Microsoft SharePoint ToolPaneaspx Remote Code Execution Vulnerability
漏洞信息
漏洞名称: Microsoft SharePoint ToolPane.aspx Remote Code Execution Vulnerability
漏洞编号:
- CVE: CVE-2025-53770, CVE-2025-53771
漏洞类型: 命令执行
漏洞等级: 高危
漏洞描述: 受影响产品: Microsoft SharePoint是一款广泛使用的企业级协作平台,支持文档管理、团队协作和内容共享。它通常部署在企业内部网络中,用于提高团队的工作效率和信息共享。由于其广泛的应用,SharePoint成为了攻击者的重要目标。
漏洞解释: 该漏洞涉及CVE-2025-53770和CVE-2025-53771,属于命令执行类型。攻击者可以通过构造特殊的请求到/ToolPane.aspx页面,利用ViewState参数或进行可疑的文件上传,实现远程代码执行。漏洞的根本原因在于SharePoint对用户输入的处理不当,未能充分验证和清理来自客户端的输入,从而导致攻击者可以注入并执行恶意代码。
影响分析: 此漏洞允许攻击者在未授权的情况下远程执行任意代码,可能导致服务器被完全控制,敏感数据泄露,或服务中断。由于攻击者可以通过网络直接利用此漏洞,无需用户交互,因此风险极高。此外,攻击者可能会利用此漏洞在企业内部网络中横向移动,进一步扩大攻击范围。鉴于SharePoint的广泛使用,此漏洞的影响范围可能非常广泛,需要立即采取修补措施。
产品厂商: Microsoft
产品名称: SharePoint
来源: https://github.com/zach115th/ToolShellFinder
类型: CVE-2025:github search
仓库文件
- README.md
- toolshellfinder.ps1
来源概述
ToolShellFinder: CVE-2025-53770 & CVE-2025-53771 Detection
A PowerShell script for detecting indicators of compromise (IoCs) for CVE-2025-53770 and CVE-2025-53771 in Microsoft IIS logs.
This script is hacked together to help DFIR teams, sysadmins, and security professionals identify suspicious activity associated with these vulnerabilities in SharePoint environments.
Table of Contents
Background
CVE-2025-53770 and CVE-2025-53771 are recently disclosed vulnerabilities affecting Microsoft SharePoint, potentially allowing remote code execution and exploitation via crafted requests to /ToolPane.aspx, suspicious uploads, or exploitation of ViewState parameters. Attackers may leave forensic traces in IIS logs.
What This Script Does
- Recursively scans IIS log files for patterns linked to exploitation attempts of these CVEs.
- Identifies and collects matches for four major sets of IoCs (see below).
- Outputs a summary table of detected events and exports detailed results to CSV for further analysis.
Usage
Copy the script to your investigation workstation.
Set the
$logRootpath at the top of the script if your IIS logs are not inC:\inetpub\logs\LogFiles.Run the script in a PowerShell window:
1
.\toolshellfinder.ps1
Indicators of Compromise
- ToolPane Exploitation Attempts (POST)
- HTTP Method: POST
- Path: /_layouts/15/ToolPane.aspx or /_layouts/16/ToolPane.aspx
- Query String: Contains DisplayMode=Edit&a=/ToolPane.aspx
- Referer: Contains /_layouts/SignOut.aspx
- Suspicious File Drops (GET)
- HTTP Method: GET
- Referer: Contains /_layouts/SignOut.aspx
- Path: Matches suspicious files in /layouts/15/ or /layouts/16/ (e.g., spinstall.aspx, debug_dev.js, etc.)
- start.aspx Enumeration (GET, Suspicious User-Agent)
- HTTP Method: GET
- Path: /_layouts/15/start.aspx or /_layouts/16/start.aspx
- User-Agent: Contains curl, powershell, or python (case-insensitive, anywhere in UA string)
- Malicious success.aspx & ViewState (Suspicious User-Agent & Query)
- Path: /_layouts/15/success.aspx or /_layouts/16/success.aspx
- Query String: Starts with a long __VIEWSTATE= value (≥40 chars, indicative of payloads)
- User-Agent: Contains curl, powershell, or python