Researchers have developed a new Metasploit exploit module for two critical zero-day vulnerabilities in Microsoft SharePoint Server that are being actively exploited in the wild.
The module, submitted as pull request #20409 to the Metasploit Framework repository, targets CVE-2025-53770 and CVE-2025-53771, which together give an unauthenticated attacker remote code execution (RCE) on vulnerable SharePoint Server installations.
Key Takeaways
1. SharePoint Server vulnerabilities CVE-2025-53770 and CVE-2025-53771 are being exploited in the wild using a single HTTP request.
2. The result is unauthenticated RCE; in testing, the module obtained code execution with SYSTEM privileges on SharePoint Server 2019.
3. Harden and monitor SharePoint deployments immediately and apply Microsoft's fixes as soon as they ship; at the time of writing no patch was available.
Metasploit Module For SharePoint 0-Day
The two new vulnerabilities are patch bypasses for the previously disclosed flaws CVE-2025-49704 and CVE-2025-49706.
Rapid7 confirmed that exploitation was first observed in the wild around July 19, 2025, with attackers compromising SharePoint servers using a single HTTP request.
The exploit targets the /_layouts/15/ToolPane.aspx endpoint, where a crafted request carrying a malicious .NET deserialization payload is deserialized by the server, giving the attacker code execution with SYSTEM privileges.
No authentication, user interaction or second stage is needed: one request does all the work.
During testing, the module successfully compromised a Windows Server 2022 host running SharePoint Server 2019 build 16.0.10417.20027, establishing a Meterpreter session whose working directory was C:\Windows\System32\inetsrv (the IIS directory, as expected for code running inside the IIS worker process).
The module, exploit/windows/http/sharepoint_toolpane_rce, supports several payload types, including the fetch-based cmd/windows/http/x64/meterpreter_reverse_tcp for a full interactive session and cmd/windows/generic for running a single command.
Rather than reusing the base64-encoded gadget chain observed in in-the-wild attacks, the module builds its deserialization payload with the framework's Msf::Util::DotNetDeserialization routines.
Module options include the usual target settings (RHOSTS, RPORT, SSL negotiation) and proxy support for SOCKS4, SOCKS5 and HTTP proxies.
Payload delivery uses Metasploit's fetch payloads, which retrieve the stage on the target with CERTUTIL, CURL or TFTP and can automatically clean up their on-disk artifacts after execution.
Mitigations
The vulnerabilities affect Microsoft SharePoint Server installations; the module was tested against SharePoint Server 2019.
Microsoft's earlier fix, KB5002741, added path-validation checks for the ToolPane.aspx endpoint, but the new exploit bypasses those checks.
A note for anyone verifying the module rather than defending against it: on some deployments with authentication enforced, the endpoint the module probes had to be changed from error.aspx to start.aspx before the check succeeded.
Organizations should immediately review their SharePoint deployments for indicators of compromise, restrict network access to SharePoint servers, and apply Microsoft's fixes as soon as they are released; at the time of writing none was available.
Active exploitation, combined with the unauthenticated nature of the attack, makes these vulnerabilities a significant risk to any enterprise environment running affected SharePoint versions.
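As an added example (not code from the Metasploit module, Rapid7 or Microsoft), here is a small Python scanner for IIS W3C logs that flags requests to the ToolPane.aspx endpoint discussed above, which is where the single malicious request lands. The log lines, host names, addresses and accounts are constructed, and the severity rules are this example's own assumptions, not vendor guidance: an anonymous client that receives a 200 from ToolPane.aspx is what a successful authentication bypass looks like in the log, whereas authenticated hits are normal web-part editing.

```python
import re
from typing import Dict, List, Optional

# Constructed IIS W3C log excerpt (not real traffic): the hostnames, addresses and
# accounts are made up. The #Fields: line mirrors the default IIS 10 W3C layout.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:11:03 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 118
2025-07-19 02:14:52 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.77 python-requests/2.32.3 - 200 0 0 530
2025-07-19 02:15:01 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CONTOSO\\spadmin 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/_layouts/15/settings.aspx 200 0 0 77
2025-07-19 02:16:40 10.0.0.5 POST /sites/hr/_layouts/15/ToolPane.aspx - 443 - 198.51.100.9 curl/8.5.0 - 401 2 5 12
"""

# ToolPane.aspx can sit under any site-collection prefix, so anchor only on the
# tail of the path; the layouts version segment is matched loosely (15 or 16).
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into dicts keyed by the #Fields: names.

    The column layout comes from the most recent #Fields: directive, which IIS
    re-emits whenever the logging configuration changes mid-file.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date carry no request rows
        values = line.split()  # IIS writes embedded spaces as '+', so whitespace is a safe delimiter
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def classify_toolpane_request(row: Dict[str, str]) -> Optional[str]:
    """Return a severity for a request to ToolPane.aspx, or None if uninteresting.

    Thresholds are this example's own assumptions:
      high   - an anonymous client (cs-username "-") was served a 200;
      medium - an anonymous POST that was rejected (e.g. 401), i.e. an attempt;
      None   - authenticated traffic (normal web-part editing) and the routine
               anonymous 401 challenge that precedes Windows authentication.
    """
    if not TOOLPANE_RE.search(row.get("cs-uri-stem", "")):
        return None
    anonymous = row.get("cs-username", "-") == "-"
    status = row.get("sc-status", "")
    method = row.get("cs-method", "").upper()
    if anonymous and status == "200":
        return "high"
    if anonymous and method == "POST":
        return "medium"
    return None


def scan_iis_log(text: str) -> List[Dict[str, str]]:
    """Scan log text and return one finding per suspicious ToolPane.aspx request."""
    findings: List[Dict[str, str]] = []
    for row in parse_iis_w3c(text):
        severity = classify_toolpane_request(row)
        if severity is None:
            continue
        findings.append({
            "severity": severity,
            "time": f"{row.get('date', '-')} {row.get('time', '-')}",
            "client": row.get("c-ip", "-"),
            "method": row.get("cs-method", "-"),
            "path": row.get("cs-uri-stem", "-"),
            "status": row.get("sc-status", "-"),
            "user_agent": row.get("cs(User-Agent)", "-"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"[{f['severity'].upper()}] {f['time']} {f['client']} {f['method']} "
              f"{f['path']} -> {f['status']} ({f['user_agent']})")
```

To run this against a real server, feed it the files under the site's log directory (by default %SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteId>\) and remember that IIS writes timestamps in UTC. A "high" hit does not prove compromise on its own, but an anonymous 200 from ToolPane.aspx warrants pulling the IIS worker process's child-process history and checking for freshly written .aspx files before assuming otherwise.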