SharePoint Server Remote Code Execution Vulnerability
Vulnerability Information
Vulnerability name: SharePoint Server Remote Code Execution Vulnerability
Vulnerability ID:
- CVE: CVE-2025-53770
Vulnerability type: Deserialization
Severity: Critical
Description: Affected product: Microsoft SharePoint Server is a widely used enterprise collaboration platform that supports document management, team collaboration and business-process automation. It is typically deployed on internal corporate networks to support both internal and external collaboration. The versions affected by this vulnerability are SharePoint Server 2016, 2019 and Subscription Edition, all of which are widely deployed worldwide.
Explanation: The vulnerability, tracked as CVE-2025-53770, is a deserialization flaw that allows unauthenticated remote code execution (RCE). An attacker can bypass authentication by spoofing HTTP headers (CVE-2025-53771), upload a malicious ASPX web shell (spinstall0.aspx), extract cryptographic secrets from web.config, and abuse unsafe ViewState deserialization to execute code remotely. The flaw exists mainly because of insufficient input validation and unsafe deserialization.
Impact analysis: The security risk is extremely high: an attacker can execute arbitrary code remotely without any authentication and take complete control of the server. The attacker can also steal sensitive information such as cryptographic keys, further compromising the enterprise. Because the vulnerability is being actively exploited, security agencies worldwide have issued urgent warnings. Organizations should immediately assess the security of their SharePoint servers and apply the latest security patches to prevent attacks.
Vendor: Microsoft
Product: SharePoint Server
Affected versions: 2016, 2019, and Subscription Edition
Source: https://github.com/Sec-Dan/CVE-2025-53770-Scanner
Type: CVE-2025:github search
Repository files
- .gitattributes
- README.md
- requirements.txt
- spScanner.py
- splash.txt
Source overview
CVE-2025-53770 Scanner by DanSec
A simple, effective reconnaissance tool to identify potential exposure to the critical SharePoint vulnerability CVE-2025-53770.
[!Warning]
This tool is intended for authorised testing purposes only.
The author (DanSec) takes no responsibility for misuse or damage caused by unauthorised scanning or usage. Ensure you have explicit permission to scan any domain or service before using this tool.
About CVE-2025-53770
CVE-2025-53770 (“ToolShell”) is a critical vulnerability affecting on-premises SharePoint Server versions 2016, 2019, and Subscription Edition.
It enables unauthenticated remote code execution (RCE) via:
- Authentication bypass by header spoofing (CVE-2025-53771)
- Upload of a malicious ASPX web shell (spinstall0.aspx)
- Extraction of cryptographic secrets from web.config
- Unsafe deserialization exploiting ViewState to execute code remotely
This vulnerability has been actively exploited, prompting urgent warnings from authorities worldwide.
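A defender-side companion to the chain above, added here as an example that is not part of the Sec-Dan scanner or of the original README: it scans IIS W3C-format log lines for requests that reference the spinstall0.aspx web-shell filename named in the list, separates requests the server actually answered (2xx) from probes that got a 404, and counts hits per source address for triage. The log lines, IP addresses and URI paths are constructed samples, and the #Fields layout is an assumption about how the server's logging is configured; the column order is read from the log itself, so any layout containing the needed columns works.

```python
"""Flag requests for the spinstall0.aspx web shell in IIS W3C logs.

Added example for this page; not code from the Sec-Dan scanner or from
Microsoft. Sample log lines, IPs and paths below are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Indicator taken from the page: file name of the uploaded web shell.
WEB_SHELL_INDICATOR = "spinstall0.aspx"


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    uri: str
    status: int


def parse_fields(directive: str) -> list[str]:
    """'#Fields: date time ...' -> ['date', 'time', ...]"""
    return directive.split(":", 1)[1].split()


def scan_iis_log(lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per request whose URI stem names the web shell.

    The column layout comes from the log's own #Fields directive, so the
    function works with any field order that includes the columns it
    needs (date, time, c-ip, cs-method, cs-uri-stem, sc-status).
    """
    fields: list[str] = []
    hits: list[Hit] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = parse_fields(line)
            continue
        if line.startswith("#") or not fields:
            continue  # other directives, or data before any #Fields line
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        rec = dict(zip(fields, cols))
        stem = rec.get("cs-uri-stem", "")
        # Compare case-insensitively: IIS URL paths are not case-sensitive.
        if WEB_SHELL_INDICATOR in stem.lower():
            hits.append(Hit(
                timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
                client_ip=rec.get("c-ip", ""),
                method=rec.get("cs-method", ""),
                uri=stem,
                status=int(rec.get("sc-status", "0")),
            ))
    return hits


def successful_hits(hits: list[Hit]) -> list[Hit]:
    """A 2xx answer means the shell path served content; a 404 is a
    probe for a file that was not (or is no longer) present."""
    return [h for h in hits if 200 <= h.status < 300]


def hits_by_client(hits: list[Hit]) -> dict[str, int]:
    """Count flagged requests per source address for triage."""
    return dict(Counter(h.client_ip for h in hits))


# Constructed sample in IIS W3C format (not a real capture). The last
# data line is deliberately truncated to show that a record with the
# wrong column count is skipped instead of being mis-parsed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-07-19 10:15:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 192.0.2.10 Mozilla/5.0 200
2025-07-19 10:15:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 198.51.100.23 python-requests/2.32 200
2025-07-19 10:15:40 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 198.51.100.23 python-requests/2.32 200
2025-07-19 10:16:02 10.0.0.5 GET /_layouts/15/SPInstall0.aspx - 443 203.0.113.7 curl/8.0 404
2025-07-19 10:16:30 10.0.0.5 GET /_layouts/15/spinstall0.aspx
"""

if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.timestamp} {h.client_ip} {h.method} {h.uri} -> {h.status}")
    print("served:", len(successful_hits(found)), "by client:", hits_by_client(found))
```

A 200 on the web-shell path is the case to escalate: it means the file existed and was served, which fits the "upload of a malicious ASPX web shell" step above, whereas a 404 from a scanning address is evidence of reconnaissance only.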
For detailed information:
What Does This Scanner Do?
- Performs subdomain enumeration (using Sublist3r and crt.sh) to identify potential SharePoint hosts.
- Safely checks each discovered subdomain for signs of vulnerability to CVE-2025-53770.
- Outputs results in a structured CSV file for easy review.
This scanner DOES NOT exploit the vulnerability. It merely identifies potential points of exposure.
Installation
Clone the repository and install dependencies:
Usage
Example:
Available Flags
Flag | Description | Default
---|---|---
<target_domain> | Root domain to scan (required) | -
-o, --output | CSV output filename | CVE-2025-53770_output.csv
--passive | Run a passive scan (skip subdomain enumeration) | Disabled
--threads | Number of concurrent scan threads | 1
--retries | Number of retries per host | 1
--rate-limit | Max requests per second (0 for unlimited) | 0
Interpreting Results
- VULNERABLE (Red): the host answered the check with HTTP 200 OK and is potentially vulnerable
- CLEAN (Green): any other HTTP response; the host is likely not exposed
- ERRORS (Yellow): connection or network errors
The resulting CSV file will contain detailed status for each scanned subdomain.
Responsible Usage
- Always obtain explicit authorization before scanning.
- Inform stakeholders before initiating scans, especially in sensitive environments.
- Use only on systems you own, manage, or have explicit consent to test.
Issues & Contributions
Found a bug or have a feature request? Open an issue or pull request!
Stay safe, and happy scanning!
— DanSec