Rapid7’s 2026 Global Cybersecurity Summit is now available on-demand.Watch sessions.
Rapid7

module

Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)

Disclosed
Jul 8, 2025
Created
Aug 7, 2025

Description

This module exploits the authentication bypass vulnerabilities CVE-2025-49706 and CVE-2025-53771, and an unsafe
deserialization vulnerability CVE-2025-49704, to achieve unauthenticated RCE against a vulnerable Microsoft
SharePoint Server. The vulnerability CVE-2025-53770 was disclosed as being a patch bypass of CVE-2025-49704,
and as described by the finders, CVE-2025-53770 targets a different endpoint within the /_vti_bin/ URI path.
As this exploit module does not target the endpoint associated with CVE-2025-53770 (per the original finders),
we believe this module is best described as exploiting CVE-2025-49704 and not CVE-2025-53770.

Authors

Viettel Cyber Security
sfewer-r7

Platform

Windows

Architectures

cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/windows/http/sharepoint_toolpane_rce
msf exploit(sharepoint_toolpane_rce) > show targets
...targets...
msf exploit(sharepoint_toolpane_rce) > set TARGET < target-id >
msf exploit(sharepoint_toolpane_rce) > show options
...show and set options...
msf exploit(sharepoint_toolpane_rce) > exploit

Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.