TLP: CLEAR
CanSSOC Threat Assessment ^[*]: HIGH

1. Overview
2. Summary
3. Details
4. Recommendations
5. Support
6. References

We have received the following advisory from CanSSOC regarding a high-severity vulnerability with SharePoint. These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted. This vulnerability is being actively exploited, so Microsoft has released emergency patches to address this, which we recommend be installed as soon as possible. If you have, or can enable AMSI integration feature and use Microsoft Defender across your SharePoint Server farm(s) this can protect you from this vulnerability as well. We are assuming SentinelOne will work in place of Defender, but we are working to confirm this.

The Canadian Centre for Cybersecurity, released an alert regarding an active exploitation of CVE-2025-53770 [1], a deserialization of untrusted data vulnerability affecting SharePoint Server versions 2016, 2019 and Subscription Edition. Successful exploitation allows threat actors to execute arbitrary code over the network. At the time of the alert, no patch had been released by Microsoft.

On July 20, 2025, Microsoft patched CVE-2025-53770, for SharePoint Server 2019 (via KB5002754) and Subscription Edition (via KB5002768) [2-3]. No patch is currently available for SharePoint Server 2016.

IOCs have been released by several news outlets and have been uploaded to MISP [4-6] and distributed via the CanSSOC Threat Feed.

We are asking institutions that have the resources to investigate activity related to the shared vulnerability to do so and report the information back to CanSSOC via your institutional Slack channel or via security@canssoc.canarie.ca.

• CVE: CVE-2025-53770
  • CVSSv3: 9.8
• Affected versions:
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft Sharepoint Enterprise Server 2019
  • Sharepoint Enterprise Server Subscription Edition
• Patched versions:
  • Microsoft Sharepoint Enterprise Server 2019 (via KB5002754)
  • Sharepoint Enterprise Server Subscription Edition (via KB5002768)
• Active exploitation: The Canadian Cyber Centre is aware of ongoing exploitation of this vulnerability happening in Canada.

• Review CCCS Alert for mitigation strategies if you are unable to patch [1].
• Review the Microsoft Guidance and Patch using the recently released KB by Microsoft [2-3].
• Review IOCs from MISP [6].

1. Vulnerability impacting Microsoft SharePoint Server (CVE-2025-53770) | Government of Canada
2. Customer guidance for SharePoint vulnerability CVE-2025-53770 | Microsoft Security Response Center
3. Microsoft SharePoint Server remote code execution vulnerability | Microsoft Security Response Center
4. Microsoft releases emergency patches for SharePoint RCE flaws exploited in attacks | Bleeping Computer
5. SharePoint under attack: Microsoft warns of zero-day exploited in the wild – no patch available | Security Week
6. MISP Threat Sharing

As always, please let us know if you have any questions or concerns or see unusual activity on your systems that you believe might be associated with this or any other vulnerability. Please send these communications to security.response@utoronto.ca.

[*] The CanSSOC Threat Assessment has the following four scores: LOW, MEDIUM, HIGH, SEVERE.