Security researchers have disclosed a proof-of-concept (PoC) exploit and detailed technical information for CVE-2025-53770, a critical remote code execution (RCE) vulnerability affecting on-premises Microsoft SharePoint Server. This development significantly increases the risk of widespread exploitation against unpatched SharePoint environments.
CVE-2025-53770 arises from improper deserialization of untrusted data within SharePoint’s data processing mechanisms. This flaw enables unauthenticated attackers to execute arbitrary code remotely over the network. The vulnerability impacts on-premises versions of SharePoint Server 2016, 2019, and the Subscription Edition. Notably, SharePoint Online, part of Microsoft 365, remains unaffected.
Following the initial release of emergency patches, Microsoft introduced a secondary fix that incorporated a new component, TypeNameParserImpl. This update aimed to modify the parsing of type names for DataSet objects, specifically addressing issues related to generic type handling.
Details of the PoC Exploit
Recent research by Viettel Cyber Security has demonstrated that attackers can still achieve remote code execution by exploiting the XML schema processing within the ExcelDataSet control used by PerformancePoint BI services. The attack targets the BIMonitoringAuthoringService web service, particularly the TestConnection method at the endpoint /_vti_bin/PPS/PPSAuthoringService.asmx, which validates data source connections.
In this exploit, a DataSource object with SourceName set to “ExcelWorkbook” is passed to the API. SharePoint then uses an XmlSerializer to deserialize the dataSource.CustomData field into an ExcelDataSet instance and accesses its DataTable. The researchers found that by manipulating XML schema imports, attackers can bypass the XmlValidator, allowing unsafe types to pass validation. This is achieved by embedding
The PoC exploit leverages this bypass to define an msdata:DataType that points to a complex generic type chain ending with System.Web.UI.LosFormatter and System.Windows.Data.ObjectDataProvider. These are known deserialization gadgets capable of executing arbitrary code when provided with controlled payloads. By crafting a corresponding XmlDiffGram payload that populates a row containing the malicious com:pwn element, the exploit instantiates an ExpandedWrapper object. This object then calls LosFormatter.Deserialize on attacker-supplied data, ultimately triggering remote code execution.
During execution, the call stack traverses through BinarySerialization.Deserialize() and associated helper routines that reconstruct objects from a compressed base64 string. It then reaches ExcelDataSet.get_DataTable(), ExcelDataSourceProvider.SetDataSource(), DataSourceRegistry.GetDataSource(), and ServerHelper.TestDataSourceConnection() within SharePoint’s PerformancePoint stack.
Given the release of this PoC and the detailed technical insights, organizations utilizing on-premises SharePoint Server versions 2016, 2019, or the Subscription Edition should prioritize applying the latest security patches provided by Microsoft. Additionally, it is crucial to review and implement recommended security configurations to mitigate potential exploitation risks. Regular monitoring of SharePoint environments for unusual activities and conducting thorough security assessments can further enhance protection against such vulnerabilities.
The disclosure of this PoC underscores the persistent challenges in securing complex enterprise applications like SharePoint. It highlights the importance of proactive vulnerability management, timely patching, and continuous security monitoring to safeguard organizational assets against evolving threats.