Security research toolkit for testing SharePoint ToolPane vulnerabilities
Overview • Features • Getting started • Usage • Project structure
This repository contains proof-of-concept exploits and analysis tools for the SharePoint ToolPane vulnerability (CVE-2025-53770). The project demonstrates exploitation techniques including authentication bypass and unsafe deserialization vulnerabilities affecting Microsoft SharePoint Server.
Warning
For authorized security testing only. This project is intended for educational purposes, penetration testing, and security research on systems you own or have explicit permission to test.
CVE-2025-53770 is a critical vulnerability in Microsoft SharePoint Server that allows unauthenticated remote code execution through a combination of authentication bypass and unsafe deserialization. This vulnerability affects SharePoint Server 2019 and is particularly dangerous as it requires no authentication.
The vulnerability chain includes:
- CVE-2025-49706 - Authentication bypass affecting ToolPane.aspx
- CVE-2025-53771 - Patch bypass for CVE-2025-49706
- CVE-2025-49704 - Unsafe deserialization vulnerability
- CVE-2025-53770 - Patch bypass targeting different endpoints
Features
- Multiple exploitation methods - Python and cURL implementations
- Target scanning - Automated vulnerable version detection
- Payload analysis - Tools to decode and analyze exploit payloads
- Comprehensive documentation - Detailed vulnerability analysis and exploitation guidance
- Real-world testing - Proven against multiple SharePoint versions
Getting started
- Python 3.x with requests and urllib3 libraries
- Network access to target SharePoint servers
- Authorization to test target systems
Usage
Use the scanner to identify potentially vulnerable SharePoint installations:
```bash
python3 scanner/scanner.py <target_ip_or_hostname>
```
Execute the main Python exploit against a target:
```bash
python3 exploit/exploit.py <target_ip_or_hostname>
```
Example output:
```
[+] Targeting: http://192.168.1.100
[+] Sending exploit payload...
[+] Response Status: 200
[+] Response Length: 1234 bytes
```
Test using the provided cURL commands:
```bash
# Review the cURL file for specific commands
cat metasploit_ref/cURL
```
Use the analysis tool to decode and examine exploit responses:
```bash
python3 analysis/analyse.py
```
This tool extracts and decodes base64-encoded payloads from captured traffic.
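For responders reviewing captured requests, the sketch below shows the kind of triage that payload decoding involves: it finds base64 runs, decodes them, unwraps gzip with a size cap, and labels blobs that start with the .NET BinaryFormatter stream header. It is an added example, not the repository's analyse.py; the function names, the 40-character threshold and the sample capture are assumptions constructed here.

```python
import base64, binascii, gzip, io, re, zlib
from urllib.parse import quote, unquote

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # 40 is an assumed noise threshold
BINFMT_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"  # .NET BinaryFormatter stream header
GZIP_MAGIC = b"\x1f\x8b"
MAX_INFLATE = 1 << 20  # cap decompressed bytes so a zip bomb cannot exhaust memory


def classify(data: bytes, depth: int = 0) -> str:
    """Label a decoded blob, unwrapping at most two gzip layers."""
    if data.startswith(BINFMT_MAGIC):
        return "dotnet-binaryformatter"
    if data.startswith(GZIP_MAGIC) and depth < 2:
        try:
            inner = gzip.GzipFile(fileobj=io.BytesIO(data)).read(MAX_INFLATE)
        except (OSError, EOFError, zlib.error):
            return "gzip-corrupt"
        return "gzip>" + classify(inner, depth + 1)
    if data.lstrip().startswith(b"<"):
        return "xml-or-html"
    return "unknown"


def triage(captured: str) -> list:
    """Return (offset, decoded_length, label) for each base64 run in captured text."""
    text = unquote(captured)  # form bodies carry '+', '/', '=' percent-encoded
    findings = []
    for m in B64_RUN.finditer(text):
        run = m.group().rstrip("=")
        try:
            blob = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except binascii.Error:
            continue  # not decodable, e.g. a long path or identifier
        findings.append((m.start(), len(blob), classify(blob)))
    return findings


def build_sample() -> str:
    """Constructed capture: an inert header-only blob, gzipped, in a form field."""
    inert = BINFMT_MAGIC + b"\x01\x00\x00\x00\x00\x00\x00\x00" + b"constructed inert sample, no object graph"
    wrapped = base64.b64encode(gzip.compress(inert)).decode()
    markup = base64.b64encode(b"<root>constructed sample markup only</root>").decode()
    return "a=" + quote(wrapped, safe="") + "&b=" + quote(markup, safe="")


if __name__ == "__main__":
    for offset, size, label in triage(build_sample()):
        print(f"offset={offset} bytes={size} label={label}")
```

A serialized .NET stream arriving in a request field from an unauthenticated client is worth escalating for review; the label alone does not prove exploitation.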
├── analysis/
│ └── analyse.py # Payload analysis and decoding tools
├── exploit/
│ └── exploit.py # Main Python RCE exploit
├── metasploit_ref/
│ ├── cURL # cURL command examples
│ ├── sharepoint_toolpane_rce.md # Detailed vulnerability documentation
│ └── sharepoint_toolpane_rce.rb # Ruby reference implementation
├── out/ # Analysis output directory
├── scanner/
│ └── scanner.py # Vulnerability scanner
└── README.md # This file
The following SharePoint Server versions are confirmed vulnerable:
- SharePoint Server 2019 16.0.10337.12109 (RTM version)
- SharePoint Server 2019 16.0.10417.20018 (June 2025 patch level)
- SharePoint Server 2019 16.0.10417.20027 (July 2025 patch level)*
*The July 2025 patch level may still be exploitable unless administrators have manually performed configuration updates.
Caution
This project is provided for educational and authorized security testing purposes only.
- Only test systems you own or have explicit written permission to test
- Unauthorized testing of systems may violate local, state, and federal laws
- Users are solely responsible for ensuring compliance with applicable laws
- The authors assume no liability for misuse of this software
