Full Report
Multiple vulnerabilities have been discovered in Microsoft SharePoint Server, which could allow for remote code execution. Microsoft SharePoint Server is a web-based collaborative platform that integrates with Microsoft Office. Successful exploitation of these vulnerabilities allows for unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and to execute code over the network.
Analysis Summary
# Vulnerability: Remote Code Execution in Microsoft SharePoint Server (ToolShell)
## CVE Details
- **CVE ID:** CVE-2025-53770, CVE-2025-53771
- **CVSS Score:** Not provided in the source summary; the unauthenticated RCE implies Critical/High risk.
- **CWE:** CWE-502 (Deserialization of Untrusted Data - for CVE-2025-53770); CWE-22 (Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' - for CVE-2025-53771)
## Affected Systems
- **Products:** Microsoft SharePoint Server (Subscription Edition, 2019 Core, 2019 Language Pack, 2016 Enterprise, 2016 Language Pack)
- **Versions:**
* SharePoint Server Subscription Edition prior to security update **KB5002768**.
* SharePoint Server 2019 Core prior to security update **KB5002754**.
* SharePoint Server 2019 Language Pack prior to security update **KB5002753**.
* SharePoint Enterprise Server 2016 prior to security update **KB5002760**.
* SharePoint Enterprise Server 2016 Language Pack prior to security update **KB5002759**.
- **Configurations:** On-premises Microsoft SharePoint Server installations. The path traversal issue (CVE-2025-53771) requires an *authorized* attacker, while the deserialization RCE (CVE-2025-53770) is reachable by an *unauthenticated* attacker.
## Vulnerability Description
Multiple vulnerabilities exist in Microsoft SharePoint Server; they are reported as evolutions of previously patched flaws (CVE-2025-49704 and CVE-2025-49706) whose initial vendor remediation was incomplete.
1. **CVE-2025-53770 (RCE):** Deserialization of untrusted data in on-premises SharePoint Server allows an unauthorized attacker to execute arbitrary code over the network.
2. **CVE-2025-53771 (Path Traversal):** Improper limitation of a pathname to a restricted directory (path traversal) allows an authorized attacker to perform spoofing over a network.
Successful exploitation grants unauthenticated actors full access to SharePoint content, file systems, internal configurations, and the ability to execute code remotely.
## Exploitation
- **Status:** **Exploited in the wild** (Publicly reported as "ToolShell" activity).
- **Complexity:** Low (Based on the description emphasizing unauthenticated RCE and active exploitation).
- **Attack Vector:** Network (Initial Access via Exploit Public-Facing Application).
## Impact
- **Confidentiality:** Complete compromise (Access to SharePoint content, internal configurations).
- **Integrity:** Complete compromise (Ability to execute code).
- **Availability:** Complete compromise (Ability to execute code).
## Remediation
### Patches
Apply the following Microsoft security updates immediately after testing:
* For SharePoint Server Subscription Edition: **KB5002768**
* For SharePoint Server 2019 Core: **KB5002754**
* For SharePoint Server 2019 Language Pack: **KB5002753**
* For SharePoint Enterprise Server 2016: **KB5002760**
* For SharePoint Enterprise Server 2016 Language Pack: **KB5002759**
### Workarounds
No specific immediate workarounds were detailed in the provided advisory; the guidance emphasizes immediate patching (M1051: Update Software).
## Detection
- **Indicators of Compromise:** Activity associated with the "ToolShell" exploit campaign targeting SharePoint RCE.
- **Detection Methods and Tools:** Implement robust vulnerability management processes (Safeguards 7.1, 7.4) and perform frequent authenticated and unauthenticated vulnerability scans (Safeguard 7.5). Prioritize monitoring network traffic for suspicious deserialization attempts and monitoring endpoints for unusual code execution originating from SharePoint application processes.
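The "unusual code execution originating from SharePoint application processes" item above can be turned into a concrete process-lineage check. The following is an added example, not part of the advisory or of any vendor tooling; it assumes that on-premises SharePoint web applications run inside IIS worker processes (w3wp.exe) and that process-creation telemetry (Sysmon Event ID 1 field names) has been exported one JSON object per line. The sample events are constructed.

```python
"""Flag script/shell interpreters spawned by SharePoint's IIS worker process.
Assumptions (not from the advisory): SharePoint web apps run inside w3wp.exe, and
Sysmon Event ID 1 records are exported one JSON object per line as shown below."""
import json
import re
from pathlib import PureWindowsPath

# Interpreters a SharePoint worker process has no routine reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
SHAREPOINT_PARENT = "w3wp.exe"
APP_POOL_RE = re.compile(r'-ap\s+"([^"]+)"')  # IIS: w3wp.exe -ap "Pool Name" ...
# Constructed sample telemetry (field names follow Sysmon Event ID 1), not real data.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentCommandLine": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"SharePoint - 80\" -v \"v4.0\"", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "CommandLine": "csc.exe /noconfig ..."}
{"EventID": 1, "ProcessId": 5288, "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"EventID": 1, "ProcessId": 6012, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentCommandLine": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"SharePoint - 80\" -v \"v4.0\"", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 3, "ProcessId": 6012, "Image": "C:\\Windows\\System32\\cmd.exe", "DestinationIp": "203.0.113.10"}
"""

def _name(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return a finding if this is a w3wp.exe -> interpreter process creation."""
    if event.get("EventID") != 1:  # only Event ID 1 carries parent/child images
        return None
    child = _name(event.get("Image", ""))
    if _name(event.get("ParentImage", "")) != SHAREPOINT_PARENT or child not in SUSPICIOUS_CHILDREN:
        return None
    pool = APP_POOL_RE.search(event.get("ParentCommandLine", ""))
    return {"pid": event.get("ProcessId"), "child": child,
            "app_pool": pool.group(1) if pool else None,
            "command_line": event.get("CommandLine", "")}

def find_suspicious_spawns(lines):
    """Run classify() over JSON lines, skipping blank and malformed records."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line) if line.strip() else None
        except json.JSONDecodeError:
            event = None
        finding = classify(event) if event else None
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in find_suspicious_spawns(SAMPLE_EVENTS.splitlines()):
        print(f"[ALERT] pid={f['pid']} pool={f['app_pool']!r} spawned {f['child']}: {f['command_line']}")
```

Only the third record trips the rule; the csc.exe child (routine ASP.NET compilation), the explorer.exe parent, and the non-process-creation event are ignored, which keeps the rule usable as a high-signal alert rather than a noisy one.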
## References
- CVE Link: hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53770
- CVE Link: hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53771
- Vendor Advisory (Microsoft): hXXps://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- Threat Intelligence (TrendMicro): hXXps://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html
- Threat Intelligence (Unit42): hXXps://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/