TR-95 - Critical vulnerability - Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. CVE-2025-53770 - CVE-2025-53771

  1. Recommendations
  2. Impact
  3. Exploitation
  4. Detection
  5. Affected Systems
  6. Credits
  7. References
  8. Timeline
  9. Classification of this document
  10. Revision


Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in the Microsoft CVE documentation is in place so that you are protected from exploitation. For more details, see the Microsoft advisories for CVE-2025-53770 and CVE-2025-53771.

These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.

CIRCL advises initiating an incident response procedure, reviewing all logs, and especially scrutinizing any potential compromise to other internal infrastructure in addition to the Microsoft SharePoint Server.

Recommendations

  • Review the Microsoft Customer guidance for SharePoint vulnerability CVE-2025-53770
  • Assume the system has been compromised, because large‑scale exploitation occurred before the patch was released.
  • Trigger an incident response procedure, reviewing all logs, and especially scrutinizing any potential compromise to other internal infrastructure in addition to the Microsoft SharePoint Server.

Impact

Successful exploitation can result in the full compromise of the Microsoft SharePoint Server.

Exploitation

Exploitation has been confirmed and observed worldwide, including in Luxembourg.

Detection

Monitor and search web server logs for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, which is the trigger for the known payload.

Review the Microsoft SharePoint Server for the presence of the spinstall0.aspx file.
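The two detection checks above, worked through as an added example (this is not CIRCL's, Microsoft's or eye.security's code): it parses IIS W3C extended log lines, flags POST requests to ToolPane.aspx whose query string carries DisplayMode=Edit, and reports any file named spinstall0.aspx. The log excerpt, the client addresses and the file paths are constructed for illustration; the path match uses a case-insensitive suffix so the same page requested under a site collection path (for example /sites/hr/_layouts/15/ToolPane.aspx) is also caught.

```python
"""Added detection example for the TR-95 indicators (not the advisory's own code).
Flags POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit in IIS W3C logs and
looks for a file named spinstall0.aspx. All sample data below is constructed."""
from pathlib import Path
from typing import Dict, Iterable, List

TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"   # compared case-insensitively, as a suffix
WEBSHELL_NAME = "spinstall0.aspx"

# Constructed IIS W3C log excerpt; 203.0.113.7 is a documentation-range address.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-19 10:15:01 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.20 Mozilla/5.0 200
2025-07-19 10:15:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 python-requests/2.31 200
2025-07-19 10:16:30 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.20 Mozilla/5.0 200
2025-07-19 10:17:02 10.0.0.5 POST /sites/hr/_layouts/15/toolpane.aspx displaymode=edit 203.0.113.7 python-requests/2.31 200
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # field names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):       # skip malformed lines instead of misaligning columns
            continue
        records.append(dict(zip(fields, values)))
    return records


def query_params(query: str) -> Dict[str, str]:
    """Split an IIS cs-uri-query value ('-' means empty) into lower-cased key/value pairs."""
    if query in ("", "-"):
        return {}
    params: Dict[str, str] = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = value.lower()
    return params


def is_toolpane_trigger(rec: Dict[str, str]) -> bool:
    """True for a POST to ToolPane.aspx with DisplayMode=Edit (any site path, any case)."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    if not rec.get("cs-uri-stem", "").lower().endswith(TOOLPANE_STEM):
        return False
    return query_params(rec.get("cs-uri-query", "")).get("displaymode") == "edit"


def find_toolpane_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """All log records matching the ToolPane trigger described in the advisory."""
    return [r for r in parse_w3c(lines) if is_toolpane_trigger(r)]


def webshell_candidates(paths: Iterable[str]) -> List[str]:
    """Return the paths whose file name is spinstall0.aspx; accepts Windows or POSIX separators."""
    return sorted(p for p in paths if p.replace("\\", "/").rsplit("/", 1)[-1].lower() == WEBSHELL_NAME)


def scan_layouts_dir(layouts_dir: str) -> List[str]:
    """Walk a real LAYOUTS directory tree and apply the file-name check to every file."""
    return webshell_candidates(str(p) for p in Path(layouts_dir).rglob("*") if p.is_file())


if __name__ == "__main__":
    for hit in find_toolpane_hits(SAMPLE_LOG.splitlines()):
        print(f"{hit['date']} {hit['time']} POST ToolPane DisplayMode=Edit from {hit['c-ip']}")
    # Constructed paths standing in for a real LAYOUTS listing.
    print(webshell_candidates([
        r"C:\inetpub\LAYOUTS\spinstall0.aspx",
        r"C:\inetpub\LAYOUTS\start.aspx",
    ]))
```

Each hit is a lead for the incident response procedure recommended above, not a conviction on its own: correlate the source address, timing and any subsequent requests, and pair the log search with the file check on every web front end in the farm.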

A scanning approach was proposed by https://research.eye.security/sharepoint-under-siege/ and is available as a bash script.

In addition, a set of indicators is available in the original article: https://research.eye.security/sharepoint-under-siege/.

A MISP event with the indicators is also available with the following UUID: d9da16a2-8444-45cb-8bb4-d27abf23a261.

Affected Systems

  • Microsoft - Microsoft SharePoint Enterprise Server 2016 - Version: N/A
  • Microsoft - Microsoft SharePoint Server 2019 - Version: 16.0.0 < 16.0.10417.20037
  • Microsoft - Microsoft SharePoint Server Subscription Edition - Version: 16.0.0 < 16.0.18526.20508

Credits

  • Thanks to https://research.eye.security for the discovery.

References

Timeline

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.1 - TLP:CLEAR - Second version including updates and new scanning script - 21st July 2025
  • Version 1.0 - TLP:CLEAR - First version - 20th July 2025