| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Microsoft | Microsoft SharePoint Enterprise Server 2016 | 16.0.0 ~ 16.0.5513.1001 | - |
| Microsoft | Microsoft SharePoint Server 2019 | 16.0.0 ~ 16.0.10417.20037 | - |
| Microsoft | Microsoft SharePoint Server Subscription Edition | 16.0.0 ~ 16.0.18526.20508 | - |

| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-53770.yaml | POC Details |
| 2 | Detects a persistent webshell named 'spinstall0.aspx' deployed on Microsoft SharePoint servers. This file exposes sensitive cryptographic machineKey values from the SharePoint configuration, indicating the presence of a ToolShell backdoor implant. This implant is linked to targeted post-auth RCE campaigns exploiting CVE-2025-53770. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/backdoor/sharepoint-toolshell-backdoor.yaml | POC Details |
| 3 | CVE-2025-53770 | https://github.com/B1ack4sh/Blackash-CVE-2025-53770 | POC Details |
| 4 | A critical zero-day vulnerability CVE‑2025‑53770 has been actively exploited in the wild against on-premises Microsoft SharePoint Server. Dubbed "ToolShell," this exploit leverages a deserialization flaw (variant of CVE‑2025‑49706, CVSS: 6.3). | https://github.com/RukshanaAlikhan/CVE-2025-53770 | POC Details |
| 5 | None | https://github.com/Bluefire-Redteam-Cybersecurity/bluefire-sharepoint-cve-2025-53770 | POC Details |
| 6 | This PowerShell script detects indicators of compromise for CVE-2025-53770 — a critical RCE vulnerability in Microsoft SharePoint. Created by @n1chr0x and @BlackRazer67 | https://github.com/n1chr0x/ZeroPoint | POC Details |
| 7 | POC | https://github.com/kaizensecurity/CVE-2025-53770 | POC Details |
| 8 | A comprehensive security monitoring solution for SharePoint Server with specific protection against CVE-2025-53770 and other threats | https://github.com/paolokappa/SharePointSecurityMonitor | POC Details |
| 9 | SharePoint WebPart Injection Exploit Tool | https://github.com/soltanali0/CVE-2025-53770-Exploit | POC Details |
| 10 | Scanner for the SharePoint CVE-2025-53770 RCE zero day vulnerability. | https://github.com/hazcod/CVE-2025-53770 | POC Details |
| 11 | ToolShell scanner - CVE-2025-53770 and detection information | https://github.com/ZephrFish/CVE-2025-53770-Scanner | POC Details |
| 12 | Hunting for Critical SharePoint Vulnerability CVE-2025-53770 | https://github.com/siag-itsec/CVE-2025-53770-Hunting | POC Details |
| 13 | Checks whether an on-premises SharePoint server is vulnerable to CVE-2025-53770 | https://github.com/grupooruss/CVE-2025-53770-Checker | POC Details |
| 14 | None | https://github.com/tripoloski1337/CVE-2025-53770-scanner | POC Details |
| 15 | A critical zero-auth RCE vulnerability in SharePoint (CVE-2025-53770), now exploited in the wild, building directly on the spoofing flaw CVE-2025-49706. | https://github.com/AdityaBhatt3010/CVE-2025-53770-SharePoint-Zero-Day-Variant-Exploited-for-Full-RCE | POC Details |
| 16 | CVE-2025-53770 – Vulnerability Research & Exploitation | https://github.com/b33b0y/CVE-2025-53770 | POC Details |
| 17 | None | https://github.com/GreenForceNetwork/Toolshell_CVE-2025-53770 | POC Details |
| 18 | None | https://github.com/imbas007/CVE-2025-53770-Vulnerable-Scanner | POC Details |
| 19 | A Python-based reconnaissance scanner for safely identifying potential exposure to SharePoint vulnerability CVE-2025-53770. | https://github.com/Sec-Dan/CVE-2025-53770-Scanner | POC Details |
| 20 | Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server (CVE-2025-53770) | https://github.com/MuhammadWaseem29/CVE-2025-53770 | POC Details |
| 21 | Exploit tool for SharePoint WebPart Injection via ToolPane.aspx, enabling .NET deserialization and remote code execution. 🛠️🔍 Secure your SharePoint now! | https://github.com/bijikutu/CVE-2025-53770-Exploit | POC Details |
| 22 | Explore the Microsoft SharePoint CVE-2025-53770 proof of concept. Learn about this vulnerability and its implications. 🐙💻 | https://github.com/Lapesha/CVE-2025-53770 | POC Details |
| 23 | Scanner for CVE-2025-53770, a SharePoint vulnerability. Check if your server is vulnerable and extract version info. 🛠️🔍 | https://github.com/Hassanopop/CVE-2025-53770 | POC Details |
| 24 | Identify exposure to the critical SharePoint vulnerability CVE-2025-53770 with this effective scanner tool. Secure your systems today! 🛡️🔍 | https://github.com/m4r1x/CVE-2025-53770-Scanner | POC Details |
| 25 | Exploit & research for CVE‑2025‑53770 – a zero‑day remote code execution vulnerability in Microsoft SharePoint (on‑premises). | https://github.com/Kamal-Hegazi/CVE-2025-53770-SharePoint-RCE | POC Details |
| 26 | A sophisticated, wizard-driven Python exploit tool targeting CVE-2025-53770, a critical (CVSS 9.8) unauthenticated remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server (2016, 2019, Subscription Edition) | https://github.com/exfil0/CVE-2025-53770 | POC Details |
| 27 | Scans Windows IIS logs for signs of CVE-2025-53770 & CVE-2025-53771 | https://github.com/zach115th/ToolShellFinder | POC Details |
| 28 | Detection rules for CVE-2025-53770 | https://github.com/nisargsuthar/suricata-rule-CVE-2025-53770 | POC Details |
| 29 | None | https://github.com/bharath-cyber-root/sharepoint-toolshell-cve-2025-53770 | POC Details |
| 30 | Do you really think SharePoint is safe? | https://github.com/Rabbitbong/OurSharePoint-CVE-2025-53770 | POC Details |
| 31 | None | https://github.com/Udyz/CVE-2025-53770-Exploit | POC Details |
| 32 | Honeypot for CVE-2025-53770 aka ToolShell | https://github.com/a-hydrae/ToolShell-Honeypot | POC Details |
| 33 | Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server (CVE-2025-53770) | https://github.com/0xray5c68616e37/cve-2025-53770 | POC Details |
| 34 | None | https://github.com/BirdsAreFlyingCameras/CVE-2025-53770_Raw-HTTP-Request-Generator | POC Details |
| 35 | An activity to train analysis skills and reporting | https://github.com/bossnick98/-SOC342---CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-and-RCE | POC Details |
| 36 | CVE-2025-53770 Mass Scanner | https://github.com/3a7/CVE-2025-53770 | POC Details |
| 37 | None | https://github.com/r3xbugbounty/CVE-2025-53770 | POC Details |
| 38 | None | https://github.com/daryllundy/CVE-2025-53770 | POC Details |
| 39 | 🎯 Vulnerability scanner for SharePoint servers affected by CVE-2025-53770. Detects unsafe deserialization using ToolPane.aspx with a crafted base64+gzip payload. 🛡️ Developed by Ahmed Tamer. | https://github.com/0x-crypt/CVE-2025-53770-Scanner | POC Details |
| 40 | None | https://github.com/Immersive-Labs-Sec/SharePoint-CVE-2025-53770-POC | POC Details |
| 41 | A critical vulnerability in Microsoft SharePoint Server allows unauthenticated remote code execution via deserialization of untrusted data. Microsoft is aware of active exploitation; apply CVE mitigations immediately. Severity: Critical. | https://github.com/harryhaxor/CVE-2025-53770-SharePoint-Deserialization-RCE-PoC | POC Details |
| 42 | None | https://github.com/SDX442/CVE-2025-53770 | POC Details |
| 43 | None | https://github.com/Agampreet-Singh/CVE-2025-53770 | POC Details |
| 44 | None | https://github.com/GreenForceNetworks/Toolshell_CVE-2025-53770 | POC Details |
| 45 | None | https://github.com/CyprianAtsyor/ToolShell-CVE-2025-53770-SharePoint-Exploit-Lab-LetsDefend | POC Details |
| 46 | CVE-2025-53770 - SharePoint | https://github.com/ghostn4444/CVE-2025-53770 | POC Details |
| 47 | None | https://github.com/saladin0x1/CVE-2025-53770 | POC Details |
| 48 | CVE-2025-53770 lab environment | https://github.com/go-bi/sharepoint-CVE-2025-53770 | POC Details |
| 49 | 🔍 Explore Microsoft SharePoint CVE-2025-53770 with this proof of concept for educational use, emphasizing security insights in authorized environments. | https://github.com/taqiaferdianshah/CVE-2025-53770 | POC Details |
| 50 | 🛠️ Exploit Microsoft SharePoint WebPart Injection vulnerabilities for .NET deserialization and remote code execution using ToolPane.aspx. | https://github.com/yashz0007/CVE-2025-53770-Exploit | POC Details |
| 51 | None | https://github.com/fentnttntnt/CVE-2025-53770 | POC Details |
| 52 | 🔍 Scan for potential exposure to the critical SharePoint vulnerability CVE-2025-53770 with this simple and effective tool for authorized testing. | https://github.com/ziisenpai/CVE-2025-53770-Scanner | POC Details |
| 53 | None | https://github.com/Michaael01/LetsDefend--SOC-342-CVE-2025-53770-SharePoint-Exploit-ToolShell | POC Details |
| 54 | Exploit & research for CVE‑2025‑53770 – a zero‑day remote code execution vulnerability in Microsoft SharePoint (on‑premises). | https://github.com/0xh3g4z1/CVE-2025-53770-SharePoint-RCE | POC Details |
| 55 | None | https://github.com/victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320 | POC Details |
| 56 | Honeypot for CVE-2025-53770 aka ToolShell | https://github.com/bitsalv/ToolShell-Honeypot | POC Details |
| 57 | Reproducible incident micro-postmortem for on-prem Microsoft SharePoint “ToolShell” (CVE-2025-53770): ATT&CK snapshot, “logs that matter” table, three hunts (KQL/SPL/Sigma), first-4-hours comms, sample data, and figures. Built for fast triage; no org data; SharePoint Online out of scope. | https://github.com/Cameloo1/sharepoint-toolshell-micro-postmortem | POC Details |
| 58 | CVE-2025-53770 | https://github.com/Ashwesker/Blackash-CVE-2025-53770 | POC Details |
| 59 | CVE-2025-53770 | https://github.com/Ashwesker/Ashwesker-CVE-2025-53770 | POC Details |
| 60 | None | https://github.com/anwakub/CVE-2025-53770 | POC Details |
| 61 | CVE-2025-53770 | https://github.com/yosasasutsut/Blackash-CVE-2025-53770 | POC Details |
| 62 | Scanner for the SharePoint CVE-2025-53770 RCE zero day vulnerability (fork from hazcod/CVE-2025-53770) | https://github.com/rbctee/CVE-2025-53770 | POC Details |