Related vulnerability
Description
A critical zero-auth RCE vulnerability in SharePoint (CVE-2025-53770), now exploited in the wild, building directly on the spoofing flaw CVE-2025-49706.
Introduction
# 🚨 CVE‑2025‑53770 – SharePoint Zero-Day Variant Exploited for Full RCE
**A Critical Escalation from CVE‑2025‑49706** <br/>
By **Aditya Bhatt** – Red Team | VAPT <br/>
---
## 📌 TL;DR
**CVE‑2025‑53770** is a **critical (CVSS 9.8) zero-auth RCE vulnerability** in Microsoft SharePoint now actively exploited in the wild. This isn’t a standalone issue—it’s a **variant of CVE‑2025‑49706**, which I previously covered.
But while CVE‑2025‑49706 required authentication, **53770 doesn’t**.
This is **unauthenticated code execution**, with real-world web shell drops and privilege escalation in active attacks. Patch now.
---
## 🔁 In Case You Missed It:
> I previously analyzed **[CVE‑2025‑49706](https://infosecwriteups.com/cve-2025-49706-sharepoint-spoofing-vulnerability-under-active-exploitation-3a640df68d3e)** – a spoofing vulnerability in SharePoint that allowed token manipulation, web shell uploads, and lateral movement from an authenticated foothold.
>
> **CVE‑2025‑53770** builds on the same foundation but skips the login altogether.
---
## 🧠 What is CVE‑2025‑53770?
* **Type**: Unauthenticated Remote Code Execution (RCE)
* **Severity**: **CVSS 9.8 (Critical)**
* **Affected Products**:
  * SharePoint Server 2016 (unpatched)
  * SharePoint Server 2019
  * SharePoint Server Subscription Edition
 <br/>
---
### 🔍 Root Cause
According to Microsoft, this is a **variant of CVE‑2025‑49706**. It involves **improper handling of crafted authentication tokens**, combined with malicious `__VIEWSTATE` payloads, that leads to direct code execution inside the IIS worker process.
---
## ⚔️ Real-World Attacks
### 🚨 ToolShell Campaign Update:
* Attackers are chaining:
  * **CVE‑2025‑49704 (deserialization bug)**
  * **CVE‑2025‑49706 (spoofed header + auth bypass)**
  * **CVE‑2025‑53770 (unauth RCE)**
* Dropping:
  * `spinstall0.aspx` web shell
  * Payloads like `SuspSignoutReq.exe`
  * Persistence tools under `w3wp.exe`
### 🎯 Affected Targets (based on MSRC reports):
* Government and Education sectors
* On-prem SharePoint portals
* Any SharePoint instance exposed to the internet without July patches
---
## 🧪 Attack Flow (Simplified):
1. 📥 Malicious request sent to vulnerable endpoint (unauthenticated)
2. 🧾 Injected `__VIEWSTATE` payload or forged token bypasses validation
3. 💣 Code executed inside IIS (`w3wp.exe`) under NT AUTHORITY\SYSTEM
4. 🐚 Web shell uploaded, remote access established
5. 🛰️ C2 communication initiated, lateral movement begins
<img width="984" height="732" alt="_- visual selection" src="https://github.com/user-attachments/assets/fd082fbd-9933-42f7-8779-6962f6a24d01" /> <br/>
---
## 🛡️ Mitigation & Patching
### ✅ Patch Immediately
Microsoft released out-of-band security updates on **July 20–21, 2025**:
* **SharePoint 2019** ➝ `KB5002741`
* **SharePoint SE** ➝ `KB5002755`
* SharePoint 2016 is pending — **isolate servers ASAP**
🔗 [Microsoft Patch Catalog](https://www.catalog.update.microsoft.com)
---
### ✅ Harden Systems
* Disable external access to SharePoint until patched
* Rotate **machine keys / viewstate validation keys**
* Enable **AMSI + Defender AV**. SharePoint's AMSI integration is configured on the SharePoint side; the Defender AV settings below are set with PowerShell:
```powershell
# Defender AV hardening on the SharePoint host.
# Note: Set-MpPreference has no -EnableScriptScanning parameter; script scanning
# is turned on by setting -DisableScriptScanning to $false.
Set-MpPreference -EnableControlledFolderAccess Enabled
Set-MpPreference -DisableScriptScanning $false
```
---
### 🔎 Detection & Threat Hunting
#### IOC Examples:
* `spinstall0.aspx`
* `SuspSignoutReq.exe`
* Large encoded `__VIEWSTATE` in POST payloads
* Suspicious process tree:
  * `w3wp.exe` → `cmd.exe` → `powershell.exe`
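As an added example that is not part of the original write-up, the following Python hunts for the process-tree IOC above over exported process-creation records (Sysmon Event ID 1 or Security 4688); the `{pid, ppid, image}` record shape and the sample events are constructed assumptions. It goes one step beyond the exact chain and also flags any shell that has `w3wp.exe` anywhere in its ancestry, so a chain with an intermediate hop is still caught.

```python
"""Hunt for the ToolShell process-tree IOC (w3wp.exe -> cmd.exe -> powershell.exe).
Added example, not from the write-up; input is Sysmon/4688 process-creation
records reduced to an assumed dict shape {pid, ppid, image}."""

IOC_CHAIN = ("w3wp.exe", "cmd.exe", "powershell.exe")  # parent -> child, as in the write-up
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}      # an IIS worker should never spawn these

# Constructed sample telemetry (not real data); PID 700 (IIS worker parent) is deliberately absent.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 700,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5000, "ppid": 700,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\conhost.exe"},   # benign
    {"pid": 6000, "ppid": 700,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Windows\System32\rundll32.exe"},  # extra hop
    {"pid": 6020, "ppid": 6010, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(by_pid, pid, max_depth=16):
    """Image names from the process itself up to its oldest ancestor in the export."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen and len(names) < max_depth:
        seen.add(pid)                                 # guard against cyclic/reused PIDs
        names.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names

def find_exact_chains(events, chain=IOC_CHAIN):
    """PIDs whose direct ancestry is exactly the IOC chain from the write-up."""
    by_pid = {e["pid"]: e for e in events}
    want = list(reversed(chain))                      # ancestry() is child-first
    return [e["pid"] for e in events if ancestry(by_pid, e["pid"])[:len(want)] == want]

def find_shells_under_w3wp(events):
    """Broader hunt: any shell with w3wp.exe anywhere above it, even via extra hops."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        names = ancestry(by_pid, e["pid"])
        if names and names[0] in SHELLS and "w3wp.exe" in names[1:]:
            hits.append(e["pid"])
    return hits

if __name__ == "__main__":
    print("exact IOC chain   :", find_exact_chains(SAMPLE_EVENTS))       # [4130]
    print("shells under w3wp :", find_shells_under_w3wp(SAMPLE_EVENTS))  # [4120, 4130, 6020]
```

The broader hunt also flags `cmd.exe` spawned directly by `w3wp.exe` (PID 4120), which the exact three-step match misses.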
#### Defender KQL Hunt:
```kusto
// Hunt for the ToolShell web shell drop. The inetpub clause is deliberately
// broad and will be noisy on busy servers; review hits for unexpected .aspx files.
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName contains "spinstall0.aspx" or FolderPath contains "inetpub"
```
---
## 🔗 Connection to CVE‑2025‑49706
| CVE ID | Access Required | Impact | Exploitation |
| ------------------ | ------------------- | -------------------------- | ------------ |
| **CVE‑2025‑49706** | Authenticated | Spoofing / Shell Drop | Confirmed |
| **CVE‑2025‑53770** | **Unauthenticated** | **RCE + SYSTEM Privilege** | **Active** |
> Microsoft confirmed 53770 as a **variant** of 49706, now weaponized into unauthenticated RCE.
---
## 🧠 Final Thoughts
This isn't just another CVE drop.
**CVE‑2025‑53770 is one of the most dangerous SharePoint vulnerabilities in recent memory.**
It builds on an already-bad spoofing flaw (49706) and eliminates the only barrier—**authentication**.
If you're running an on-prem SharePoint instance and haven't patched since **early July 2025**, assume compromise and hunt aggressively.
 <br/>
---
## 📚 References
* [Microsoft Blog – CVE-2025-53770](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770)
* [SecurityWeek Coverage](https://www.securityweek.com/sharepoint-under-attack-microsoft-warns-of-zero-day-exploited-in-the-wild-no-patch-available/)
* [My CVE‑2025‑49706 Analysis](https://infosecwriteups.com/cve-2025-49706-sharepoint-spoofing-vulnerability-under-active-exploitation-3a640df68d3e)
* [Wiz Threat Intel](https://www.wiz.io/vulnerability-database/cve/cve-2025-53770)
---
## 👨‍💻 About the Author
I'm a cybersecurity practitioner focused on offensive security, exploit analysis, and red team operations.
I’ve ranked in the top 2% on TryHackMe and published security tools like **KeySentry**, **ShadowHash**, and **PixelPhantomX**.
I hold certifications like **CEH**, **Security+**, and the **IIT Kanpur Red Team Certificate**, and write regularly for **InfoSec WriteUps** and other security platforms.
🔗 GitHub: [@AdityaBhatt3010](https://github.com/AdityaBhatt3010) <br/>
✍️ Medium: [@adityabhatt3010](https://medium.com/@adityabhatt3010) <br/>
💼 LinkedIn: [Aditya Bhatt](https://www.linkedin.com/in/adityabhatt3010) <br/>
---
File snapshot
[4.0K] /data/pocs/cc2d3370f31580f21a6b5c9fc0bdc4c68bad2d4e
├── [1.0K] LICENSE
└── [6.2K] README.md
0 directories, 2 files