An unauthenticated remote code execution (RCE) vulnerability, identified as CVE-2025-53770, has been discovered in on-premise Microsoft SharePoint Servers.
This critical zero-day flaw allows attackers to execute arbitrary code on a server without needing to authenticate, posing a significant security risk.
The vulnerability has been actively exploited in the wild, with researchers detecting an exploit chain as early as July 18, 2025.
What is CVE-2025-53770?
The vulnerability stems from insufficient validation of user-supplied data, which can be exploited by a specially crafted request to the server.
This allows a remote attacker to execute code with the permissions of the SharePoint application pool, leading to a full compromise of the server: the attacker could access sensitive data, install malware, and take complete control of the system.
Which systems are affected?
This vulnerability impacts multiple versions of on-premise Microsoft SharePoint servers:
- SharePoint Server Subscription Edition (Versions earlier than KB5002768)
- SharePoint Server 2019 (Versions earlier than 16.0.10417.20027/KB5002754)
- SharePoint Server 2016 (Specific version numbers vary, but generally earlier than the latest security updates)
- SharePoint Server 2013 and 2010 (While these are end-of-life and no longer supported, Microsoft still lists them as being potentially affected)
How could attackers use this vulnerability?
Bad actors are actively exploiting CVE-2025-53770 to gain initial access to corporate networks. Since the vulnerability is unauthenticated, attackers can scan the internet for vulnerable SharePoint servers and execute their exploit without needing any user credentials.
Once exploited, they can deploy web shells to maintain persistent access, install ransomware, exfiltrate sensitive company data, or use the compromised server as a pivot point to move laterally within the network and attack other systems.
Its ease of exploitation and the high level of access it grants make this a particularly dangerous vulnerability for any organization with an on-premise SharePoint deployment.
How to protect your organization
To protect your organization from this critical vulnerability, you need to take immediate action:
Apply security patches
Microsoft has released security updates to address this vulnerability. It’s crucial to apply these patches to all affected SharePoint servers immediately.
Hunt for indicators of compromise (IoCs)
Since this vulnerability was a zero-day and exploited in the wild, it’s essential to check for signs of a breach.
Security teams should analyze SharePoint and web server logs for suspicious requests, particularly those involving unexpected file uploads or unusual processes being executed by the SharePoint application pool identity. Look for newly created .aspx or .ashx files in SharePoint directories that aren’t part of a standard installation.
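The two hunting checks described above (script files in SharePoint directories that are not part of a standard installation, and suspicious requests in the web server logs), as an added example that is not part of the original post. The baseline inventory, file paths and IIS log lines are constructed, and the default IIS W3C log field order is assumed.

```python
"""Hunt helpers: (1) diff the server's .aspx/.ashx files against a known-good
baseline, (2) flag IIS W3C log requests that reached script paths outside that
baseline. All paths, baseline entries and log lines are constructed samples."""
import ntpath
from datetime import datetime

SCRIPT_EXT = {".aspx", ".ashx"}
HUNT_START = datetime(2025, 7, 18)  # earliest exploitation date cited in the advisory

def is_script(path):
    # ntpath splits on both '\' and '/', so this works for file paths and URI stems
    return ntpath.splitext(path)[1].lower() in SCRIPT_EXT

def unexpected_script_files(baseline, current, since):
    """Map each suspicious script file to the reason it was flagged.
    `baseline`: script-file inventory of a clean reference install (set of paths).
    `current`: {path: creation time} listing taken from the live server."""
    known = {p.lower() for p in baseline}  # NTFS paths compare case-insensitively
    findings = {}
    for path, created in current.items():
        if not is_script(path):
            continue
        if path.lower() not in known:
            findings[path] = "not in baseline"
        elif created >= since:  # known file but fresh timestamp: verify against patch install time
            findings[path] = "baseline file (re)created after hunt start"
    return findings

def suspicious_requests(log_lines, known_stems):
    """Return (client_ip, method, uri_stem, status) for requests that got a 2xx
    response from a script path not in `known_stems` (default field order: c-ip=8, sc-status=11)."""
    known = {s.lower() for s in known_stems}
    hits = []
    for line in log_lines:
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 12:
            continue  # skip directives, blank lines and truncated records
        method, stem, client_ip, status = f[3], f[4], f[8], f[11]
        if is_script(stem) and stem.lower() not in known and status.startswith("2"):
            hits.append((client_ip, method, stem, int(status)))
    return hits

# --- constructed sample data (not real SharePoint paths or IoCs) ---
BASELINE_FILES = {r"C:\SP\WebRoot\default.aspx", r"C:\SP\LAYOUTS\start.aspx"}
CURRENT_FILES = {
    r"C:\SP\WebRoot\default.aspx": datetime(2025, 3, 2),
    r"C:\SP\LAYOUTS\start.aspx": datetime(2025, 7, 20),     # known file, new timestamp
    r"C:\SP\LAYOUTS\tmp_upload1.aspx": datetime(2025, 7, 19),
    r"C:\SP\LAYOUTS\notes.txt": datetime(2025, 7, 19),       # not a script, ignored
}
KNOWN_STEMS = {"/default.aspx", "/_layouts/start.aspx"}
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-07-19 02:14:05 10.0.0.5 GET /default.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31",
    "2025-07-19 02:14:09 10.0.0.5 POST /_layouts/tmp_upload1.aspx - 443 - 203.0.113.7 python-requests/2.32 - 200 0 0 88",
    "2025-07-19 02:14:12 10.0.0.5 GET /_layouts/handler.ashx - 443 - 203.0.113.7 curl/8.4 - 404 0 2 5",
]
```

Files flagged as "baseline file (re)created after hunt start" will include anything legitimately replaced by the security update, so compare those timestamps with the patch installation time before treating them as evidence.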
Implement network segmentation
Restrict access to your SharePoint servers from the internet as much as possible. If external access is necessary, consider placing the server behind a web application firewall (WAF) with rules designed to block common web attack patterns.
Enhance monitoring
Increase monitoring of SharePoint servers for any anomalous behavior, such as unexpected outbound network connections, high CPU usage from SharePoint-related processes, or suspicious scheduled tasks being created.
Conclusion
CVE-2025-53770 represents a severe and immediate threat to organizations running on-premise Microsoft SharePoint Servers.
As a critical, unauthenticated remote code execution vulnerability being actively exploited in the wild, it provides a direct gateway for attackers to achieve a full compromise of server integrity, leading to potential data breaches, ransomware deployment, and significant operational disruption.
Your response to this threat must be swift and comprehensive. Immediately applying Microsoft’s security patches is a critical first step to prevent exploitation.
However, because it was exploited as a zero-day before a patch was available, organizations must also assume possible compromise and proactively hunt for IoCs. Strengthening network segmentation and enhancing monitoring are vital secondary measures to protect against this and future threats.
Ultimately, a decisive and layered security response is essential to mitigate the substantial risks posed by this vulnerability.
Recommended content
To learn how to detect and exploit this vulnerability in a sandboxed environment, check out the following labs on the Immersive platform:
- Defensive: CVE-2025-53770 (ToolShell SharePoint RCE)
- Offensive: CVE-2025-53770 (ToolShell SharePoint RCE)
Share your thoughts
Have you seen this vulnerability being exploited in the wild? Have you patched your systems yet? Share your thoughts by commenting in the thread below.