Microsoft SharePoint ToolShell RCE Vulnerability
Vulnerability Information
Vulnerability name: Microsoft SharePoint “ToolShell” RCE Vulnerability
Vulnerability ID:
- CVE: CVE-2025-53770
Vulnerability type: Deserialization
Severity: Critical
Vulnerability description: Microsoft SharePoint Server is a widely used enterprise collaboration platform that supports document management, team collaboration and business process automation. It is usually deployed on the internal corporate network to improve team collaboration and information sharing. CVE-2025-53770 is a critical remote code execution (RCE) vulnerability affecting Microsoft SharePoint Server 2016, 2019 and Subscription Edition (on-premises deployments only; SharePoint Online is not affected). An attacker can bypass authentication and take full control of the server by chaining a logic flaw with unsafe deserialization. This exploit chain, publicly known as “ToolShell”, has been observed in active attacks. The technical root cause is a logic flaw in how SharePoint handles specific HTTP requests, combined with deserialization of attacker-controlled data. The attacker sends a specially crafted HTTP POST request to a hidden administrative page with a forged Referer header to bypass authentication, then uses the deserialization flaw to upload and execute a malicious ASPX web shell and obtain full control of the server. Successful exploitation can lead to complete server takeover, including arbitrary command execution, file access and modification, data exfiltration, and lateral movement within the internal network. Because the attacker can steal the server's ASP.NET machine keys, access persists even after the initial patch is applied, until the keys are manually rotated. The vulnerability carries a CVSS score of 9.8 (Critical), underlining the serious threat it poses to enterprise security.
Vendor: Microsoft
Product: SharePoint Server
Affected versions: SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition
Source: https://github.com/bharath-cyber-root/sharepoint-toolshell-cve-2025-53770
Type: CVE-2025: GitHub search
Repository files
- README.md
Source summary
SharePoint “ToolShell” RCE Exploit (CVE-2025-53770)
Overview
CVE-2025-53770 is a critical remote code execution (RCE) vulnerability affecting Microsoft SharePoint Server 2016, 2019, and Subscription Edition (on-premises only, not SharePoint Online). Attackers bypass authentication and achieve full server control by chaining a logic flaw with unsafe deserialization. Microsoft tracks the deserialization flaw as CVE-2025-53770 and the companion authentication bypass as CVE-2025-53771; both are variants of the earlier CVE-2025-49704 and CVE-2025-49706, so patch status must be verified against all four. This exploit chain, publicly known as “ToolShell”, has been observed in active attacks.
Technical Details
Affected Versions
- SharePoint Enterprise Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
- Not applicable to SharePoint Online (Microsoft 365)
Severity
- CVSS Score: 9.8 (Critical)
Exploit Chain: Step-by-Step
1. Authentication Bypass
- The attacker sends a specially crafted HTTP POST request to the hidden management page:
/_layouts/15/ToolPane.aspx?DisplayMode=Edit
- The request carries a forged Referer header pointing at the sign-out page:
Referer: /_layouts/SignOut.aspx
- Because of a logic flaw in how this Referer is evaluated, SharePoint does not enforce authentication for the request, so an unauthenticated attacker reaches a page that is normally available only to authenticated users with edit rights.
2. Remote Code Execution via Deserialization
- Using access to the privileged endpoint, the attacker submits a payload exploiting an unsafe deserialization bug, allowing arbitrary code execution.
- Typically, the attacker drops a malicious ASPX web shell (e.g., spinstall0.aspx) into the SharePoint TEMPLATE\LAYOUTS folder, from where IIS serves it under the /_layouts/ path.
3. Web Shell Deployment and Key Theft
- The attacker requests the web shell, which runs as the SharePoint web application and reads the application's ASP.NET configuration (the machineKey section).
- From it the attacker extracts the server's machine keys: ValidationKey and DecryptionKey.
- These keys sign and encrypt ViewState and the authentication tokens and session state shared across the farm.
4. Full Server Takeover and Persistence
- With the keys, the attacker can create their own valid, signed payloads that SharePoint will trust and execute.
- This enables persistent RCE that survives the initial patch: the patch closes the entry point but does not invalidate the stolen keys, so forged, correctly signed ViewState payloads keep being accepted until the keys are rotated.
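As an added example (not code from the repository above), the following Python script turns the first steps of the chain into a log-based detection: it parses IIS W3C log text and flags POSTs to ToolPane.aspx that carry the SignOut.aspx Referer, unauthenticated POSTs to that page, and any request for the spinstall0.aspx web shell named above. The log lines are constructed for the example, with TEST-NET addresses and a hypothetical CONTOSO domain; the column order follows a default IIS W3C #Fields header, which the parser reads from the log rather than assuming.

```python
"""Flag ToolShell-style activity in IIS W3C log text.

Added example, not part of the referenced repository. The log sample is
constructed; the field layout follows IIS's default W3C '#Fields' header.
"""
from typing import Dict, Iterator, List, Tuple

# Constructed sample (not a real capture). Line 4 is the auth-bypass POST,
# line 5 is a hit on the dropped web shell, line 6 is a legitimate editor.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:15:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.23 Mozilla/5.0 https://sp.contoso.local/ 200 0 0 120
2025-07-19 10:16:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 345
2025-07-19 10:16:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2025-07-19 10:20:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.31 Mozilla/5.0 https://sp.contoso.local/_layouts/15/start.aspx 200 0 0 210
"""

# Web shell file names to match on. spinstall0.aspx is the one named in the
# write-up; extend this set from your own threat intelligence.
WEBSHELL_NAMES = {"spinstall0.aspx"}


def parse_iis_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_number, record) per entry, keyed by the names in #Fields.

    IIS writes a new #Fields directive whenever the log format changes, so the
    column map is taken from the log itself instead of being hard-coded.
    """
    fields: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        yield lineno, dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the names of the ToolShell indicators an entry matches."""
    hits: List[str] = []
    stem = rec.get("cs-uri-stem", "").lower()
    method = rec.get("cs-method", "").upper()
    user = rec.get("cs-username", "-")
    referer = rec.get("cs(Referer)", "-").lower()
    is_toolpane = "/_layouts/" in stem and stem.endswith("/toolpane.aspx")

    # Step 1 of the chain: the forged Referer on the ToolPane request.
    if is_toolpane and referer.endswith("/_layouts/signout.aspx"):
        hits.append("toolpane_signout_referer")
    # ToolPane.aspx normally needs an authenticated user; IIS logs "-" when none.
    if is_toolpane and method == "POST" and user == "-":
        hits.append("toolpane_post_unauthenticated")
    # Steps 2/3 of the chain: someone calling the dropped web shell.
    if stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
        hits.append("known_webshell_path")
    return hits


def find_toolshell_activity(text: str) -> List[Dict[str, object]]:
    """Scan log text and return one finding per matching entry, in log order."""
    findings: List[Dict[str, object]] = []
    for lineno, rec in parse_iis_w3c(text):
        hits = classify(rec)
        if hits:
            findings.append({
                "line": lineno,
                "client": rec.get("c-ip"),
                "method": rec.get("cs-method"),
                "uri": rec.get("cs-uri-stem"),
                "rules": hits,
            })
    return findings


if __name__ == "__main__":
    for f in find_toolshell_activity(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['method']} {f['uri']} -> {', '.join(f['rules'])}")
```

Run it over the u_ex*.log files under the IIS log folder (by default %SystemDrive%\inetpub\logs\LogFiles\W3SVC<n>) of every front-end server. The Referer rule only fires if cs(Referer) is in the logged field set; the unauthenticated-POST rule stands on its own and also catches variants that use a different Referer value. Treat a client that triggers the ToolPane rules and then shows up on a web shell path as a confirmed chain, not two separate alerts.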
Impact
- Total compromise of on-premises SharePoint server:
- Arbitrary command execution
- File access/modification
- Data exfiltration
- Lateral movement throughout the internal network
- Persistence: Attackers maintain access using stolen machine keys until those keys are manually changed.
Example Attack Flow (Diagram)
```mermaid
sequenceDiagram
    participant Attacker
    participant SharePoint Server
    Attacker->>SharePoint Server: POST /ToolPane.aspx (with fake Referer)
    SharePoint Server-->>Attacker: Grants admin access (auth bypass)
    Attacker->>SharePoint Server: Uploads malicious web shell
    Attacker->>SharePoint Server: Executes web shell to read config
    SharePoint Server-->>Attacker: Returns ValidationKey and DecryptionKey
    Attacker->>SharePoint Server: Sends forged, signed payloads (persistent RCE)
```
Remediation
- Apply Microsoft's patches: see the official advisory and updates from Microsoft (MSRC) for the exact update for each supported version.
- Rotate the ASP.NET machine keys immediately after any suspected compromise, and again after patching: from Central Administration or with the Update-SPMachineKey PowerShell cmdlet, followed by an IIS restart on every server in the farm. Patching alone does not revoke keys that were already stolen.
- Audit every front-end server for unauthorized ASPX files (in particular under the TEMPLATE\LAYOUTS folder) and for unusual activity such as POST requests to ToolPane.aspx carrying a SignOut.aspx Referer or coming from unauthenticated clients.
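One way to carry out the ASPX audit in the last step, as an added example rather than code from the repository or from Microsoft: take a SHA-256 manifest of every server-side file under a directory while it is known clean, then diff the live tree against that manifest to surface files that were added or changed. The directory tree here is constructed in a temporary folder, with placeholder page contents, so the script runs offline; on a real server the root would be pointed at the SharePoint LAYOUTS template folder and at the IIS virtual directories.

```python
"""Baseline-and-diff audit for unexpected ASPX files in a SharePoint folder.

Added example, not code from the referenced repository. It hashes a
known-clean directory into a manifest and reports files that appear, change
or vanish afterwards. The tree used below is constructed in a temp folder.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions ASP.NET executes if a file with that name lands in a served folder.
SERVER_SIDE_EXTS = {".aspx", ".ashx", ".asmx"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every server-side file under root.

    Take this snapshot from a known-clean state (a freshly patched reference
    server or installation media), never from a server you already suspect,
    or the web shell simply becomes part of the baseline.
    """
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SERVER_SIDE_EXTS:
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def audit(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree with the baseline; return new, modified and missing files."""
    current = build_manifest(root)
    return {
        "new": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a clean LAYOUTS-like tree, then drop a shell."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layouts15 = root / "15"
        layouts15.mkdir()
        # Stand-ins for shipped pages; contents are placeholders, not SharePoint code.
        (layouts15 / "ToolPane.aspx").write_text('<%@ Page Language="C#" %> placeholder\n')
        (layouts15 / "SignOut.aspx").write_text('<%@ Page Language="C#" %> placeholder\n')
        (layouts15 / "core.css").write_text("body {}\n")  # ignored: not server-side
        baseline = build_manifest(root)

        # Simulate the post-compromise state: a dropped web shell and a tampered page.
        (layouts15 / "spinstall0.aspx").write_text('<%@ Page Language="C#" %> dropped\n')
        (layouts15 / "ToolPane.aspx").write_text('<%@ Page Language="C#" %> tampered\n')
        return audit(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel in paths:
            print(f"{kind:9s} {rel}")
```

In production, store the manifest off the server (an attacker with a web shell can edit a local baseline as easily as the pages), and build one per version hive: for the 2016/2019/Subscription Edition installs the template pages live under the "16" hive's TEMPLATE\LAYOUTS folder, and the web application content under the IIS virtual directories. The diff is evidence, not a cleanup: a hit on a new .aspx means keys must be rotated and the host treated as compromised.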
References
This document is for research and defensive purposes only. Do not attempt exploitation on systems you do not own or have explicit authorization to test.