## https://sploitus.com/exploit?id=A19C1D46-FE68-573C-BB04-74623D8236CB
# CVE-2025-53770
This is a scanner for [the SharePoint unauthenticated Remote Code Execution vulnerability](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/), assigned CVE number CVE-2025-53770.
The code for this was written by reverse-engineering a payload seen in [the wild](https://raw.githubusercontent.com/kaizensecurity/CVE-2025-53770/refs/heads/master/payload).
Use at your own risk, I am not responsible for any negative impact this might cause.
## How does it work?
It tries to exploit the vulnerability by injecting [a marker](pkg/payload/test_payload.go) in the SharePoint ToolBox widget.
If in the SharePoint server response this unharmful marker is found, the host is marked as vulnerable.
## How to use
```zsh
# check if is vulnerable and try extract version information
% ./CVE-2025-53770 [ ...]
INFO[0000] set log level fields.level=info
INFO[0000] starting scanner targets=1
INFO[0001] detected SharePoint version target= version="MicrosoftSharePointTeamServices: 16.0.0.5469\n"
WARN[0001] target is vulnerable target=
# turn on debug logging and try retrieving SharePoint version information
% ./CVE-2025-53770 -log=debug -version
...
```
## Who is vulnerable?
Anyone running the *on-prem* version of SharePoint server without KB5002768 & KB5002754.
## How does this vulnerability work?
The vulnerability presumably builds upon a previously disclosed vulnerability for SharePoint, CVE-2025-49706.
By sending a HTTP POST request to `https:///_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` with a GZIP-ed, BASE64-encoded payload, you can achieve Remote Code Execution as the SharePoint runtime process.
Two form parameters are important here:
1. `MSOTlPn_Uri`: Control source path
This pretends to reference a legitimate SharePoint control (AclEditor.ascx), and tricks SharePoint into allowing the web part edit.
This seems to be mock/fake value just to pass validation.
The original malicious payload includes `MSOTlPn_Uri=https://%s/_controltemplates/15/AclEditor.ascx`, but this does not seem to be used at this point.
2. `MSOTlPn_DWP`: Web partial configuration.
This parameter injects custom ASP.NET directives (``) and server-side markup (``).
The `CompressedDataTable` parameter holds attacker-controlled serialized data (GZIP + base64), triggering the RCE.
This payload follows a certain structure:
```xml
" DataTable-CaseSensitive="false" runat="server">
```
If a control like `Scorecard:ExcelDataSet` exists and its `CompressedDataTable` property is set, it's deserialized directly by the SharePoint DWP Parser.
The payload itself can be rather interesting, as it can contain a `System.DelegateSerializationHolder` which triggers a deserialization RCE.
Threat actors abused this to pass `/c powershell -EncodedCommand ` in their payload to achieve code exection.
In our case, we merely pass a static placeholder to prove exploitability;
```xml
This is a harmless CVE-2025-53770 PoC marker.
2025-07-21T14:04:52Z
```