CVE-2025-53770 PoC: Microsoft SharePoint Server Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)
Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Description
🎯 Vulnerability scanner for SharePoint servers affected by CVE-2025-53770. Detects unsafe deserialization using ToolPane.aspx with a crafted base64+gzip payload. 🛡️ Developed by Ahmed Tamer.
Readme

# 🛡️ CVE-2025-53770 SharePoint Vulnerability Scanner

A Python-based tool to detect vulnerable Microsoft SharePoint instances affected by **CVE-2025-53770**, an insecure deserialization vulnerability triggered via the `ToolPane.aspx` endpoint. The scanner sends a crafted, compressed ViewState payload to determine if the target leaks internal serialized objects.

---

## 🚀 Features

- ✅ Detects SharePoint instances vulnerable to CVE-2025-53770
- ✅ Supports scanning a single target or bulk URLs from a file
- ✅ Uses a safe `Scorecard:ExcelDataSet` test payload
- ✅ Decodes and decompresses reflected base64+gzip ViewState data
- ✅ Minimal dependencies and works with standard tools (`curl`, `base64`, `gzip`)
- ✅ Colored CLI output for easy identification

---

## 📖 CVE Details

- **CVE**: CVE-2025-53770
- **Component**: Microsoft SharePoint (`ToolPane.aspx`)
- **Vulnerability Type**: Insecure Deserialization / Unsafe ViewState Reflection
- **Severity**: High – May lead to sensitive data disclosure or remote code execution (RCE)
- **Test Marker**: `IntruderScannerDetectionPayload`, `ExcelDataSet`, `divWaiting`, `ProgressTemplate`, `Scorecard`
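
A defender-side companion to the scanner described above, added here as an example and not part of the original repository: it reads IIS W3C logs and lists requests to `ToolPane.aspx` per client IP. The log excerpt, paths and IP addresses are constructed; the field layout is taken from the `#Fields` header, and flagging a `curl/` user agent is an assumption based on the README listing `curl` as a requirement.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-21 09:14:02 GET /SitePages/Home.aspx - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-21 09:14:05 POST /_layouts/15/ToolPane.aspx - 203.0.113.9 curl/8.5.0 200
2025-07-21 09:14:09 POST /_layouts/15/toolpane.aspx - 203.0.113.9 curl/8.5.0 401
2025-07-21 09:15:40 GET /_layouts/15/start.aspx - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# The endpoint named on this page; IIS paths are case-insensitive.
ENDPOINT = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)


def find_toolpane_requests(log_text):
    """Return {client_ip: [hit, ...]} for requests whose URI stem ends in ToolPane.aspx.

    Hits are leads for review, not proof of exploitation.
    """
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        if not ENDPOINT.search(rec.get("cs-uri-stem", "")):
            continue
        hits[rec.get("c-ip", "?")].append({
            "when": f"{rec.get('date', '')} {rec.get('time', '')}".strip(),
            "method": rec.get("cs-method", "?"),
            "status": rec.get("sc-status", "?"),
            "scripted": rec.get("cs(User-Agent)", "").lower().startswith("curl/"),
        })
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in find_toolpane_requests(SAMPLE_LOG).items():
        for r in reqs:
            flag = " [curl user agent]" if r["scripted"] else ""
            print(f"{ip} {r['when']} {r['method']} -> {r['status']}{flag}")
```
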

---

## 🧑‍💻 Usage

```bash
# Scan a single SharePoint URL
python3 CVE-2025-53770_Scanner.py -u https://target.sharepoint.com

# Scan multiple URLs from a file
python3 CVE-2025-53770_Scanner.py -f targets.txt
```

**Example targets.txt file:**

```
https://intranet.company.com
https://sharepoint.university.edu
https://portal.corporate.net
```

---

## 📦 Requirements

* Python 3.x
* `curl`, `base64`, `gzip` installed and available in system path
* Python module: `colorama`

Install the Python dependency:

```bash
pip install colorama
```

---

## 🔍 Sample Output

```bash
[>] Scanning: https://vulnerable.sharepoint.com
[VULNERABLE] https://vulnerable.sharepoint.com returned payload marker!
```

---

## 📝 License

This project is licensed under the [MIT License](LICENSE).

---

## 👤 Author

**Ahmed Tamer**
Cybersecurity Researcher | Bug Hunter | Red Teamer

* 💼 [LinkedIn](https://www.linkedin.com/in/ahmed-tamer-b8977b35a)

---

## ⚠️ Ethical Disclaimer

> This tool is developed for **educational and authorized security testing purposes only**.
> You are **not allowed** to use this tool against systems you do not own or lack explicit permission to test.
> Misuse of this software may result in criminal charges - **use responsibly and ethically.**

---

File Snapshot

```
[4.0K] /data/pocs/47b5907a1cb5f874f321e7352e61bf4a815b5e87
├── [3.4K] CVE-2025-53770_Scanner.py
├── [1.0K] LICENSE
└── [2.4K] README.md

0 directories, 3 files
```