Brand ClaimErleben, was verbindet

Advisory 2025-1473 - Microsoft SharePoint (On-premises): Multiple Vulnerabilities

Achtung: You can now also find information from the Vulnerability Advisory Service in the CTI portal!
The CTI portal is available at the following address: https://cti-portal.telekom.net/advisories/2025-1473
Notice: This advisory is by exception shown completely public. You will regularly receive details on vulnerability information as a customer via your login or through our daily advisory e-mail.
5
Attack probability
high
4
Potential damage
medium-high
remote anonymous attackerremote authenticated attackerUser interaction requiredExploit available
Date
2025-07-21
Release
2025-07-21

Operating System

  • Sonstiges
  • Windows

Software

  • Microsoft SharePoint Subscription Edition < KB5002768
  • Microsoft SharePoint Server 2016
  • Microsoft SharePoint Server 2016 < KB5002744 Build 16.0.5508.1000
  • Microsoft SharePoint Server 2019 < KB5002741 Build 16.0.10417.20027
  • Microsoft SharePoint Server 2019 < KB5002754

Attack

A remote anonymous or authenticated attacker can exploit multiple vulnerabilities in Microsoft SharePoint Server 2019, Microsoft SharePoint Subscription Edition and Microsoft SharePoint Server 2016 in order to execute arbitrary code and to perform spoofing attacks.

Description

Microsoft SharePoint is a browser-based collaboration and document management platform. It can be used to host web sites that access shared workspaces and documents, as well as specialized applications like wikis and blogs from a browser. Microsoft SharePoint is a browser-based collaboration and document management platform. It can be used to host web sites that access shared workspaces and documents, as well as specialized applications like wikis and blogs from a browser.

CVE-2025-53770

A vulnerability exists that only affects local Microsoft SharePoint deployments: SharePoint Server 2019, 2016, and Subscription Edition. The vulnerability escalated from a problem initially classified as a spoofing vulnerability (CVE-2025-49706) into a more critical security flaw. The cause is the insecure deserialization of untrusted data, allowing attackers to inject a backdoor. This backdoor can then be used to read the ASP.NET MachineKeys. This enables manipulation and falsification of __VIEWSTATE payloads with a valid signature. As a result, a remote, unauthenticated attacker can execute arbitrary code in the context of the SharePoint server and potentially gain persistent access to the system.

CVSSv2 Base Score: 10.0 / Temporal Score: 8.7
AV:N/AC:L/AU:N/C:C/I:C/A:C/E:H/RL:OF/RC:ND
CVSSv3.1 Base Score: 9.8 / Temporal Score: 9.4
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:X

CVE-2025-53771

There is a vulnerability in Microsoft SharePoint Server 2016 and Microsoft SharePoint Server 2019. The flaw arises from the improper limitation of a pathname to a restricted directory, which allows for a path traversal issue. A remote authenticated attacker can exploit this vulnerability to perform spoofing attacks. Successful exploitation requires a user interaction.

CVSSv2 Base Score: 7.0 / Temporal Score: 6.1
AV:N/AC:M/AU:S/C:C/I:P/A:N/E:H/RL:OF/RC:ND
CVSSv3.1 Base Score: 6.3 / Temporal Score: 6.0
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:H/RL:O/RC:X

Microsoft has confirmed that the CVE-2025-53770 and CVE-2025-53771 vulnerabilities are already being exploited in the wild.

Recommendation

Microsoft provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

There is currently no update or patch available to fix this vulnerability.
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

Information

Microsoft Update Guide CVE-2025-53770 dated 2025-07-20
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770

Microsoft Customer guidance for SharePoint vulnerability CVE-2025-53770 dated 2025-07-20
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

Canadian Centre for Cyber Security - Alert AL25-009 dated 2025-07-20
https://cyber.gc.ca/en/alerts-advisories/al25-009-vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770

Microsoft Update Guide CVE-2025-53771 dated 2025-07-20
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771

References

CVE:CVE-2025-53770
CVE:CVE-2025-53771
EUVD:EUVD-2025-21981
EUVD:EUVD-2025-22040
VULNAME:TOOLSHELL

Disclaimer

*The probability of an attack is determined by the attacker's motivation, the necessary expend and the possibilities for an attack. The damage probability is determined by the expend needed to resolute the attack and probable indirect consequences of an attack for business processes. Telekom Security assumes worst case scenarios.

Copyright © 1999-2025 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.

The information contained herein has been obtained from sources believed to be reliable and trusted or have been verified. Telekom Security can take liability for completeness, accuracy and correctness only in so far, as gross negligence or intention create liability. Any liability beyond it, in particular possible damages resulting from using or non-usability of the information contained herein, is excluded.