CVE-2025-21348

High

Published: 14 January 2025

Modified: 21 January 2025
KEV Added: not listed
Patch: available from the vendor (see advisory link below)
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0080 (74.6th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21348 is a high-severity Improper Authorization (CWE-285) vulnerability in Microsoft SharePoint Server. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

Microsoft SharePoint Server is affected by CVE-2025-21348, a remote code execution vulnerability. Its CVSS rating of 7.2 reflects a network attack vector, low attack complexity and a high-privilege requirement, with an impact that allows complete compromise of confidentiality, integrity and availability. The associated weakness is CWE-285 (Improper Authorization).

An authenticated attacker holding high privileges can exploit the issue over the network without user interaction, achieving remote code execution on the SharePoint Server and full control of the affected system.

The official advisory published by Microsoft at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21348 provides remediation guidance. The EPSS score for this CVE rose from a low baseline to a peak of 0.0524 on 2026-02-13 before receding to the current value of 0.0080, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

Microsoft SharePoint Server Remote Code Execution Vulnerability

CWE(s)

CWE-285 Improper Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

A remote code execution vulnerability in a public-facing Microsoft SharePoint Server maps directly to exploitation of public-facing applications for code execution.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

CVE-2025-49701 (same product: Microsoft SharePoint Server)
CVE-2026-26114 (same product: Microsoft SharePoint Server)
CVE-2025-21344 (same product: Microsoft SharePoint Server)
CVE-2026-20947 (same product: Microsoft SharePoint Server)
CVE-2026-26106 (same product: Microsoft SharePoint Server)
CVE-2025-21400 (same product: Microsoft SharePoint Server)
CVE-2025-59237 (same product: Microsoft SharePoint Server)
CVE-2025-54897 (same product: Microsoft SharePoint Server)
CVE-2026-20963 (same product: Microsoft SharePoint Server)
CVE-2026-35439 (same product: Microsoft SharePoint Server)

Affected Assets

Microsoft SharePoint Server 2016 and 2019, builds ≤ 16.0.17928.20356

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the RCE vulnerability by requiring timely identification, reporting and correction of flaws such as CVE-2025-21348 through vendor patches.

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for access to SharePoint resources, directly addressing the improper authorization weakness (CWE-285) that enables high-privilege RCE exploitation.

Least Privilege (prevent)

Limits the damage from exploitation requiring high privileges (PR:H) by ensuring users and processes operate with only the privileges they need, reducing the attack surface in SharePoint.