reword the language around our usage of CVE-2025-53770 to make it clear that this module is leveraging the authentication bypass for both CVE-2025-49706 and CVE-2025-53771, and the unsafe deserialization for CVE-2025-49704.

Author: sfewer-r7

documentation/modules/exploit/windows/http/sharepoint_toolpane_rce.md

@@ -1,7 +1,10 @@
 ## Vulnerable Application
-This module exploits the authentication bypass vulnerability `CVE-2025-53771` (a patch bypass of `CVE-2025-49706`),
-and an unsafe deserialization vulnerability `CVE-2025-53770` (a patch bypass of `CVE-2025-49704`), to achieve
-unauthenticated RCE against a vulnerable Microsoft SharePoint Server.
+This module exploits the authentication bypass vulnerabilities `CVE-2025-49706` and `CVE-2025-53771`, and an unsafe
+deserialization vulnerability `CVE-2025-49704`, to achieve unauthenticated RCE against a vulnerable Microsoft
+SharePoint Server. The vulnerability `CVE-2025-53770` was disclosed as being a patch bypass of `CVE-2025-49704`,
+and as described by the finders, `CVE-2025-53770` targets a different endpoint within the `/_vti_bin/` URI path.
+As this exploit module does not target the endpoint associated with `CVE-2025-53770` (per the original finders),
+we believe this module is best described as exploiting `CVE-2025-49704` alone (and not `CVE-2025-53770`).
 
 `CVE-2025-49706` is an authentication bypass affecting Microsoft SharePoint Server, allowing a remote unauthenticated
 attacker to reach the ToolPane page, located at the `/_layouts/15/ToolPane.aspx` URI. The auth bypass works if an
@@ -20,11 +23,11 @@ the ToolPane page.
 `LosFormatter` and `ObjectDataProvider` in the `diffgr:diffgram` XML document, allowing us to kick off a second
 stage deserialization gadget (which will be a `TypeConfuseDelegate` + `LosFormatter` gadget chain).
 
-`CVE-2025-53770` is a patch bypass of `CVE-2025-49704`. The patch for `CVE-2025-49704` did not apply correctly to a
-SharePoint site that had not also manually run a configuration upgrade. While the patch for `CVE-2025-49704` did not
-address the root cause, and instead marked the `Microsoft.PerformancePoint.Scorecards.Client` assembly as unsafe, the
-patch for `CVE-2025-53770` instead correctly addresses the root cause of `CVE-2025-49704` while also not relying
-on a manual configuration update to be performed.
+The July 8, 2025, patch for `CVE-2025-49704` did not apply correctly to a SharePoint site that had not also manually run
+a SharePoint configuration update. The patch for `CVE-2025-49704` did not address the root cause, and instead marked the
+`Microsoft.PerformancePoint.Scorecards.Client` assembly as unsafe. The July 19, 2025, patch for `CVE-2025-53770`
+addresses the root cause of `CVE-2025-49704` and does not rely on a manual configuration update to be performed in
+order to be affective.
 
