FAQ on SharePoint Zero-Day Vulnerability Exploitation (CVE-2025-53770)

On July 19, researchers at Eye Security identified active exploitation in Microsoft SharePoint Server. Originally, this exploitation was believed to have been linked to a pair of flaws (CVE-2025-49704, CVE-2025-49706) dubbed “ToolShell” that was disclosed at Pwn2Own Berlin and patched in Microsoft’s July 2025 Patch Tuesday release, Microsoft published its own blog post stating that the flaw was actually a zero-day.

CVE	Description	CVSSv3
CVE-2025-53770	Microsoft SharePoint Server Remote Code Execution Vulnerability	9.8

Microsoft confirmed that CVE-2025-53770 is a “variant” of CVE-2025-49706. As of July 20 at 2PM PST, CVE-2025-53770 remains unpatched.

Update: Since we published our community and FAQ blog post, Microsoft has created an additional CVE and added in some preliminary patches for SharePoint Subscription Edition and SharePoint Server 2019.

CVE	Description	CVSSv3
CVE-2025-53771	Microsoft SharePoint Server Spoofing Vulnerability	6.3

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Cyber Exposure Alerts

Tenable Research

Tenable Vulnerability Management

Vulnerability Watch

Forum Discussion

FAQ on SharePoint Zero-Day Vulnerability Exploitation (CVE-2025-53770)

Recent Discussions

Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)

Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks

CVE-2025-7775: Citrix NetScaler ADC and Gateway Zero-Day RCE Vulnerability Exploited in the Wild

CVE-2025-25256: Proof of Concept Released for Fortinet FortiSIEM Command Injection Vulnerability

Microsoft’s August 2025 Patch Tuesday Addresses 107 CVEs (CVE-2025-53779)

Americas

Europe

Asia / Australia