Introduction
# 🔐 Bluefire Redteam – SharePoint CVE-2025-53770 Detection & Remediation Toolkit
This open-source toolkit provides security teams with battle-tested scripts to detect, assess, and remediate the critical SharePoint zero-day vulnerability **CVE-2025-53770 (CVSS 9.8)** — currently being exploited in the wild.
> Maintained by [Bluefire Redteam](https://bluefire-redteam.com), a global offensive security firm.
---
## ⚠️ About CVE-2025-53770
- **Vulnerability**: Deserialization of untrusted data in on-prem SharePoint Server
- **Impact**: Unauthenticated Remote Code Execution (RCE), MachineKey theft, persistent compromise
- **Affected**: SharePoint Server 2016, 2019, Subscription Edition
- **Not affected**: SharePoint Online (Microsoft 365)
Once exploited, attackers can:
- Execute code without authenticating
- Steal the ASP.NET MachineKeys (ValidationKey / DecryptionKey) of the web application
- Forge trusted `__VIEWSTATE` payloads with the stolen keys, which the server deserializes as if they were its own
- Retain access after the update is installed, because stolen keys stay valid until they are rotated
## 💡 Why Use This Toolkit If Microsoft Already Released a Patch?
While Microsoft provides security updates and mitigation guidance, many organizations still struggle with operationalizing those instructions. This toolkit from Bluefire Redteam automates the detection of vulnerable SharePoint builds, verifies patch status, scans for indicators of compromise (IoCs), and performs critical actions like enabling AMSI and rotating MachineKeys — steps that Microsoft recommends but does not automate. It’s designed to help security teams quickly assess and harden their environments with minimal effort and zero guesswork, especially in large or hybrid deployments.
---
## ⚠️ Modification Disclaimer
This repository is maintained by Bluefire Redteam for informational and operational use only.
> ❗ Please **do not fork, modify, or create derivative scripts under this repository**.
If you need a custom version, contact our team directly via [bluefire-redteam.com/contact](https://bluefire-redteam.com/contact). Unauthorized modifications may introduce security risks and are not supported by Bluefire Redteam.
📄 [Executive CISO Briefing →](./docs/ciso-briefing.md)
⚙️ [Generate Local CISO Report →](./scripts/generate-ciso-report.ps1)
## 🔍 Usage Instructions
### ✅ Step 1: Clone the Repository
```bash
git clone https://github.com/bluefireredteam/bluefire-sharepoint-cve-2025-53770.git
cd bluefire-sharepoint-cve-2025-53770
```
---
### 🧪 Step 2: Run the Detection Script on Windows
```powershell
.\scripts\detect-vulnerability.ps1
```
This script:
* Detects installed SharePoint version and checks if it's vulnerable
* Checks if the latest patches are installed (KB5002754 / KB5002768)
* Verifies if AMSI is enabled
* Scans for known Indicators of Compromise (e.g., `spinstall0.aspx` dropped into the LAYOUTS folders, encoded PowerShell command lines, `w3wp.exe` spawning shells or PowerShell)
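As an added illustration of the checks listed above, not the toolkit's own `detect-vulnerability.ps1`, the following script performs the build-version comparison, the `spinstall0.aspx` file check and the `w3wp.exe` / encoded-PowerShell process check on a single SharePoint server. It assumes it is run from an elevated SharePoint Management Shell (Windows PowerShell 5.1), and `$MinPatchedBuild` is a placeholder the operator fills in with the patched build number for their edition from the Microsoft advisory; the toolkit's own script may use different logic.

```powershell
# Added example, not the toolkit's detect-vulnerability.ps1.
# Run on each SharePoint server from an elevated SharePoint Management Shell.
# Assumption (placeholder): $MinPatchedBuild is the build number of the
# security update for your edition, taken from the Microsoft advisory.
param(
    [Parameter(Mandatory)][version]$MinPatchedBuild,
    [int]$LookbackDays = 30
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Patch level. Get-HotFix does not list SharePoint MSP updates, so compare the
#    farm build version reported by SharePoint itself against the patched build.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
$build = (Get-SPFarm).BuildVersion
if ($build -lt $MinPatchedBuild) {
    $findings.Add("Farm build $build is below patched build $MinPatchedBuild")
}

# 2. File IoC: spinstall0.aspx (or variants) dropped into the LAYOUTS folders,
#    plus any .aspx written there within the lookback window.
$layouts = @(
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
)
$cutoff = (Get-Date).AddDays(-$LookbackDays)
foreach ($dir in ($layouts | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $dir -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'spinstall*.aspx' -or $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $findings.Add("Suspicious page: $($_.FullName) (modified $($_.LastWriteTime))")
        }
}

# 3. Process IoC: shells or PowerShell whose parent is an IIS worker process,
#    and any process started with an encoded PowerShell command line.
$shells  = @('powershell.exe', 'pwsh.exe', 'cmd.exe')
$procs   = Get-CimInstance Win32_Process
$w3wpIds = @($procs | Where-Object { $_.Name -eq 'w3wp.exe' } | ForEach-Object { $_.ProcessId })
foreach ($p in $procs) {
    $cmd = [string]$p.CommandLine
    $childOfW3wp = $w3wpIds -contains $p.ParentProcessId
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob
    $encoded = $cmd -match '\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
    if (($childOfW3wp -and $shells -contains $p.Name) -or $encoded) {
        $findings.Add("Suspicious process: PID $($p.ProcessId) $($p.Name) (parent PID $($p.ParentProcessId)): $cmd")
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No findings on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A clean result from this script is not proof of a clean host: the stolen-key persistence described above leaves no file on disk, so a server that was exploited before patching should have its MachineKeys rotated regardless of what the IoC scan returns.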
---
### 🛡️ Step 3: Run the Remediation Script (If Vulnerable)
```powershell
.\scripts\remediate-vulnerability.ps1
```
This script:
* Verifies patch presence
* Enables Antimalware Scan Interface (AMSI)
* Rotates the ASP.NET MachineKeys of the SharePoint web applications, so `__VIEWSTATE` payloads forged with previously stolen keys stop validating
* Restarts IIS so the worker processes pick up the new keys
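The key-rotation step is the one that invalidates payloads forged with already-stolen keys. The following added example (not the toolkit's `remediate-vulnerability.ps1`) rotates the keys of every content web application with Microsoft's `Update-SPMachineKey` cmdlet and then restarts IIS on the local server. It assumes an elevated SharePoint Management Shell run by a farm administrator after the security update is installed; the log path is an assumption chosen for the example.

```powershell
# Added example, not the toolkit's remediate-vulnerability.ps1.
# Rotate ASP.NET machine keys for every content web application, then restart IIS.
# Assumptions: run as a farm administrator from an elevated SharePoint Management
# Shell on a server that already has the security update installed. Rotating keys
# on an unpatched server only helps until the next exploitation.
param(
    [switch]$SkipIisReset
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$webApps = @(Get-SPWebApplication)
foreach ($wa in $webApps) {
    Write-Host "Rotating machine keys for $($wa.DisplayName) ($($wa.Url))"
    # Generates new ValidationKey/DecryptionKey values and pushes them to the
    # web.config of this web application on every server in the farm.
    Update-SPMachineKey -WebApplication $wa
}

# Keep an auditable record of the rotation (log path is an assumption).
$log = Join-Path $env:ProgramData 'sharepoint-machinekey-rotation.log'
"$(Get-Date -Format o) rotated keys for $($webApps.Count) web application(s) from $env:COMPUTERNAME" |
    Add-Content -Path $log

if (-not $SkipIisReset) {
    # Worker processes read the keys at start-up; a restart makes the new keys
    # effective here. Run iisreset on every other front-end in the farm as well.
    & iisreset.exe /noforce
}
```

After the restart, any request carrying a `__VIEWSTATE` signed with the old keys fails MAC validation, which is the property the rotation exists to restore.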
---
### 🐧 Step 4: Run the Linux Hybrid Scan (Optional)
```bash
bash ./scripts/hybrid-ioc-scan.sh
```
Useful for:
* Reverse proxies, DMZ servers, or shared Linux environments connected to vulnerable SharePoint instances
* Scanning for dropped payloads, encoded PowerShell, or lateral movement behavior
## 🙋‍♂️ Support / Consulting
Need help analyzing your environment or running this toolkit at scale?
🔗 [Contact Bluefire Redteam](https://bluefire-redteam.com/contact)
---
## 📄 License
This project is licensed under the [MIT License](./LICENSE).
---
## ⭐️ Why This Matters
SharePoint sits at the core of many enterprise intranets, workflows, and DevOps pipelines. CVE-2025-53770 allows unauthenticated attackers to take full control of these environments with minimal friction. This toolkit gives defenders a reliable first line of defense — backed by a red team’s real-world testing.
File snapshot
```text
[4.0K] /data/pocs/769cc7a7ed4b53c5f74b729df0fd4b1e2cef6dcd
├── [4.0K] docs
│   └── [3.2K] ciso-briefing.md
├── [1.3K] LICENSE
├── [3.9K] README.md
└── [4.0K] scripts
    ├── [2.8K] detect-vulnerability.ps1
    ├── [1.7K] generate-ciso-report.ps1
    ├── [ 826] hybrid-ioc-scan.sh
    └── [1.1K] remediate-vulnerability.ps1

2 directories, 7 files
```