PoC Released for Critical SharePoint RCE Vulnerability CVE-2025-53770
Proof-of-concept exploit code is now available for CVE-2025-53770, a critical RCE vulnerability in on-premises Microsoft SharePoint Server, increasing the risk of widespread exploitation.

Proof-of-concept (PoC) exploit code and detailed technical analysis have been released for CVE-2025-53770, a critical remote code execution (RCE) vulnerability affecting on-premises versions of Microsoft SharePoint Server. This disclosure significantly elevates the risk of this flaw being weaponized and exploited en masse against unpatched environments.
The vulnerability, classified as a deserialization-of-untrusted-data flaw, allows an unauthenticated attacker to execute arbitrary code over the network by sending specially crafted data. The affected versions include on-premises SharePoint Server 2016, 2019, and Subscription Edition. Microsoft 365 SharePoint Online is not impacted.
Researchers at Viettel Cyber Security have detailed how attackers can achieve RCE by exploiting XML schema processing within the ExcelDataSet control, specifically through the PerformancePoint BI services' BIMonitoringAuthoringService web service. The attack targets the TestConnection method, which deserializes a DataSource object's CustomData field using an XmlSerializer.
The core of the exploit lies in bypassing Microsoft's XmlValidator. While the validator is designed to restrict deserialization to allowed types like "XmlSchema" and "XmlDiffGram," it only inspects the main XML schema string. Attackers can embed <xs:import> and <xs:include> elements that reference external XSD files hosted on an attacker-controlled server. The XmlValidator does not scrutinize these imported schemas, allowing malicious type definitions to pass unnoticed.
This schema import bypass enables the use of known deserialization gadgets, such as LosFormatter and ObjectDataProvider. By defining a malicious msdata:DataType in the external XSD, attackers can chain these gadgets to achieve arbitrary code execution. The PoC demonstrates this by crafting a matching XmlDiffGram payload that instantiates an ExpandedWrapper object, which then calls LosFormatter.Deserialize on attacker-supplied data.
The exploit chain culminates in the successful execution of arbitrary code on the SharePoint server. The PoC shows that a low-privileged site member account is sufficient to initiate the attack. The process involves setting up an external HTTP server for the malicious schema and sending a crafted SOAP request to the BIMonitoringAuthoringService.
Security vendors have already confirmed that CVE-2025-53770 is being actively exploited in the wild, with reports of large-scale "ToolShell" attack campaigns targeting SharePoint servers. The public availability of detailed exploit techniques and gadget chains is expected to accelerate further attacks.
Organizations running on-premises SharePoint are urged to treat this as an emergency. Applying Microsoft's latest security patches for CVE-2025-53770, enabling AMSI integration, rotating ASP.NET MachineKey values, and conducting threat hunting for suspicious activity related to PerformancePoint and ViewState are critical mitigation steps.