 ## Testing
 This exploit module has been successfully tested against the following versions:

modules/exploits/windows/http/sharepoint_toolpane_rce.rb

@@ -15,42 +15,49 @@ def initialize(info = {})
         info,
         'Name' => 'Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)',
         'Description' => %q{
-          This module exploits the authentication bypass vulnerability CVE-2025-53771 (a patch bypass of CVE-2025-49706),
-          and an unsafe deserialization vulnerability CVE-2025-53770 (a patch bypass of CVE-2025-49704), to achieve
-          unauthenticated RCE against a vulnerable Microsoft SharePoint Server.
+          This module exploits the authentication bypass vulnerabilities CVE-2025-49706 and CVE-2025-53771, and an unsafe
+          deserialization vulnerability CVE-2025-49704, to achieve unauthenticated RCE against a vulnerable Microsoft
+          SharePoint Server. The vulnerability CVE-2025-53770 was disclosed as being a patch bypass of CVE-2025-49704,
+          and as described by the finders, CVE-2025-53770 targets a different endpoint within the /_vti_bin/ URI path.
+          As this exploit module does not target the endpoint associated with CVE-2025-53770 (per the original finders),
+          we believe this module is best described as exploiting CVE-2025-49704 and not CVE-2025-53770.
         },
         'License' => MSF_LICENSE,
         'Author' => [
           # Discovered CVE-2025-49704 and CVE-2025-49706, demoed at Pwn2Own Berlin 2025.
+          # Credited by Microsoft as also discovering CVE-2025-53770 and CVE-2025-53771.
           'Viettel Cyber Security',
-          # Metasploit module, based on the public PoC of the zero-day exploit for CVE-2025-53770 and CVE-2025-53771.
+          # Metasploit module, based on the public PoC of the exploit for CVE-2025-49706 and CVE-2025-49704.
           'sfewer-r7'
-          # NOTE: The author attribution for CVE-2025-53770 and CVE-2025-53771 is unclear.
         ],
         'References' => [
           # Microsoft SharePoint DataSetSurrogateSelector Deserialization of Untrusted Data Remote Code Execution Vulnerability.
           ['CVE', '2025-49704'],
           # Microsoft SharePoint ToolPane Authentication Bypass Vulnerability.
           ['CVE', '2025-49706'],
-          # Patch bypass for CVE-2025-49704, exploited in-the-wild as a zero-day.
+          # Patch bypass for CVE-2025-49704, by targeting a different endpoint within the /_vti_bin/ path.
           ['CVE', '2025-53770'],
-          # Patch bypass for CVE-2025-49706, exploited in-the-wild as a zero-day.
+          # Patch bypass for CVE-2025-49706.
           ['CVE', '2025-53771'],
           # Technical analysis of CVE-2025-49704 and CVE-2025-49706 by the original finder, Dinh Ho Anh Khoa (Viettel Cyber Security).
           ['URL', 'https://blog.viettelcybersecurity.com/sharepoint-toolshell/'],
-          # LeakIX blog which captured the malicious request for the in-the-wild exploit.
+          # LeakIX blog which captured the malicious request for the in-the-wild exploit for CVE-2025-49706, CVE-2025-53771, and CVE-2025-49704.
           ['URL', 'https://blog.leakix.net/2025/07/using-their-own-weapons-for-defense-a-sharepoint-story/'],
           # Technical analysis of CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771 by Kaspersky.
           ['URL', 'https://securelist.com/toolshell-explained/'],
           # ZDI advisories for CVE-2025-49704 and CVE-2025-49706, discovered by Viettel Cyber Security.
           ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-25-580/'],
           ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-25-581/'],
-          # Microsoft advisories for CVE-2025-53770 and CVE-2025-53771, caught in-the-wild.
+          # Microsoft advisories for CVE-2025-49704 and CVE-2025-49706.
+          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704'],
+          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706'],
+          # Microsoft advisories for CVE-2025-53770 and CVE-2025-53771.
           ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770'],
           ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771'],
           # Microsoft Guidance.
+          ['URL', 'https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/'],
           ['URL', 'https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/'],
-          # The zero-day exploit for CVE-2025-53770 and CVE-2025-53771, published July 21, 2025.
+          # The zero-day exploit for CVE-2025-49704, CVE-2025-49706, published July 21, 2025.
           ['URL', 'https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501'],
           # Markus Wulftange (CODE WHITE GmbH) reproduced CVE-2025-49704 and CVE-2025-49706, circa July 14, 2025.
           ['URL', 'https://x.com/codewhitesec/status/1944743478350557232'],
@@ -59,7 +66,7 @@ def initialize(info = {})
           # Prior work from Steven Seeley on a similar DataSet gadget chain for SharePoint.
           ['URL', 'https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html']
         ],
-        'DisclosureDate' => '2025-07-19', # Disclosure date for CVE-2025-53770 and CVE-2025-53771.
+        'DisclosureDate' => '2025-07-08', # Disclosure date for CVE-2025-49704 and CVE-2025-49706.
         'Platform' => ['win'],
         'Arch' => [ARCH_CMD],
         'Privileged' => false, # Executes as the SharePoint site user.
@@ -112,6 +119,8 @@ def check
     # compare the target version against the RTM version (i.e. the first version of an edition) and the version *before*
     # the patch for CVE-2025-53770 and CVE-2025-53771 (which supersedes patches for CVE-2025-49704 and CVE-2025-49706
     # from July 2025).
+    # Note: A SharePoint server that has the patch for CVE-2025-49704 applied, may still be vulnerable if a SharePoint
+    # configuration update has not also manually occurred.
     # https://learn.microsoft.com/en-us/sharepoint/product-servicing-policy/updated-product-servicing-policy-for-sharepoint-2019
     # https://learn.microsoft.com/en-us/officeupdates/sharepoint-updates