CyberSecurityNews

PoC and Technical details Released for SharePoint Remote Code Execution Vulnerability


Proof-of-concept (PoC) exploit code and deep technical details have now been released for CVE-2025-53770, a critical remote code execution (RCE) vulnerability in on‑premises Microsoft SharePoint Server.

This disclosure raises the risk of rapid weaponization and mass exploitation against unpatched SharePoint environments.

CVE-2025-53770 is a deserialization-of-untrusted-data flaw in how SharePoint processes specially crafted data sources, enabling an unauthenticated attacker to execute arbitrary code over the network.

The bug exists in on‑premises SharePoint Server 2016, 2019, and Subscription Edition, but Microsoft 365 SharePoint Online is not affected.

After the initial emergency patches, Microsoft shipped a second fix that introduced a new TypeNameParserImpl component to change how type names are parsed for DataSet objects, specifically to address issues with generic type handling.

PoC for SharePoint RCE Vulnerability

The newly published research by Viettel Cyber shows how attackers can still achieve RCE by abusing XML schema processing in the ExcelDataSet control used by the PerformancePoint BI services.

The attack focuses on the BIMonitoringAuthoringService web service at the endpoint /_vti_bin/PPS/PPSAuthoringService.asmx, which exposes a TestConnection method for validating data source connections.

When a DataSource object with SourceName=”ExcelWorkbook” is passed to this API, SharePoint uses an XmlSerializer to deserialize the dataSource.CustomData field into an ExcelDataSet instance and then accesses the ExcelDataSet.DataTable.

Viettel Cyber Security found that the flaw bypasses XmlValidator by exploiting how XML schema imports are handled, allowing unsafe types to pass validation.

Microsoft’s DataSetSurrogateSelector constrains input to “XmlSchema” and “XmlDiffGram” and runs XmlValidator to ensure only allowed types are used. However, XmlValidator only sees the main XmlSchema string.

By embedding and elements that reference an external XSD over the network, the attacker forces the .NET XmlSchema preprocessor to pull additional schema from an attacker‑controlled HTTP server.

XmlValidator does not inspect this imported schema, so malicious type definitions contained in the external XSD are never blocked.

The PoC uses this gap to define an msdata: DataType that points to a complex generic type chain that ends with System. Web. UI.LosFormatter and System.Windows.Data.ObjectDataProvider, which are known deserialization gadgets capable of executing arbitrary code when fed controlled payloads.

With the schema bypass in place, the attacker crafts a matching XmlDiffGram payload that populates a row containing the malicious com: pwn element.

The diffgram instantiates an ExpandedWrapper object, which then calls LosFormatter.Deserialize on attacker‑supplied data, ultimately triggering the RCE.

At runtime, the call stack flows through BinarySerialization.Deserialize() and helper routines that reconstruct objects from a compressed base64 string, before reaching ExcelDataSet.get_DataTable(), ExcelDataSourceProvider.SetDataSource(), DataSourceRegistry.GetDataSource(), and ServerHelper.TestDataSourceConnection() inside SharePoint’s PerformancePoint stack.

The PoC demonstrates full exploitability using a low‑privileged site member account. The attacker first creates a SharePoint list and an item, then starts an HTTP server that hosts the external schema file (for example, common.xsd) reachable by the SharePoint server.

They construct a SOAP request to PPSAuthoringService.asmx invoking TestConnection, setting SourceName=”ExcelWorkbook” and embedding the malicious ExcelDataSet XML and diffgram in the CustomData field.

The Location ItemUrl is pointed to the list item using a URL pattern that ends with an ID and an artificial suffix, such as /sites/zdi/Lists/test/1_.123, to satisfy the service’s regex checks.

When the request is processed, the chain completes, and a process such as win32calc.exe is spawned on the SharePoint server, demonstrating reliable remote code execution.

Security vendors have already confirmed active exploitation of CVE-2025-53770 in the wild and described large‑scale ToolShell attack campaigns against SharePoint.

The availability of such detailed gadget chains and schema‑import techniques will likely accelerate copycat attacks.

Organizations running on‑premises SharePoint should treat this as an emergency: apply Microsoft’s latest patches for CVE-2025-53770, enable AMSI integration, rotate ASP.NET MachineKey values, and perform threat hunting for suspicious PerformancePoint and ViewState activity on exposed servers.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide



Source link