Actively Exploited SharePoint 0-Day Vulnerabilities CVE-2025-53770 & CVE-2025-53771 | Metasploit RCE Module Released
A new Metasploit module has been released targeting SharePoint 0-day vulnerabilities CVE-2025-53770 and CVE-2025-53771. Learn how unauthenticated attackers can gain SYSTEM access, how the exploit works, and urgent steps to protect your servers.

Table of Contents
- What’s the Big Deal?
- Why Should You Care?
- How Does the Exploit Work?
- Technical Breakdown (Simplified)
- Patch Bypass? Yes!
- What Can You Do Right Now?
- Conclusion
- TL;DR Recap
- Frequently Asked Questions (FAQs)
What’s the Big Deal?
Security researchers have just released a powerful Metasploit module that targets two zero-day vulnerabilities in Microsoft SharePoint Server. These are not just theoretical — attackers are already using them in real-world attacks.
The vulnerabilities, named CVE-2025-53770 and CVE-2025-53771, allow a hacker to take control of a SharePoint server without any login credentials — just one malicious HTTP request is enough.
Why Should You Care?
If your company uses SharePoint Server 2019, you could be at risk. These flaws let attackers:
- Run code with SYSTEM-level privileges (the highest level)
- Install malware or steal sensitive data
- Completely take over your server
And here’s the scary part — Microsoft hasn’t released a fix yet.
How Does the Exploit Work?
The new Metasploit module, titled exploit/windows/http/sharepoint_toolpane_rce, uses a technique called .NET deserialization to run malicious code. It targets the SharePoint URL /_layouts/15/ToolPane.aspx.
Here’s what makes it dangerous:
- It works with one HTTP request
- It bypasses Microsoft’s previous patch from KB5002741
- It gives full control over the machine
The module can even create a Meterpreter session — a remote shell — directly inside the server’s core system directory.
Technical Breakdown (Simplified)
- System Targeted: SharePoint Server 2019 (tested on Windows Server 2022)
- Vulnerable Endpoint: ToolPane.aspx
- Exploit Type: Remote Code Execution (RCE)
- Privileges Gained: SYSTEM
- Payloads Supported:
  - Reverse shells (meterpreter_reverse_tcp)
  - Simple command execution
- Delivery Options: CERTUTIL, CURL, TFTP
- Network Flexibility: Works over HTTPS, with proxy support
Attackers send a specially crafted payload, which gets deserialized and executed by the SharePoint server — no user interaction or login required.
Patch Bypass? Yes!
These zero-days are patch bypasses for two older vulnerabilities:
- CVE-2025-49704
- CVE-2025-49706
Even if you applied Microsoft’s patch earlier this year, these new exploits go right around it.
What Can You Do Right Now?
Since no official patch exists yet, it’s time to go into defensive mode. Here’s what security teams should do immediately:
1. Scan SharePoint Traffic
Look for strange access to ToolPane.aspx, especially from external IPs.
2. Lock Down Access
Limit who can access SharePoint, especially from the internet. Block unnecessary endpoints.
3. Update SIEM & Detection Tools
Add rules to detect suspicious deserialization patterns or the use of certutil.exe.
4. Check for Backdoors
Monitor system32/inetsrv for unexpected files or command activity.
5. Stay Alert for Patch Announcements
Microsoft will likely release an out-of-band fix. Be ready to deploy quickly.
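One way to implement step 1 above, as an added example that is not part of the original post or of the Metasploit module: a small Python script that parses IIS W3C log lines and flags ToolPane.aspx requests coming from addresses outside the internal ranges or carrying no authenticated user. The field order, the internal address ranges and the sample log lines are all assumptions constructed for the example; match the field order to your server's "#Fields:" header.

```python
import ipaddress

# Assumed IIS W3C field order and internal ranges for the constructed sample;
# real servers declare their own order in the log's "#Fields:" header.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "sc-status"]
TOOLPANE = "/_layouts/15/toolpane.aspx"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (not real traffic): a normal page load, two
# unauthenticated external hits on ToolPane.aspx, and one ordinary internal edit.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-19 02:11:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.77 200
2025-07-19 02:12:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 200
2025-07-19 02:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 192.168.1.20 200
2025-07-19 02:14:20 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 - 198.51.100.44 401
"""

def is_external(ip_text):
    """True when the client address is outside INTERNAL_NETS (or unparsable)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Map one W3C log line onto FIELDS; comment and malformed lines yield None."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def find_toolpane_hits(log_text):
    """Return ToolPane.aspx requests that came from outside or with no user."""
    hits = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if entry["cs-uri-stem"].lower() != TOOLPANE:
            continue
        reasons = []
        if is_external(entry["c-ip"]):
            reasons.append("external_ip")
        if entry["cs-username"] == "-":
            reasons.append("unauthenticated")
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits
```

Run `find_toolpane_hits` over your own exported IIS logs; each returned entry carries the original fields plus the reasons it was flagged.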
Conclusion
This is one of the most serious SharePoint vulnerabilities we’ve seen in years. The fact that it allows unauthenticated SYSTEM-level access makes it a favorite for attackers — and now, it’s freely available in Metasploit.
If you manage SharePoint in your environment, do not wait. Secure your systems, apply workarounds, and monitor everything until Microsoft provides a proper patch.
TL;DR Recap
- Critical SharePoint 0-day: CVE-2025-53770 & CVE-2025-53771
- Metasploit module released and working in real attacks
- Unauthenticated access with SYSTEM privileges
- Exploit bypasses old patches
- No fix available yet — mitigation is urgent
FAQ
What are CVE-2025-53770 and CVE-2025-53771 vulnerabilities in SharePoint?
These are critical 0-day vulnerabilities in Microsoft SharePoint Server 2019 that allow unauthenticated remote code execution (RCE) via a specially crafted HTTP request.
What version of SharePoint is affected by these vulnerabilities?
Microsoft SharePoint Server 2019, specifically version 16.0.10417.20027, is confirmed to be vulnerable.
How are these SharePoint 0-day vulnerabilities being exploited?
Attackers are sending a single malicious HTTP request to the ToolPane.aspx endpoint, triggering a .NET deserialization flaw that grants SYSTEM-level access.
Is there a Metasploit module available for these SharePoint exploits?
Yes, a new Metasploit module titled exploit/windows/http/sharepoint_toolpane_rce was released as pull request #20409.
What can attackers achieve using this exploit?
They can gain full SYSTEM-level remote code execution without any authentication.
What tools does the Metasploit module use to deliver payloads?
It supports multiple methods including CERTUTIL, CURL, and TFTP for payload fetching.
What are the payload options in the Metasploit module?
The module supports reverse shells like meterpreter_reverse_tcp and generic command execution.
What SharePoint endpoint is being targeted by the exploit?
/_layouts/15/ToolPane.aspx is the vulnerable endpoint used to trigger the deserialization bug.
Is authentication required to exploit this flaw?
No, the exploit works without any authentication, making it highly dangerous.
Is this vulnerability being actively exploited in the wild?
Yes, Rapid7 confirmed that attacks were observed starting July 19, 2025.
What is the role of .NET deserialization in this attack?
The flaw lies in the way SharePoint deserializes untrusted input, allowing attackers to craft malicious payloads that lead to RCE.
Can older vulnerabilities be bypassed with this new exploit?
Yes, it bypasses previous fixes for CVE-2025-49704 and CVE-2025-49706.
How is the malicious payload constructed in the exploit?
It uses Msf::Util::DotNetDeserialization to build payloads, replacing the previously leaked base64 chain.
Does the exploit clean up after itself?
Yes, it includes auto-cleanup features to remove artifacts after successful exploitation.
Can this exploit be used over HTTPS?
Yes, the module supports SSL and even proxy tunneling options like SOCKS4, SOCKS5, and HTTP.
Is there a patch available from Microsoft?
As of now, there is no official patch, but organizations are urged to monitor and harden their environments.
What initial patch was bypassed by this exploit?
The earlier KB5002741 patch tried to implement path validation, but the new exploit circumvents it.
Are there any known workarounds?
Network-level protections like IP filtering, WAF rules, and limiting access to ToolPane.aspx can help mitigate the risk temporarily.
What is a Meterpreter session and why is it used here?
Meterpreter is an advanced payload in Metasploit that gives interactive shell access. In this case, it establishes control over the server.
Where is the Meterpreter session established in this exploit?
The session is initiated within c:\windows\system32\inetsrv, the default directory for IIS.
Is this exploit stealthy?
Yes, because it uses a single HTTP request and includes cleanup options, it can avoid detection by traditional security tools.
How should security teams respond immediately?
Review SharePoint logs, restrict access to vulnerable endpoints, monitor for unusual activity, and apply any vendor workarounds.
What is pull request #20409 in the Metasploit repository?
It is the official PR that introduces the new exploit module for these SharePoint vulnerabilities.
What is the severity level of these vulnerabilities?
Critical, due to unauthenticated SYSTEM-level RCE and active exploitation in the wild.
What are the potential consequences if exploited?
Attackers could take full control of the server, exfiltrate data, pivot to other internal systems, or deploy ransomware.
Are cloud-hosted SharePoint services affected?
No. This only impacts on-premise SharePoint Server 2019 installations.
Can security appliances block the attack?
Advanced intrusion prevention systems (IPS), firewalls with application-layer rules, or WAFs may detect and block exploit attempts.
Does enabling authentication on the endpoint stop the exploit?
In some cases, but attackers may still bypass weak authentication setups or shift the target endpoint.
How does this highlight the need for patch management?
It shows how attackers can find creative ways to bypass outdated or partial patches, stressing the need for continuous monitoring and defense-in-depth.
What should I do if I suspect my server is compromised?
Disconnect the server from the network, investigate using forensics tools, and contact your incident response team or CERT.