CVE-2025-53770 and CVE-2025-53771: Actively Exploited SharePoint Vulnerabilities

Two critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, are affecting Microsoft SharePoint Servers, enabling attackers to upload malicious files and extract cryptographic secrets. These flaws are evolutions of previously patched vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which were incompletely remediated. Exploit attempts have been observed across various industries, including finance, education, energy, and healthcare. Microsoft has released patches for SharePoint Subscription Edition and Server 2019, with a patch for Server 2016 pending. The vulnerabilities allow for unauthenticated remote code execution through advanced deserialization techniques and ViewState abuse. Active exploitation in the wild has been confirmed, compromising on-premises SharePoint environments globally.

Author: AlienVault

Related Tags: viewstate abuse, deserialization, microsoft sharepoint, cve-2025-49706, cve-2025-49704, cve-2025-53770, cve-2025-53771, T1550.002, remote code execution

Associated Indicators: