CVE-2025-49704
CVE-2025-49704 is a high-severity vulnerability in Microsoft Sharepoint Server with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-07-22). The underlying weakness is classified as CWE-94.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-07-22)
- EU (EUVD) id: EUVD-2025-20554
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-07-22)
- Weakness: CWE-94
- Affected product: Microsoft Sharepoint Server
- Published:
- Last modified:
Description
Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2025-49704: Microsoft SharePoint Server Code Injection Under Active Exploitation
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2025-49704 |
| Published | 2025-07-08 |
| CVSS v3.1 | 8.8 (High) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.99907 |
| KEV | Yes (added 2025-07-22) |
| CWE | CWE-94 — Improper Control of Generation of Code (Code Injection) |
| Vendor | Microsoft |
Summary
CVE-2025-49704 is a high-severity code injection vulnerability in Microsoft Office SharePoint Server. An attacker with low-privilege access can inject and execute arbitrary code on the target server over the network without requiring user interaction. The vulnerability carries a CVSS v3.1 score of 8.8 and has been added to CISA's Known Exploited Vulnerabilities catalog, with evidence of active exploitation by ransomware groups.
Background
Microsoft SharePoint Server is a widely deployed on-premises collaboration and document management platform used by enterprises globally. The 2016 and 2019 releases remain prevalent in organizations that have not migrated to SharePoint Online. In July 2025, Microsoft disclosed this flaw alongside active exploitation campaigns targeting on-premises SharePoint installations, prompting an emergency security response.
Root Cause
The vulnerability is classified under CWE-94: Improper Control of Generation of Code (code injection). The root cause lies in insufficient input validation and sanitization within SharePoint's request handling pipeline, which allows an authenticated attacker to supply malicious input that is subsequently evaluated or executed as code by the server. Because the application fails to adequately control code generation, attacker-controlled data can alter the intended control flow and achieve arbitrary code execution in the context of the SharePoint application or underlying server.
Impact
The CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H translates to:
- Attack Vector (Network): Exploitable remotely over the network.
- Attack Complexity (Low): No special conditions or complex prerequisites required.
- Privileges Required (Low): The attacker needs only low-level authorized access.
- User Interaction (None): No victim interaction is necessary.
- Scope (Unchanged): The vulnerable component is the only one impacted.
- Confidentiality, Integrity, Availability (All High): Successful exploitation grants the attacker full read, write, and destroy capabilities on the server.
Given active exploitation and a ransomware nexus, this is not merely a theoretical server compromise risk — it has been observed in the wild as an initial access vector leading to data encryption, exfiltration, and business disruption.
Exploitation Walkthrough
Ethics Notice: The following is a generic, defender-oriented description of exploitation mechanics. No weaponized code or step-by-step attack instructions are provided.
An attacker with valid low-privilege credentials (or a compromised low-privilege account) interacts with a vulnerable SharePoint endpoint. By crafting a request that embeds malicious input in a field processed by SharePoint's backend, the attacker causes the server to evaluate that input as executable code. Because the flaw is in the code-generation path, the attacker's payload runs with the privileges of the SharePoint application worker process or the underlying web server. With network access and no user interaction required, this can be automated at scale against exposed SharePoint instances.
Affected and Patched Versions
Based on the source data, the following products are affected:
- Microsoft SharePoint Server 2016 (Enterprise)
- Microsoft SharePoint Server 2019
Specific patch levels or KB article numbers were not included in the source CVE record. Administrators should consult the Microsoft Security Response Center (MSRC) advisory for the definitive list of patched builds and security update packages.
Remediation
- Apply Security Updates: Install the latest Microsoft security updates for SharePoint Server 2016 and 2019 as detailed in the MSRC advisory. Prioritize patching any internet-facing or perimeter-accessible SharePoint farms.
- Network Segmentation: Restrict network access to SharePoint administration and application endpoints to trusted internal IP ranges. Block unnecessary outbound connections from SharePoint servers.
- Web Application Firewall (WAF): Deploy or tune WAF rules to detect anomalous requests targeting SharePoint code-execution paths. Use this as a compensating control until patching is complete.
- Credential Hygiene: Enforce multi-factor authentication (MFA) for all SharePoint accounts and rotate credentials if compromise is suspected. Low-privilege accounts remain a viable foothold for this attack.
- Least Privilege: Review and minimize SharePoint service account and application pool privileges to reduce the blast radius of a successful exploit.
Detection
- Monitor SharePoint application and IIS logs for unusual HTTP requests to endpoints associated with code evaluation or dynamic compilation.
- Alert on unexpected process spawning by SharePoint worker processes (w3wp.exe), especially command-line interpreters or scripting engines.
- Deploy endpoint detection and response (EDR) on SharePoint servers and hunt for file-system anomalies, credential dumping, or lateral-movement indicators.
- Correlate authentication logs with known-compromised or low-privilege accounts making anomalous API or web requests.
Assessment
This vulnerability exemplifies how a single code-injection flaw in a core enterprise collaboration platform can escalate into a widespread ransomware event. The EPSS score of 0.99907 (99.9th percentile) reflects extremely high real-world exploit probability, and inclusion in the CISA KEV catalog on 2025-07-22 confirms confirmed in-the-wild usage. The European Union vulnerability database (EUVD-2025-20554) also flags it as actively exploited from the same date.
Key lessons:
- Input validation failures in code-generation paths remain a critical and recurrent source of high-severity vulnerabilities in enterprise software.
- On-premises SharePoint deployments without rapid patch cadences are attractive, durable targets for ransomware actors.
References
Frequently asked questions
- What is CVE-2025-49704?
- Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- How severe is CVE-2025-49704?
- CVE-2025-49704 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-49704 being actively exploited?
- Yes. CVE-2025-49704 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-07-22, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-49704?
- CVE-2025-49704 primarily affects Microsoft Sharepoint Server. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-49704?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-49704 have an EU (EUVD) identifier?
- Yes. CVE-2025-49704 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-20554. It is also flagged as exploited in the EUVD (since 2025-07-22).
- When was CVE-2025-49704 published?
- CVE-2025-49704 was published on 2025-07-08 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49704
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
Affected products (2)
- cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Sharepoint Server
- CVE-2013-1330 — Critical (CVSS 10.0): The default configuration of Microsoft SharePoint Portal Server 2003 SP3, SharePoint Server 2007 SP3 and 2010 SP1 and…
- CVE-2020-1595 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from…
- CVE-2020-1210 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source…
- CVE-2026-20963 — Critical (CVSS 9.8): Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a…
- CVE-2025-53770 — Critical (CVSS 9.8): Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute…
- CVE-2023-29357 — Critical (CVSS 9.8): Microsoft SharePoint Server Elevation of Privilege Vulnerability
All CVEs affecting Microsoft Sharepoint Server →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.