Ctrl + K
/ news / CVE
CVEPublished 2025-07-201 article on news6 live referencesNVD data

CVE-2025-53770

Vulnerability data via CVEDB (Shodan)

CISA KEVKnown exploited in the wild.Used in ransomware
CISA action: Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-53771. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.
CVSS v3.1
9.8
CRITICAL
EPSS percentile
100
Exploit Prediction Scoring System · top 0% of all CVEs
Description

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

Timeline
Published 2025-07-20

External references

NVDMITREExploit-DBSploitustrickest/cveVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag14,342 hosts
vuln:CVE-2025-53770
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"Microsoft Sharepoint Server"
All exposed Microsoft Sharepoint Server instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Sharepoint Server"
HTTP body or banner mentions "Sharepoint Server" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2025-53770
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2025-53770
Censys host search filtered to this CVE id.
grep.app
CVE-2025-53770
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2025-53770
GitHub code search for direct mentions.
Google dork
"CVE-2025-53770" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (8)

CVE-2025-537708 repos
0xMarcio/cvePython
Latest CVEs with their Proof of Concept exploits.
★ 1,322·updated today
GhostTroops/TOPShell
TOP All bugbounty pentesting CVE-2023- POC Exp RCE example payload Things
★ 732·updated today
Ostorlab/KEVunknown
Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.
★ 612·updated 3mo ago
peiqiF4ck/WebFrameworkTools-5.5-enhanceC#
本软件首先集成危害性较大框架和部分主流cms的rce(无需登录,或者登录绕过执行rce)和反序列化(利用链简单)。傻瓜式导入url即可实现批量getshell。批量自动化测试。例如:Thinkphp,Struts2,weblogic。出现的最新漏洞进行实时跟踪并且更新例如:log4jRCE,向日葵 禅道RCE 瑞友天翼应用虚拟化系统sql注入导致RCE大华智…
★ 347·updated 6mo ago
soltanali0/CVE-2025-53770-ExploitPython
SharePoint WebPart Injection Exploit Tool
★ 310·updated 6mo ago
Threekiii/CVEunknown
一个 CVE 漏洞预警知识库,无 exp/poc,部分包含修复方案。A knowledge base of CVE security vulnerability, no PoCs/exploits.
★ 172·updated 2d ago
MuhammadWaseem29/CVE-2025-53770unknown
Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server (CVE-2025-53770)
★ 58·updated 10mo ago
hazcod/CVE-2025-53770Go
Scanner for the SharePoint CVE-2025-53770 RCE zero day vulnerability.
★ 45·updated 4mo ago
Articles on news mentioning CVE-2025-53770