Microsoft SharePoint Unauthenticated Remote Code Execution Vulnerability

Vulnerability Information

Vulnerability name: Microsoft SharePoint Unauthenticated Remote Code Execution Vulnerability

Vulnerability IDs:

  • CVE: CVE-2025-53770

Vulnerability type: Unauthenticated access

Severity: Critical

Description: Affected product: Microsoft SharePoint is a widely used enterprise collaboration platform supporting document management, content management and business process automation. It is usually deployed on internal corporate networks, but it may also be exposed to the Internet for remote access. Because of its wide adoption, SharePoint is a high-value target for attackers.

Explanation: CVE-2025-53770 is a critical unauthenticated remote code execution (RCE) vulnerability that allows an attacker to execute arbitrary code on the target system without any authentication. It is a variant of CVE-2025-49706 that removes the authentication requirement, making attacks more dangerous. The root cause is SharePoint's improper handling of crafted authentication tokens which, combined with a malicious __VIEWSTATE payload, leads to direct code execution in the IIS worker process.

Impact: Exploitation can give an attacker full control of the affected SharePoint server, including uploading web shells, executing arbitrary commands, stealing sensitive data and moving laterally. Because the attack requires no authentication and can be automated, the risk is extremely high. In-the-wild exploitation has been observed, mainly against SharePoint instances in the government and education sectors. Microsoft has released emergency patches and recommends that all affected users apply them immediately.

Vendor: Microsoft

Product: SharePoint Server

Affected versions: SharePoint Server 2016 (unpatched), SharePoint Server 2019, SharePoint Server Subscription Edition

Source: https://github.com/AdityaBhatt3010/CVE-2025-53770-SharePoint-Zero-Day-Variant-Exploited-for-Full-RCE

Type: CVE-2025:github search

Repository files

  • LICENSE
  • README.md

Source overview

🚨 CVE‑2025‑53770 – SharePoint Zero-Day Variant Exploited for Full RCE

A Critical Escalation from CVE‑2025‑49706

By Aditya Bhatt – Red Team | VAPT


📌 TL;DR

CVE‑2025‑53770 is a critical (CVSS 9.8) zero-auth RCE vulnerability in Microsoft SharePoint now actively exploited in the wild. This isn’t a standalone issue—it’s a variant of CVE‑2025‑49706, which I previously covered.
But while CVE‑2025‑49706 required authentication, 53770 doesn’t.

This is unauthenticated code execution, with real-world web shell drops and privilege escalation in active attacks. Patch now.


🔁 In Case You Missed It:

I previously analyzed CVE‑2025‑49706 – a spoofing vulnerability in SharePoint that allowed token manipulation, web shell uploads, and lateral movement from an authenticated foothold.

CVE‑2025‑53770 builds on the same foundation but skips the login altogether.


🧠 What is CVE‑2025‑53770?

  • Type: Unauthenticated Remote Code Execution (RCE)

  • Severity: CVSS 9.8 (Critical)

  • Affected Products:

    • SharePoint Server 2016 (unpatched)
    • SharePoint Server 2019
    • SharePoint Server Subscription Edition



🔍 Root Cause

According to Microsoft, this is a variant of CVE‑2025‑49706 and involves improper handling of crafted authentication tokens—combined with malicious __VIEWSTATE payloads—that lead to direct execution in IIS worker processes.


⚔️ Real-World Attacks

🚨 ToolShell Campaign Update:

  • Attackers are chaining:

    • CVE‑2025‑49704 (deserialization bug)
    • CVE‑2025‑49706 (spoofed header + auth bypass)
    • CVE‑2025‑53770 (unauth RCE)
  • Dropping:

    • spinstall0.aspx web shell
    • Payloads like SuspSignoutReq.exe
    • Persistence tools under w3wp.exe

🎯 Affected Targets (based on MSRC reports):

  • Government and Education sectors
  • On-prem SharePoint portals
  • Any SharePoint instance exposed to the internet without July patches

🧪 Attack Flow (Simplified):

  1. 📥 Malicious request sent to vulnerable endpoint (unauthenticated)
  2. 🧾 Injected __VIEWSTATE payload or forged token bypasses validation
  3. 💣 Code executed inside IIS (w3wp.exe) under NT AUTHORITY\SYSTEM
  4. 🐚 Web shell uploaded, remote access established
  5. 🛰️ C2 communication initiated, lateral movement begins



🛡️ Mitigation & Patching

✅ Patch Immediately

Microsoft released out-of-band security updates on July 20–21, 2025:

  • SharePoint 2019: KB5002741
  • SharePoint SE: KB5002755
  • SharePoint 2016: pending — isolate servers ASAP

🔗 Microsoft Patch Catalog


✅ Harden Systems

  • Disable external access to SharePoint until patched
  • Rotate machine keys / viewstate validation keys
  • Enable AMSI + Defender AV with these PowerShell settings:

    # Turn on Controlled Folder Access
    Set-MpPreference -EnableControlledFolderAccess Enabled
    # Set-MpPreference has no -EnableScriptScanning switch; script scanning is on when this is $false
    Set-MpPreference -DisableScriptScanning $false

🔎 Detection & Threat Hunting

IOC Examples:

  • spinstall0.aspx

  • SuspSignoutReq.exe

  • Large encoded __VIEWSTATE in POST payloads

  • Suspicious process tree:

    • w3wp.exe → cmd.exe → powershell.exe

Defender KQL Hunt:

    DeviceFileEvents
    | where FileName contains "spinstall0.aspx" or FolderPath contains "inetpub"
    | where ActionType == "FileCreated"
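The IOCs and the KQL hunt above, expressed as an offline log check (an added example, not part of the original write-up or the repository): it flags requests for the spinstall0.aspx / SuspSignoutReq.exe file names, oversized POSTs to _layouts pages as a proxy for a large encoded __VIEWSTATE, and the w3wp.exe → cmd.exe → powershell.exe process tree. The log lines, process events and the 100,000-byte threshold are constructed assumptions, not published values.

```python
import re

# Constructed sample IIS W3C-style log lines (not real captures): date time method uri-stem status cs-bytes
IIS_LOG = """\
2025-07-20 10:01:02 POST /_layouts/15/page.aspx 200 184320
2025-07-20 10:01:05 GET /_layouts/15/spinstall0.aspx 200 412
2025-07-20 10:02:10 GET /sites/hr/Shared%20Documents/report.docx 200 0
2025-07-20 10:03:00 POST /_layouts/15/start.aspx 302 950
"""
# Constructed process-creation events: (pid, parent pid, image name)
PROC_EVENTS = [
    (4100, 700, "w3wp.exe"),
    (5200, 4100, "cmd.exe"),
    (5300, 5200, "powershell.exe"),
    (6100, 4100, "conhost.exe"),
]
# File-name IOCs from the write-up; IIS logs lack the body, so request size (cs-bytes) stands in for
# "large encoded __VIEWSTATE" with a threshold that is an assumption, not a published value
IOC_FILES = {"spinstall0.aspx", "suspsignoutreq.exe"}
LARGE_POST_BYTES = 100_000
LOG_RE = re.compile(r"^(\S+ \S+) (GET|POST) (\S+) (\d{3}) (\d+)$")


def scan_iis_log(text):
    """Return (reason, line) for each request hitting an IOC file name or the oversized-POST heuristic."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, method, uri, _status, cs_bytes = m.groups()
        if uri.rsplit("/", 1)[-1].lower() in IOC_FILES:
            hits.append(("ioc-file", line))
        elif method == "POST" and "/_layouts/" in uri.lower() and int(cs_bytes) >= LARGE_POST_BYTES:
            hits.append(("large-post", line))
    return hits


def find_chain(events, chain=("w3wp.exe", "cmd.exe", "powershell.exe")):
    """Return the pid of every process whose ancestry is exactly w3wp.exe -> cmd.exe -> powershell.exe."""
    by_pid = {pid: (ppid, image.lower()) for pid, ppid, image in events}
    hits = []
    for pid, (_ppid, image) in by_pid.items():
        cur, ok = pid, image == chain[-1]
        for want in reversed(chain):  # walk up from the leaf, matching each expected ancestor
            ok = ok and cur in by_pid and by_pid[cur][1] == want
            cur = by_pid[cur][0] if ok else None
        if ok:
            hits.append(pid)
    return hits
```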

🔗 Connection to CVE‑2025‑49706

CVE ID           Access Required   Impact                   Exploitation
CVE‑2025‑49706   Authenticated     Spoofing / Shell Drop    Confirmed
CVE‑2025‑53770   Unauthenticated   RCE + SYSTEM Privilege   Active

Microsoft confirmed 53770 as a variant of 49706, now weaponized into unauthenticated RCE.


🧠 Final Thoughts

This isn’t just another CVE drop.
CVE‑2025‑53770 is one of the most dangerous SharePoint vulnerabilities in recent memory.
It builds on an already-bad spoofing flaw (49706) and eliminates the only barrier—authentication.

If you’re running an on-prem SharePoint instance and haven’t patched since early July 2025, assume compromise and hunt aggressively.




👨‍💻 About the Author

I’m a cybersecurity practitioner focused on offensive security, exploit analysis, and red team operations.
I’ve ranked in the top 2% on TryHackMe and published security tools like KeySentry, ShadowHash, and PixelPhantomX.
I hold certifications like CEH, Security+, and the IIT Kanpur Red Team Certificate, and write regularly for InfoSec WriteUps and other security platforms.

🔗 GitHub: @AdityaBhatt3010

✍️ Medium: @adityabhatt3010

💼 LinkedIn: Aditya Bhatt



http://example.com/2025/07/22/github_3729131545/
Author: lianccc
Published: 22 July 2025
License