SharePoint 反序列化远程代码执行漏洞
漏洞信息
漏洞名称: SharePoint 反序列化远程代码执行漏洞
漏洞编号:
- CVE: CVE-2025-53770
漏洞类型: 反序列化
漏洞等级: 高危
漏洞描述: SharePoint是微软推出的一款企业级协作平台,广泛应用于文档管理、内容管理、业务流程自动化等场景。作为企业内网的核心组件之一,SharePoint的安全性至关重要。然而,CVE-2025-53770漏洞的存在使得攻击者能够通过构造恶意的序列化数据,在目标系统上执行任意代码。该漏洞的根源在于SharePoint对用户提供的数据进行反序列化时,未能充分验证数据的合法性,导致攻击者可以利用.NET框架中的特定类(如LosFormatter和BinaryFormatter)来执行反序列化攻击链。这种漏洞的利用不需要用户交互,攻击者只需将恶意数据发送至目标服务器即可触发漏洞,从而实现远程代码执行。由于SharePoint通常部署在企业内网中,一旦被利用,攻击者可能获取服务器控制权,进而窃取敏感数据、破坏服务稳定性或进一步渗透内网。因此,该漏洞对企业的信息安全构成了严重威胁。
产品厂商: Microsoft
产品名称: SharePoint
来源: https://github.com/Rabbitbong/OurSharePoint-CVE-2025-53770
类型: CVE-2025:github search
仓库文件
- .gitattributes
- .gitignore
- OurSharePoint.sln
- OurSharePoint
- README.md
来源概述
OurSharePoint - CVE-2025-53770 (PoC)
This is a simple C# tool that builds a GZipped, Base64-encoded .NET DataSet payload using a LosFormatter-encoded inner payload. It’s designed to help reproduce the SharePoint deserialization RCE chain described in public research.
What it does
You give it a Base64-encoded payload (like one from ysoserial.net), and it:
- Wraps it inside a valid .NET DataSet with a custom XML schema + diffgram
- Serializes the result using BinaryFormatter
- GZips the serialized blob
- Base64-encodes the result and writes it to a
.b64file
References
- https://research.eye.security/sharepoint-under-siege/
- https://github.com/rapid7/metasploit-framework/pull/20409/commits
Usage
First, generate your payload using ysoserial.net:
1 | |
Then run this tool:
1 | |
This will generate:
- exploit.bin - a raw serialized DataSet
- exploit.b64 - final GZipped and Base64-encoded payload thats ready for us
Also, if you dont specify --a, --b, or --c, the tool generates random lowercase names.
Notes
This tool does not validate or inspect the payload you give it.
If you're testing locally and deserialize manually, it may execute (e.g., pop calc).
