Critical SharePoint RCE Vulnerability CVE-2023-29357 Gets PoC Exploit Code
Key Takeaways A proof-of-concept (PoC) exploit has been released for CVE-2025-53770, a critical Remote Code Execution (RCE) vulnerability in Microsoft SharePoint Server. The vulnerability affects...
Key Takeaways
- A proof-of-concept (PoC) exploit has been released for CVE-2025-53770, a critical Remote Code Execution (RCE) vulnerability in Microsoft SharePoint Server.
- The vulnerability affects on-premises SharePoint Server 2016, 2019, and Subscription Edition. Microsoft 365 SharePoint Online is not impacted.
- This flaw is a deserialization-of-untrusted-data issue, allowing unauthenticated attackers to execute arbitrary code across the network.
- The PoC demonstrates how to bypass existing patches, significantly increasing the risk of widespread exploitation.
- Immediate patching and additional mitigation steps are crucial for affected organizations.
Critical SharePoint RCE Vulnerability Receives PoC Exploit
Exploit code and comprehensive technical analysis have been publicly released for CVE-2025-53770, a severe remote code execution (RCE) vulnerability impacting on-premises installations of Microsoft SharePoint Server. This disclosure heightens the threat of rapid weaponization and large-scale attacks targeting unpatched SharePoint environments globally.
Table Of Content
CVE-2025-53770 stems from a deserialization flaw in how SharePoint handles untrusted data. Specifically, it involves the processing of specially crafted data sources, which can be manipulated by an unauthenticated attacker to execute arbitrary code across the network. The vulnerability affects SharePoint Server 2016, 2019, and Subscription Edition. Importantly, Microsoft 365 SharePoint Online remains unaffected by this particular issue.
Following initial emergency updates, Microsoft shipped a second fix. This update introduced a new TypeNameParserImpl component, designed to modify how type names are parsed for DataSet objects, specifically addressing problems related to generic type handling.
Deep Dive into the SharePoint RCE PoC
New research published by Viettel Cyber Security details how attackers can still achieve RCE by exploiting XML schema processing within the ExcelDataSet control, a component used by SharePoint’s PerformancePoint BI services.
The attack vector targets the BIMonitoringAuthoringService web service, accessible via the /_vti_bin/PPS/PPSAuthoringService.asmx endpoint. This service exposes a TestConnection method, intended for validating data source connections. When a DataSource object with the SourceName set to “ExcelWorkbook” is passed to this API, SharePoint uses an XmlSerializer to deserialize the dataSource.CustomData field into an ExcelDataSet instance, subsequently accessing the ExcelDataSet.DataTable.
Viettel Cyber Security found that the flaw allows for a bypass of the XmlValidator. This is achieved by manipulating how XML schema imports are handled, permitting unsafe types to pass through validation mechanisms. Microsoft’s DataSetSurrogateSelector typically restricts input to “XmlSchema” and “XmlDiffGram” and employs XmlValidator to ensure only permitted types are used. However, the XmlValidator only examines the primary XmlSchema string.
Attackers can circumvent this by embedding <xs:import> and <xs:include> elements within the XML schema. These elements can reference an external XSD file hosted on an attacker-controlled HTTP server. This forces the .NET XmlSchema preprocessor to fetch additional schema definitions from the malicious server. Critically, the XmlValidator does not inspect this imported schema, meaning any malicious type definitions contained within the external XSD are not blocked.
The PoC leverages this blind spot to define an msdata:DataType that points to a complex chain of generic types. This chain ultimately culminates in known deserialization gadgets such as System.Web.UI.LosFormatter and System.Windows.Data.ObjectDataProvider, which are capable of executing arbitrary code when supplied with controlled payloads. With the schema bypass in place, the attacker then crafts a corresponding XmlDiffGram payload that populates a row containing a malicious custom element, such as com:pwn.
During execution, this diffgram instantiates an ExpandedWrapper object, which subsequently calls LosFormatter.Deserialize on attacker-supplied data. This triggers the RCE. The runtime call stack traverses through BinarySerialization.Deserialize() and helper routines that reconstruct objects from a compressed base64 string, eventually reaching ExcelDataSet.get_DataTable(), ExcelDataSourceProvider.SetDataSource(), DataSourceRegistry.GetDataSource(), and ServerHelper.TestDataSourceConnection() within SharePoint’s PerformancePoint stack.
The PoC successfully demonstrates full exploitability using a low-privileged site member account. The attack sequence involves the attacker first creating a SharePoint list and an item. Next, they initiate an HTTP server to host the external schema file (e.g., common.xsd), ensuring it is accessible to the SharePoint server. A SOAP request is then constructed to PPSAuthoringService.asmx, invoking TestConnection with SourceName="ExcelWorkbook" and embedding the malicious ExcelDataSet XML and diffgram within the CustomData field. The Location ItemUrl is set to point to the list item using a URL pattern that includes an ID and an artificial suffix, like /sites/zdi/Lists/test/1_.123, to satisfy the service’s regular expression checks. When this request is processed, the exploit chain completes, leading to the spawning of a process like win32calc.exe on the SharePoint server, confirming reliable remote code execution.
Security vendors have already reported active exploitation of CVE-2025-53770 in the wild, describing extensive ToolShell attack campaigns targeting SharePoint. The public availability of such detailed gadget chains and schema-import techniques is highly likely to accelerate further copycat attacks.
What You Should Do
- Immediately apply Microsoft’s latest patches for CVE-2025-53770 to all affected on-premises SharePoint Server installations.
- Enable Antimalware Scan Interface (AMSI) integration on your SharePoint servers to enhance detection capabilities.
- Rotate ASP.NET MachineKey values to mitigate potential session hijacking or view state tampering.
- Perform proactive threat hunting for suspicious PerformancePoint and ViewState activity on all exposed SharePoint servers.
- Monitor network traffic for unusual connections to external schema files or unexpected process creation on SharePoint servers.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.