New Scanner Released to Detect SharePoint Servers Vulnerable to 0-Day Attack
An open-source scanning tool has been released to identify SharePoint servers vulnerable to CVE-2025-53770, a critical zero-day vulnerability.
The newly published scanner, available on GitHub, enables organizations to rapidly assess their SharePoint infrastructure for this unauthenticated Remote Code Execution vulnerability that has been actively exploited in the wild.
Key Takeaways
1. Open-source tool detects SharePoint servers vulnerable to critical zero-day CVE-2025-53770.
2. The flaw allows unauthenticated remote code execution on unpatched on-premises SharePoint servers.
3. Scan your infrastructure and install Microsoft's security updates.
The tool works by submitting a harmless test marker through SharePoint's ToolPane.aspx endpoint, the same path the real exploit uses, to confirm exploitability without damaging the system.
New Scanner for SharePoint RCE Flaw
Published by Niels Hofmans, the CVE-2025-53770 scanner is a useful defensive resource for organizations running on-premises SharePoint environments.
It was built by reverse-engineering the malicious payloads observed in active attacks, and gives system administrators a straightforward way to identify vulnerable installations.
The scanner identifies SharePoint servers that lack the security updates KB5002768 and KB5002754 (for SharePoint Server Subscription Edition and SharePoint Server 2019, respectively), which fix this vulnerability.
The command-line tool operates with simple syntax: ./CVE-2025-53770 [
When run with the -log=debug -version parameters, the scanner also tries to extract detailed SharePoint version information while testing for the vulnerability.

The output states the vulnerability status clearly, with a warning for vulnerable hosts alongside version details such as "MicrosoftSharePointTeamServices: 16.0.0.5469" (the response header SharePoint emits).
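As an added example (not code from the scanner or from this article), the Python helper below pulls the MicrosoftSharePointTeamServices header out of a captured response head and compares the advertised build with a minimum patched build that the caller supplies. The product-family ranges are approximations from public build lists, and the threshold used in the demo is a placeholder; take the real fixed build from the KB articles named above.

```python
"""Version triage from the MicrosoftSharePointTeamServices response header.

Added example: not the scanner's code and not from the article. Build-family
ranges are approximate (assumption); the minimum patched build must be taken
from Microsoft's KB article for the product in question.
"""
from typing import Dict, Optional, Tuple

HEADER = "MicrosoftSharePointTeamServices"

# Constructed sample response head, in the shape a SharePoint front end returns it.
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "MicrosoftSharePointTeamServices: 16.0.0.5469\r\n"
    "X-SharePointHealthScore: 0\r\n"
    "\r\n"
)


def sharepoint_header(response_head: str) -> Optional[str]:
    """Return the MicrosoftSharePointTeamServices value, or None if the header is absent."""
    for line in response_head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == HEADER.lower():
            return value.strip()
    return None


def build_number(version: str) -> Tuple[int, int]:
    """Normalise '16.0.0.5469' (header form) and '16.0.5469.1001' (file form) to (major, build)."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) != 4:
        raise ValueError(f"unexpected version format: {version!r}")
    major, _minor, third, fourth = parts
    build = third if third else fourth
    return major, build


def product_family(major: int, build: int) -> str:
    """Map a build to a product line. Approximate ranges (assumption), major version 16 only."""
    if major != 16:
        return "unknown"
    if build >= 14000:
        return "SharePoint Subscription Edition"
    if build >= 10000:
        return "SharePoint 2019"
    if build >= 4000:
        return "SharePoint 2016"
    return "unknown"


def triage(response_head: str, min_patched: Dict[str, int]) -> Dict[str, object]:
    """Compare the advertised build with the caller's minimum patched build per family.

    min_patched maps a family name to the build number of the fix. A missing entry
    yields patched=None, meaning "look it up", never "safe".
    """
    value = sharepoint_header(response_head)
    if value is None:
        return {"family": "unknown", "build": None, "patched": None}
    major, build = build_number(value)
    family = product_family(major, build)
    required = min_patched.get(family)
    patched = None if required is None else build >= required
    return {"family": family, "build": build, "patched": patched}


if __name__ == "__main__":
    # Placeholder threshold (assumption), not Microsoft's actual fixed build.
    print(triage(SAMPLE_RESPONSE_HEAD, {"SharePoint 2016": 5500}))
```

Two caveats when using this: reverse proxies and WAFs sometimes strip the header, so a missing value means "unknown", not "patched"; and a build at or above the fix level only shows the update is installed, it says nothing about whether the host was compromised before the update was applied.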
The exploit targets SharePoint's ToolPane.aspx endpoint with crafted HTTP POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx.
It relies on two form parameters: MSOTlPn_Uri, which passes the control source path validation, and MSOTlPn_DWP, which carries the injected web part configuration.
The malicious payload embeds ASP.NET directives such as <%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" and server-side markup.
The exploit delivers a GZIP-compressed, base64-encoded serialized object in the CompressedDataTable parameter; deserializing it is what yields remote code execution.
The scanner’s proof-of-concept payload contains a harmless XML structure with the marker “This is a harmless CVE-2025-53770 PoC marker” to demonstrate exploitability without system compromise.
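For the defender's side of the same request shape, here is an added example (not from the article and not the scanner's code): a Python hunt over IIS W3C logs that flags POSTs to the ToolPane.aspx endpoint carrying the DisplayMode=Edit&a=/ToolPane.aspx query, and ranks anonymous requests that received a 200 highest, since an unauthenticated POST the server accepted is exactly the condition the exploit needs. The log lines are constructed, and the severity tiers are my own heuristic.

```python
"""Hunt IIS W3C logs for the CVE-2025-53770 request pattern.

Added example: not the scanner's code and not from the article. The sample log
is constructed, and the severity tiers are an assumption about what a SOC
would want to triage first.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed IIS 10 W3C log. IIS encodes spaces inside fields as '+', so
# whitespace splitting is safe; cs-username is '-' for anonymous requests.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-20 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2025-07-20 03:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 python-requests/2.32.0 - 200 0 0 845
2025-07-20 03:14:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 python-requests/2.32.0 - 401 0 0 3
2025-07-20 03:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 CONTOSO\\siteowner 10.0.0.88 Mozilla/5.0 https://sp.contoso.local/_layouts/15/start.aspx 200 0 0 210
"""

# Layouts folder number varies by product line, so match any /_layouts/NN/ prefix.
TOOLPANE_RE = re.compile(r"^/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C lines into dicts keyed by the names from the #Fields directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # skip malformed rows rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_toolpane_edit_post(row: Dict[str, str]) -> bool:
    """True for POST /_layouts/NN/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx (case-insensitive)."""
    if row.get("cs-method", "").upper() != "POST":
        return False
    if not TOOLPANE_RE.match(row.get("cs-uri-stem", "")):
        return False
    raw = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
    query = {k.lower(): [v.lower() for v in vs] for k, vs in raw.items()}
    return "edit" in query.get("displaymode", []) and "/toolpane.aspx" in query.get("a", [])


def hunt(log_text: str) -> List[Dict[str, str]]:
    """Return matching requests, most suspicious first in log order."""
    findings: List[Dict[str, str]] = []
    for row in parse_iis_log(log_text):
        if not is_toolpane_edit_post(row):
            continue
        anonymous = row.get("cs-username", "-") == "-"
        status = row.get("sc-status", "")
        if anonymous and status == "200":
            severity = "high"    # unauthenticated POST accepted: the exploit's success condition
        elif anonymous:
            severity = "medium"  # rejected attempt (e.g. 401); still attribute the source
        else:
            severity = "info"    # an authenticated user editing a tool pane can be legitimate
        findings.append({
            "time": f'{row.get("date", "")} {row.get("time", "")}',
            "c-ip": row.get("c-ip", ""),
            "cs-username": row.get("cs-username", "-"),
            "sc-status": status,
            "user_agent": row.get("cs(User-Agent)", ""),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_IIS_LOG):
        print(finding)
```

Run it over the real files under inetpub\logs\LogFiles on each web front end; a "high" hit on a server that is also still missing the July updates should be treated as a likely compromise rather than a near miss, and the same source IP and user agent make a useful pivot into the rest of the log.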
| Risk Factors | Details |
| --- | --- |
| Affected Products | Microsoft SharePoint Server (on-premises versions) without security updates KB5002768 and KB5002754 |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | Network access to the SharePoint server; no authentication required; access to the /_layouts/15/ToolPane.aspx endpoint; ability to send HTTP POST requests |
| CVSS 3.1 Score | 9.8 (Critical) |
Mitigations
CVE-2025-53770 is a variant of the previously disclosed SharePoint vulnerability CVE-2025-49706, which shows how SharePoint-targeted attack techniques are evolving.
The payload is deserialized inside the SharePoint runtime process itself, so a successful deserialization attack (for example through the System.DelegateSerializationHolder gadget) gives the attacker arbitrary code execution on the server.
Threat actors have been observed running PowerShell encoded commands through this vector to establish persistent access to compromised SharePoint environments.
The scanner’s availability on GitHub with Docker support facilitates rapid deployment across enterprise environments.
Organizations should immediately deploy this tool to assess their SharePoint infrastructure while prioritizing the installation of Microsoft’s security patches to remediate the underlying vulnerability.