
CVE Reports

Originally published at cvereports.com

CVE-2025-49704: ToolShell: Unauthenticated RCE in SharePoint via XML Deserialization


Vulnerability ID: CVE-2025-49704
CVSS Score: 8.8
Published: 2025-07-08

A Critical Remote Code Execution vulnerability in Microsoft SharePoint Server, dubbed 'ToolShell', allows attackers to execute arbitrary code via unsafe XML deserialization of DataSet objects. When chained with an authentication bypass (CVE-2025-49706), it permits unauthenticated attackers to fully compromise on-premises SharePoint farms.

TL;DR

Unauthenticated attackers can chain an authentication bypass in ToolPane.aspx with a deserialization flaw in DataSet processing to gain Remote Code Execution (RCE) on SharePoint servers. The flaw exploits the msdata:DataType XML attribute to instantiate dangerous .NET gadgets.


⚠️ Exploit Status: ACTIVE

Technical Details

  • Vulnerability Type: Unsafe Deserialization
  • Attack Vector: Network (HTTP POST)
  • Auth Required: None (when chained with CVE-2025-49706)
  • CVSS v3.1: 8.8 (High)
  • Payload: XML with msdata:DataType attribute
  • KEV Status: Listed (Active Exploitation)
  • Exploit Capability: Remote Code Execution (System/Service Account)

Affected Systems

  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server Subscription Edition
  • SharePoint Server 2019: < 16.0.10417.20027 (Fixed in: 16.0.10417.20027)
  • SharePoint Enterprise Server 2016: < 16.0.5508.1000 (Fixed in: 16.0.5508.1000)

Exploit Details

  • Metasploit: Module chaining ToolPane auth bypass and DataSet deserialization
  • ZDI: ZDI-25-581 Analysis

Mitigation Strategies

  • Apply July 2025 Security Updates immediately.
  • Restrict access to /_layouts/15/ToolPane.aspx via WAF or IIS rules.
  • Audit IIS logs for requests with Referer: *SignOut.aspx* and DisplayMode=Edit.
  • Disable the CellStorageWebService if not used (though this specific vector is ToolPane).
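
One way to run the IIS log audit from the list above, as an added example rather than code from the original report. It assumes W3C-format IIS logs, scopes the check to ToolPane.aspx by combining two of the bullets, and uses a hypothetical function name (audit_iis_log) with constructed sample lines.

```python
# Added example: audit IIS W3C logs for the indicators listed under Mitigation Strategies.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-20 10:01:02 GET /_layouts/15/start.aspx - 192.0.2.10 - 200
2025-07-20 10:01:05 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-20 10:02:00 POST /sites/hr/_layouts/15/ToolPane.aspx DisplayMode=Edit 192.0.2.10 https://sp.example.test/sites/hr/SitePages/Home.aspx 200
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-20 10:03:00 POST /_layouts/15/toolpane.aspx displaymode=edit 198.51.100.7 302
2025-07-20 10:03:01 POST /_layouts/15/ToolPane.aspx
"""  # constructed sample, not real traffic; hosts and addresses are placeholders


def audit_iis_log(lines):
    """Return requests to ToolPane.aspx with DisplayMode=Edit and a SignOut.aspx Referer."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()  # IIS encodes spaces inside a value as '+'
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        rec = dict(zip(fields, values))
        if not rec.get("cs-uri-stem", "").lower().endswith("/_layouts/15/toolpane.aspx"):
            continue
        if "displaymode=edit" not in rec.get("cs-uri-query", "").lower():
            continue
        referer = rec.get("cs(Referer)")
        if referer is None:
            verdict = "referer-not-logged"  # cannot confirm; review manually
        elif "signout.aspx" in referer.lower():
            verdict = "referer-match"
        else:
            continue  # ordinary page edit with an unrelated Referer
        hits.append({"when": f"{rec.get('date')} {rec.get('time')}", "client": rec.get("c-ip"),
                     "method": rec.get("cs-method"), "status": rec.get("sc-status"),
                     "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in audit_iis_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Entries marked referer-not-logged come from log sections where cs(Referer) was not among the logged fields, so they need manual review rather than being dropped.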

Remediation Steps:

  1. Download the appropriate security update for your SharePoint version (KB5002618 or KB5002617).
  2. Install the update on all SharePoint servers in the farm.
  3. Run psconfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures on every server.
  4. Verify the patch level in Central Administration.


Read the full report for CVE-2025-49704 on our website for more details including interactive diagrams and full exploit analysis.
