Full Report
CISA has issued an urgent warning about a critical zero-day remote code execution vulnerability affecting Microsoft SharePoint Server on-premises installations that threat actors are actively exploiting in the wild. The vulnerability, tracked as CVE-2025-53770, poses a significant security risk to organizations running SharePoint infrastructure and has prompted immediate action requirements from federal agencies, as well […] The post CISA Warns of Microsoft SharePoint Server 0-Day RCE Vulnerability Exploited in Wild appeared first on Cyber Security News.
Analysis Summary
# Vulnerability: Microsoft SharePoint Server 0-Day RCE via Deserialization
## CVE Details
- CVE ID: CVE-2025-53770
- CVSS Score: Not explicitly provided, but noted as **Critical** due to active exploitation and RCE.
- CWE: CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- Products: Microsoft SharePoint Server (On-premises installations)
- Versions: Not specified beyond "SharePoint Server on-premises environments."
- Configurations: Systems with public-facing SharePoint deployments are at the highest risk.
## Vulnerability Description
This is a critical zero-day Remote Code Execution (RCE) vulnerability affecting Microsoft SharePoint Server on-premises installations. The flaw lies in how the server handles serialized data and is classified as Deserialization of Untrusted Data (CWE-502). An unauthenticated remote attacker can execute arbitrary code on the target server over the network by sending crafted serialized payloads that the vulnerable component processes without adequate validation.
## Exploitation
- Status: **Exploited in the wild** (Added to CISA KEV catalog on July 20, 2025).
- Complexity: Not stated in the source; implied **Low** or **Medium**, given the remote, unauthenticated execution reported for this class of bug.
- Attack Vector: Network
## Impact
- Confidentiality: High (Likely leads to full system compromise)
- Integrity: High (Allows arbitrary code execution and modification)
- Availability: High (Potential for system disruption or takeover)
## Remediation
### Patches
- **Note:** Specific patch versions are not listed in the source material, but immediate patching is implied by the CISA deadline.
### Workarounds
1. Enable **AMSI (Antimalware Scan Interface)** or **Microsoft Defender Antivirus** on SharePoint servers.
2. Immediately **disconnect public-facing SharePoint systems** from the network until remediation is complete.
## Detection
- **Indicators of Compromise (IOCs):** Not detailed in the provided text, which focuses on CISA's remediation deadline.
- **Detection Methods and Tools:** Organizations should monitor SharePoint server processes for anomalous activity that would indicate code execution following a deserialization attempt. Enabling AMSI and Microsoft Defender Antivirus on SharePoint servers is presented as the primary detection and prevention measure.
## References
- Vendor Advisories: Microsoft (Implied, but no specific advisory link provided)
- CISA: Added to KEV catalog on July 20, 2025, with July 21, 2025 remediation deadline.
- Relevant links:
  - hxxps://cybersecuritynews.com/sharepoint-0-day-rce-vulnerability-exploited/
  - hxxps://cybersecuritynews.com/microsoft-security-update-sharepoint-0-day/