Vulnerability information
Vulnerability name: Microsoft SharePoint remote code execution vulnerability
Vulnerability ID:
Vulnerability type: command execution
Severity: critical
Vulnerability description: Microsoft SharePoint is a widely used enterprise collaboration platform that supports document management, content management and social networking features; it is commonly deployed on-premises for team collaboration and information sharing. Its rich feature set and ease of use have given it a large global user base. The vulnerability disclosed here, CVE-2025-53770, is a remote code execution (RCE) vulnerability in SharePoint: an attacker can craft specific HTTP requests that exploit a flaw in the ToolPane.aspx or spinstall0.aspx pages to achieve remote code execution. The technical root cause is insufficient input validation on these pages: SharePoint fails to correctly filter or handle user-submitted data, which allows an attacker to inject and execute malicious code. Exploitation requires no user interaction; an attacker can launch the attack directly over the network, with severe impact on affected systems including, but not limited to, data leakage, service disruption and even complete system compromise. Because SharePoint is so widely deployed, the scope of impact is large, and affected users are advised to take protective measures as soon as possible.
Vendor: Microsoft
Product: SharePoint
Source: https://github.com/nisargsuthar/suricata-rule-CVE-2025-53770
Type: CVE-2025:github search
Repository files
README.md
SharepointGET.pcap
SharepointPOST.pcap
Source overview
suricata-rule-CVE-2025-53770: Detection rules for CVE-2025-53770

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SharePoint RCE ToolShell CVE-2025-53770"; http.method; content:"POST"; flow:established,to_server; http.uri; pcre:"/\/_layouts\/\d+\/ToolPane\.aspx\?DisplayMode=Edit&a=\/ToolPane\.aspx/"; http.accept_enc; content:"gzip, deflate"; http.referer; content:"/_layouts/SignOut.aspx"; http.request_body; content:"_controltemplates"; content:"AclEditor.ascx"; content:"CompressedDataTable"; content:"Scorecard"; content:"ExcelDataSet"; reference:url,https://research.eye.security/sharepoint-under-siege/; reference:url,https://github.com/kaizensecurity/CVE-2025-53770/tree/master; reference:url,https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/; classtype:web-application-attack; sid:1000000; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SharePoint RCE ToolShell CVE-2025-53770"; http.method; content:"GET"; flow:established,to_server; http.uri; pcre:"/\/_layouts\/\d+\/spinstall0\.aspx/"; http.referer; content:"/_layouts/SignOut.aspx"; reference:url,https://research.eye.security/sharepoint-under-siege/; reference:url,https://github.com/kaizensecurity/CVE-2025-53770/tree/master; reference:url,https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/; classtype:web-application-attack; sid:1000001; rev:1;)
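As an added example (not part of the repository above or of this record), the following Python re-implements the match conditions of the two Suricata rules as plain functions and runs them over constructed HTTP requests, so an analyst can see exactly which request fields each signature keys on and confirm that every condition of the POST rule must hold for it to fire. It assumes case-sensitive substring matching (Suricata `content` without `nocase`) and cannot evaluate `flow:established,to_server`, since that is connection state rather than request content; the request bodies are constructed filler containing only the rule's marker strings.

```python
"""Re-implementation of the two CVE-2025-53770 Suricata rule bodies as Python checks.

Added example for illustration; the sample requests are constructed, not captured traffic.
"""
import re
from dataclasses import dataclass, field

# URI patterns taken from the rules' pcre options (Suricata searches the normalized http.uri buffer).
TOOLPANE_URI = re.compile(r"/_layouts/\d+/ToolPane\.aspx\?DisplayMode=Edit&a=/ToolPane\.aspx")
SPINSTALL_URI = re.compile(r"/_layouts/\d+/spinstall0\.aspx")
SIGNOUT_REFERER = "/_layouts/SignOut.aspx"
ACCEPT_ENCODING = "gzip, deflate"
# Every http.request_body content match of sid 1000000 must be present (rules AND their contents).
BODY_MARKERS = ("_controltemplates", "AclEditor.ascx", "CompressedDataTable", "Scorecard", "ExcelDataSet")


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""

    def header(self, name: str) -> str:
        return self.headers.get(name.lower(), "")


def parse_request(raw: str) -> HttpRequest:
    """Minimal parser for a raw HTTP/1.1 request (request line, headers, blank line, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


def matches_sid_1000000(req: HttpRequest) -> bool:
    """POST ToolPane.aspx rule: method, URI, Accept-Encoding, Referer and all body markers."""
    return (
        req.method == "POST"
        and TOOLPANE_URI.search(req.uri) is not None
        and ACCEPT_ENCODING in req.header("Accept-Encoding")
        and SIGNOUT_REFERER in req.header("Referer")
        and all(marker in req.body for marker in BODY_MARKERS)
    )


def matches_sid_1000001(req: HttpRequest) -> bool:
    """GET spinstall0.aspx rule: method, URI and Referer only."""
    return (
        req.method == "GET"
        and SPINSTALL_URI.search(req.uri) is not None
        and SIGNOUT_REFERER in req.header("Referer")
    )


def classify(raw: str):
    """Return the sid of the first rule that matches the raw request, or None."""
    req = parse_request(raw)
    if matches_sid_1000000(req):
        return 1000000
    if matches_sid_1000001(req):
        return 1000001
    return None


def build(method: str, uri: str, headers: dict, body: str = "") -> str:
    lines = [f"{method} {uri} HTTP/1.1", "Host: sharepoint.example.internal"]  # constructed host
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed samples: the POST body is filler holding only the rule's marker strings.
SAMPLE_POST = build(
    "POST", "/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
    {"Referer": "/_layouts/SignOut.aspx", "Accept-Encoding": "gzip, deflate"},
    "_controltemplates AclEditor.ascx CompressedDataTable Scorecard ExcelDataSet",
)
SAMPLE_GET = build("GET", "/_layouts/15/spinstall0.aspx", {"Referer": "/_layouts/SignOut.aspx"})
# Same URI and headers as SAMPLE_POST but body lacks the markers: the rule must not fire.
SAMPLE_PARTIAL = build(
    "POST", "/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
    {"Referer": "/_layouts/SignOut.aspx", "Accept-Encoding": "gzip, deflate"},
    "ordinary form data",
)
SAMPLE_BENIGN = build("GET", "/_layouts/15/settings.aspx", {"Accept-Encoding": "gzip, deflate"})

if __name__ == "__main__":
    for name, raw in [("post", SAMPLE_POST), ("get", SAMPLE_GET),
                      ("partial", SAMPLE_PARTIAL), ("benign", SAMPLE_BENIGN)]:
        print(name, classify(raw))
```

Running the module prints the matched sid per sample: the full POST and the GET hit sids 1000000 and 1000001, while the partial POST and the benign request return None. The partial case is the one worth keeping in mind when tuning: because sid 1000000 requires all five body strings, a request that omits even one of them passes the rule silently, so the GET rule and host-side review of `spinstall0.aspx` remain the broader safety net.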
1 2 3 alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ET EXPLOIT SharePoint RCE ToolShell CVE-2025-53770" ; http.method; content: "POST" ; flow: established, to_server; http.uri; pcre:"/\/ _layouts\/ \d +\/ ToolPane\. aspx\? DisplayMode=Edit&a=\/ ToolPane\. aspx/" ; http.accept_enc; content:"gzip, deflate" ; http.referer; content: "/_layouts/SignOut.aspx" ; http.request_body; content:"_controltemplates" ; content: "AclEditor.ascx" ; content: "CompressedDataTable" ; content: "Scorecard" ; content: "ExcelDataSet" ; reference: url,https:// research.eye.security/ sharepoint-under-siege/ ; reference: url,https://github.com/kaizensecurity/CVE-2025-53770/tree/master ; reference: url, https:// www.rapid7.com/ blog/ post/ etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-202 5-53770 / ; classtype:web-application-attack; sid:1000000 ; rev: 1 ;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ET EXPLOIT SharePoint RCE ToolShell CVE-2025-53770" ; http.method; content: "GET" ; flow: established, to_server; http.uri; pcre:"/\/ _layouts\/ \d +\/ spinstall0\. aspx/" ; http.referer; content: "/_layouts/SignOut.aspx" ; reference: url,https:// research.eye.security/ sharepoint-under-siege/ ; reference: url,https://github.com/kaizensecurity/CVE-2025-53770/tree/master ; reference: url, https:// www.rapid7.com/ blog/ post/ etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-202 5-53770 / ; classtype:web-application-attack; sid:1000001 ; rev: 1 ;)