Critical SharePoint Flaw CVE-2025-53770 Exposes Servers to RCE Attacks — New Open-Source Scanner Released

A Wake-Up Call for On-Premises SharePoint Users

A dangerous new vulnerability, CVE-2025-53770, is now being actively exploited by hackers to gain remote access to SharePoint servers — no credentials required. In response, a Belgian cybersecurity researcher known as hazcod has developed a powerful open-source scanner that allows system administrators to detect if their environments are vulnerable. Published on GitHub, this tool helps mitigate the risk by quickly checking for exploitability through harmless test payloads.

What’s worse is that this vulnerability builds on a previous one (CVE-2025-49706), proving that cybercriminals are actively enhancing their methods to break into unpatched systems. The exploit affects SharePoint servers that haven’t applied Microsoft’s KB5002768 and KB5002754 security updates, which makes patching and vulnerability scanning urgent.

Hazcod’s scanner offers multiple modes of operation — including SharePoint version detection and debug logging for deeper analysis. It’s being actively maintained, with new updates made just hours ago. Crucially, the tool is designed to be safe for real-world testing without harming production environments. But organizations are urged to tread carefully and understand the full scope of testing implications.

This isn’t just another bug. It’s a full-scale RCE gateway into one of the most common enterprise platforms, and threat actors are already taking advantage. The release of this open-source tool offers a fighting chance for defenders — but only if they act fast.

The Real Threat of CVE-2025-53770

Unauthenticated RCE in the Wild

CVE-2025-53770 has emerged as one of the most significant SharePoint threats in recent memory. The exploit lets attackers remotely execute code without any authentication, using weaknesses in the ToolBox widget of SharePoint. This gives them the power to run malicious scripts, access sensitive data, and take full control of vulnerable servers.

Building on Past Vulnerabilities

This is not an isolated case. CVE-2025-53770 appears to be an evolution of CVE-2025-49706, showing how cybercriminals are refining their tools. These back-to-back vulnerabilities signal a troubling trend: SharePoint’s attack surface is expanding, and adversaries are staying a step ahead of defenders.

How the Attack Works

The attack involves sending a crafted HTTP POST request to the ToolPane.aspx endpoint of SharePoint servers. These requests include compressed, base64-encoded payloads that carry harmful ASP.NET directives and server-side code. Once processed, the SharePoint instance unknowingly executes the malicious payload.

Researchers have confirmed that attackers are using this flaw to run PowerShell scripts remotely, often to install backdoors, exfiltrate data, or deploy ransomware.

GitHub Scanner Provides Urgent Help

To combat this threat, hazcod’s open-source scanner lets administrators test for exploitability in a safe, responsible manner. The tool attempts to inject a benign marker into the widget, analyzing the server’s response to determine if it’s vulnerable. No actual harm is done, making it ideal for testing in production environments.

The scanner supports:

Basic vulnerability scanning

SharePoint version detection

Debug logging for environment insights

The tool is actively maintained, with ongoing updates that refine detection accuracy and fix compatibility issues.

Security Depends on Patching

Microsoft has issued critical patches (KB5002768 and KB5002754), but many organizations using on-premises SharePoint installations may have delayed applying them. These are the exact targets threat actors are exploiting today.

It’s not enough to assume your system is safe. If those patches aren’t applied, your SharePoint server is at serious risk.

A Tool Born from Real Attacks

The scanner was built by reverse-engineering payloads captured during actual attacks. This real-world foundation makes it particularly effective — it’s tailored to catch what attackers are already using, not just theoretical issues.

However, there’s a disclaimer: running the tool still requires an understanding of its potential impact. Misuse or incorrect implementation in sensitive environments could cause unintended behavior. Always use it responsibly.

What Undercode Say:

The Evolution of SharePoint as an Attack Vector

SharePoint has transformed from a basic document-sharing service into a full enterprise collaboration platform. But that growth has introduced significant attack surfaces, and vulnerabilities like CVE-2025-53770 prove that the platform hasn’t matured in security at the same rate.

The fact that this exploit requires no authentication means attackers can launch campaigns at scale, scanning the internet for exposed endpoints and deploying automated payloads. It’s a script kiddie’s dream and a CISO’s nightmare.

Why Open-Source Tools Matter Now More Than Ever

Hazcod’s scanner serves a crucial role in empowering defenders. Commercial vulnerability scanners often lag behind, and they rarely adapt to exploits in the early stages of active abuse. By contrast, open-source tools built by researchers who study live attacks offer faster, real-world detection.

But there’s another side: open-source tools can also fall into the wrong hands. Threat actors could use them to map vulnerable systems faster than defenders patch. That’s the double-edged sword of cybersecurity transparency.

Microsoft’s Patch Timeline and Disclosure Approach

One area of concern is Microsoft’s delay in releasing public advisories. CVE-2025-53770 is only getting serious attention now, despite evidence that it may have been used in the wild for weeks. That raises questions about how quickly vendors should respond — especially when zero-day exploits are involved.

Microsoft must improve early warning mechanisms and simplify patch deployment for on-prem environments, which often lag behind cloud-based services due to internal compliance or technical limitations.

Threat Intelligence-Driven Security Testing

Hazcod’s reverse-engineering of actual attack payloads gives this scanner a unique edge. It reflects a shift toward threat intelligence-based security tooling — tools that are reactive to what’s happening now, not just theoretical threats.

Organizations should move in that direction too. Regular pen testing, red teaming, and real-time vulnerability detection will become standard, not optional, in modern enterprise security.

Long-Term Recommendations

1. Patch immediately — Apply KB5002768 and KB5002754.
2. Run hazcod’s scanner — Confirm whether your environment is exploitable.
3. Implement strict perimeter monitoring — Watch for unexpected POST requests or base64-encoded payloads.
4. Upgrade where possible — Consider moving to cloud-hosted SharePoint to benefit from faster updates and fewer RCE vectors.
5. Adopt DevSecOps — Integrate vulnerability scanning directly into your CI/CD pipelines to catch flaws before deployment.
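
One way to act on the perimeter-monitoring recommendation above, and on the POST requests to ToolPane.aspx described under "How the Attack Works", is to search IIS logs for them. The Python below is an added example, not part of hazcod's scanner or the original report; the sample log is constructed, and the `/_layouts/15/` path prefix, user names and addresses in it are assumptions.

```python
"""Flag POST requests to ToolPane.aspx in IIS W3C extended logs (added example)."""
from collections import Counter
from urllib.parse import unquote

# Constructed sample log, not from a real server. Paths, users and
# addresses (RFC 5737 documentation ranges) are illustrative assumptions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-07-20 09:14:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0 200 31
2025-07-20 09:15:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 curl/8.4.0 200 412
2025-07-20 09:15:41 10.0.0.5 POST /_layouts/15/toolpane.ASPX - 443 - 203.0.113.9 curl/8.4.0 302 18
2025-07-20 09:16:03 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CONTOSO\\bob 10.0.0.81 Mozilla/5.0 200 40
2025-07-20 09:17:55 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0 200 57
2025-07-20 09:18:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 198.51.100.23 python-requests/2.32 401 9
"""


def parse_w3c(text):
    """Yield one dict per request, honouring the column order in #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # IIS can re-emit this mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated/corrupt rows
                yield dict(zip(fields, values))


def toolpane_posts(records):
    """Return POST requests whose path ends in ToolPane.aspx (any case)."""
    hits = []
    for rec in records:
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        if rec.get("cs-method", "").upper() == "POST" and stem.endswith("/toolpane.aspx"):
            # "-" in cs-username means IIS saw no authenticated user.
            hits.append({**rec, "anonymous": rec.get("cs-username", "-") == "-"})
    return hits


def sources(hits):
    """Count hits per client IP so repeat senders stand out."""
    return Counter(h["c-ip"] for h in hits)


if __name__ == "__main__":
    found = toolpane_posts(parse_w3c(SAMPLE_LOG))
    for h in found:
        print(h["date"], h["time"], h["c-ip"], h["sc-status"],
              "anonymous" if h["anonymous"] else h["cs-username"])
    print(dict(sources(found)))
```

A match is a lead to investigate, not proof of compromise; to use it on a server, pass the contents of the site's own IIS log files to `parse_w3c` in place of `SAMPLE_LOG`.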

🔍 Fact Checker Results:

✅ The scanner is real and hosted on GitHub by hazcod
✅ CVE-2025-53770 is a confirmed RCE flaw, as disclosed by Microsoft
❌ There is no patch-free solution — systems must be updated or risk compromise

📊 Prediction:

Expect a surge in SharePoint-targeted attacks over the next 60 days. Cybercriminals are likely to exploit lagging patch adoption among enterprise systems, especially in government and healthcare sectors where on-prem environments persist. Exploit kits may soon automate this RCE attack for use in ransomware campaigns.

References:

Reported By: cyberpress.org