CVE-2025-49704: Critical Microsoft SharePoint Code Injection Vulnerability Advisory
Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.
FREQUENTLY ASKED
What is CVE-2025-49704 and why is it critical?
CVE-2025-49704 is a critical Code Injection vulnerability (CWE-94) in Microsoft SharePoint with a CVSS score of 8.8. It is significant because it allows authorized attackers to execute malicious code over a network. The vulnerability is currently being exploited in the wild, often in conjunction with ransomware activities, making immediate remediation essential for organizational security.
Which versions of Microsoft SharePoint are affected by this vulnerability?
The vulnerability affects SharePoint versions including those built on the 16.0.0 codebase. This typically encompasses SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Additionally, CISA warns that any public-facing versions that have reached end-of-life (EOL), such as SharePoint Server 2013 and earlier, are at extreme risk and should be disconnected.
Has a patch been released for CVE-2025-49704?
Yes, Microsoft has released patches for CVE-2025-49704. However, administrators should be aware that a patch bypass for this specific vulnerability was identified as CVE-2025-53770. Therefore, it is critical to apply the most recent updates, which include the robust protections designed for CVE-2025-53770, to ensure the code injection vulnerability is fully mitigated.
What is the remediation deadline and how does it impact compliance?
The remediation deadline for CVE-2025-49704 is 2025-07-23. For federal agencies and organizations adhering to CISA BOD 22-01, failing to mitigate this vulnerability or disconnect EOL versions by this date results in non-compliance. Given the active exploitation status, this deadline reflects the high risk and the narrow window available to secure enterprise environments.
How can I check if my SharePoint deployment is affected?
To determine if your deployment is affected, verify the installed build numbers of your SharePoint Server instances. Compare these against the security update guide provided by Microsoft. If your server is public-facing and running SharePoint 2013 or older, it is definitively affected and should be decommissioned immediately as it no longer receives security updates for new vulnerabilities.
CVE-2025-49704: Critical Microsoft SharePoint Code Injection Vulnerability
CVE-2025-49704 is a high-severity code injection vulnerability (CWE-94) in Microsoft SharePoint with a CVSS score of 8.8, demanding immediate attention due to active exploitation and known ransomware use. This vulnerability allows an authorized attacker to execute arbitrary code over a network, posing a total threat to system integrity and confidentiality, with a strict remediation deadline of 2025-07-23.
At the core of CVE-2025-49704 lies CWE-94: Improper Control of Generation of Code ('Code Injection'). In the context of Microsoft SharePoint, this vulnerability manifests when the application fails to properly neutralize or validate input that is subsequently used to generate code segments. Because SharePoint is a complex framework that utilizes various scripting and templating engines to deliver collaborative content, an authorized user—even one with minimal privileges—can inject malicious syntax into these processed streams.
The Mechanics of the Vulnerability
Code injection differs from simple command injection by targeting the internal logic of the application environment. By exploiting CWE-94, an attacker can essentially force the SharePoint server to interpret their data as executable code. This occurs within the server-side processing layer, potentially bypassing standard security controls that focus on file uploads or external script execution.
The Attack Chain and Chaining Scenarios
The vulnerability is particularly dangerous because it does not exist in isolation. Source data indicates that CVE-2025-49704 is frequently chained with CVE-2025-49706, another SharePoint-related flaw. In a typical attack scenario, the threat actor first gains "Low Privilege" access (PR:L)—perhaps through credential stuffing or phishing—and then uses the code injection flaw to escalate their presence. Furthermore, a patch bypass (CVE-2025-53770) was quickly discovered after the initial disclosure of CVE-2025-49704. This suggests that the underlying vulnerable component in SharePoint's code generation logic is fundamentally complex, requiring multiple layers of hardening to fully secure.
Blast Radius and Impact
The blast radius of a successful exploit is classified as "Total" (SSVC Technical Impact: Total). Since the vulnerability allows code execution, the attacker can achieve a full takeover of the SharePoint instance. This includes the ability to read sensitive documents, modify organizational data, and disrupt service availability. Given the EPSS score of 0.59583 (98.3rd percentile), the probability of this vulnerability being leveraged in broad automated attacks is extremely high.
Who Is Affected: Enterprise Scope and Compliance
This vulnerability primarily impacts organizations running on-premises versions of Microsoft SharePoint Server. The affected versions identified include those based on the 16.0.0 build branch, which includes:
SharePoint Server 2016
SharePoint Server 2019
SharePoint Server Subscription Edition
CISA BOD 22-01 and Federal Compliance
Due to the active exploitation of this flaw, CISA has added CVE-2025-49704 to its Known Exploited Vulnerabilities (KEV) Catalog. Per Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies are required to remediate this vulnerability by the specified deadline of 2025-07-23.
Private sector organizations are strongly encouraged to treat this deadline as a critical benchmark. The presence of known ransomware use underscores that this is not merely a theoretical risk; it is a clear and present danger to business continuity. Organizations using legacy SharePoint versions that have reached End-of-Life (EOL) or End-of-Service (EOS), specifically SharePoint Server 2013 and earlier, must immediately disconnect these systems from the public internet, as they are inherently vulnerable and no longer receive security updates.
Official Remediation Steps
Immediate action is required to secure affected SharePoint environments. Follow these prioritized steps:
Identify Vulnerable Instances: Inventory all SharePoint Server deployments. Use administrative tools to check build numbers and confirm if they fall within the affected 16.0.0 range.
Apply Cumulative Updates (CU): Navigate to the Microsoft Security Update Guide and download the latest patches. Note that you must apply the updates associated with CVE-2025-53770, as these provide the more robust protection required to prevent the initial patch bypass for CVE-2025-49704.
Decommission EOL Software: If your organization is running SharePoint Server 2013, 2010, or earlier, these versions cannot be patched against this vulnerability. Disconnect these servers from the network and migrate data to a supported version or SharePoint Online.
Verify Patch Integrity: After installation, verify that the security updates have been applied correctly by checking the version numbers against the vendor’s advisory. Ensure that the SharePoint Products Configuration Wizard is run if required by the update process.
Monitor for Indicators of Compromise (IoC): Review SharePoint logs for unusual authorized user activity, especially around service accounts or accounts that do not typically engage in administrative or configuration-level actions.
Security Best Practices for SharePoint Hardening
Beyond patching, organizations should implement the following defensive measures to mitigate CWE-94 and related code injection risks:
Principle of Least Privilege (PoLP): Review and restrict user permissions within SharePoint. Ensure that only a minimal number of users have the ability to modify pages or web parts, as this vulnerability requires an "Authorized" (PR:L) state.
Network Segmentation: Isolate SharePoint servers from the broader corporate network and the public internet using firewalls and demilitarized zones (DMZs). Access should be granted via VPN or secure gateways with Multi-Factor Authentication (MFA).
Input Validation and Sanitization: Implement strict server-side validation for all user-supplied data. Utilize Content Security Policy (CSP) headers to restrict where scripts can be loaded from and prevent unauthorized code execution in the browser context.
Web Application Firewall (WAF) Tuning: Configure WAF rules to detect and block common code injection patterns (e.g., unexpected script tags or encoded executable syntax) directed at SharePoint endpoints.
Endpoint Detection and Response (EDR): Deploy EDR agents on SharePoint servers to monitor for post-exploitation behavior, such as the spawning of suspicious child processes (e.g., cmd.exe or powershell.exe) by the SharePoint worker processes.
Regular Security Audits: Conduct periodic penetration testing specifically targeting SharePoint's customized web parts and third-party integrations, which are often the weakest links in code injection defense.