Security researchers have developed a new exploit module for recently discovered critical vulnerabilities affecting Microsoft SharePoint Server, highlighting ongoing concerns about the platform’s security posture and the rapid weaponization of disclosed vulnerabilities.
The Metasploit Framework, a widely-used penetration testing platform, received a draft pull request on July 23, 2025, introducing an exploit module targeting CVE-2025-53770 and CVE-2025-53771.
These vulnerabilities represent patch bypasses for two previously addressed security flaws, CVE-2025-49704 and CVE-2025-49706, demonstrating the persistent challenge of effectively securing SharePoint installations against sophisticated attack vectors.
Zero-Day Origins and In-the-Wild Discovery
The exploit module development stems from a zero-day attack discovered in active use around July 19, 2025.
The attack chain enables unauthenticated remote code execution through SharePoint’s ToolPane component, allowing attackers to gain system-level access without requiring valid credentials.
Security researcher sfewer-r7 from Rapid7 based the Metasploit module on analysis of the captured in-the-wild exploit, which was subsequently published as a single HTTP request demonstration.
The vulnerability chain specifically targets the SharePoint ToolPane functionality, exploiting authentication bypass mechanisms that allow attackers to execute arbitrary commands on the underlying Windows server.
Testing demonstrated successful exploitation against Microsoft SharePoint Server 2019 version 16.0.10417.20027, with the exploit achieving SYSTEM-level privileges on Windows Server 2022 systems.
Technical Implementation and Capabilities
The current exploit module supports command-based payloads, with successful demonstrations showing both Meterpreter reverse shell connections and generic command execution capabilities.
The module performs automatic vulnerability detection by analyzing SharePoint version information through accessible layout pages, providing penetration testers with reliable target identification.
However, implementation challenges remain. Some SharePoint installations with specific security configurations return HTTP 401 unauthorized responses during vulnerability assessment.
Security researcher Alexey-at-work-bc identified that changing the check routine from “error.aspx” to “start.aspx” resolves authentication issues in certain deployment scenarios.
Ongoing Security Concerns
The rapid development of exploit code following vulnerability disclosure highlights the critical importance of timely SharePoint patching.
Organizations running SharePoint Server 2019 face particular risk, as the vulnerability affects widely deployed enterprise collaboration platforms that often contain sensitive corporate data.
The exploit’s effectiveness against patch bypasses suggests that Microsoft’s initial security fixes may have been incomplete, allowing determined attackers to circumvent protective measures through alternative attack vectors.
This pattern emphasizes the need for comprehensive security testing and defense-in-depth approaches rather than relying solely on vendor patches.
Mitigation and Response
Organizations should immediately assess their SharePoint deployments for vulnerability exposure and apply the latest security updates from Microsoft.
Network monitoring for unusual SharePoint ToolPane requests and implementing additional authentication controls may provide interim protection while patches are deployed.
The Metasploit module remains in draft status as developers continue refining the exploit chain and expanding payload delivery options.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=Security researchers have developed a new exploit module for recently discovered critical vulnerabilities affecting Microsoft SharePoint Server){kind=link}