CVE-2025-54897 Overview
CVE-2025-54897 is a deserialization of untrusted data vulnerability [CWE-502] in Microsoft Office SharePoint Server. An authenticated attacker can send a crafted serialized payload over the network to trigger unsafe object deserialization and execute arbitrary code on the SharePoint server. The flaw affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Microsoft published an advisory on September 9, 2025, and has issued security updates through the Microsoft Security Response Center.
Critical Impact
Authenticated attackers can achieve remote code execution on SharePoint servers, exposing site collections, credentials, and lateral movement paths across the enterprise.
Affected Products
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 Enterprise
Discovery Timeline
- 2025-09-09 - Microsoft publishes security advisory for CVE-2025-54897
- 2025-09-09 - CVE-2025-54897 published to the National Vulnerability Database (NVD)
- 2025-09-12 - Last updated in NVD database
Technical Details for CVE-2025-54897
Vulnerability Analysis
The vulnerability arises when SharePoint Server deserializes attacker-controlled data without sufficient type validation. An authenticated user with low privileges can submit a malicious serialized object through a network-accessible SharePoint endpoint. During deserialization, the server reconstructs gadget chains that invoke arbitrary methods, leading to code execution in the context of the SharePoint application pool identity.
Successful exploitation grants the attacker the ability to read and modify content databases, harvest machine keys, and pivot to other systems trusted by the SharePoint farm. Because SharePoint typically runs with elevated service privileges, the impact extends beyond the application layer to the underlying Windows host.
The EPSS model assigns this issue a noticeably elevated exploitation probability, indicating that adversaries view SharePoint deserialization flaws as high-value targets.
Root Cause
The root cause is insecure deserialization [CWE-502]. SharePoint accepts serialized objects from a network-facing interface and reconstructs them without enforcing a strict allow-list of safe types. Untrusted payloads can therefore instantiate classes whose constructors or property setters execute system operations.
Attack Vector
The attack vector is network-based and requires authenticated access to the SharePoint site. No user interaction is required after the attacker authenticates. An attacker with any valid SharePoint account, including a low-privilege contributor, can craft a serialized payload and submit it to a vulnerable handler. The deserialization routine then executes the embedded gadget chain server-side. Because the CVE does not have a published proof of concept, exploitation details remain limited to the Microsoft advisory.
Detection Methods for CVE-2025-54897
Indicators of Compromise
- Unexpected child processes spawned by w3wp.exe running under SharePoint application pool accounts, especially cmd.exe, powershell.exe, or csc.exe.
- Anomalous .aspx or .dll files written to SharePoint LAYOUTS, TEMPLATE, or _app_bin directories.
- Outbound network connections from SharePoint servers to previously unseen external hosts immediately following authenticated POST requests.
- IIS logs showing authenticated POST requests with large binary payloads to SharePoint application endpoints.
Detection Strategies
- Monitor IIS and SharePoint ULS logs for serialized payload signatures such as __type, TypeObject, or BinaryFormatter markers in request bodies.
- Alert on process lineage where SharePoint worker processes spawn scripting or compilation utilities.
- Hunt for newly created scheduled tasks, services, or local accounts on SharePoint front-end and application servers.
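The indicators and detection strategies above, expressed as two rules run over constructed sample data (an added example, not code from the page or from Microsoft): an IIS W3C log rule for large authenticated POSTs to SharePoint application paths, and a process-lineage rule for w3wp.exe spawning a shell or compiler. The W3C field order, the 100 KB threshold, the URL roots, the handler name and the account names are assumptions.

```python
# Constructed sample IIS W3C log (not from the page). The default W3C field order
# is assumed; cs-bytes is the request size and cs-username is '-' when anonymous.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-bytes sc-status
2025-09-10 08:01:12 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice 10.0.1.20 612 200
2025-09-10 08:02:45 10.0.0.5 POST /_layouts/15/placeholder_handler.aspx - 443 CORP\\bob 10.0.1.33 183520 200
2025-09-10 08:03:01 10.0.0.5 POST /_layouts/15/placeholder_handler.aspx - 443 - 10.0.1.40 212000 401
2025-09-10 08:03:30 10.0.0.5 POST /_api/contextinfo - 443 CORP\\alice 10.0.1.20 240 200
"""

# Constructed process-creation events (parent -> child), shaped like a normalised
# Sysmon Event ID 1 or EDR feed. sp_apppool is a hypothetical app pool account.
PROCESS_EVENTS = [
    {"parent": "w3wp.exe", "user": "CORP\\sp_apppool", "child": "csc.exe"},
    {"parent": "w3wp.exe", "user": "CORP\\sp_apppool", "child": "cmd.exe"},
    {"parent": "explorer.exe", "user": "CORP\\alice", "child": "powershell.exe"},
    {"parent": "w3wp.exe", "user": "CORP\\sp_apppool", "child": "conhost.exe"},
]

LARGE_BODY = 100_000  # bytes; tune to the farm's normal POST sizes (assumption)
SP_PATHS = ("/_layouts/", "/_vti_bin/", "/_api/")  # SharePoint application URL roots
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "csc.exe"}

def parse_iis(log):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def large_authenticated_posts(log, threshold=LARGE_BODY):
    """IoC rule: authenticated POSTs with oversized bodies to SharePoint app paths."""
    hits = []
    for r in parse_iis(log):
        if (r["cs-method"] == "POST" and r["cs-username"] != "-"
                and r["cs-uri-stem"].lower().startswith(SP_PATHS)
                and int(r["cs-bytes"]) > threshold):
            hits.append((r["cs-username"], r["cs-uri-stem"], int(r["cs-bytes"])))
    return hits

def suspicious_w3wp_children(events):
    """Lineage rule: SharePoint worker process spawning a shell or compiler."""
    return [(e["user"], e["child"]) for e in events
            if e["parent"].lower() == "w3wp.exe" and e["child"].lower() in SUSPECT_CHILDREN]

if __name__ == "__main__":
    print(large_authenticated_posts(IIS_LOG))
    print(suspicious_w3wp_children(PROCESS_EVENTS))
```

IIS logs record request size and identity but not request bodies, so the __type or BinaryFormatter markers named above need WAF or request-capture telemetry rather than this parser.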
Monitoring Recommendations
- Enable detailed IIS request logging and forward logs to a centralized SIEM for correlation.
- Deploy endpoint behavioral monitoring on SharePoint servers to detect post-exploitation activity such as credential dumping and lateral movement.
- Review SharePoint farm administrator and site collection administrator group memberships on a recurring schedule.
How to Mitigate CVE-2025-54897
Immediate Actions Required
- Apply the September 2025 Microsoft security updates for the affected SharePoint Server versions, as referenced in the Microsoft Security Update CVE-2025-54897 advisory.
- Rotate SharePoint machine keys and service account credentials if there is any suspicion of prior compromise.
- Restrict SharePoint authentication to trusted users and review recently created accounts for unauthorized access.
Patch Information
Microsoft has released security updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Administrators should obtain the cumulative update packages from the Microsoft Security Update CVE-2025-54897 advisory and deploy them to all front-end, application, and search servers in the farm.
Workarounds
- Limit network exposure of SharePoint Server by placing it behind an authenticated VPN or a zero-trust network access gateway where business requirements allow.
- Enforce least-privilege access on SharePoint sites to reduce the population of users who could exploit the vulnerability.
- Configure web application firewall rules to inspect and block requests containing suspicious serialized object signatures targeting SharePoint endpoints.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.