CVE-2025-49704
Published: 08 July 2025
Summary
CVE-2025-49704 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation through application of Microsoft patches directly eliminates the code injection vulnerability in SharePoint.
Information input validation prevents code injection by ensuring user-supplied inputs to SharePoint do not contain executable code.
Vulnerability scanning detects the presence of CVE-2025-49704 in SharePoint deployments, enabling prioritization for patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Code injection (CWE-94) leading to unauthenticated RCE on SharePoint directly enables remote exploitation of a public-facing application.
NVD Description
Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Deeper analysisAI
CVE-2025-49704 is an improper control of code generation vulnerability, classified as code injection (CWE-94), affecting Microsoft Office SharePoint. Published on 2025-07-08, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low complexity and privileges.
An authorized attacker with low privileges, such as an authenticated SharePoint user, can exploit this vulnerability over the network without requiring user interaction. Successful exploitation allows arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability on the targeted system.
Microsoft's update guide provides patches for remediation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704. The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49704. A Microsoft security blog post addresses disrupting active exploitation of on-premises SharePoint vulnerabilities: https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/.
This vulnerability is actively exploited in the wild, particularly against on-premises SharePoint deployments, underscoring the urgency of applying available patches.
Details
- CWE(s)
- KEV Date Added
- 22 July 2025