Published July 21, 2025

IRIS C2 Delivers Day-Zero SharePoint Exploit Module for CVE-2025-53770

Breaking: Critical SharePoint Vulnerability Actively Exploited in the Wild

Just hours after Eye Security broke the news about CVE-2025-53770 (dubbed "ToolShell"), a critical unauthenticated remote code execution vulnerability affecting all on-premises SharePoint servers, IRIS C2 customers already have access to a fully-featured exploitation module. While Microsoft scrambles to develop patches and organizations worldwide assess their exposure, IRIS C2 operators can immediately begin testing and securing their environments.

The vulnerability, which carries a CVSS score of 9.8, affects SharePoint Server 2016, 2019, and Subscription Edition. As of this writing, Microsoft has not released any patches, and given the nature of on-premises deployments, many organizations will remain vulnerable for weeks or even months to come.

Immediate Response: The IRIS C2 SharePoint Exploit Module

Our security research team worked through the night to deliver a production-ready module that enables:

  • Automated scanning for vulnerable SharePoint servers
  • One-click exploitation with full RCE capabilities
  • Cryptographic key extraction for persistent access
  • Complete post-exploitation framework
  • Anti-forensics and evasion techniques

The SharePoint CVE-2025-53770/53771 Exploit Module integrated seamlessly into IRIS C2

Key Features and Capabilities

1. Vulnerability Information Dashboard

The module provides comprehensive information about the vulnerability, including:

  • CVE details and CVSS scoring
  • Affected versions and exploit chain information
  • Real-time IOCs from active exploitation campaigns
  • Detection signatures (Exploit:W32/W3WPLaunch.A!DeepGuard)

Detailed vulnerability information and IOCs at your fingertips

2. Mass Vulnerability Scanning

Our scanning engine can rapidly identify vulnerable SharePoint instances across your network or target ranges:

Mass scanning interface with real-time vulnerability detection

Key scanning features:

  • Parallel scanning with configurable threads
  • Multiple detection methods (version headers, endpoints, error pages)
  • Automatic vulnerability verification
  • Export capabilities for scan results

3. One-Click Exploitation

Once vulnerable servers are identified, exploitation is as simple as selecting targets and clicking "Exploit":

Streamlined exploitation interface with target management

The module handles the entire exploit chain automatically:

  1. Authentication bypass via the SignOut.aspx Referer trick
  2. Deserialization RCE through ToolPane.aspx
  3. Deployment of the SharpyShell web shell (spinstall0.aspx)
  4. Extraction of cryptographic keys for persistent access
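The four-step chain above leaves a recognisable trace in the SharePoint server's own IIS logs: a POST to ToolPane.aspx whose Referer points at SignOut.aspx, followed shortly by requests for the dropped spinstall0.aspx file. The Python below is an added example of that detection logic written from the defender's side; it is not part of IRIS C2 or of the original post. It parses IIS W3C extended log lines, reading the column layout from the `#Fields:` header (the sample assumes the default IIS field set, which includes `cs(Referer)`), and the `/_layouts/15/...` paths and all addresses, times and usernames in the sample are constructed.

```python
"""Hunt IIS W3C logs for the CVE-2025-53770 request chain described above.

Added example (not IRIS C2 code). Paths, IPs, users and times below are
constructed sample data, not real traffic.
"""
from collections import defaultdict

# Constructed IIS log excerpt: one benign browse, the two-step chain from one
# external address, and a legitimate authenticated page edit that must not alert.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/sites/hr 200
2025-07-19 10:04:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-19 10:04:13 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-19 10:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0 https://sp.contoso.local/sites/hr 200
"""

STAGE_BYPASS = "toolpane_via_signout_referer"   # steps 1 + 2 of the chain
STAGE_WEBSHELL = "spinstall0_webshell"          # step 3 of the chain


def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log data appeared before a #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):     # IIS URL-encodes spaces, so a mismatch is a bad line
            continue
        yield dict(zip(fields, parts))


def classify(req):
    """Return the chain stage a single request matches, or None."""
    method = req.get("cs-method", "").upper()
    stem = req.get("cs-uri-stem", "").lower()
    referer = req.get("cs(Referer)", "").lower()
    # Unauthenticated POST to ToolPane.aspx carrying a SignOut.aspx Referer.
    if method == "POST" and stem.endswith("/toolpane.aspx") and "signout.aspx" in referer:
        return STAGE_BYPASS
    # Any request for the web shell file the chain drops.
    if stem.endswith("/spinstall0.aspx"):
        return STAGE_WEBSHELL
    return None


def hunt(text):
    """Map each client IP to the (timestamp, stage, uri) events it produced."""
    hits = defaultdict(list)
    for req in parse_w3c(text):
        stage = classify(req)
        if stage:
            when = req["date"] + " " + req["time"]
            hits[req["c-ip"]].append((when, stage, req["cs-uri-stem"]))
    return dict(hits)


def full_chain_sources(hits):
    """Client IPs observed performing both the bypass and a web-shell request."""
    wanted = {STAGE_BYPASS, STAGE_WEBSHELL}
    return sorted(ip for ip, events in hits.items()
                  if {stage for _, stage, _ in events} >= wanted)


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for ip, events in findings.items():
        for when, stage, uri in events:
            print(f"{when} {ip} {stage} {uri}")
    print("full chain from:", full_chain_sources(findings))
```

The rule keys on the method, endpoint and Referer combination rather than on the User-Agent, since the post lists randomised User-Agent strings among the module's evasions; the same reasoning argues against trusting X-Forwarded-For over the socket-level `c-ip`. A request for spinstall0.aspx is worth an alert on its own even without the preceding ToolPane.aspx hit, because that file should never exist on a healthy server.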

4. Advanced Payload Generation

Generate custom ViewState payloads using the extracted cryptographic material:

Native payload generation without external dependencies

Our implementation includes:

  • Native .NET deserialization gadget chains
  • TypeConfuseDelegate payload support
  • Signed ViewState generation with HMAC validation
  • No dependency on external tools like ysoserial.net

5. Comprehensive Post-Exploitation

The module provides a full suite of post-exploitation capabilities:

Advanced post-exploitation features for complete control

Available actions include:

  • Persistence: Deploy hidden backdoors
  • Credential Theft: Extract SharePoint service accounts and IIS AppPool credentials
  • Database Access: Dump SharePoint content databases
  • Domain Enumeration: Leverage SharePoint's AD integration
  • Anti-Forensics: Clean logs and traces

6. Real-Time Console and Logging

Monitor all operations in real-time with our integrated console.

7. Comprehensive Reporting

Export detailed reports of all exploitation activities.

Technical Implementation Highlights

Native Payload Generation

Unlike other tools that rely on external binaries, our module includes a native C++ implementation of the required .NET deserialization gadgets. This means:

  • No external dependencies
  • Faster payload generation
  • Better operational security
  • Cross-platform compatibility

Operational Considerations

Detection and Evasion

The module includes several evasion techniques:

  • Randomized User-Agent strings
  • X-Forwarded-For header manipulation
  • Configurable request timing
  • Anti-forensics capabilities

Responsible Use

This module is intended for:

  • Authorized penetration testing
  • Security assessment of your own infrastructure
  • Research and defensive development
  • Incident response and compromise assessment

Why IRIS C2 Customers Have the Advantage

While the security community is still analyzing this vulnerability and building proof-of-concepts, IRIS C2 customers have:

  1. Immediate Access: The module is available now through the Tools menu
  2. Production-Ready Code: Not a proof-of-concept, but a fully-featured exploitation framework
  3. Integrated Workflow: Seamlessly integrated into your existing C2 operations
  4. No External Dependencies: Everything needed is built into the module
  5. Continuous Updates: As new information emerges, we'll push updates automatically

Getting Started

To access the SharePoint exploit module:

  1. Update to the latest version of IRIS C2
  2. Navigate to Tools → SharePoint Exploit (CVE-2025-53770)
  3. Add target SharePoint servers to scan
  4. Review the vulnerability information and IOCs
  5. Begin your assessment

The Bottom Line

With potentially hundreds of thousands of vulnerable SharePoint servers worldwide and no patches currently available, organizations need tools to assess and understand their exposure immediately. IRIS C2's SharePoint exploit module provides security teams with the capability to:

  • Quickly identify vulnerable servers in their environment
  • Understand the full impact of potential compromise
  • Test defensive measures and detection capabilities
  • Prepare incident response procedures

As Eye Security noted in their research, this vulnerability is being actively exploited in the wild. Don't wait for patches that may be weeks away – start assessing your SharePoint infrastructure today.

Stay Protected

The IRIS C2 team continues to monitor this evolving situation. We'll provide updates to the module as new information becomes available, including:

  • Additional evasion techniques
  • New IOCs from active campaigns
  • Enhanced post-exploitation capabilities
  • Defensive recommendations

Furthermore, we are closely monitoring efforts by defenders to fortify their systems, including the development of new YARA rules to detect this exploit. IRIS C2 is committed to keeping this module updated to overcome these defensive measures, ensuring its continued effectiveness and extending its useful service life for our operators.

For our customers, this is just another example of how IRIS C2 delivers cutting-edge capabilities when you need them most. While others are still reading about vulnerabilities, you're already equipped to exploit them.

To learn more, please contact support@IRISC2.com

IRIS C2 - Professional Command & Control for the Modern Operator

Disclaimer: This tool is for authorized security testing only. Users are responsible for complying with all applicable laws and regulations. Unauthorized access to computer systems is illegal and unethical.