CVE-2025-53770

ENISA EUVD: EUVD-2025-23309
Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero
Triaged: Feb. 19, 2026 · 15 articles · Published: 2025-07-20

EPSS Score

Source: FIRST.org · 2026-05-23
90.64% probability
This CVE has a 90.64% probability of being exploited in the next 30 days.
Top 99.6th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
9.8 CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Temporal
Exploit Code Maturity: Functional
Remediation Level: Workaround
Report Confidence: Confirmed
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C

Description

NVD
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

Affected Products

Microsoft · Microsoft SharePoint Enterprise Server 2016 · 16.0.0
Microsoft · Microsoft SharePoint Server 2019 · 16.0.0
Microsoft · Microsoft SharePoint Server Subscription Edition · 16.0.0

Attack Intelligence

Google Project Zero

Patched: July 19, 2025
Reported by: Viettel Cyber Security with Trend Zero Day Initiative
Root Cause Analysis: ???

Exploits & PoC

soltanali0/CVE-2025-53770-Exploit

SharePoint WebPart Injection Exploit Tool

311 2025-11-28
MuhammadWaseem29/CVE-2025-53770

Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server (CVE-2025-53770)

56 2025-08-04
hazcod/CVE-2025-53770

Scanner for the SharePoint CVE-2025-53770 RCE zero day vulnerability.

44 2026-02-10
ZephrFish/CVE-2025-53770-Scanner

ToolShell scanner - CVE-2025-53770 and detection information

18 2025-12-07
3a7/CVE-2025-53770

CVE-2025-53770 Mass Scanner

14 2025-07-29
AdityaBhatt3010/CVE-2025-53770-SharePoint-Zero-Day-Variant-Exploited-for-Full-RCE

A critical zero-auth RCE vulnerability in SharePoint (CVE-2025-53770), now exploited in the wild, building directly on the spoofing flaw CVE-2025-4970

11 2025-07-22
exfil0/CVE-2025-53770

A sophisticated, wizard-driven Python exploit tool targeting CVE-2025-53770, a critical (CVSS 9.8) unauthenticated remote code execution (RCE) vulnera

5 2025-07-23
Sec-Dan/CVE-2025-53770-Scanner

A Python-based reconnaissance scanner for safely identifying potential exposure to SharePoint vulnerability CVE-2025-53770.

2 2025-07-22
Rabbitbong/OurSharePoint-CVE-2025-53770

Do you really think SharePoint is safe?

2 2026-02-22
paolokappa/SharePointSecurityMonitor

A comprehensive PowerShell-based SharePoint security monitoring solution with CVE-2025-53770 protection, advanced DLL analysis, threat detection, and

1 2025-08-04
harryhaxor/CVE-2025-53770-SharePoint-Deserialization-RCE-PoC

A critical vulnerability in Microsoft SharePoint Server allows unauthenticated remote code execution via deserialization of untrusted data. Microsoft

1 2025-08-02
Cameloo1/sharepoint-toolshell-micro-postmortem

Reproducible incident micro-postmortem for on-prem Microsoft SharePoint “ToolShell” (CVE-2025-53770): ATT&CK snapshot, “logs that matter” table, three

1 2025-12-19
Zedocun/SharePoint-ToolShell-CVE-2025-53770-Incident-Analysis

Technical analysis of a SharePoint ToolShell (CVE-2025-53770) exploitation attempt involving RCE, webshell deployment, and MachineKey extraction.

1 2026-04-01
RukshanaAlikhan/CVE-2025-53770

A critical zero-day vulnerability CVE‑2025‑53770 has been actively exploited in the wild against on-premises Microsoft SharePoint Server. Dubbed "Too

0 2025-07-21
0 2025-07-20
gmh5225/ZeroPoint

This PowerShell script detects indicators of compromise for CVE-2025-53770 — a critical RCE vulnerability in Microsoft SharePoint. Created by @n1chr0

0 2025-07-21
siag-itsec/CVE-2025-53770-Hunting

Hunting for Critical SharePoint Vulnerability CVE-2025-53770

0 2025-07-21
grupooruss/CVE-2025-53770-Checker

Checks whether an on-premises SharePoint server is vulnerable to CVE-2025-53770

0 2025-07-21
0xray5c68616e37/cve-2025-53770

Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server (CVE-2025-53770)

0 2025-07-22
zach115th/ToolShellFinder

Scans Windows IIS logs for signs of CVE-2025-53770 & CVE-2025-53771

0 2025-12-08
nisargsuthar/suricata-rule-CVE-2025-53770

Detection rules for CVE-2025-53770

0 2025-07-24
bitsalv/ToolShell-Honeypot

Honeypot for CVE-2025-53770 aka ToolShell

0 2025-07-29
BirdsAreFlyingCameras/CVE-2025-53770_Raw-HTTP-Request-Generator

Just a quick script I cooked up to exploit CVE-2025-53770

0 2025-07-25
0 2025-07-27
daryllundy/CVE-2025-53770

Tools for detecting and assessing systems vulnerable to CVE-2025-53770 (CWE-502: Deserialization of Untrusted Data).

