PoC Released for Critical SharePoint RCE Vulnerability CVE-2025-53770
Proof-of-concept (PoC) exploit code and detailed technical analysis have been publicly released for CVE-2025-53770, a critical remote code execution (RCE) vulnerability affecting on-premises Microsoft SharePoint Server deployments.
The publication of working exploit techniques significantly increases the risk of widespread exploitation, especially against organizations that have not yet applied Microsoft's security updates.
Overview
CVE-2025-53770 is a deserialization vulnerability that allows attackers to execute arbitrary code on vulnerable SharePoint servers by supplying specially crafted data to affected components.
The vulnerability impacts:
- Microsoft SharePoint Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Subscription Edition
Microsoft confirmed that SharePoint Online (Microsoft 365) is not affected.
Technical Background
Following the initial disclosure, Microsoft released emergency patches and later introduced additional protections through a new TypeNameParserImpl component designed to improve validation of DataSet type parsing.
However, researchers from Viettel Cyber Security demonstrated a method to bypass these protections by abusing XML schema processing within SharePoint's PerformancePoint Services.
The attack targets the following endpoint:
/_vti_bin/PPS/PPSAuthoringService.asmx
Specifically, the vulnerable TestConnection method used for validating data source connections.
How the Exploit Works
When SharePoint processes a data source configured with:
SourceName="ExcelWorkbook"
the application deserializes the supplied CustomData field into an ExcelDataSet object using .NET's XmlSerializer.
Researchers discovered that SharePoint's validation mechanism only inspects the primary XML schema and fails to properly analyze externally imported schemas.
Schema Import Bypass
Attackers can include:
<xs:import>
<xs:include>
directives within the XML schema.
These directives force SharePoint to retrieve additional schema definitions from an attacker-controlled server.
Because the imported schema is not validated, malicious type definitions bypass SharePoint's security controls.
Deserialization Gadget Chain
The malicious schema defines a dangerous object chain involving:
System.Web.UI.LosFormatterSystem.Windows.Data.ObjectDataProvider
These classes are well-known .NET deserialization gadgets frequently used in remote code execution attacks.
A crafted XML DiffGram payload then triggers:
LosFormatter.Deserialize()
which processes attacker-controlled serialized data and ultimately executes arbitrary code on the server.
Execution Flow
The exploit path flows through several SharePoint components:
BinarySerialization.Deserialize()
↓
ExcelDataSet.get_DataTable()
↓
ExcelDataSourceProvider.SetDataSource()
↓
DataSourceRegistry.GetDataSource()
↓
ServerHelper.TestDataSourceConnection()
Once the payload is processed, arbitrary commands execute with the privileges of the SharePoint application.
Proof of Concept Demonstration
Researchers demonstrated successful exploitation using only a low-privileged SharePoint user account.
The attack process involves:
- Creating a SharePoint list item
- Hosting a malicious XSD schema on an attacker-controlled server
- Sending a crafted SOAP request to:
PPSAuthoringService.asmx
- Referencing the malicious external schema
- Triggering deserialization through the TestConnection method
Successful exploitation resulted in the execution of:
win32calc.exe
on the SharePoint server, confirming reliable remote code execution.
Active Exploitation Observed
Multiple security vendors have already reported active exploitation attempts linked to ToolShell attack campaigns targeting exposed SharePoint environments.
The release of public PoC code, detailed gadget chains, and schema bypass techniques is expected to accelerate exploitation efforts and increase the likelihood of copycat attacks.
Mitigation
Organizations running on-premises SharePoint should take immediate action:
Apply Security Updates
Install Microsoft's latest security patches addressing:
CVE-2025-53770
Enable AMSI Protection
Ensure Microsoft Antimalware Scan Interface (AMSI) integration is enabled for SharePoint environments.
Rotate ASP.NET Machine Keys
Rotate:
ASP.NET MachineKey
values to invalidate potentially compromised cryptographic material.
Threat Hunting
Review logs and investigate for:
- Suspicious PerformancePoint activity
- Unusual SOAP requests
- Unexpected schema imports
- ViewState abuse attempts
- Unknown web shells
- Unauthorized process execution
Restrict Internet Exposure
Limit direct access to SharePoint servers whenever possible and place systems behind VPNs, reverse proxies, or additional authentication controls.
Conclusion
The release of public exploit code for CVE-2025-53770 dramatically increases the threat to organizations operating on-premises SharePoint environments. The vulnerability enables remote code execution through a sophisticated XML schema import bypass and deserialization attack chain, and active exploitation has already been observed in the wild.
Organizations should prioritize patching immediately and conduct threat hunting to identify signs of compromise.