Cyber Resilience

CVE-2025-49704

HighCISA KEVActive ExploitationEUVD ExploitedRansomware-linkedRCE

Published: 08 July 2025

Published
08 July 2025
Modified
27 October 2025
KEV Added
22 July 2025
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.5958 98.3th percentile
Risk Priority 73 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-49704 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-49704 is a code injection vulnerability, tracked under CWE-94, that affects Microsoft Office SharePoint. The flaw permits improper control over code generation and carries a CVSS 3.1 score of 8.8, reflecting network attack vector, low attack complexity, and low privileges required with no user interaction needed.

An authorized attacker with network access can exploit the issue to execute arbitrary code on affected SharePoint servers, resulting in full compromise of confidentiality, integrity, and availability on the target system.

Microsoft’s Security Response Center advisory and accompanying security blog describe available patches for on-premises SharePoint deployments, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog and references coordinated efforts to disrupt active exploitation.

The EPSS score rose from lower values after the July 2025 disclosure to a peak of 0.7661 on 2025-12-11 before receding to the current 0.5958, indicating increased exploitation interest several months post-publication.

EU & UK References

Vulnerability details

Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

CWE(s)
KEV Date Added
22 July 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Code injection (CWE-94) leading to unauthenticated RCE on SharePoint directly enables remote exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20963Same product: Microsoft Sharepoint Serverboth on KEV
CVE-2026-32201Same product: Microsoft Sharepoint Serverboth on KEV
CVE-2025-53770Same product: Microsoft Sharepoint Serverboth on KEV
CVE-2025-21348Same product: Microsoft Sharepoint Server
CVE-2026-26114Same product: Microsoft Sharepoint Server
CVE-2025-21344Same product: Microsoft Sharepoint Server
CVE-2026-20947Same product: Microsoft Sharepoint Server
CVE-2026-26106Same product: Microsoft Sharepoint Server
CVE-2025-59237Same product: Microsoft Sharepoint Server
CVE-2025-54897Same product: Microsoft Sharepoint Server

Affected Assets

microsoft
sharepoint server
2016, 2019

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through application of Microsoft patches directly eliminates the code injection vulnerability in SharePoint.

prevent

Information input validation prevents code injection by ensuring user-supplied inputs to SharePoint do not contain executable code.

detect

Vulnerability scanning detects the presence of CVE-2025-49704 in SharePoint deployments, enabling prioritization for patching.

References