0 2025-09-16
0xisfet/CVE-2025-53770-Scanner

🎯 Vulnerability scanner for SharePoint servers affected by CVE-2025-53770. Detects unsafe deserialization using ToolPane.aspx with a crafted base64+gz

0 2025-07-28
ghostn4444/CVE-2025-53770

CVE-2025-53770 - SharePoint

0 2025-08-14
rbctee/CVE-2025-53770

Scanner for the SharePoint CVE-2025-53770 RCE zero day vulnerability (fork from hazcod/CVE-2025-53770)

0 2026-02-11
0 2026-03-21
43 repos, sorted by ⭐

Signal Intelligence

Confidence: 95%
EPSS: 90.64%
CVSS v3.1: 9.8
Mentions: 15
Last Seen: May 08, 2026

CNA Information

CNA Assigner: microsoft
CNA Title: Microsoft SharePoint Server Remote Code Execution Vulnerability

Analyst Note

CVE-2025-53770 is confirmed as actively exploited in the wild with a critical CVSS score of 9.8, documented exploitation by state-sponsored actors (Chinese hackers), and reported attacks against high-value targets including US nuclear weapons facilities. The vulnerability involves remote code execution through unsafe deserialization in SharePoint on-premises, with multiple credible news sources corroborating active exploitation and Microsoft acknowledging the threat.

Threat Actors 53

Cobalt · apt_group · Financial crime · 🇷🇺 RU
APT 28 · apt_group · Information theft and espionage · 🇷🇺 RU
Vicious Panda · apt_group · Information theft and espionage · 🇨🇳 CN
Hacking Team · apt_group · 🇮🇹 IT
Chamelgang · apt_group · Information theft and espionage · 🇨🇳 CN
SCATTERED SPIDER · apt_group · Financial crime · 🇺🇸 US
LAPSUS · apt_group · 🇬🇧 GB
The Shadow Brokers · apt_group · 🇷🇺 RU
Watchdog · apt_group · 🇨🇳 CN
APT39 · apt_group · Information theft and espionage · 🇮🇷 IR
APT3 · apt_group · Information theft and espionage · 🇨🇳 CN
Infy · apt_group · Information theft and espionage · 🇮🇷 IR
Volt Typhoon · apt_group · Information theft and espionage · 🇨🇳 CN
Group 27 · apt_group · Information theft and espionage · 🇨🇳 CN
Comment Crew · apt_group · Information theft and espionage · 🇨🇳 CN
SideWinder · apt_group · 🇮🇳 IN
[Unnamed group] · apt_group · 🇨🇳 CN
FamousSparrow · apt_group · Information theft and espionage · 🇨🇳 CN
UNC5174 · apt_group · 🇨🇳 CN
Earth Estries · apt_group · Information theft and espionage · 🇨🇳 CN
HAFNIUM · apt_group · Information theft and espionage · 🇨🇳 CN
APT31 · apt_group · Information theft and espionage · 🇨🇳 CN
APT 22 · apt_group · Information theft and espionage · 🇨🇳 CN
Flax Typhoon · apt_group · Information theft and espionage · 🇨🇳 CN
APT 6 · apt_group · Information theft and espionage · 🇨🇳 CN
UNC215 · apt_group · Information theft and espionage · 🇨🇳 CN
Water Bakunawa · apt_group · 🇷🇺 RU
Bitwise Spider · apt_group · Financial gain · 🇷🇺 RU
Stealth Falcon · apt_group · Information theft and espionage · 🇦🇪 AE
The White Company · apt_group · Information theft and espionage · 🇨🇳 CN
Radio Panda · apt_group · Information theft and espionage · 🇨🇳 CN
Test Panda · apt_group · 🇨🇳 CN
Circles · apt_group · Global
Pat Bear · apt_group · 🇸🇾 SY
Operation Red Signature · apt_group · Information theft and espionage · 🇨🇳 CN
Operation Domino · apt_group · Information theft and espionage · 🇷🇺 RU
Operation Digital Eye · apt_group · Information theft and espionage · 🇨🇳 CN
Unnamed Actor · apt_group · 🇨🇳 CN
Shadow Network · apt_group · Information theft and espionage · 🇨🇳 CN
Mana Team · apt_group · 🇨🇳 CN
Iron Group · apt_group · Information theft and espionage · 🇨🇳 CN
Redfly · apt_group · 🇨🇳 CN
Big Panda · apt_group · 🇨🇳 CN
APT 5 · apt_group · Information theft and espionage · 🇨🇳 CN
Cyber Alliance · apt_group · 🇺🇦 UA
Beijing Group · apt_group · Information theft and espionage · 🇨🇳 CN
Lurk · apt_group · Financial crime · 🇷🇺 RU
Storm-2460 · apt_group · 🇷🇺 RU
Dust Storm · apt_group · Information theft and espionage · 🇨🇳 CN
Electric Panda · apt_group · 🇨🇳 CN
Storm-0558 · apt_group · Information theft and espionage · 🇨🇳 CN
Dark Partners · apt_group
Union Panda · apt_group · 🇨🇳 CN

Triage Info

Decided at: Feb 19, 2026
Published Date: Jul 20, 2025