Microsoft: PoC and Technical Details Released for SharePoint Remote Code Execution Vulnerability

Microsoft: PoC and Technical Details Released for SharePoint Remote Code Execution Vulnerability

Critical SharePoint RCE Vulnerability (CVE-2025-53770) Exploited in the Wild

Proof-of-concept (PoC) exploit code and technical details have been released for CVE-2025-53770, a critical remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server. The flaw, a deserialization-of-untrusted-data issue, allows unauthenticated attackers to execute arbitrary code over the network by exploiting how SharePoint processes specially crafted data sources.

The vulnerability affects SharePoint Server 2016, 2019, and Subscription Edition, but Microsoft 365 SharePoint Online remains unaffected. Microsoft initially released emergency patches, followed by a second fix introducing the TypeNameParserImpl component to address generic type handling in DataSet objects.

Researchers at Viettel Cyber Security demonstrated how attackers can bypass security controls by abusing XML schema processing in the ExcelDataSet control used by PerformancePoint BI services. The attack targets the BIMonitoringAuthoringService web service at the endpoint /_vti_bin/PPS/PPSAuthoringService.asmx, specifically the TestConnection method. By embedding malicious <xs:import> and <xs:include> elements in an external XSD file, attackers force SharePoint to load unsafe types from an attacker-controlled server, evading XmlValidator checks.

The PoC exploits a chain of deserialization gadgets including System.Web.UI.LosFormatter and System.Windows.Data.ObjectDataProvider to achieve RCE. The attack requires only a low-privileged SharePoint site member account and involves crafting a SOAP request to the vulnerable endpoint with a malicious ExcelDataSet payload. Successful exploitation spawns arbitrary processes, such as win32calc.exe, on the target server.

Security vendors have confirmed active exploitation in the wild, with reports of large-scale ToolShell attack campaigns targeting unpatched SharePoint environments. The release of detailed exploit techniques is expected to accelerate copycat attacks, increasing the urgency for organizations to apply Microsoft’s latest patches. Additional mitigations include enabling AMSI integration, rotating ASP.NET MachineKey values, and monitoring for suspicious PerformancePoint and ViewState activity.

Source: https://cybersecuritynews.com/poc-sharepoint-rce-vulnerability/

Microsoft_SharePoint cybersecurity rating report: https://www.rankiteo.com/company/microsoft_sharepoint

"id": "MIC1783520623",
"linkid": "microsoft_sharepoint",
"type": "Vulnerability",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Organization'}],
 'attack_vector': 'Network',
 'description': 'Proof-of-concept (PoC) exploit code and technical details '
                'have been released for CVE-2025-53770, a critical remote code '
                'execution (RCE) vulnerability in on-premises Microsoft '
                'SharePoint Server. The flaw, a '
                'deserialization-of-untrusted-data issue, allows '
                'unauthenticated attackers to execute arbitrary code over the '
                'network by exploiting how SharePoint processes specially '
                'crafted data sources. The vulnerability affects SharePoint '
                'Server 2016, 2019, and Subscription Edition, but Microsoft '
                '365 SharePoint Online remains unaffected. Active exploitation '
                'in the wild has been confirmed, with reports of large-scale '
                'ToolShell attack campaigns targeting unpatched environments.',
 'impact': {'operational_impact': 'Arbitrary code execution on target servers',
            'systems_affected': 'Microsoft SharePoint Server 2016, 2019, '
                                'Subscription Edition'},
 'post_incident_analysis': {'corrective_actions': 'Microsoft introduced '
                                                  'TypeNameParserImpl '
                                                  'component to address '
                                                  'generic type handling in '
                                                  'DataSet objects',
                            'root_causes': 'Deserialization of untrusted data '
                                           'in SharePoint Server due to '
                                           'improper handling of XML schema '
                                           'processing in ExcelDataSet '
                                           'control'},
 'recommendations': 'Apply Microsoft’s latest patches, enable AMSI '
                    'integration, rotate ASP.NET MachineKey values, monitor '
                    'for suspicious PerformancePoint and ViewState activity, '
                    'and restrict access to vulnerable endpoints.',
 'references': [{'source': 'Viettel Cyber Security'}],
 'response': {'containment_measures': 'Apply Microsoft’s latest patches, '
                                      'enable AMSI integration, rotate ASP.NET '
                                      'MachineKey values, monitor for '
                                      'suspicious PerformancePoint and '
                                      'ViewState activity',
              'enhanced_monitoring': 'Monitor for suspicious PerformancePoint '
                                     'and ViewState activity',
              'remediation_measures': 'Microsoft released emergency patches '
                                      'and introduced TypeNameParserImpl '
                                      'component to address generic type '
                                      'handling in DataSet objects'},
 'threat_actor': 'ToolShell attack campaigns',
 'title': 'Critical SharePoint RCE Vulnerability (CVE-2025-53770) Exploited in '
          'the Wild',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2025-53770 (Deserialization of untrusted data '
                            'in SharePoint Server)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.