automatic module_metadata_base.json update

jenkins-metasploit · jenkins-metasploit · commit 41698afa32eb · 2025-08-06T19:33:05.000Z
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -179526,6 +179526,81 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_windows/http/sharepoint_toolpane_rce": {
+    "name": "Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)",
+    "fullname": "exploit/windows/http/sharepoint_toolpane_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-07-08",
+    "type": "exploit",
+    "author": [
+      "Viettel Cyber Security",
+      "sfewer-r7"
+    ],
+    "description": "This module exploits the authentication bypass vulnerabilities CVE-2025-49706 and CVE-2025-53771, and an unsafe\n          deserialization vulnerability CVE-2025-49704, to achieve unauthenticated RCE against a vulnerable Microsoft\n          SharePoint Server. The vulnerability CVE-2025-53770 was disclosed as being a patch bypass of CVE-2025-49704,\n          and as described by the finders, CVE-2025-53770 targets a different endpoint within the /_vti_bin/ URI path.\n          As this exploit module does not target the endpoint associated with CVE-2025-53770 (per the original finders),\n          we believe this module is best described as exploiting CVE-2025-49704 and not CVE-2025-53770.",
+    "references": [
+      "CVE-2025-49704",
+      "CVE-2025-49706",
+      "CVE-2025-53770",
+      "CVE-2025-53771",
+      "URL-https://blog.viettelcybersecurity.com/sharepoint-toolshell/",
+      "URL-https://blog.leakix.net/2025/07/using-their-own-weapons-for-defense-a-sharepoint-story/",
+      "URL-https://securelist.com/toolshell-explained/",
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-25-580/",
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-25-581/",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
+      "URL-https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/",
+      "URL-https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
+      "URL-https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501",
+      "URL-https://x.com/codewhitesec/status/1944743478350557232",
+      "URL-https://x.com/thezdi/status/1923317597673533552",
+      "URL-https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2025-08-06 15:33:57 +0000",
+    "path": "/modules/exploits/windows/http/sharepoint_toolpane_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/sharepoint_toolpane_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_windows/http/sharepoint_unsafe_control": {
     "name": "Microsoft SharePoint Unsafe Control and ViewState RCE",
     "fullname": "exploit/windows/http/sharepoint_unsafe_control",
