A Metasploit exploit module has been released targeting critical zero-day vulnerabilities in Microsoft SharePoint Server that are currently being exploited in the wild.
The module, developed by Principal Security Researcher Stephen Fewer, exploits a chained attack leveraging CVE-2025-53770 and CVE-2025-53771 to achieve unauthenticated remote code execution on vulnerable SharePoint installations.
These vulnerabilities represent patch bypasses for previously disclosed security vulnerabilities and were first observed in active exploitation campaigns around July 19, 2025.
The newly released Metasploit module addresses a sophisticated attack chain that bypasses existing security patches for Microsoft SharePoint Server.
The vulnerabilities CVE-2025-53770 and CVE-2025-53771 function as patch bypasses for two previously patched vulnerabilities, CVE-2025-49704 and CVE-2025-49706, effectively reintroducing the security vulnerabilities through alternative attack vectors.
This development represents a significant escalation in SharePoint-targeted attacks, as threat actors have successfully circumvented Microsoft’s security updates.
The exploit module was developed based on analysis of real-world attack traffic captured in the wild, with the original exploit payload consisting of a single HTTP request that demonstrated the vulnerability’s severity.
Security researchers were able to reverse-engineer the attack methodology after obtaining a sample of the malicious HTTP request, which was subsequently shared through public security channels for further analysis and defensive measures.
The timing of this disclosure is particularly concerning, as the vulnerabilities were actively exploited before patches were available, representing a true zero-day threat.
The rapid development and release of the Metasploit module serves both as a tool for security professionals to test their environments and as an indicator of the exploit’s relative simplicity and effectiveness.
SharePoint 0-Day Vulnerabilities
The Metasploit module demonstrates considerable technical sophistication in its implementation, supporting multiple payload delivery mechanisms and target configurations.
During testing, the module successfully achieved remote code execution on Microsoft SharePoint Server 2019 version 16.0.10417.20027 running on Windows Server 2022, establishing Meterpreter sessions with system-level privileges.
The exploit operates through the SharePoint ToolPane component, requiring no authentication credentials to execute successfully.
Current payload options include both HTTP-based Meterpreter reverse TCP connections and generic command execution capabilities.
The module’s flexibility allows security professionals to customize payloads based on their testing requirements, with support for various exit techniques and extension loading mechanisms.
The exploitation process executes within the Internet Information Services (IIS) worker process context, providing attackers with significant system access.
The development team has identified several areas for improvement, including reimplementation of certain exploit components using native Metasploit deserialization routines and evaluation of in-memory payload delivery options.
These enhancements would further streamline the exploit’s effectiveness while reducing detection signatures.
Security Implications
The active exploitation of these SharePoint vulnerabilities in production environments underscores the critical nature of this security threat.
The release of this Metasploit module follows established responsible disclosure practices while providing security teams with necessary tools for environmental assessment.
Organizations running affected SharePoint Server installations face immediate risk of compromise, particularly given the unauthenticated nature of the attack vector.
The exploit’s single HTTP request methodology makes it particularly attractive to threat actors seeking rapid, low-effort compromise of corporate SharePoint environments.
Stephen Fewer’s role as Principal Security Researcher at Rapid7 lends significant credibility to this disclosure, given his extensive track record in vulnerability research and exploit development.
His GitHub profile demonstrates consistent contributions to security research, including previous work on high-profile CVEs affecting enterprise software platforms.
The broader implications of these vulnerabilities extend beyond individual SharePoint installations, as many organizations rely heavily on SharePoint for document management and collaboration.
The patch bypass nature of these vulnerabilities suggests that traditional update management may be insufficient, requiring more comprehensive security monitoring and potentially additional compensating controls until definitive patches become available.
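
For the monitoring the article calls for, a triage pass over IIS logs can surface the request pattern it describes: an unauthenticated POST to the ToolPane component. This is an added example, not code from the Metasploit module or from Rapid7; the log lines are constructed, the URI path is a placeholder, and matching on the substring "toolpane" with an empty cs-username is an assumed heuristic.

```python
# Constructed IIS W3C log sample (not real traffic). The URI path is a
# placeholder; column order is whatever the "#Fields:" directive declares.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-07-20 10:01:02 GET /example/start.aspx - alice@contoso.example 10.0.0.5 200
2025-07-20 10:01:09 POST /example/ToolPane.aspx - - 203.0.113.7 200
2025-07-20 10:02:11 POST /example/toolpane.aspx - bob@contoso.example 10.0.0.9 200
2025-07-20 10:03:30 POST /example/ToolPane.aspx - - 198.51.100.4 401
2025-07-20 10:04:00 POST /example/ToolPane.aspx
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def suspicious_toolpane_posts(lines):
    """Return anonymous POSTs to a ToolPane URI that the server did not reject.

    Assumed heuristic: IIS logs "-" in cs-username for unauthenticated
    requests, and a 4xx/5xx status means the request was refused or failed.
    """
    hits = []
    for row in parse_w3c(lines):
        is_post = row.get("cs-method", "").upper() == "POST"
        is_toolpane = "toolpane" in row.get("cs-uri-stem", "").lower()
        is_anonymous = row.get("cs-username", "-") == "-"
        rejected = row.get("sc-status", "").startswith(("4", "5"))
        if is_post and is_toolpane and is_anonymous and not rejected:
            hits.append((row.get("date"), row.get("time"),
                         row.get("c-ip"), row.get("sc-status")))
    return hits


if __name__ == "__main__":
    for hit in suspicious_toolpane_posts(SAMPLE_LOG.splitlines()):
        print("review:", *hit)
```

A hit is a lead for investigation rather than proof of compromise; correlate the source address and timestamp with process and file activity from the IIS worker process on the same host.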




