
CVE-2025-53770 PoC — Microsoft SharePoint Server Remote Code Execution Vulnerability

Associated Vulnerability

Title: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)

Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Description
Scans Windows IIS logs for signs of CVE-2025-53770 & CVE-2025-53771
Readme
# ToolShellFinder: CVE-2025-53770 & CVE-2025-53771 Detection

A PowerShell script for **detecting indicators of compromise (IoCs) for CVE-2025-53770 and CVE-2025-53771** in Microsoft IIS logs.  
This script is hacked together to help DFIR teams, sysadmins, and security professionals identify suspicious activity associated with these vulnerabilities in SharePoint environments.

## Table of Contents

- [Background](#background)
- [What This Script Does](#what-this-script-does)
- [Usage](#usage)
- [Indicators of Compromise](#indicators-of-compromise)

---

## Background

**CVE-2025-53770** and **CVE-2025-53771** are recently disclosed vulnerabilities in on-premises Microsoft SharePoint Server that can lead to remote code execution. The observed exploitation involves crafted POST requests to `/_layouts/15/ToolPane.aspx` (with a `Referer` of `/_layouts/SignOut.aspx`), files dropped under `/_layouts/`, and abuse of `__VIEWSTATE` parameters. Each of these steps is an HTTP request to the SharePoint site, so it leaves a trace in the IIS logs; this script looks for those traces.

---

## What This Script Does

- **Recursively scans IIS log files** for patterns linked to exploitation attempts of these CVEs.
- **Identifies and collects matches** for four major sets of IoCs (see below).
- **Outputs a summary table** of detected events and exports detailed results to CSV for further analysis.

---

## Usage

1. **Copy the script to your investigation workstation.**
2. **Set the `$logRoot` path** at the top of the script if your IIS logs are not in `C:\inetpub\logs\LogFiles`.
3. **Run the script in a PowerShell window:**

   ```powershell
   .\toolshellfinder.ps1
   ```

---

## Indicators of Compromise

1. **ToolPane Exploitation Attempts (POST)**
   - HTTP Method: POST
   - Path: `/_layouts/15/ToolPane.aspx` or `/_layouts/16/ToolPane.aspx`
   - Query String: contains `DisplayMode=Edit&a=/ToolPane.aspx`
   - Referer: contains `/_layouts/SignOut.aspx`

2. **Suspicious File Drops (GET)**
   - HTTP Method: GET
   - Referer: contains `/_layouts/SignOut.aspx`
   - Path: a known dropped file under `/_layouts/15/` or `/_layouts/16/` (e.g. `spinstall.aspx`, `debug_dev.js`)

3. **start.aspx Enumeration (GET, Suspicious User-Agent)**
   - HTTP Method: GET
   - Path: `/_layouts/15/start.aspx` or `/_layouts/16/start.aspx`
   - User-Agent: contains `curl`, `powershell`, or `python` (case-insensitive, anywhere in the UA string)

4. **Malicious success.aspx & ViewState (Suspicious User-Agent & Query)**
   - Path: `/_layouts/15/success.aspx` or `/_layouts/16/success.aspx`
   - Query String: starts with a long `__VIEWSTATE=` value (40 or more characters, indicative of a payload)
   - User-Agent: contains `curl`, `powershell`, or `python`

Rule 1 is the strongest signal: a POST to `ToolPane.aspx` carrying a `SignOut.aspx` Referer is not part of normal SharePoint usage. Rules 3 and 4 key on the User-Agent and will also catch legitimate scripted access (monitoring probes, automation), so treat those hits as leads to triage against the surrounding requests from the same client IP rather than as confirmed compromise.
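As an added example (this is not the project's `toolshellfinder.ps1`, which is PowerShell and not reproduced on this page), the following Python scanner implements the four rule sets above over IIS logs in the W3C extended format. It reads the `#Fields:` directive so the column order of a given site's logs does not matter, applies the rules in README order, and runs against a constructed sample log embedded in the block (the traffic is invented for illustration; `parse_w3c`, `classify`, `scan`, `scan_tree` and `summarize` are this example's own names). The file-drop list contains only the two names the README cites and is meant to be extended with any further IoCs.

```python
"""Added example: the four ToolShell IoC rule sets applied to IIS W3C logs (not the project's script)."""
import re
from collections import Counter
from pathlib import Path

LAYOUTS = r"^/_layouts/1[56]/"
TOOLPANE_PATH = re.compile(LAYOUTS + r"ToolPane\.aspx$", re.I)
TOOLPANE_QUERY = re.compile(r"DisplayMode=Edit&a=/ToolPane\.aspx", re.I)
SIGNOUT_REFERER = re.compile(r"/_layouts/SignOut\.aspx", re.I)
# Only the two file names the README lists; extend this tuple as further IoCs are published.
DROPPED_FILES = ("spinstall.aspx", "debug_dev.js")
DROPPED_PATH = re.compile(LAYOUTS + "(" + "|".join(map(re.escape, DROPPED_FILES)) + ")$", re.I)
START_PATH = re.compile(LAYOUTS + r"start\.aspx$", re.I)
SUCCESS_PATH = re.compile(LAYOUTS + r"success\.aspx$", re.I)
VIEWSTATE_QUERY = re.compile(r"^__VIEWSTATE=[^&]{40,}", re.I)  # query starts with a 40+ char value
SCRIPTED_UA = re.compile(r"curl|powershell|python", re.I)      # anywhere in the UA, case-insensitive


def parse_w3c(lines):
    """Yield one dict per request, keyed by the column names from the '#Fields:' directive.
    IIS writes '-' for an empty field and '+' for spaces inside a field, so splitting on
    single spaces is safe. Lines before any '#Fields:' header (column order unknown) and
    lines whose field count does not match the header (truncated/corrupt) are skipped."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def classify(rec):
    """Return the name of the first README rule the request matches, or None."""
    method = rec.get("cs-method", "")
    path = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "")
    ua = rec.get("cs(User-Agent)", "")
    referer = rec.get("cs(Referer)", "")
    if (method == "POST" and TOOLPANE_PATH.search(path)
            and TOOLPANE_QUERY.search(query) and SIGNOUT_REFERER.search(referer)):
        return "1-toolpane-post"
    if method == "GET" and DROPPED_PATH.search(path) and SIGNOUT_REFERER.search(referer):
        return "2-file-drop"
    if method == "GET" and START_PATH.search(path) and SCRIPTED_UA.search(ua):
        return "3-start-enum"
    if SUCCESS_PATH.search(path) and VIEWSTATE_QUERY.match(query) and SCRIPTED_UA.search(ua):
        return "4-success-viewstate"
    return None


def scan(lines):
    """Classify every request in an iterable of log lines; each hit is the record plus a 'rule' key."""
    return [dict(rec, rule=rule) for rec in parse_w3c(lines) if (rule := classify(rec))]


def scan_tree(root):
    """Recursively scan every *.log under root (the README script defaults to C:/inetpub/logs/LogFiles)."""
    hits = []
    for log in Path(root).rglob("*.log"):
        with open(log, encoding="utf-8", errors="replace") as fh:
            hits.extend(scan(fh))
    return hits


def summarize(hits):
    """Per-rule hit counts, the equivalent of the script's summary table."""
    return dict(Counter(h["rule"] for h in hits))


# Constructed sample log (invented traffic for illustration): four matching requests, then two benign ones.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:11:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/_layouts/SignOut.aspx 200 0 0 412
2025-07-19 02:11:41 10.0.0.5 GET /_layouts/15/spinstall.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/_layouts/SignOut.aspx 200 0 0 15
2025-07-19 02:12:03 10.0.0.5 GET /_layouts/16/start.aspx - 443 - 203.0.113.7 python-requests/2.32.3 - 200 0 0 8
2025-07-19 02:12:09 10.0.0.5 GET /_layouts/15/success.aspx __VIEWSTATE=/wEPDwUKLTY3ODAxMjA5OGRkQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB 443 - 203.0.113.7 curl/8.7.1 - 200 0 0 9
2025-07-19 02:13:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\jsmith 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/SitePages/Home.aspx 200 0 0 30
2025-07-19 02:13:05 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\jsmith 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/_layouts/15/start.aspx 200 0 0 55
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['rule']:22} {h['date']} {h['time']} {h['c-ip']:15} {h['cs-method']:4} "
              f"{h['cs-uri-stem']} {h['cs(User-Agent)']}")
    print(summarize(found))
```

On the sample, the first four requests produce one hit per rule and the two browser-driven requests from `10.0.0.42` produce none: the benign `start.aspx` visit fails the User-Agent test, and the benign `ToolPane.aspx` POST lacks both the `a=/ToolPane.aspx` query fragment and the `SignOut.aspx` Referer. Point `scan_tree` at a copy of the log directory to run it against real data.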

---


File Snapshot

[4.0K] /data/pocs/380d77027ed9e3538bbc29cca80e8d98fac62653
├── [2.4K] README.md
└── [5.7K] toolshellfinder.ps1

0 directories, 2 files