CVE-2025-53770: Microsoft SharePoint Deserialization of Untrusted Data

Microsoft SharePoint Deserialization of Untrusted Data Vulnerability. Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-53771. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.

• CISA KEV-listed (remediation due 2025-07-21)
• used in ransomware campaigns
• EPSS 88.2% (99.5% percentile)

Detection rules

• Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create critical
• Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators high
• SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS medium
• Suspicious File Write to SharePoint Layouts Directory high

Browse the CVE database

Read the full analysis on IntelFusions