Cyber Posture

CVE-2025-49712

HighRCE

Published: 12 August 2025

Published
12 August 2025
Modified
15 August 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2470 96.2th percentile
Risk Priority 32 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-49712 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates deserialization of untrusted data by requiring validation of all information inputs before processing in SharePoint.

SI-2 Flaw Remediation good match
prevent

Ensures timely remediation of the specific deserialization flaw through flaw remediation processes like patching.

SI-16 Memory Protection partial match
prevent

Mitigates remote code execution consequences of successful deserialization via memory protection safeguards such as DEP and ASLR.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Direct RCE via deserialization in network-accessible SharePoint server application matches exploitation of public-facing apps.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Deeper analysisAI

CVE-2025-49712 is a deserialization of untrusted data vulnerability (CWE-502) in Microsoft Office SharePoint. Published on 2025-08-12T18:15:30.183, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue stems from improper handling of untrusted data, enabling code execution.

An authorized attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), allowing remote code execution.

Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49712.

Details

CWE(s)
CWE-502

Affected Products

microsoft
sharepoint server
2016, 2019

CVEs Like This One

CVE-2025-53770Same product: Microsoft Sharepoint Server
CVE-2025-54897Same product: Microsoft Sharepoint Server
CVE-2026-20963Same product: Microsoft Sharepoint Server
CVE-2025-59237Same product: Microsoft Sharepoint Server
CVE-2026-26114Same product: Microsoft Sharepoint Server
CVE-2026-26106Same product: Microsoft Sharepoint Server
CVE-2025-49701Same product: Microsoft Sharepoint Server
CVE-2025-49704Same product: Microsoft Sharepoint Server
CVE-2025-59228Same product: Microsoft Sharepoint Server
CVE-2026-32201Same product: Microsoft Sharepoint Server

References