SharePoint's all over are getting hacked, and the exploit is pretty crazy.
https://github.com/rapid7/metasploit-framework/pull/20409
https://github.com/MuhammadWaseem29/CVE-2025-53770
summerizer
Summary
This video discusses a critical security vulnerability in Microsoft SharePoint that led to a significant breach of the U.S. National Nuclear Security Administration (NNSA). The presenter outlines how this exploit, dubbed "Tool Shell," leverages two major bugs in SharePoint to bypass authentication and execute arbitrary code on the server. The first bug is an authentication bypass caused by improper reliance on the HTTP referer header, allowing attackers to gain editing privileges without valid credentials. The second bug involves unsafe deserialization of compressed .NET objects within a SharePoint scorecard component, enabling attackers to run malicious code remotely. The presenter provides a detailed walkthrough of setting up a vulnerable SharePoint environment on Windows Server, the frustrations of managing Windows servers, and demonstrates the exploit using the Metasploit framework and Kali Linux. The video concludes with a warning for SharePoint administrators to apply patches promptly, emphasizing the severe implications of this vulnerability, especially considering SharePoint’s widespread use in government and enterprise environments.
Highlights
- 🐞 A critical SharePoint vulnerability led to the hacking of the NNSA, a key U.S. nuclear security agency.
- 🔐 Authentication bypass was achieved using manipulation of the HTTP referer header, allowing unauthorized page editing.
- 🧩 Unsafe deserialization of compressed .NET serialized data enabled remote code execution through SharePoint scorecards.
- 🖥️ Setting up a SharePoint test environment is complex and frustrating, involving specific Windows Server versions and configurations.
- 💻 The exploit was demonstrated using Metasploit and Kali Linux, showing full remote control over the target server.
- ⚠️ Microsoft has released patches, but administrators must urgently apply them to prevent exploitation.
- 🔄 This vulnerability highlights the dangers of broken trust boundaries and unsafe data deserialization in widely used web applications.
Key Insights
-
🕵️ Authentication Bypass via Referer Header: The exploit abuses the HTTP referer header to trick SharePoint into believing the user was authenticated, bypassing standard login mechanisms. This reveals a fundamental flaw in how SharePoint validates user sessions, showing the pitfalls of relying on client-supplied headers for security-critical decisions. This is a textbook example of broken authentication controls that can have catastrophic consequences.
-
💥 Deserialization Vulnerabilities in .NET Environments: The unsafe deserialization of the compressed data tables within SharePoint scorecards is a classic security issue where serialized objects contain executable code. Attackers can manipulate these serialized blobs to execute arbitrary .NET bytecode on the server. This vulnerability underscores the risks inherent in handling serialized data without stringent validation or sandboxing.
-
🏢 SharePoint’s Ubiquity Makes Exploits Particularly Dangerous: SharePoint is widely used, especially in government and large organizations. A vulnerability like this not only affects individual entities but also poses systemic risk to critical infrastructure. The NNSA hack illustrates how security weaknesses in common platforms can become national security threats.
-
🛠️ Complexity and Fragility of Windows Server Environments: The presenter’s struggles with installing and configuring SharePoint on Windows Server 2019 reveal the operational challenges administrators face. Requirements like needing multiple CPU cores or specific server versions can cause silent failures, which complicate patching and defense efforts. This suggests that operational complexity contributes to security risks.
-
🔄 Metasploit’s Role in Streamlining Exploitation: Metasploit abstracts the complex steps of coupling exploits with payloads, making it easier for attackers to leverage vulnerabilities effectively. The presenter demonstrates how an exploit module can be combined with a reverse TCP shell payload to gain full control of the target. This highlights the importance of defenders understanding attacker toolchains to better anticipate threats.
-
🧪 Trust Boundaries are Critical in Software Security: The vulnerability arises because SharePoint incorrectly assumes that authenticated users’ data can be trusted implicitly. Once the authentication barrier was bypassed, the deserialization of malicious objects led to remote code execution. This emphasizes the need for strict boundaries and validation even for “trusted” data sources.
-
🔒 Patching and Defense Must be Proactive: Microsoft is aware of this issue and has released patches, but the window for exploitation remains open until patches are applied. The video serves as a stark reminder that administrators must prioritize timely updates, especially for widely deployed platforms handling sensitive data.
Summary Expansion
The presenter opens by expressing frustration over managing Windows servers, setting the tone for the difficulty in replicating and demonstrating the vulnerability. The bug, called "Tool Shell," is a SharePoint exploit currently under mass exploitation, notably involving a simple curl command that chains two vulnerabilities together.
