162019

External exposure likelihood

Halo Surface Signal score for CVE-2025-53770

Microsoft SharePoint Server is a widely deployed enterprise web application platform frequently exposed to the internet to facilitate remote collaboration, document management, and portal services for employees and external partners.

Horizon Alert

Summary of the vulnerability and why it matters

On-premises Microsoft SharePoint Server is vulnerable to an issue that allows unauthorized attackers to execute code remotely. This flaw stems from the server's handling of untrusted data, potentially impacting the confidentiality, integrity, and availability of systems and data. The business risk associated with this vulnerability is significant, as it can lead to a compromise of the entire server.

Vulnerable SharePoint Server
Untrusted data deserialization
Remote code execution impact

Attack Path

How an attacker could exploit the issue

A deserialization vulnerability in on-premises SharePoint Server allows an attacker to execute code remotely. An attacker can exploit this by sending specially crafted data to an exposed SharePoint server. This could lead to unauthorized code execution and compromise of affected systems.

Unauthenticated network access
Attacker sends malicious data
Remote code execution achieved

Live Threat

Current exploitation, exposure, and threat context

Microsoft SharePoint Server is experiencing active exploitation of a critical vulnerability that allows unauthorized attackers to execute code remotely. Exploitation is occurring over a network without requiring prior access or authentication. Given that an exploit is in the wild and Microsoft is aware of its use, organizations should consider this a high-priority threat.

Attacker skill: Low
Access needed: None
Business risk: Urgent

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for this vulnerability exists in the wild and is actively preparing a comprehensive update. Organizations should take immediate steps to identify and protect exposed assets.

Find exposed SharePoint assets.
Implement provided mitigations.
Apply vendor fix and verify.
Monitor for related activity.

Frequently asked questions

What is the primary vulnerability in Microsoft SharePoint Server that allows remote code execution?

The vulnerability in Microsoft SharePoint Server is related to the deserialization of untrusted data. This weakness allows an unauthorized attacker to execute arbitrary code over a network by sending specially crafted data to an exposed server. This is classified as CWE-502.

How can an attacker exploit the SharePoint Server vulnerability?

An attacker can exploit this vulnerability by sending specially crafted, untrusted data to an exposed Microsoft SharePoint Server over the network. This process does not require any prior authentication or access, leading to remote code execution.

What is the current threat status of the SharePoint Server vulnerability (CVE-2025-53770)?

Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild and is actively being exploited. This indicates a high-priority threat for organizations using on-premises SharePoint Server, as exploitation can occur without authentication.

What is the relevance of CVE-2025-53770 given its critical severity and active exploitation?

The relevance of CVE-2025-53770 is high due to its critical severity (CVSS 9.8) and the confirmed in-the-wild exploitation. Microsoft SharePoint Server is a widely used platform for collaboration, making its compromise a significant business risk. The vulnerability allows unauthorized remote code execution, potentially impacting confidentiality, integrity, and availability.

What immediate actions should be taken to respond to the SharePoint Server vulnerability?

Organizations should prioritize identifying all exposed on-premises SharePoint Server assets. Implement any provided mitigations immediately, monitor for related malicious activity, and prepare to apply the comprehensive update from Microsoft once it is fully tested and available. Disconnecting end-of-life or end-of-service versions of SharePoint Server is also recommended.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.