PatchSiren cyber security CVE debrief
CVE-2025-53770 Microsoft CVE debrief
CVE-2025-53770 is a Microsoft SharePoint deserialization of untrusted data vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2025-07-20. CISA marked it as having known ransomware campaign use and set a remediation due date of 2025-07-21. The published guidance prioritizes disconnecting public-facing SharePoint Server versions that are end-of-life or end-of-service, and following vendor mitigations for supported versions.
- Vendor
- Microsoft
- Product
- SharePoint
- CVSS
- Unknown
- CISA KEV
- Listed
- Original CVE published
- 2025-07-20
- Original CVE updated
- 2025-07-20
- Advisory published
- 2025-07-20
- Advisory updated
- 2025-07-20
Who should care
Security teams responsible for Microsoft SharePoint, especially public-facing deployments, should treat this as urgent. Organizations running unsupported SharePoint Server versions, including SharePoint Server 2013 and earlier, are directly called out by CISA for disconnection.
Technical summary
The vulnerability is described at a high level as a deserialization of untrusted data issue in Microsoft SharePoint. The supplied corpus does not include deeper exploitation mechanics, affected build ranges, or a CVSS score, so the safest evidence-based summary is that CISA considers it actively exploited and important enough to add to KEV with a one-day remediation window.
Defensive priority
Immediate. The KEV listing, the one-day due date, and the known ransomware campaign use designation indicate a high operational risk and a need for rapid containment and remediation.
Recommended defensive actions
- Disconnect public-facing SharePoint Server deployments that are end-of-life or end-of-service, including SharePoint Server 2013 and earlier.
- For supported SharePoint versions, apply the mitigations and vendor instructions referenced by CISA and Microsoft.
- Review exposure of any internet-facing SharePoint instances and prioritize them for emergency response.
- Use the official CISA KEV entry and Microsoft guidance links to confirm the latest vendor-directed mitigation steps.
- If mitigations are not available for a deployment, discontinue use of the product as directed in the CISA guidance.
Evidence notes
The supplied source corpus is the CISA KEV feed entry for CVE-2025-53770. It records vendor Project Microsoft, product SharePoint, the vulnerability name, dateAdded 2025-07-20, dueDate 2025-07-21, and knownRansomwareCampaignUse as Known. The CISA metadata also includes the required action to disconnect public-facing SharePoint Server versions that are EOL/EOS, including SharePoint Server 2013 and earlier, and to follow CISA and vendor guidance for supported versions. Official reference links supplied with the record include the CVE.org entry, NVD detail page, CISA KEV catalog, the CISA alert URL, the Microsoft security blog URL, and the Microsoft Update Guide URL.
Official resources
-
CVE-2025-53770 CVE record
CVE.org
-
CVE-2025-53770 NVD detail
NVD
-
CISA Known Exploited Vulnerabilities catalog
CISA - Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the m
-
Source item URL
cisa_kev
CISA added CVE-2025-53770 to the Known Exploited Vulnerabilities catalog on 2025-07-20 and assigned a remediation due date of 2025-07-21. The record also marks known ransomware campaign use as Known.