SharePoint, a widely used Microsoft platform for collaborative document management and organizational workflows, is common in many government agencies, including the NNSA. Due to its complexity and integration with Windows environments, it presents a large attack surface. The first vulnerability involves an authentication bypass where SharePoint trusts the HTTP referer header to determine if a user has already authenticated. By spoofing this header to simulate coming from a sign-in page, attackers gain unauthorized access to page editing features.
The second vulnerability revolves around the unsafe handling of serialized .NET objects embedded in SharePoint scorecard components. These scorecards accept Excel-style data which is serialized into a compressed Base64-encoded blob. Because this deserialization occurs without proper validation or authentication checks—exacerbated by the authentication bypass—attackers can inject malicious .NET bytecode that executes arbitrary commands on the server.
The presenter compares this to Python’s insecure pickle module, which similarly allows arbitrary code execution if untrusted data is deserialized. The analogy helps viewers understand the core risk: deserialization of untrusted data leads to code execution.
To demonstrate the exploit, the presenter details the challenges of setting up a vulnerable SharePoint server, including issues with Windows Server versions and hardware requirements, highlighting the operational complexity often overlooked in security discussions.
Using Kali Linux and Metasploit, the presenter runs the exploit module that exploits the authentication bypass and deserialization bug, sets a reverse TCP shell payload, and gains remote control over the SharePoint server. This is demonstrated live by migrating the session to an active Windows process and executing a calculator application remotely, showcasing full command execution capability.
The video closes with a call to action for administrators to patch immediately, recognizing the severity of the vulnerability due to its ease of exploitation and the critical nature of affected organizations. The presenter also briefly reflects on whether languages like Rust could have prevented the vulnerability, concluding that while memory safety is important, this issue is fundamentally about trust boundaries and unsafe deserialization, which are not fully mitigated by language choice alone.
Conclusion
This video provides a thorough and technical explanation of a dangerous SharePoint vulnerability that combines an authentication bypass with unsafe deserialization to enable remote code execution. It underscores the importance of secure session management, proper handling of serialized data, and proactive patching practices. The demonstration using real tools like Metasploit and Kali illustrates how attackers can exploit such vulnerabilities to gain full control over critical systems. In a broader context, it highlights systemic issues in legacy enterprise software, operational complexity, and the ongoing challenges of securing widely deployed platforms in sensitive environments.
Dave's Garage also covers this well: https://www.youtube.com/watch?v=L7EWXnPslA8
summerizer
Summary
The video, presented by Dave Plameumber, a former Microsoft software engineer, delves into a critical cybersecurity threat impacting Microsoft SharePoint on-premises servers globally. The vulnerability, identified as CVE-202553770 with a CVSS score of 9.8 out of 10, allows unauthenticated attackers to execute remote code on unpatched SharePoint servers, jeopardizing business data, intellectual property, and sensitive information. Dave explains the fundamental role of SharePoint in enterprise collaboration and the difference between SharePoint Online, which is managed and patched by Microsoft, and on-premises SharePoint servers, which remain vulnerable and widely used in regulated industries or legacy environments.
He breaks down the technical details of the exploit, which hinges on a deserialization flaw in SharePoint’s tool pane component, combined with an authentication bypass vulnerability. Attackers use crafted HTTP requests to deserialise malicious payloads, gaining full control over the affected servers. The video highlights real-world exploitation by threat groups like Storm 2603, who have been deploying ransomware and stealing confidential data since July 2025. Dave stresses the global scale of the threat, affecting government agencies, enterprises, and critical infrastructure, with the potential for severe economic and operational disruptions.
To mitigate the risk, Dave provides a detailed defense strategy, emphasizing immediate patching with Microsoft’s emergency updates, network segmentation, firewall restrictions, rotating cryptographic keys, enabling anti-malware interfaces, and monitoring for suspicious activity. For unsupported SharePoint versions, he recommends zero-trust network principles and accelerating migration to SharePoint Online. Backup best practices are also underscored to safeguard against ransomware. The video concludes with a call to action for viewers to subscribe for more cybersecurity insights and mentions Dave’s personal book on the autism spectrum.
Highlights
- 🚨 CVE-202553770 is a critical SharePoint on-premises vulnerability with a CVSS score of 9.8, enabling remote code execution by attackers.
- 🏢 SharePoint is a core collaboration platform in many organizations, but only on-premises servers are vulnerable, not SharePoint Online.
