New Scanner Released to Detect SharePoint Servers Vulnerable to 0-Day Attack

A critical zero-day vulnerability, identified as CVE-2025-53770, has been actively exploited in Microsoft SharePoint servers, prompting the release of an open-source scanning tool designed to detect susceptible systems. This tool enables organizations to swiftly assess their SharePoint infrastructure for potential exposure to this unauthenticated Remote Code Execution (RCE) flaw.

Understanding CVE-2025-53770

CVE-2025-53770 is a severe security vulnerability affecting on-premises versions of Microsoft SharePoint Server, including SharePoint Server 2016, 2019, and Subscription Edition. The flaw arises from the deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code remotely without user interaction. This vulnerability does not impact SharePoint Online as part of Microsoft 365.

The exploitation of this vulnerability has been observed since at least July 18, 2025. Attackers have been leveraging it to deploy web shells and extract cryptographic secrets from compromised SharePoint servers. These secrets enable attackers to impersonate users or services, granting them full control over the affected systems. Notably, even after applying patches, the stolen keys could allow attackers to maintain access, underscoring the necessity for comprehensive remediation steps beyond patching alone.

Development of the Detection Tool

In response to the active exploitation of CVE-2025-53770, security researcher Niels Hofmans developed an open-source scanner to assist organizations in identifying vulnerable SharePoint servers. The tool was created through reverse-engineering techniques applied to malicious payloads observed in active attacks, providing system administrators with a straightforward method to detect unpatched installations.

The scanner operates by injecting harmless test markers into SharePoint’s ToolBox widget to confirm exploitability without causing system damage. It targets SharePoint servers lacking critical security updates KB5002768 and KB5002754, which address this severe vulnerability. The command-line tool allows for bulk scanning of multiple SharePoint instances simultaneously, offering clear output indicating vulnerability status and version details.

Technical Details of the Vulnerability

The CVE-2025-53770 vulnerability exploits SharePoint’s ToolPane.aspx endpoint through carefully crafted HTTP POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx. The attack mechanism utilizes two critical form parameters: MSOTlPn_Uri for control source path validation and MSOTlPn_DWP for web part configuration injection.

The malicious payload structure incorporates ASP.NET directives, including `<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards"` and server-side markup. The exploit delivers GZIP-compressed, base64-encoded serialized data through the CompressedDataTable parameter, triggering deserialization-based remote code execution.

The scanner’s proof-of-concept payload contains a harmless XML structure with the marker “This is a harmless CVE-2025-53770 PoC marker” to demonstrate exploitability without system compromise.

Mitigation and Remediation Steps

Organizations are urged to take immediate action to mitigate the risks associated with CVE-2025-53770. Microsoft has released security patches for SharePoint Subscription Edition and SharePoint 2019; however, patches for SharePoint 2016 are still pending. In the interim, Microsoft recommends configuring the Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender Antivirus on all SharePoint servers. AMSI integration allows SharePoint Server to work with AMSI-compatible antimalware solutions to scan all web requests sent to SharePoint Server, blocking potentially malicious requests before they are processed.

For organizations unable to implement AMSI integration, it is advised to remove internet access from the SharePoint server until patches are available. Additionally, deploying Defender for Endpoint can help detect and block post-exploit activity.

Given the nature of the attacks, it is crucial to check servers’ logs for indicators of compromise. If evidence of compromise is found, affected servers should be isolated or shut down, and all credentials and system secrets that could have been exposed should be renewed. This includes rotating ASP.NET machine keys, as attackers may have obtained access keys that could allow them to return even after the systems are patched.
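As an added illustration of the log review step above (not code from the article or from the scanner it describes), the following Python flags IIS W3C log rows that match the request pattern the article associates with CVE-2025-53770: a POST to /_layouts/15/ToolPane.aspx carrying DisplayMode=Edit and a=/ToolPane.aspx. It assumes the standard IIS `#Fields:` header is present; the log lines are constructed sample data.

```python
"""Flag IIS W3C log rows matching the CVE-2025-53770 ToolPane.aspx request pattern."""
from dataclasses import dataclass
from urllib.parse import parse_qs

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"  # compared case-insensitively

# Constructed sample log (not real traffic): one exploit-pattern POST, one ordinary
# GET, and one authenticated edit POST that lacks the a=/ToolPane.aspx parameter.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 02:11:43 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-19 02:11:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-19 02:12:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\alice 10.0.0.20 Mozilla/5.0 200
"""

@dataclass
class Hit:
    when: str
    client_ip: str
    username: str
    status: str
    query: str

def parse_w3c(lines):
    """Yield one dict per data row, using the most recent '#Fields:' header for column names."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed rows instead of misaligning columns
        yield dict(zip(fields, values))

def is_toolpane_exploit_request(row):
    """True for a POST to ToolPane.aspx whose query carries DisplayMode=Edit and a=/ToolPane.aspx."""
    if row.get("cs-method", "").upper() != "POST":
        return False
    if row.get("cs-uri-stem", "").lower() != TOOLPANE_PATH:
        return False
    query = {k.lower(): [v.lower() for v in vs]
             for k, vs in parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True).items()}
    return "edit" in query.get("displaymode", []) and "/toolpane.aspx" in query.get("a", [])

def find_hits(lines):
    """Return Hit records for every row matching the exploit request pattern."""
    return [Hit(f'{r.get("date", "-")} {r.get("time", "-")}', r.get("c-ip", "-"),
                r.get("cs-username", "-"), r.get("sc-status", "-"), r.get("cs-uri-query", "-"))
            for r in parse_w3c(lines) if is_toolpane_exploit_request(r)]
```

A match only shows that the request pattern reached the server; pair it with checks for newly written files under the SharePoint layouts directories and with the key-rotation step described above.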

Conclusion

The release of the open-source scanner for CVE-2025-53770 provides organizations with a valuable tool to detect vulnerable SharePoint servers and take necessary remediation steps. Given the active exploitation of this critical vulnerability, it is imperative for organizations to promptly assess their systems, apply available patches, and implement recommended mitigations to protect their infrastructure from potential attacks.