
CVE-2025-53770 PoC — Microsoft SharePoint Server Remote Code Execution Vulnerability

Associated vulnerability
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)
Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
# SharePoint ToolPane RCE Exploit

![funny.jpg](funny.jpg)

[![Build Status](https://img.shields.io/badge/build-passing-brightgreen?style=flat-square)](https://github.com)
[![Python 3.x](https://img.shields.io/badge/python-3.x-blue?style=flat-square&logo=python)](https://www.python.org)
[![CVE-2025-53770](https://badgen.net/badge/CVE-2025-53770/critical/red?icon=security)](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770)
[![License](https://img.shields.io/badge/license-educational-yellow?style=flat-square)](#disclaimer)

> **Security research toolkit for testing SharePoint ToolPane vulnerabilities**

[Overview](#overview) • [Features](#features) • [Getting started](#getting-started) • [Usage](#usage) • [Project structure](#project-structure)

This repository contains proof-of-concept exploits and analysis tools for the SharePoint ToolPane vulnerability (CVE-2025-53770). The project demonstrates exploitation techniques including authentication bypass and unsafe deserialization vulnerabilities affecting Microsoft SharePoint Server.

> [!WARNING]
> **For authorized security testing only.** This project is intended for educational purposes, penetration testing, and security research on systems you own or have explicit permission to test.

## Overview

CVE-2025-53770 is a critical vulnerability in Microsoft SharePoint Server that allows unauthenticated remote code execution through a combination of authentication bypass and unsafe deserialization. This vulnerability affects SharePoint Server 2019 and is particularly dangerous as it requires no authentication.

The vulnerability chain includes:
- **CVE-2025-49706** - Authentication bypass affecting ToolPane.aspx
- **CVE-2025-53771** - Patch bypass for CVE-2025-49706
- **CVE-2025-49704** - Unsafe deserialization vulnerability
- **CVE-2025-53770** - Patch bypass targeting different endpoints

## Features

- **Multiple exploitation methods** - Python and cURL implementations
- **Target scanning** - Automated vulnerable version detection
- **Payload analysis** - Tools to decode and analyze exploit payloads
- **Comprehensive documentation** - Detailed vulnerability analysis and exploitation guidance
- **Real-world testing** - Proven against multiple SharePoint versions

## Getting started

### Prerequisites

- **Python 3.x** with `requests` and `urllib3` libraries
- **Network access** to target SharePoint servers
- **Authorization** to test target systems

## Usage

### Scanning for vulnerable targets

Use the scanner to identify potentially vulnerable SharePoint installations:

```bash
python3 scanner/scanner.py <target_ip_or_hostname>
```

### Running the exploit

#### Python exploitation
Execute the main Python exploit against a target:

```bash
python3 exploit/exploit.py <target_ip_or_hostname>
```

Example output:
```
[+] Targeting: http://192.168.1.100
[+] Sending exploit payload...
[+] Response Status: 200
[+] Response Length: 1234 bytes
```

#### cURL testing
Test using the provided cURL commands:

```bash
# Review the cURL file for specific commands
cat metasploit_ref/cURL
```

### Analyzing responses

Use the analysis tool to decode and examine exploit responses:

```bash
python3 analysis/analyse.py
```

This tool extracts and decodes base64-encoded payloads from captured traffic.
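A defender-side sketch of the nested decoding the analysis tool performs, added here as an example and not the repository's own `analyse.py`: it finds base64 runs in captured traffic, decodes each one and recurses into decoded text so that an inner layer wrapped inside an outer one is surfaced, matching the outer/inner split of the files in `out/`. The request line, header values and form field name in the sample are constructed, not taken from real traffic.

```python
import base64
import re
from typing import List, Optional

# A base64 run long enough to be a payload rather than a token fragment.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_b64_loose(blob: str) -> Optional[bytes]:
    """Decode one run, tolerating stripped '=' padding; None if it is not base64."""
    unpadded = blob.rstrip("=")
    try:
        return base64.b64decode(unpadded + "=" * (-len(unpadded) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_text(data: bytes) -> bool:
    """Mostly printable ASCII: the decoded layer is worth searching for inner runs."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return bool(data) and printable / len(data) > 0.9


def extract_layers(text: str, depth: int = 0, max_depth: int = 4) -> List[dict]:
    """Decode every base64 run in text, then recurse into decoded text for inner layers.
    Returns one record per blob (depth, encoded run, decoded bytes), outer before inner."""
    layers: List[dict] = []
    if depth >= max_depth:
        return layers
    for match in B64_RUN.finditer(text):
        decoded = decode_b64_loose(match.group(0))
        if decoded is None:
            continue
        layers.append({"depth": depth, "encoded": match.group(0), "decoded": decoded})
        if looks_like_text(decoded):
            inner_text = decoded.decode("ascii", errors="replace")
            layers.extend(extract_layers(inner_text, depth + 1, max_depth))
    return layers


# Constructed sample: a captured request whose form field carries base64 that itself
# wraps a second base64 layer (outer/inner, like the tool's out/ files).
_INNER = base64.b64encode(b"layer-2: constructed inner payload marker").decode()
_OUTER = base64.b64encode(f"param=value&data={_INNER}".encode()).decode()
CAPTURED_TRAFFIC = (
    "POST /constructed/ToolPane.aspx HTTP/1.1\r\n"
    "Host: sharepoint.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    f"payload={_OUTER}"
)
```

Calling `extract_layers(CAPTURED_TRAFFIC)` returns the outer blob at depth 0 followed by the inner marker at depth 1; the depth cap stops runaway recursion on data that happens to decode to more base64-looking text.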

## Project structure

```
├── analysis/
│   └── analyse.py              # Payload analysis and decoding tools
├── exploit/
│   └── exploit.py              # Main Python RCE exploit
├── metasploit_ref/
│   ├── cURL                    # cURL command examples
│   ├── sharepoint_toolpane_rce.md  # Detailed vulnerability documentation
│   └── sharepoint_toolpane_rce.rb  # Ruby reference implementation
├── out/                        # Analysis output directory
├── scanner/
│   └── scanner.py              # Vulnerability scanner
└── README.md                   # This file
```

## Vulnerable versions

The following SharePoint Server versions are confirmed vulnerable:

- SharePoint Server 2019 `16.0.10337.12109` (RTM version)
- SharePoint Server 2019 `16.0.10417.20018` (June 2025 patch level)
- SharePoint Server 2019 `16.0.10417.20027` (July 2025 patch level)*

*The July 2025 patch level may still be exploitable unless administrators have manually performed configuration updates.
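An inventory triage check added as an example (not part of this repository): it matches a SharePoint build string against the three builds listed above, repeating the README's status for each, and orders any other build relative to the July 2025 patch level. The inventory lines are constructed; the "treat as exposed" verdict for unlisted older builds is an assumption made here, not a statement from the README.

```python
from typing import Dict, List, Tuple

# Builds this README lists, with the status it gives each one.
LISTED_BUILDS = {
    "16.0.10337.12109": "SharePoint Server 2019 RTM: confirmed vulnerable",
    "16.0.10417.20018": "June 2025 patch level: confirmed vulnerable",
    "16.0.10417.20027": "July 2025 patch level: may still be exploitable unless configuration updates were applied manually",
}
JULY_2025_BUILD = (16, 0, 10417, 20027)


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '16.0.10417.20027' into a comparable tuple; reject anything else."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part SharePoint build string: {build!r}")
    return tuple(int(p) for p in parts)


def triage_build(build: str) -> str:
    """Classify one build against the list above and the July 2025 patch level."""
    parsed = parse_build(build)
    key = ".".join(str(n) for n in parsed)  # normalises leading zeros and whitespace
    if key in LISTED_BUILDS:
        return LISTED_BUILDS[key]
    if parsed < JULY_2025_BUILD:
        # Assumption: an unlisted build older than the July patch level predates the fix.
        return "older than the July 2025 patch level: not confirmed here, treat as exposed"
    return "newer than any build listed here: check the vendor advisory for fix status"


def triage_inventory(lines: List[str]) -> Dict[str, str]:
    """Map 'host,build' inventory lines to a verdict; bad build strings are reported, not dropped."""
    verdicts: Dict[str, str] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, _, build = line.partition(",")
        try:
            verdicts[host.strip()] = triage_build(build)
        except ValueError as err:
            verdicts[host.strip()] = f"unparseable: {err}"
    return verdicts


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    "sp-app-01,16.0.10417.20027",
    "sp-app-02,16.0.10417.20050",
    "sp-app-03,unknown",
]
```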

## Disclaimer

> [!CAUTION]
> **This project is provided for educational and authorized security testing purposes only.**
> 
> - Only test systems you own or have explicit written permission to test
> - Unauthorized testing of systems may violate local, state, and federal laws
> - Users are solely responsible for ensuring compliance with applicable laws
> - The authors assume no liability for misuse of this software

## Resources

- [CVE-2025-53770 Details](https://cve.mitre.org)
- [Microsoft Security Advisory](https://msrc.microsoft.com)
- [SharePoint Security Best Practices](https://docs.microsoft.com/sharepoint/security)

---

⭐ If this project helps your security research, consider starring it on GitHub!