Fortra is actively researching a remote code execution vulnerability in Microsoft SharePoint Server that could allow an unauthenticated attacker to execute code on the affected server.
| CVE | Risk | Score |
|---|---|---|
| CVE-2025-53770 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C | 9.8 (Critical) |
This vulnerability affects only on-premises versions of SharePoint Server and is caused by the deserialization of untrusted data. It could allow an unauthenticated attacker to execute code on the server and is being actively exploited.
Who is affected?
CVE-2025-53770 impacts the following versions of SharePoint Server:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
What can I do?
To mitigate this vulnerability and protect themselves, customers should enable AMSI Integration.
The vendor has released the following updates to resolve this vulnerability:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
Additional information can be found at:
- Vendor Guidance: Customer guidance for SharePoint Vulnerability CVE-2025-53770
- Vendor Advisory: Security Update Guide - Microsoft Security Response Center
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
- IP360: Tripwire released local scan coverage on July 23, 2025, to identify vulnerable instances. If vulnerabilities are detected, they will be flagged under vulnerability ID 748624 for CVE-2025-53770.
- Alert Logic: On July 24, 2025, mappings were added to authenticated scans and released in Fusion VM 4.69.1.
- IP360: Tripwire released remote scan coverage on July 30, 2025, to identify vulnerable instances. If vulnerabilities are detected, they will be flagged under vulnerability ID 748624 for CVE-2025-53770.
- Tripwire Enterprise: On August 11, 2025, Tripwire released Indicator of Compromise (IOC) detection for Tripwire Enterprise. This coverage is available in High Impact Vulnerabilities (Windows) version 2.3.0.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated as new information about it and related security coverage becomes available.
- 07/23/2025: Tripwire released local scan coverage for IP360.
- 07/24/2025: Mappings for authenticated scans added and released to Fusion VM.
- 07/30/2025: Tripwire released remote scan coverage for IP360.
- 08/11/2025: Tripwire released IOC detection for Tripwire Enterprise.