SharePoint Deserialization of Untrusted Data Vulnerability
Vulnerability Information
Vulnerability name: SharePoint Deserialization of Untrusted Data Vulnerability
Vulnerability ID:
- CVE: CVE-2025-53770
Vulnerability type: Deserialization
Severity: Critical
Description: Affected product: SharePoint Server is an enterprise collaboration platform from Microsoft, widely used for internal document management, team collaboration and business process automation. It is usually deployed on the corporate intranet as the core collaboration and content management solution. This vulnerability affects SharePoint Server 2016, 2019 and Subscription Edition; SharePoint Online (Microsoft 365) is not affected.
Explanation: This is a deserialization vulnerability, specifically improper handling of untrusted data during deserialization. An attacker can exploit it to achieve unauthenticated remote code execution (RCE), steal ASP.NET MachineKeys, forge trusted __VIEWSTATE payloads, and even retain persistence after the patch is applied. The technical root cause is that SharePoint Server does not sufficiently validate and sanitize certain data, so maliciously crafted data can be deserialized and executed.
Impact analysis: The security risk is extremely high, with a CVSS score of 9.8. An attacker can exploit the vulnerability without authentication to execute arbitrary code and take full control of the affected SharePoint environment. The attacker can also steal MachineKeys, which can be used to forge identities or encrypted data and further widen the attack. Because the vulnerability allows pre-authentication code execution and can be made persistent, it poses a serious threat to internal corporate networks and data security. Organizations should act immediately to detect and remediate it to prevent a potential large-scale security incident.
Vendor: Microsoft
Product: SharePoint Server
Affected versions: 2016, 2019, Subscription Edition
Source: https://github.com/Bluefire-Redteam-Cybersecurity/bluefire-sharepoint-cve-2025-53770
Type: CVE-2025:github search
Repository files
- LICENSE
- README.md
Source overview
🔐 Bluefire Redteam – SharePoint CVE-2025-53770 Detection & Remediation Toolkit
This open-source toolkit provides security teams with battle-tested scripts to detect, assess, and remediate the critical SharePoint zero-day vulnerability CVE-2025-53770 (CVSS 9.8) — currently being exploited in the wild.
Maintained by Bluefire Redteam, a global offensive security firm.
⚠️ About CVE-2025-53770
- Vulnerability: Deserialization of untrusted data in on-prem SharePoint Server
- Impact: Unauthenticated Remote Code Execution (RCE), MachineKey theft, persistent compromise
- Affected: SharePoint Server 2016, 2019, Subscription Edition
- Not affected: SharePoint Online (Microsoft 365)
Once exploited, attackers can:
- Execute code before login
- Steal ASP.NET MachineKeys
- Forge trusted __VIEWSTATE payloads
- Remain persistent even after patching
🔍 Usage Instructions
✅ Step 1: Clone the Repository
🧪 Step 2: Run the Detection Script on Windows
This script:
- Detects installed SharePoint version and checks if it’s vulnerable
- Checks if the latest patches are installed (KB5002754 / KB5002768)
- Verifies if AMSI is enabled
- Scans for known Indicators of Compromise (e.g., spinstall0.aspx, encoded PowerShell, suspicious w3wp.exe behavior)
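As an added illustration of the checks listed above (this is not the toolkit's own detection script), the following read-only PowerShell triage pass looks for the two KBs named in the README, the spinstall0.aspx drop, and w3wp.exe spawning an encoded PowerShell command. The SharePoint install root under Common Files is an assumed default and the AMSI check is left out because it needs the SharePoint Management Shell.

```powershell
function Invoke-SharePointTriage {
    [CmdletBinding()]
    param(
        # Assumed default SharePoint install root; override for a custom farm layout.
        [string]$ExtensionsRoot = "$env:CommonProgramFiles\microsoft shared\Web Server Extensions"
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Patch presence: either KB named in the README counts as patched.
    $kbs = @('KB5002754', 'KB5002768')
    $hotfix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $kbs -contains $_.HotFixID }
    if (-not $hotfix) {
        $findings.Add("No CVE-2025-53770 patch found (expected one of: $($kbs -join ', '))")
    }

    # 2. Dropped-file IoC: spinstall0.aspx anywhere under the SharePoint hive folders.
    if (Test-Path -Path $ExtensionsRoot) {
        Get-ChildItem -Path $ExtensionsRoot -Recurse -Filter 'spinstall0.aspx' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("IoC file present: $($_.FullName) (modified $($_.LastWriteTime))") }
    }

    # 3. Process tree: an IIS worker (w3wp.exe) that has launched a shell with an
    #    encoded command (-e / -enc / -EncodedCommand followed by a base64 blob).
    #    This is a triage signal, not proof of compromise; inspect the process manually.
    $procs   = Get-CimInstance -ClassName Win32_Process
    $w3wpIds = $procs | Where-Object Name -eq 'w3wp.exe' | Select-Object -ExpandProperty ProcessId
    foreach ($p in $procs) {
        if (($w3wpIds -contains $p.ParentProcessId) -and
            ($p.Name -match '^(powershell|pwsh|cmd)\.exe$') -and
            ($p.CommandLine -match '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}')) {
            $findings.Add("w3wp.exe (PID $($p.ParentProcessId)) spawned $($p.Name) PID $($p.ProcessId) with an encoded command")
        }
    }
    return $findings
}

$result = Invoke-SharePointTriage
if ($result.Count -eq 0) {
    'No findings from this triage pass (this does not prove the host is clean).'
} else {
    $result | ForEach-Object { "[!] $_" }
    exit 1
}
```

Run it in an elevated session on each on-prem SharePoint server; a non-zero exit code means at least one finding that warrants the remediation steps below.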
🛡️ Step 3: Run the Remediation Script (If Vulnerable)
This script:
- Verifies patch presence
- Enables Antimalware Scan Interface (AMSI)
- Rotates SharePoint ASP.NET MachineKeys
- Restarts IIS services
🐧 Step 4: Run the Linux Hybrid Scan (Optional)
Useful for:
- Reverse proxies, DMZ servers, or shared Linux environments connected to vulnerable SharePoint instances
- Scanning for dropped payloads, encoded PowerShell, or lateral movement behavior
🙋‍♂️ Support / Consulting
Need help analyzing your environment or running this toolkit at scale?
📄 License
This project is licensed under the MIT License.
⭐️ Why This Matters
SharePoint sits at the core of many enterprise intranets, workflows, and DevOps pipelines. CVE-2025-53770 allows unauthenticated attackers to take full control of these environments with minimal friction. This toolkit gives defenders a reliable first line of defense — backed by a red team’s real-world testing.