Microsoft SharePoint CVE-2025-53770: Actively Exploited Remote Code Execution via Insecure Deserialization
Microsoft recently disclosed a critical remote code execution (RCE) vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770. This flaw has been actively exploited in the wild, making it a high-priority concern for enterprises relying on SharePoint for content management and collaboration.
In this blog, we’ll unpack the technical root of the vulnerability, how exploitation works, the risks posed, mitigation steps, and what to do if you think you may be impacted.
CVE-2025-53770 Overview
- CVE ID: CVE-2025-53770
- Severity: Critical (CVSS 9.8)
- Impact: Remote Code Execution
- Affected Products: Microsoft SharePoint Server 2016, 2019, Subscription Edition (on-prem only)
- Attack Vector: Network
- Authentication Required: No
This vulnerability is caused by insecure deserialization of untrusted input in a .NET component used by SharePoint’s workflow or search indexing subsystems. A remote, unauthenticated attacker can craft a specially formatted payload, send it to a vulnerable endpoint, and achieve arbitrary code execution on the SharePoint server with SYSTEM privileges.
CVE-2025-53770 Exploitation Details
The root cause is a lack of input validation during deserialization of user-controlled data. In affected SharePoint components, certain API endpoints (notably internal workflow handlers and legacy SOAP interfaces) deserialize serialized .NET objects without verifying their type, origin, or structure.
Attackers exploit this by:
- Creating a malicious binary payload: This uses BinaryFormatter or NetDataContractSerializer to generate serialized .NET gadgets that execute arbitrary commands during object instantiation.
- Sending the payload to vulnerable endpoints: For instance, through HTTP POST requests to workflow-related URLs like:
```http
POST /_layouts/15/workflow.aspx
Content-Type: application/octet-stream
```
- Triggering deserialization: Once the object is deserialized on the server, it invokes malicious method chains like:
```csharp
new ProcessStartInfo("cmd.exe", "/c powershell -EncodedCommand ...")
```
- Achieving RCE: The payload is executed under the SharePoint application pool identity, often with SYSTEM or high-privilege access in on-prem deployments.
Indicators of compromise include suspicious PowerShell process launches, modified registry keys, or outbound C2 (command and control) connections initiated by w3wp.exe.
Potential Impact
The risk is severe:
- Complete takeover of the server: Once exploited, attackers can deploy backdoors, exfiltrate SharePoint content, harvest credentials, or move laterally across the network.
- Active exploitation observed: Microsoft has confirmed that threat actors are exploiting this vulnerability in real-world attacks, especially targeting unpatched SharePoint instances accessible over the internet.
- Ransomware deployment: Some APT groups are leveraging CVE-2025-53770 for initial access before deploying data encryption and exfiltration payloads.
Organizations with hybrid or purely on-prem deployments are particularly at risk if they’ve exposed SharePoint to external access or haven’t enforced strict firewall segmentation.
Mitigation and Remediation
🔒 Temporary Mitigation (Until Patch Is Available)
Microsoft has released interim mitigation steps while a full patch is being validated:
Block vulnerable endpoints:
Modify your SharePoint Web.config to block serialized object streams:
```xml
<!-- requestFiltering belongs under system.webServer/security, not system.web -->
<system.web>
  <httpRuntime requestValidationMode="4.5" />
</system.web>
<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxAllowedContentLength="100000" />
      <hiddenSegments>
        <add segment="workflow.aspx" />
      </hiddenSegments>
    </requestFiltering>
  </security>
</system.webServer>
```
Use Web Application Firewall (WAF):
Block POST requests with binary Content-Type: application/octet-stream or abnormal headers:
```apache
SecRule REQUEST_HEADERS:Content-Type "@contains application/octet-stream" \
    "id:1001,phase:1,deny,status:403,msg:'Blocked suspicious binary content upload'"
```
Disable legacy workflows:
If not required, disable legacy workflows via PowerShell:
```powershell
Disable-SPFeature -Identity "Workflows" -Url http://<your-site-collection>
```
✅ Permanent Solution: Patch When Available
Microsoft is currently testing a comprehensive security update. Once released, apply it immediately through:
- Windows Update
- WSUS
- Manual patching via Microsoft Security Portal
Subscribe to Microsoft’s Security Update Guide for real-time notifications.
Detection and Threat Hunting
To detect signs of exploitation, monitor the following:
- Process creation logs (Event ID 4688): Unusual executions from w3wp.exe or OWSTIMER.exe
- Application logs: Deserialize exceptions, access to workflow endpoints
- Network logs: Suspicious POST requests with binary content
Sample YARA rule:
```yara
rule SharePoint_Deserialization_Exploit
{
    meta:
        description = "Detects binary deserialization payloads for CVE-2025-53770"
    strings:
        $magic = "BinaryFormatter" ascii
        $net = "System.Runtime.Serialization" ascii
    condition:
        $magic and $net
}
```
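The process-creation hunt described above (w3wp.exe or OWSTIMER.exe spawning a shell, with the encoded PowerShell pattern from the gadget example raising severity), as an added example that is not IONIX's or Microsoft's tooling. It assumes Security 4688 events have been exported as one dict per event with the event's own field names; the sample records are constructed.

```python
"""Hunt for CVE-2025-53770 post-exploitation in exported Security 4688 events."""
import re

# Parents that should almost never spawn a shell on a SharePoint server (per the post).
SHAREPOINT_PARENTS = {"w3wp.exe", "owstimer.exe"}
# Interpreters a deserialization gadget typically launches via ProcessStartInfo.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# "-e", "-enc" or "-EncodedCommand" followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)

# Constructed sample records; field names follow the 4688 event XML, the
# one-dict-per-event export format is an assumption about the collector.
SAMPLE_4688 = [
    {"EventRecordID": 1, "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventRecordID": 2, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"EventRecordID": 3, "ParentProcessName": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\OWSTIMER.EXE",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

def basename(path):
    """File name component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_process_events(events):
    """Return events where w3wp.exe or OWSTIMER.exe launched a shell.

    An encoded PowerShell command line raises severity, matching the gadget
    pattern quoted in the post. Events without ParentProcessName (older
    Windows builds do not populate it) cannot be attributed and are skipped.
    """
    hits = []
    for ev in events:
        parent = basename(ev.get("ParentProcessName", ""))
        child = basename(ev.get("NewProcessName", ""))
        if parent not in SHAREPOINT_PARENTS or child not in SHELL_CHILDREN:
            continue
        cmd = ev.get("CommandLine", "")
        severity = "high" if ENCODED_FLAG.search(cmd) else "medium"
        hits.append({"id": ev["EventRecordID"], "parent": parent, "child": child,
                     "severity": severity, "cmd": cmd})
    return hits

if __name__ == "__main__":
    for h in suspicious_process_events(SAMPLE_4688):
        print(f"[{h['severity']}] record {h['id']}: {h['parent']} -> {h['child']}: {h['cmd']}")
```

Command-line capture in 4688 requires the "Include command line in process creation events" policy; without it the encoded-command check degrades to medium-severity parent/child matching only.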
Am I Impacted by CVE-2025-53770?
A critical vulnerability, CVE-2025-53770, affects on-premises deployments of Microsoft SharePoint Server. The flaw stems from insecure deserialization of untrusted data, allowing unauthorized attackers to remotely execute arbitrary code over the network. Microsoft has confirmed that this vulnerability is actively being exploited in the wild. While a comprehensive security update is undergoing testing, Microsoft has issued interim mitigation guidance to reduce exposure. IONIX urges organizations to apply these mitigations immediately to protect vulnerable SharePoint instances from exploitation.
IONIX empowers security teams to surface and respond to vulnerabilities like CVE-2025-53770 before they become a breach.