Metasploit Module Released to Exploit SharePoint 0-Day Vulnerabilities

Security researchers have released a Metasploit exploitation module targeting critical zero-day vulnerabilities in Microsoft SharePoint Server, marking a significant escalation in the threat landscape for enterprise collaboration platforms.

The module exploits a chain of unauthenticated remote code execution flaws identified as CVE-2025-53770 and CVE-2025-53771, which were observed under active exploitation in the wild as early as July 19, 2025.

Technical Details and Exploitation Chain

The newly released Metasploit module, developed by security researcher sfewer-r7 at Rapid7, demonstrates how attackers can achieve complete system compromise through SharePoint’s ToolPane component without requiring authentication.

| CVE ID | Description | CVSS Score | Affected Components |
|---|---|---|---|
| CVE-2025-53770 | SharePoint Server ToolPane Unauthenticated RCE | TBD | SharePoint Server 2019, 2022 |
| CVE-2025-53771 | SharePoint Server ToolPane Authentication Bypass | TBD | SharePoint Server 2019, 2022 |
| CVE-2025-49704 | Original SharePoint Vulnerability (Patched) | TBD | SharePoint Server (Multiple Versions) |
| CVE-2025-49706 | Original SharePoint Vulnerability (Patched) | TBD | SharePoint Server (Multiple Versions) |

The vulnerabilities represent sophisticated patch bypasses for two previously addressed security flaws, CVE-2025-49704 and CVE-2025-49706, highlighting the persistent challenge of securing complex web applications against determined adversaries.

The exploitation technique leverages a deserialization attack vector that allows remote code execution through a single HTTP request.

According to the technical documentation, the module can deliver various payload types, including Meterpreter reverse shells and generic command execution capabilities.

Testing demonstrations show successful compromise of SharePoint Server 2019 installations, with the exploit achieving SYSTEM-level privileges in the target environment.

The attack vector specifically targets the /_layouts/15/ToolPane.aspx endpoint, though recent patches have attempted to block this specific path.

Security researchers have noted that some installations may require alternative approaches, such as targeting /_layouts/15/start.aspx for initial reconnaissance, particularly in environments with Forms Based Authentication enabled.

The release of this Metasploit module significantly lowers the barrier to entry for cybercriminals seeking to exploit SharePoint environments.

SharePoint Server is widely deployed across enterprise environments for document management and collaboration, making these vulnerabilities particularly concerning for organizations worldwide.

The unauthenticated nature of the exploit means that attackers can compromise systems without needing valid credentials or social engineering tactics.

Security testing has confirmed the module’s effectiveness against SharePoint Server 2019 installations running version 16.0.10417.20027, though the full scope of affected versions remains under investigation.

The exploit’s ability to execute arbitrary commands and establish persistent remote access creates significant risks for data theft, ransomware deployment, and lateral movement within corporate networks.

Organizations operating SharePoint environments should immediately assess their exposure to these vulnerabilities and implement available security patches.

While Microsoft has released updates addressing the original CVE-2025-49704 and CVE-2025-49706 vulnerabilities, the bypass techniques demonstrated in this exploit suggest that additional security measures may be necessary.

Network segmentation, access controls, and comprehensive monitoring of SharePoint activities are essential defensive strategies until comprehensive patches become available for the newest vulnerability variants.
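
One way to act on the monitoring recommendation, shown as an added example that is not from the article or the Metasploit module: a Python triage script that scans IIS W3C logs for unauthenticated requests to the ToolPane.aspx endpoint named above. The sample log lines, the IP addresses and the "served" heuristic (a 2xx answer to an anonymous request) are constructed assumptions.

```python
from collections import defaultdict

# Endpoint named in the article, lowercased because IIS matches paths case-insensitively.
TOOLPANE = "/_layouts/15/toolpane.aspx"

# Constructed sample in IIS W3C format (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-07-20 08:01:12 GET /_layouts/15/start.aspx - alice 10.0.0.21 200
2025-07-20 08:03:40 POST /_layouts/15/ToolPane.aspx - - 203.0.113.50 200
2025-07-20 08:03:41 GET /_layouts/15/TOOLPANE.ASPX - - 198.51.100.7 401
2025-07-20 08:05:02 POST /_layouts/15/ToolPane.aspx - bob 10.0.0.22 200
2025-07-20 08:06:15 POST /_layouts/15/toolpane.aspx - - 203.0.113.50 200
"""

def parse_w3c(lines):
    """Yield one dict per request, using the column order from the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def anonymous_toolpane_hits(lines):
    """Group unauthenticated ToolPane.aspx requests by client IP."""
    hits = defaultdict(list)
    for row in parse_w3c(lines):
        path = row.get("cs-uri-stem", "").lower().rstrip("/")
        # IIS logs "-" as cs-username when the request carried no authenticated identity.
        if path != TOOLPANE or row.get("cs-username", "-") != "-":
            continue
        status = row.get("sc-status", "")
        code = int(status) if status.isdigit() else 0
        hits[row.get("c-ip", "unknown")].append({
            "when": f'{row.get("date", "")} {row.get("time", "")}',
            "method": row.get("cs-method", ""),
            "status": code,
            # Assumed triage heuristic: a 2xx answer means the page was served, not rejected.
            "served": 200 <= code < 300,
        })
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in anonymous_toolpane_hits(SAMPLE_LOG.splitlines()).items():
        served = sum(r["served"] for r in reqs)
        print(f"{ip}: {len(reqs)} anonymous ToolPane.aspx request(s), {served} served")
```

Point it at real logs by passing an open log file instead of `SAMPLE_LOG.splitlines()`; the column order is read from each file's `#Fields` directive, so it adapts to the site's logging configuration.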