- 🌍 Over 20% of on-prem SharePoint servers are internet-facing, making them prime ransomware and data breach targets globally.
- 🔑 The exploit involves deserialization of untrusted data combined with an authentication bypass, allowing attackers to run arbitrary code.
- 🛡️ Microsoft released emergency patches on July 21st, 2025, but unsupported versions like SharePoint 2013 remain exposed with no fixes.
- 🔍 Defensive measures include patching, rotating ASP.NET machine keys, enabling anti-malware scanning, restricting network access, and monitoring for anomalies.
- 💡 Migrating to SharePoint Online and maintaining tested backups are key long-term strategies to mitigate future risks.
Key Insights
-
🔥 Severity and Urgency of the Vulnerability: With a CVSS score of 9.8, this vulnerability demands immediate action. The high score reflects both ease of exploitation and the devastating impact of full server compromise, indicating organizations must prioritize patching above almost all other tasks to avoid catastrophic breaches. Ignoring it risks operational paralysis, data theft, and regulatory penalties.
-
🏢 SharePoint’s Ubiquity and Risk Exposure: SharePoint’s widespread deployment across enterprises as a collaborative backbone means the vulnerability’s impact is vast. The fact that over 20% of on-premises instances are exposed online highlights a widespread oversight in network security configurations, emphasizing a gap in basic cyber hygiene that attackers readily exploit.
-
🧩 Technical Complexity Masked by Simplicity: The exploit leverages a known deserialization flaw, a common and dangerous programming pitfall, combined with an authentication bypass. This shows how chaining smaller vulnerabilities can lead to full remote code execution, underlining the importance of holistic security practices that consider interactions between components and not just isolated bugs.
-
🎯 Real-World Exploitation by Sophisticated Threat Actors: The involvement of groups like Storm 2603 deploying ransomware and stealing cryptographic keys reveals the exploit is not just theoretical but weaponized in the wild. This highlights the persistent threat from state-sponsored or highly organized cybercriminal groups targeting critical infrastructure and enterprises, demonstrating the need for threat intelligence integration into security operations.
-
🔄 Challenges in Securing Legacy Systems: Many organizations still rely on outdated, unsupported SharePoint versions due to compliance, cost, or operational constraints. These legacy systems have no official patches, forcing defenders to rely on network segmentation, zero-trust principles, and isolation strategies. This underscores the broader issue of legacy technology increasing organizational risk and the urgent need for modernization.
-
🛡️ Comprehensive Defense Requires Multiple Layers: Effective mitigation goes beyond patching to include rotating machine keys to invalidate stolen credentials, enabling runtime malware scanning, restricting network access, and vigilant monitoring for subtle indicators of compromise. This layered approach exemplifies modern cybersecurity best practices where defense in depth is necessary to handle sophisticated threats.
-
🔮 Future of On-Premises Software and Cloud Migration: The incident illustrates the growing security risks inherent in on-premises software maintenance and the push from vendors like Microsoft for cloud migration. While cloud platforms offer managed security and automatic patching, compliance and legacy constraints slow adoption, creating a transitional risk window. This case exemplifies the strategic imperative for organizations to plan and accelerate cloud adoption to minimize exposure.
Additional Context and Recommendations
Dave’s insights provide a comprehensive picture of how a single critical vulnerability can cascade into systemic risk for organizations. His background as a former Microsoft engineer adds credibility and practical perspective, especially in demystifying the technical mechanics and real-world implications. The video serves as both an educational resource and a call to cybersecurity action, urging organizations to evaluate their SharePoint exposure immediately.
The detailed description of the deserialization attack vector and the authentication bypass vulnerability also serves as a valuable case study for developers and security professionals, reinforcing fundamental secure coding practices such as strict input validation, use of allow-lists, avoiding insecure binary formatters, and maintaining minimal service privileges.
The global impact, underscored by media coverage and government advisories, highlights how interconnected and vulnerable critical infrastructure and enterprises remain. This incident exemplifies the ongoing cyber arms race between defenders patching vulnerabilities and attackers discovering bypasses and chaining exploits.
Ultimately, Dave’s comprehensive defense recommendations—patching, key rotation, enabling anti-malware scanning, network controls, and migration—form a best practice playbook for organizations facing similar zero-day threats in complex enterprise environments. The emphasis on backups and tested restore procedures is particularly prudent given ransomware’s prevalence.
This video is a crucial reminder that cybersecurity is a continuous process requiring vigilance, rapid response, layered defenses, and strategic planning for future resilience. Organizations ignoring these lessons risk becoming the next headline in a breach story.