Share
## https://sploitus.com/exploit?id=A19C1D46-FE68-573C-BB04-74623D8236CB
# CVE-2025-53770

This is a scanner for [the SharePoint unauthenticated Remote Code Execution vulnerability](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/), assigned CVE number CVE-2025-53770.
The code for this was written by reverse-engineering a payload seen in [the wild](https://raw.githubusercontent.com/kaizensecurity/CVE-2025-53770/refs/heads/master/payload).

Use at your own risk, I am not responsible for any negative impact this might cause.

## How does it work?

It tries to exploit the vulnerability by injecting [a marker](pkg/payload/test_payload.go) in the SharePoint ToolBox widget.
If in the SharePoint server response this unharmful marker is found, the host is marked as vulnerable.

## How to use
```zsh
# check if  is vulnerable and try extract version information
% ./CVE-2025-53770 [ ...]
INFO[0000] set log level                                 fields.level=info
INFO[0000] starting scanner                              targets=1
INFO[0001] detected SharePoint version                   target= version="MicrosoftSharePointTeamServices: 16.0.0.5469\n"
WARN[0001] target is vulnerable                          target=

# turn on debug logging and try retrieving SharePoint version information
% ./CVE-2025-53770 -log=debug -version  
...
```

## Who is vulnerable?

Anyone running the *on-prem* version of SharePoint server without KB5002768 & KB5002754. 

## How does this vulnerability work?

The vulnerability presumably builds upon a previously disclosed vulnerability for SharePoint, CVE-2025-49706.
By sending a HTTP POST request to `https:///_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` with a GZIP-ed, BASE64-encoded payload, you can achieve Remote Code Execution as the SharePoint runtime process.
Two form parameters are important here:

1. `MSOTlPn_Uri`: Control source path

This pretends to reference a legitimate SharePoint control (AclEditor.ascx), and tricks SharePoint into allowing the web part edit.  
This seems to be mock/fake value just to pass validation.
The original malicious payload includes `MSOTlPn_Uri=https://%s/_controltemplates/15/AclEditor.ascx`, but this does not seem to be used at this point.

2. `MSOTlPn_DWP`: Web partial configuration.

This parameter injects custom ASP.NET directives (``) and server-side markup (``).
The `CompressedDataTable` parameter holds attacker-controlled serialized data (GZIP + base64), triggering the RCE.
This payload follows a certain structure:

```xml



  
    
      " DataTable-CaseSensitive="false" runat="server">
    
  

```

If a control like `Scorecard:ExcelDataSet` exists and its `CompressedDataTable` property is set, it's deserialized directly by the SharePoint DWP Parser.

The payload itself can be rather interesting, as it can contain a `System.DelegateSerializationHolder` which triggers a deserialization RCE.
Threat actors abused this to pass `/c powershell -EncodedCommand ` in their payload to achieve code exection.
In our case, we merely pass a static placeholder to prove exploitability;

```xml


    
        
            
                This is a harmless CVE-2025-53770 PoC marker.
                2025-07-21T14:04:52Z
            
        
    


```