Critical SharePoint RCE: CVE-2025-53770 and the Perils of Deserialization
Active exploitation, unauthenticated remote code execution, and no patch yet available—CVE-2025-53770 is a wake-up call for every organization running on-premises SharePoint Server.
Introduction
Attackers are actively breaching enterprise SharePoint deployments, gaining remote code execution with no credentials required. This is not a theoretical risk—CVE-2025-53770 is being exploited in the wild, and Microsoft has yet to release a patch. The vulnerability exposes the core of SharePoint’s data processing to deserialization attacks, allowing adversaries to hijack servers, deploy webshells, and move laterally across networks.
Technical Information
CVE-2025-53770 is a classic but devastating case of unsafe deserialization of untrusted data (CWE-502) in on-premises Microsoft SharePoint Server. The flaw is rooted in SharePoint’s handling of serialized .NET objects—specifically, its failure to properly validate or sanitize serialized input received via network requests.
Vulnerability Mechanism
- Attack Vector: Remote, unauthenticated attackers send crafted HTTP POST requests to SharePoint endpoints (such as /_api/web/lists) containing malicious serialized .NET payloads.
- Trigger: SharePoint processes the serialized input using legacy .NET deserialization mechanisms (e.g., BinaryFormatter), which are inherently insecure and can execute arbitrary code embedded in the payload.
- Impact: The attacker’s code runs in the context of the SharePoint application pool, enabling full system compromise, webshell deployment, and further lateral movement.
Exploitation Flow
- No authentication required: The vulnerability can be exploited remotely by unauthenticated users, dramatically increasing risk for any exposed SharePoint instance.
- Common payloads: Attackers typically deploy webshells (malicious .aspx files) or execute system commands to establish persistence and expand access.
Root Cause
The core issue is SharePoint’s reliance on insecure deserialization routines for processing user-supplied data. This is a well-documented anti-pattern in .NET applications, especially when using BinaryFormatter or similar APIs. The absence of input validation or type restrictions allows attackers to supply arbitrary objects that, when deserialized, trigger code execution.
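To make the anti-pattern concrete, here is an added illustration written for this page (not SharePoint's or Microsoft's own code): the unrestricted BinaryFormatter call beside a version that enforces the missing type restriction with a SerializationBinder. The ListQuery type and the QueryParser method names are hypothetical stand-ins for whatever an endpoint actually expects.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical request type standing in for whatever the endpoint expects;
// constructed for this illustration only.
[Serializable]
public sealed class ListQuery
{
    public string ListTitle { get; set; }
    public int RowLimit { get; set; }
}

public static class QueryParser
{
    // VULNERABLE (CWE-502): the raw request body goes straight into
    // BinaryFormatter. Any type the sender encoded is materialised, so a
    // gadget chain in the payload runs inside Deserialize(), before the
    // cast on the return line is ever reached.
    public static ListQuery ParseUnsafe(byte[] requestBody)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(requestBody);
        return (ListQuery)formatter.Deserialize(stream);
    }

    // Allow-list binder: resolves exactly one expected type, rejects all others.
    private sealed class ListQueryOnlyBinder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            if (typeName == typeof(ListQuery).FullName)
                return typeof(ListQuery);
            throw new SerializationException("Type not permitted: " + typeName);
        }
    }

    // MITIGATED: same formatter, now with the type restriction the advisory
    // says is missing. Microsoft still classes BinaryFormatter as unsafe even
    // with a binder (obsolete since .NET 5), so treat this as a stopgap and
    // move to a data-only format such as System.Text.Json where possible.
    public static ListQuery ParseWithBinder(byte[] requestBody)
    {
        var formatter = new BinaryFormatter { Binder = new ListQueryOnlyBinder() };
        using var stream = new MemoryStream(requestBody);
        return (ListQuery)formatter.Deserialize(stream);
    }
}
```

The binder runs before any object is constructed, which is why it blocks the payload's chosen type rather than merely failing the final cast; a data-only format that carries no type names removes the problem class entirely.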
Affected Systems and Versions
- Microsoft SharePoint Server Subscription Edition (prior to 16.0.18526.20286)
- Microsoft SharePoint Server 2019 (all versions prior to the forthcoming patch)
- Microsoft SharePoint Server 2016 Enterprise Edition (all versions prior to the forthcoming patch)
All on-premises deployments processing serialized data via exposed endpoints are at risk. Cloud-hosted SharePoint Online is not affected.
Vendor Security History
Microsoft SharePoint has a recurring history of deserialization vulnerabilities:
- CVE-2025-30382: Deserialization RCE, exploited in the wild.
- CVE-2025-30384: Similar vector, patched in 2025.
- CVE-2024-38094: Prior critical deserialization flaw.
Despite Microsoft’s regular patch cadence, unsafe deserialization remains a persistent challenge in SharePoint’s legacy codebase.
Security teams must act now: Restrict network access, monitor for suspicious POST requests, and follow Microsoft’s mitigation guidance until a patch is released. This is a critical, actively exploited vulnerability—do not delay.
Source: This report was created using AI