Fortra is actively researching a remote code execution vulnerability in Microsoft SharePoint Server that could allow an unauthenticated attacker to execute code on the affected server.
| CVE | CVSS vector | Score |
|---|---|---|
| CVE-2025-53770 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C | (9.8, Critical) |
This vulnerability only impacts on-premises versions of SharePoint Server and is caused by the deserialization of untrusted data. It could lead to code execution for an unauthenticated user and is currently being actively exploited.
Who is affected?
CVE-2025-53770 impacts the following versions of SharePoint Server:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
What can I do?
To mitigate this vulnerability and protect themselves, customers should enable AMSI Integration.
The vendor has released the following updates to resolve this vulnerability:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
Additional information can be found at:
- Vendor Guidance: Customer guidance for SharePoint Vulnerability CVE-2025-53770
- Vendor Advisory: Security Update Guide - Microsoft Security Response Center
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
- Analytics: On July 10, 2025, Alert Logic deployed a log telemetry analytic to detect an IIS ViewState variable containing the YSOSerial gadget ProcessStartInfo.
- Analytics: On July 10, 2025, Alert Logic deployed a log telemetry analytic to detect suspicious command lines spawned from IIS.
- IDS: On July 22, 2025, Alert Logic deployed an IDS signature to detect CVE-2025-53770 SharePoint ViewState injection in unauthenticated requests via toolpane.aspx.
- IDS: On July 22, 2025, Alert Logic deployed an IDS signature to detect unauthenticated SharePoint edit requests to any URI.
- IP360: Tripwire released local scan coverage on July 23, 2025, to identify vulnerable instances. If vulnerabilities are detected, they will be flagged under vulnerability ID 748624 for CVE-2025-53770.
- Alert Logic: On July 24, 2025, mappings were added to authenticated scans and released in Fusion VM 4.69.1.
- IP360: Tripwire released remote scan coverage on July 30, 2025, to identify vulnerable instances. If vulnerabilities are detected, they will be flagged under vulnerability ID 748624 for CVE-2025-53770.
- Analytics: On August 1, 2025, Alert Logic deployed a log analytic to detect PowerShell IoCs related to CVE-2025-53770.
- Tripwire Enterprise: On August 11, 2025, Tripwire released Indicator of Compromise (IOC) detection for Tripwire Enterprise. This coverage is available in High Impact Vulnerabilities (Windows) version 2.3.0.
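
For teams that want to triage their own IIS logs alongside this coverage, the following added example (not Fortra or Alert Logic code, and not the logic of the signatures listed above) flags requests to toolpane.aspx that IIS recorded without an authenticated user. It assumes W3C extended logs with `cs-username` enabled; the sample log, its paths and its addresses are constructed.

```python
"""Flag unauthenticated requests to toolpane.aspx in IIS W3C extended logs."""

TARGET_PAGE = "toolpane.aspx"  # page named in the advisory; compared case-insensitively

# Constructed sample log: documentation IP ranges and made-up site paths.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2025-07-21 10:01:02 198.51.100.7 - POST /example/ToolPane.aspx a=b 200
2025-07-21 10:01:05 192.0.2.10 CONTOSO\\alice POST /example/ToolPane.aspx a=b 200
2025-07-21 10:02:11 192.0.2.11 - GET /example/default.aspx - 401
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-07-21 10:03:00 GET /EXAMPLE/TOOLPANE.ASPX - 203.0.113.9 302
"""


def find_unauthenticated_hits(log_text, target=TARGET_PAGE):
    """Return one dict per request to `target` whose cs-username is '-'."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The column layout can change mid-file (for example after an
            # IIS logging reconfiguration), so re-read it every time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        user = row.get("cs-username")
        if user is None:
            continue  # cs-username not logged: authentication state unknown
        page = row.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if page == target and user == "-":  # "-" means no authenticated user
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_unauthenticated_hits(SAMPLE_LOG):
        print(hit.get("date"), hit.get("time"), hit.get("c-ip"),
              hit.get("cs-method"), hit.get("cs-uri-stem"), hit.get("sc-status"))
```

A hit is a lead for triage, not proof of exploitation; rows are skipped when `cs-username` is not being logged, so confirm that field is enabled before relying on an empty result.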
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated as new information about it and related security coverage becomes available.
- 07/10/2025: Deployed log telemetry analytic to detect an IIS ViewState variable containing the YSOSerial gadget ProcessStartInfo.
- 07/10/2025: Deployed log telemetry analytic to detect suspicious command lines spawned from IIS.
- 07/22/2025: Deployed IDS signature to detect CVE-2025-53770.
- 07/22/2025: Deployed IDS signature to detect SharePoint unauthenticated edit requests.
- 07/23/2025: Tripwire released local scan coverage for IP360.
- 07/24/2025: Mappings for authenticated scans added and released to Fusion VM.
- 07/30/2025: Tripwire released remote scan coverage for IP360.
- 08/01/2025: Deployed log analytic to detect PowerShell IoCs.
- 08/11/2025: Tripwire released IOC detection for Tripwire Enterprise.
