
CVE-2025-53770 PoC — Microsoft SharePoint Server Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)
Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Description
A Python-based reconnaissance scanner for safely identifying potential exposure to SharePoint vulnerability CVE-2025-53770.
Readme

# CVE-2025-53770 Scanner by DanSec

**A simple, effective reconnaissance tool to identify potential exposure to the critical SharePoint vulnerability CVE-2025-53770.**


> [!WARNING]
>
> **This tool is intended for authorised testing purposes only.**  
> The author (`DanSec`) takes **no responsibility** for misuse or damage caused by unauthorised scanning or usage. Ensure you have explicit permission to scan any domain or service before using this tool.


## About CVE-2025-53770

**CVE-2025-53770 ("ToolShell")** is a critical vulnerability affecting on-premises SharePoint Server versions 2016, 2019, and Subscription Edition.  

It enables unauthenticated remote code execution (RCE) via:

- Authentication bypass by header spoofing (CVE-2025-53771)
- Upload of a malicious ASPX web shell (`spinstall0.aspx`)
- Extraction of cryptographic secrets from `web.config`
- Unsafe deserialization exploiting `ViewState` to execute code remotely

This vulnerability has been actively exploited, prompting urgent warnings from authorities worldwide.

**For detailed information:**

- [Microsoft Security Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770)
- [Trend Micro Analysis](https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html)
- [Rapid7 Analysis](https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/)

---

## What Does This Scanner Do?

- Performs subdomain enumeration (using `Sublist3r` and `crt.sh`) to identify potential SharePoint hosts.
- Safely checks each discovered subdomain for signs of vulnerability to CVE-2025-53770.
- Outputs results in a structured CSV file for easy review.

**This scanner DOES NOT exploit the vulnerability.** It merely identifies potential points of exposure.

---

## Installation

Clone the repository and install dependencies:

```bash
git clone https://github.com/Sec-Dan/CVE-2025-53770-Scanner.git
cd CVE-2025-53770-scanner
pip install -r requirements.txt
```

---

## Usage

```bash
python spScanner.py <target_domain> [options]
```

**Example:**

```bash
python spScanner.py example.com --threads 5 --retries 2
```

## Available Flags

| Flag              | Description                                        | Default   |
| ----------------- | -------------------------------------------------- | --------- |
| `<target_domain>` | Root domain to scan (required)                     | -         |
| `-o, --output`    | CSV output filename                                | `CVE-2025-53770_output.csv` |
| `--passive`       | Run a passive scan (skip subdomain enumeration)    | Disabled  |
| `--threads`       | Number of concurrent scan threads                  | `1`       |
| `--retries`       | Number of retries per host                         | `1`       |
| `--rate-limit`    | Max requests per second (0 for unlimited)          | `0`       |

---

## Interpreting Results

- **VULNERABLE (Red):** the probe returned HTTP 200 OK; the host is potentially vulnerable and should be verified manually
- **CLEAN (Green):** the probe returned any other HTTP status; the host is likely not exposed
- **ERRORS (Yellow):** the probe did not complete because of a connection or network error

The resulting CSV file will contain detailed status for each scanned subdomain.
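The two building blocks described above (collecting candidate hosts from `crt.sh`, then bucketing each probe result into the CSV) can be reproduced offline. The following is an added example, not code from the DanSec repository: `hosts_from_crtsh`, `classify` and `build_csv` are hypothetical helpers, and the crt.sh JSON and probe outcomes are constructed samples in the shape those sources return.

```python
import csv
import io
import json

# Constructed sample of what https://crt.sh/?q=%25.example.com&output=json returns.
# Only the fields used here are included; note the newline-packed SANs, the
# wildcard entry, the mixed case, and the look-alike domain that must be excluded.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "sharepoint.example.com\nwww.example.com"},
    {"name_value": "*.example.com"},
    {"name_value": "SharePoint.Example.com"},
    {"name_value": "intranet.example.com.evil.test"},
    {"name_value": "portal.example.com"},
])

# Constructed probe outcomes: an HTTP status when the request completed,
# or an error string when it did not (the README's three result buckets).
SAMPLE_PROBES = [
    {"host": "sharepoint.example.com", "status": 200, "error": ""},
    {"host": "portal.example.com", "status": 401, "error": ""},
    {"host": "www.example.com", "status": 404, "error": ""},
    {"host": "example.com", "status": None, "error": "connection timed out"},
]


def hosts_from_crtsh(json_text: str, root_domain: str) -> list[str]:
    """Deduplicated, sorted list of in-scope hostnames from crt.sh JSON output."""
    root = root_domain.lower().strip(".")
    hosts = set()
    for entry in json.loads(json_text):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().lstrip("*.")   # drop wildcard prefix
            if name == root or name.endswith("." + root):  # reject look-alikes
                hosts.add(name)
    return sorted(hosts)


def classify(status, error: str) -> str:
    """Map one probe outcome onto the README's VULNERABLE / CLEAN / ERROR buckets."""
    if error:
        return "ERROR"        # yellow: connection or network error
    if status == 200:
        return "VULNERABLE"   # red: HTTP 200 OK, potentially exposed, verify manually
    return "CLEAN"            # green: any other HTTP response


def build_csv(probes) -> str:
    """Render probe outcomes as the kind of CSV report the scanner writes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["host", "status", "verdict", "error"])
    writer.writeheader()
    for p in probes:
        writer.writerow({"host": p["host"], "status": "" if p["status"] is None else p["status"],
                         "verdict": classify(p["status"], p["error"]), "error": p["error"]})
    return buf.getvalue()
```

A 200 from the probe only flags a host for follow-up; confirming patch level still requires checking the installed SharePoint build against the Microsoft advisory.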

---

## Responsible Usage

- **Always obtain explicit authorization** before scanning.
- Inform stakeholders before initiating scans, especially in sensitive environments.
- Use only on systems you own, manage, or have explicit consent to test.

---

## Issues & Contributions

Found a bug or have a feature request? Open an issue or pull request!

**Stay safe, and happy scanning!**  
— *DanSec*
File Snapshot

```text
[4.0K] /data/pocs/0d21f6002c927d782b0a34813356093f81a2f37e
├── [3.5K] README.md
├── [  24] requirements.txt
├── [1.1K] splash.txt
└── [7.8K] spScanner.py

0 directories, 4 files
```