High

Microsoft SharePoint Deserialization RCE

IdentifiersCVE-2025-54897CWE-502· Deserialization of Untrusted Data

CVE-2025-54897 is a remote code execution vulnerability in Microsoft Office SharePoint caused by deserialization of untrusted data. According to the provided content, SharePoint improperly handles attacker-controlled serialized data, allowing an authorized attacker to trigger code execution over the network. No additional vulnerable component, method, or function is identified in the supplied material.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote code execution in Microsoft Office SharePoint by an authorized attacker. In practical terms, this can enable execution of attacker-supplied code on the target SharePoint server, which may lead to full compromise of the SharePoint application and potentially broader impact to connected enterprise resources depending on the server's privileges and environment.

Mitigation

If you can’t patch tonight, do this now.

Prioritize deployment of the September 9, 2025 Microsoft security updates after appropriate testing. Until patching is complete, reduce exposure by limiting SharePoint access to trusted users and networks, closely monitoring SharePoint servers for suspicious activity, and preparing incident response actions if exploitation is suspected. The provided content does not include a SharePoint-specific vendor workaround beyond patching.

Remediation

Patch, then assume compromise.

Apply Microsoft's September 2025 security updates for affected Microsoft products, including the patch addressing CVE-2025-54897, in accordance with the September 2025 Patch Tuesday guidance referenced in the provided advisories. Validate patch deployment through normal patch compliance processes and investigate any indications of prior compromise separately, as patching does not remediate historical attacker access.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationSharepoint Serverapplication

Microsoft CorporationSharepoint Server 2016application

Microsoft CorporationSharepoint Server 2019application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

securelistNews

Dec 23, 2025

Webrat, disguised as exploits, is spreading via GitHub repositories | Securelist

A CVE identifier used as lure branding for a malicious GitHub repository in the Webrat distribution campaign; the article does not describe the vulnerability itself.

help net securityNews

Dec 23, 2025

Budding infosec pros and aspiring cyber crooks targeted with fake PoC exploits

A remote code execution vulnerability in Microsoft SharePoint.

bank info securityNews

Sep 11, 2025

Breach Roundup: Vidar Strikes Back

A remote code execution vulnerability in Microsoft SharePoint.

govinfosecurityNews

Sep 11, 2025

Breach Roundup: Vidar Strikes Back

A remote code execution vulnerability in Microsoft SharePoint.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-54897

NVD

nvd.nist.gov/vuln/detail/CVE-2025-54897

MITRE CWE · CWE-502

Deserialization of Untrusted Data

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54897