IRONSMITHINTEL
Severity: Critical (CVSS 9.8) | Actively Exploited | CISA KEV | CVE-2025-53770 | Auth: none (unauthenticated) | Reboot: required | Manual only

KB5002753: Windows Server Security Update (July 2025)

Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-53771. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.

Published Jul 20, 2025 · Updated May 16, 2026
Why patch: Risk explained in plain English
Worst-case scenario (if unpatched)

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2025-07-21 under CISA BOD 22-01.

How the attack works (no clicks needed)

This is a Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft SharePoint. Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation. Exploitation requires remote network access, has low attack complexity, and needs neither authentication nor user interaction.

[Diagram: Phishing link → Malicious file → Server compromised]

Am I affected? (Quick check)

Probably yes if any of these apply:

SharePoint Administrators
IT Security
Running SharePoint Server: v < 16.0.18526.20508, 2016, 2019
Fixed in: KB5002753, KB5002754, KB5002759, KB5002760, KB5002768 (applies to 3 product versions); build 16.0.10417.20037, 16.0.18526.20508+
Real-world incidents: What we've seen

Used in known ransomware campaigns. Threat-research write-up: https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5002753

Manual remediation steps

Apply the Microsoft Security Update

Microsoft has released an official security update that fixes this vulnerability.

Required KB Updates

    KB5002753: https://support.microsoft.com/help/5002753
    KB5002754: https://support.microsoft.com/help/5002754
    KB5002759: https://support.microsoft.com/help/5002759
    KB5002760: https://support.microsoft.com/help/5002760
    KB5002768: https://support.microsoft.com/help/5002768

Supersedes: KB5002739, KB5002743

Affected Products

    Microsoft SharePoint Enterprise Server 2016
    Microsoft SharePoint Server 2019
    Microsoft SharePoint Server Subscription Edition

Fixed Build Numbers

    16.0.10417.20037
    16.0.18526.20508
    16.0.5513.1001

Installation Methods

Windows Update (recommended)

1. Settings → Windows Update → Check for updates
2. The security update is offered if your system is in scope
3. Restart when prompted (may or may not be required for this update)

Microsoft Update Catalog (manual download)

1. Open https://catalog.update.microsoft.com
2. Search for KB5002753
3. Download the package matching your OS architecture and Windows build
4. Run the .msu installer with administrator privileges
5. Restart when prompted

WSUS / SCCM / Intune

Approve KB5002753 for the affected products in your update management console.

Microsoft Download Center Links

    https://www.microsoft.com/en-us/download/details.aspx?id=108285
    https://www.microsoft.com/en-us/download/details.aspx?id=108286
    https://www.microsoft.com/en-us/download/details.aspx?id=108287
    https://www.microsoft.com/en-us/download/details.aspx?id=108288
    https://www.microsoft.com/en-us/download/details.aspx?id=108289

Verification

Confirm the update is installed:

Get-HotFix | Where-Object { $_.HotFixID -in @('KB5002753','KB5002754','KB5002759','KB5002760','KB5002768') }
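
Comparing the server's SharePoint build number against the Fixed Build Numbers listed above is a second way to verify. This is an added example, not a script from this page or from Microsoft; the pairing of each fixed build with a product, the build ranges used to tell the product lines apart, the function name Test-SharePointBuildFixed and the sample builds are assumptions.

```powershell
# Fixed builds as listed on this page. Pairing each build with a product
# is an assumption of this example (the page lists them separately).
$FixedBuilds = @{
    'Microsoft SharePoint Enterprise Server 2016'      = [version]'16.0.5513.1001'
    'Microsoft SharePoint Server 2019'                 = [version]'16.0.10417.20037'
    'Microsoft SharePoint Server Subscription Edition' = [version]'16.0.18526.20508'
}

function Test-SharePointBuildFixed {
    # Hypothetical helper: reports whether a build is at or above the fixed build.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$BuildVersion
    )
    process {
        $parsed = $null
        if (-not ([version]::TryParse($BuildVersion, [ref]$parsed)) -or $parsed.Major -ne 16) {
            # Not a parsable 16.x build: report it instead of guessing a product line.
            return [pscustomobject]@{
                Build = $BuildVersion; Product = 'unrecognised'; FixedBuild = $null; Patched = $null
            }
        }
        # Assumption: the third version field separates the product lines
        # (below 10000 = 2016, 10000-13999 = 2019, 14000 and above = Subscription Edition).
        if     ($parsed.Build -lt 10000) { $product = 'Microsoft SharePoint Enterprise Server 2016' }
        elseif ($parsed.Build -lt 14000) { $product = 'Microsoft SharePoint Server 2019' }
        else                             { $product = 'Microsoft SharePoint Server Subscription Edition' }

        $fixed = $FixedBuilds[$product]
        [pscustomobject]@{
            Build      = $parsed
            Product    = $product
            FixedBuild = $fixed
            Patched    = ($parsed -ge $fixed)   # [version] compares field by field
        }
    }
}

# Constructed sample builds for illustration. On a farm server, pipe in
# (Get-SPFarm).BuildVersion.ToString() from the SharePoint Management Shell instead.
'16.0.5508.1000', '16.0.10417.20037', '16.0.18526.20424', 'not-a-build' |
    Test-SharePointBuildFixed |
    Format-Table -AutoSize
```

A row with Patched = False means the build is below the fixed build for its product line; a row marked 'unrecognised' needs manual review.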

References

    Microsoft Security Response Center: https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
    KB article: https://support.microsoft.com/help/5002753
    KB article: https://support.microsoft.com/help/5002759
    KB article: https://support.microsoft.com/help/5002760
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-53770
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53770

Discovery Credit

Viettel Cyber Security with Trend Zero Day Initiative, khoadha with vcslab of Viettel Cyber Security, fb8a5048b1d8827e8ae96f410d40bf00cc313e3cc307da0df9e18099c9398b51

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.