{
  "name": "CVE-2025-53770 and CVE-2025-53771: Actively Exploited SharePoint Vulnerabilities",
  "slug": "cve-2025-53770-and-cve-2025-53771-actively-exploited-sharepoint-vulnerabilities",
  "description": "Two critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, are affecting Microsoft SharePoint Servers, enabling attackers to upload malicious files and extract cryptographic secrets. These flaws are evolutions of previously patched vulnerabilities, CVE-2025-49704 and CVE-2025-49706, which were incompletely remediated. Exploit attempts have been observed across various industries, including finance, education, energy, and healthcare. Microsoft has released patches for SharePoint Subscription Edition and Server 2019, with a patch for Server 2016 pending. The vulnerabilities allow for unauthenticated remote code execution through advanced deserialization techniques and ViewState abuse. Active exploitation in the wild has been confirmed, compromising on-premises SharePoint environments globally.",
  "published": "2025-07-22T07:04:10+00:00",
  "created_at": "2025-07-22T07:04:10+00:00",
  "modified_at": "2025-07-22T07:29:32+00:00",
  "created_at_opencti": "2025-07-22T07:04:10+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-22",
    "CVE-2025-49704",
    "CVE-2025-49706",
    "CVE-2025-53770",
    "CVE-2025-53771",
    "deserialization",
    "microsoft sharepoint",
    "remote code execution",
    "unauthenticated attacks",
    "viewstate abuse"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "96.9.125.147"
      },
      {
        "id": "",
        "name": "104.238.159.149"
      },
      {
        "id": "",
        "name": "107.191.58.76"
      },
      {
        "id": "",
        "name": "103.186.30.186"
      },
      {
        "id": "",
        "name": "b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93"
      },
      {
        "id": "",
        "name": "27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014"
      },
      {
        "id": "",
        "name": "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"
      },
      {
        "id": "",
        "name": "8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2"
      }
    ],
    "attack_patterns": [
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-53771"
      },
      {
        "id": "",
        "name": "CVE-2025-53770"
      },
      {
        "id": "",
        "name": "CVE-2025-49706"
      },
      {
        "id": "",
        "name": "CVE-2025-49704"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html",
    "https://otx.alienvault.com/pulse/687f540a2b7d8ca9da74c8fe"
  ]
}