Microsoft SharePoint Server has been identified as containing a zero-day remote code execution vulnerability. A zero-day is a vulnerability or security hole in a computer system that is unknown to its developers, or to anyone capable of mitigating it, at the time it is first exploited.
This came to light when threat actors were observed exploiting CVE-2025-53770 and CVE-2025-53771 to achieve remote code execution. CVE-2025-53770 is a critical remote code execution (RCE) zero-day vulnerability in on-premises Microsoft SharePoint Server.
It stems from the deserialization of untrusted data (CWE-502) and can be exploited remotely without authentication or user interaction, earning a CVSS score of 9.8. Microsoft has confirmed active exploitation in the wild, making this a high-priority issue for all affected organizations.
Research suggests that the risk of attack increases once a vulnerability is made publicly known or a patch is released, since attackers can study the fix and target systems that have not yet applied it.
CVE-2025-53771 is a high-severity file write vulnerability in on-premises Microsoft SharePoint Server. It arises from improper input validation and path traversal (CWE-22, CWE-20), which lets an attacker drop a malicious web shell onto the server. It can be exploited without any user interaction and has received a CVSS score of 7.1. Microsoft has confirmed that this vulnerability is actively being exploited in the wild, making it a high-priority issue for all affected organizations.
Further details about how CVE-2025-53770 and CVE-2025-53771 work have been sent to Digital Journal by Ronen Ahdut, Head of CyOps MDR at Cynet Security:
- CVE-2025-53770 is a critical, unauthenticated vulnerability with low complexity and high impact, enabling remote code execution in on-premises Microsoft SharePoint Server. This vulnerability is already being utilized in real-world attacks.
- CVE-2025-53770 allows an unauthenticated threat actor to execute remote code by exploiting a deserialization vulnerability in the __VIEWSTATE field.
- This vulnerability has been observed in the wild alongside CVE-2025-53771, which has been exploited in ways that provide complementary information to successfully exploit CVE-2025-53770.
- CVE-2025-53771 is also an unauthenticated vulnerability with low complexity and high impact. It permits a threat actor to place a web shell in a web-accessible folder within the SharePoint server.
- It is crucial to emphasize that threat actors are actively exploiting both vulnerabilities in the wild.
Ahdut says that, following Microsoft and CISA guidance, organizations potentially impacted by the vulnerabilities can remediate by:
- Monitor Microsoft’s Update Guide for ongoing patches, especially SharePoint 2016.
- Apply July 2025 Security Updates for all supported on-prem SharePoint versions immediately.
- Enable AMSI integration with Microsoft Defender across all SharePoint servers. This blocks the exploit path and provides active detection.
- Disconnect SharePoint servers from the internet if AMSI cannot be enabled.
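The web shell described above is dropped as a file into a folder the SharePoint web server serves directly, so one check a responder can run alongside patching and AMSI is a hunt for recently written ASP.NET handler files in those folders. The script below is an added example, not code from the article or from Cynet: it walks a web root, keeps executable file types modified inside a time window, and flags those containing several web-shell indicators. The indicator patterns, the 30-day window and the sample tree it builds are constructed for illustration; on a real server you would point it at the SharePoint `TEMPLATE\LAYOUTS` folder and the IIS virtual directories of each web application.

```python
"""Hunt for dropped web shells in web-accessible SharePoint folders.

Added example (not from the article or from Cynet). Directory names, time
window and indicator strings are assumptions chosen for illustration.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# File types IIS will execute if they are dropped into a served folder.
EXECUTABLE_SUFFIXES = {".aspx", ".ashx", ".asmx", ".soap", ".svc"}

# Constructed indicators typical of ASP.NET web shells. Each alone is weak
# (legitimate pages read Request.Form), so a finding needs several hits.
SHELL_INDICATORS = [
    re.compile(r"Process\.Start", re.I),
    re.compile(r"Request\.(Form|QueryString|Headers)\s*\[", re.I),
    re.compile(r"Assembly\.Load", re.I),
    re.compile(r"System\.Diagnostics", re.I),
    re.compile(r"cmd\.exe|powershell", re.I),
    # A shell that reads the server's machineKey is especially serious: with
    # the validation key an attacker can sign their own __VIEWSTATE payloads.
    re.compile(r"MachineKey|ValidationKey|DecryptionKey", re.I),
]


def scan_webroot(root, since, min_score=2):
    """Return findings for executable files under `root` modified after `since`.

    Caveat: mtime is attacker-controllable (timestomping). Treat the window as
    a triage filter and compare NTFS timestamps offline for anything suspect.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime < since:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = [p.pattern for p in SHELL_INDICATORS if p.search(text)]
        if len(hits) >= min_score:
            findings.append({
                "path": str(path),
                "modified": mtime.isoformat(),
                "indicators": hits,
            })
    return findings


def build_demo_webroot(base):
    """Create a constructed sample tree mirroring a LAYOUTS folder.

    One legitimate page, one freshly dropped shell-like file, and one
    shell-like file backdated so the time window excludes it.
    """
    layouts = Path(base) / "TEMPLATE" / "LAYOUTS"
    layouts.mkdir(parents=True, exist_ok=True)
    (layouts / "legit.aspx").write_text(
        '<%@ Page Language="C#" %>\n<asp:Label runat="server" Text="Hello" />\n')
    (layouts / "dropped.aspx").write_text(
        '<%@ Page Language="C#" %>\n<% var c = Request.Form["c"]; '
        'System.Diagnostics.Process.Start("cmd.exe", "/c " + c); %>\n')
    old = layouts / "old.aspx"
    old.write_text('<% System.Diagnostics.Process.Start("cmd.exe"); %>\n')
    past = (datetime.now(timezone.utc) - timedelta(days=400)).timestamp()
    os.utime(old, (past, past))  # backdate: outside the hunt window
    return layouts


def demo(window_days=30):
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_webroot(tmp)
        since = datetime.now(timezone.utc) - timedelta(days=window_days)
        return scan_webroot(root, since)


if __name__ == "__main__":
    for f in demo():
        print(f["modified"], f["path"], ", ".join(f["indicators"]))
```

The demo flags only `dropped.aspx`: the legitimate page has no indicators, and the backdated file falls outside the window, which is also why the window must be treated as a filter rather than proof of absence.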
In terms of scale, Ahdut says that SharePoint Online in Microsoft 365 is not impacted.
