
CVE-2025-53770 PoC: Microsoft SharePoint Server Remote Code Execution Vulnerability

Associated Vulnerability

Title: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)

Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

Readme

# πŸ” Bluefire Redteam – SharePoint CVE-2025-53770 Detection & Remediation Toolkit

This open-source toolkit provides security teams with battle-tested scripts to detect, assess, and remediate the critical SharePoint zero-day vulnerability **CVE-2025-53770 (CVSS 9.8)**, which is currently being exploited in the wild.

> Maintained by [Bluefire Redteam](https://bluefire-redteam.com), a global offensive security firm.

---

## ⚠️ About CVE-2025-53770

- **Vulnerability**: Deserialization of untrusted data in on-prem SharePoint Server
- **Impact**: Unauthenticated Remote Code Execution (RCE), MachineKey theft, persistent compromise
- **Affected**: SharePoint Server 2016, 2019, Subscription Edition
- **Not affected**: SharePoint Online (Microsoft 365)

Once exploited, attackers can:
- Execute code before login
- Steal ASP.NET MachineKeys
- Forge trusted `__VIEWSTATE` payloads
- Remain persistent even after patching


## Why Use This Toolkit If Microsoft Already Released a Patch?

While Microsoft provides security updates and mitigation guidance, many organizations still struggle with operationalizing those instructions. This toolkit from Bluefire Redteam automates the detection of vulnerable SharePoint builds, verifies patch status, scans for indicators of compromise (IoCs), and performs critical actions like enabling AMSI and rotating MachineKeys, steps that Microsoft recommends but does not automate. It’s designed to help security teams quickly assess and harden their environments with minimal effort and zero guesswork, especially in large or hybrid deployments.


---

## ⚠️ Modification Disclaimer

This repository is maintained by Bluefire Redteam for informational and operational use only.

> ❗ Please **do not fork, modify, or create derivative scripts under this repository**.

If you need a custom version, contact our team directly via [bluefire-redteam.com/contact](https://bluefire-redteam.com/contact). Unauthorized modifications may introduce security risks and are not supported by Bluefire Redteam.


[Executive CISO Briefing](./docs/ciso-briefing.md)  
[Generate Local CISO Report](./scripts/generate-ciso-report.ps1)


## πŸ” Usage Instructions

### Step 1: Clone the Repository

```bash
git clone https://github.com/bluefireredteam/bluefire-sharepoint-cve-2025-53770.git
cd bluefire-sharepoint-cve-2025-53770
```

---

### Step 2: Run the Detection Script on Windows

```powershell
.\scripts\detect-vulnerability.ps1
```

This script:

* Detects installed SharePoint version and checks if it's vulnerable
* Checks if the latest patches are installed (KB5002754 / KB5002768)
* Verifies if AMSI is enabled
* Scans for known Indicators of Compromise (e.g., `spinstall0.aspx`, encoded PowerShell, suspicious w3wp.exe behavior)
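The checks listed for Step 2, as an added PowerShell example that is not the toolkit's own `detect-vulnerability.ps1`. It covers the patch check (the two KB numbers named above; only one applies to a given SharePoint version), the file-based IoC (`spinstall0.aspx`), and the "encoded PowerShell spawned by w3wp.exe" pattern, parsed from Security event 4688 message text. The LAYOUTS path is the default 16-hive install location and is an assumption, as is the requirement that 4688 process-creation auditing with command-line logging is enabled when you point the check at the live Security log. The two 4688 messages in the block are constructed sample data so the process check can be exercised offline; the encoded string decodes to the word PLACEHOLDER.

```powershell
# Added example (not the toolkit's detect-vulnerability.ps1): the checks Step 2 describes,
# with the process-creation check runnable offline on constructed sample events.
# Assumptions (not from the README): the 16-hive LAYOUTS path is the default install
# location; Security event 4688 with command-line auditing is enabled for live use.

$KbIds      = @('KB5002754', 'KB5002768')   # updates named in the README; one applies per version
$IocFiles   = @('spinstall0.aspx')          # dropped file name named in the README
$LayoutsDir = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'

function Test-SharePointPatchState {
    # One object per expected KB; Installed is $false when Get-HotFix finds nothing.
    foreach ($kb in $KbIds) {
        $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        [pscustomobject]@{ KB = $kb; Installed = [bool]$hit; InstalledOn = $hit.InstalledOn }
    }
}

function Find-LayoutsIoc {
    # Files in the LAYOUTS hive whose name matches a known dropped artefact.
    param([string]$Path = $LayoutsDir)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $IocFiles -contains $_.Name } |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

function Find-EncodedPowerShellFromW3wp {
    # Parses 4688 message text and flags PowerShell started with an encoded command
    # whose parent is the IIS worker process (the README's "encoded PowerShell" and
    # "suspicious w3wp.exe behavior" indicators). Benign admin PowerShell is not flagged.
    param([string[]]$EventMessages)
    foreach ($msg in $EventMessages) {
        $parent   = if ($msg -match '(?m)^\s*Creator Process Name:\s*(.+)$') { $Matches[1].Trim() } else { '' }
        $cmdline  = if ($msg -match '(?m)^\s*Process Command Line:\s*(.+)$')  { $Matches[1].Trim() } else { '' }
        $fromW3wp = $parent  -match '\\w3wp\.exe$'
        $encoded  = $cmdline -match 'powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b'
        if ($fromW3wp -and $encoded) {
            [pscustomobject]@{ Parent = $parent; CommandLine = $cmdline }
        }
    }
}

# Constructed sample 4688 messages: the first is the pattern to catch (encoded
# command decodes to "PLACEHOLDER"), the second is benign admin use and must pass.
$SampleEvents = @(
@"
A new process has been created.
New Process Name:       C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Creator Process Name:   C:\Windows\System32\inetsrv\w3wp.exe
Process Command Line:   powershell.exe -nop -w hidden -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA==
"@,
@"
A new process has been created.
New Process Name:       C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Creator Process Name:   C:\Windows\explorer.exe
Process Command Line:   powershell.exe -ExecutionPolicy Bypass -File C:\Admin\nightly-backup.ps1
"@
)

# --- run the checks ---
$patch = Test-SharePointPatchState
$files = Find-LayoutsIoc
$procs = Find-EncodedPowerShellFromW3wp -EventMessages $SampleEvents
# Against the real Security log instead of the constructed sample:
# $procs = Find-EncodedPowerShellFromW3wp -EventMessages (
#     Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 | ForEach-Object Message)

$patch | Format-Table -AutoSize
"LAYOUTS IoC files: $(@($files).Count)";           $files | Format-List
"Encoded PowerShell under w3wp: $(@($procs).Count)"; $procs | Format-List

$unpatched = -not ($patch | Where-Object Installed)
$suspect   = (@($files).Count -gt 0) -or (@($procs).Count -gt 0)
"Patch status: $(if ($unpatched) { 'MISSING - run remediation' } else { 'installed' })"
"IoC status:   $(if ($suspect) { 'artefacts found - treat as compromised and rotate keys' } else { 'none found' })"
```

Run it in an elevated PowerShell session on the SharePoint server. On the constructed sample the process check reports exactly one hit (the w3wp.exe parent with `-enc`); the `-File` backup job is ignored even though it uses `-ExecutionPolicy Bypass`, because the detection keys on the parent process plus an encoded command, not on PowerShell use in general. A missing patch with no IoC hits means "patch now"; any IoC hit means the MachineKeys must be assumed stolen, which is why Step 3 rotates them after patching rather than relying on the patch alone.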

---

### Step 3: Run the Remediation Script (If Vulnerable)

```powershell
.\scripts\remediate-vulnerability.ps1
```

This script:

* Verifies patch presence
* Enables Antimalware Scan Interface (AMSI)
* Rotates SharePoint ASP.NET MachineKeys
* Restarts IIS services
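The patch check, key rotation and IIS restart from Step 3, as an added PowerShell example that is not the toolkit's own `remediate-vulnerability.ps1`. It assumes it is run in the SharePoint Management Shell by a farm administrator, that `Update-SPMachineKey` (the SharePoint cmdlet for machine-key rotation) is available on the patched build, and that the KB numbers are the ones the README lists. AMSI enablement is left to the toolkit; this example only shows the "verify patch, then rotate, then restart" ordering and why that order matters. `-WhatIf` previews every change without applying it.

```powershell
# Added example (not the toolkit's remediate-vulnerability.ps1). Run in the SharePoint
# Management Shell as a farm administrator; repeat the iisreset on every server in the farm.
# Assumptions: Update-SPMachineKey is present on the patched build; KB list from the README.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$RequiredKb = @('KB5002754', 'KB5002768')   # one of these applies per SharePoint version
)

# 1. Verify patch presence first. Rotating keys on an unpatched server is pointless:
#    the same deserialization flaw lets an attacker read the new keys straight back out.
$present = foreach ($kb in $RequiredKb) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $kb }
}
if (-not $present) {
    throw "None of $($RequiredKb -join ', ') is installed. Apply the security update, then re-run."
}
Write-Host "Patch present: $($present -join ', ')"

# 2. Rotate the ASP.NET machine keys of every web application, Central Administration included,
#    so that any __VIEWSTATE payload signed with stolen keys stops validating.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    if ($PSCmdlet.ShouldProcess($wa.Url, 'Update-SPMachineKey')) {
        Update-SPMachineKey -WebApplication $wa
        Write-Host "Rotated machine key for $($wa.Url)"
    }
}

# 3. Restart IIS so running worker processes drop the old keys and any in-memory payload.
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'iisreset')) {
    & iisreset.exe /noforce
}
```

Preview with `.\rotate-keys.ps1 -WhatIf` (the file name is whatever you save the block as) and then run it for real once; the restart must then be repeated on each remaining server, since key rotation is farm-wide but the worker processes are per host.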

---

### 🐧 Step 4: Run the Linux Hybrid Scan (Optional)

```bash
bash ./scripts/hybrid-ioc-scan.sh
```

Useful for:

* Reverse proxies, DMZ servers, or shared Linux environments connected to vulnerable SharePoint instances
* Scanning for dropped payloads, encoded PowerShell, or lateral movement behavior




## Support / Consulting

Need help analyzing your environment or running this toolkit at scale?

[Contact Bluefire Redteam](https://bluefire-redteam.com/contact)

---

## License

This project is licensed under the [MIT License](./LICENSE).

---

## ⭐️ Why This Matters

SharePoint sits at the core of many enterprise intranets, workflows, and DevOps pipelines. CVE-2025-53770 allows unauthenticated attackers to take full control of these environments with minimal friction. This toolkit gives defenders a reliable first line of defense, backed by a red team’s real-world testing.

File Snapshot

[4.0K] /data/pocs/769cc7a7ed4b53c5f74b729df0fd4b1e2cef6dcd
├── [4.0K] docs
│   └── [3.2K] ciso-briefing.md
├── [1.3K] LICENSE
├── [3.9K] README.md
└── [4.0K] scripts
    ├── [2.8K] detect-vulnerability.ps1
    ├── [1.7K] generate-ciso-report.ps1
    ├── [ 826] hybrid-ioc-scan.sh
    └── [1.1K] remediate-vulnerability.ps1

2 directories, 7 files