CVE-2025-49704

Name of the Vulnerable Software and Affected Versions Microsoft SharePoint versions prior to July 2025 patchday Microsoft SharePoint Server 2016 Microsoft SharePoint Server 2019 Microsoft SharePoint Server Subscription Edition (SE) Microsoft SharePoint (affected versions not specified)

Description Microsoft SharePoint contains a flaw related to improper control of code generation, specifically a code injection issue. This allows an authorized attacker to execute code over a network. The vulnerability is related to deserialization of untrusted data and can be exploited through specially crafted WebPart POST requests. Exploitation has been observed in real-world attacks, including targeting US federal agencies like the Kansas City National Security Campus (KCNSC), and is actively exploited by multiple actors, including groups attributed to China. Initial patches released by Microsoft were found to be ineffective, requiring further updates and configuration upgrades. The vulnerability allows attackers to bypass authentication and gain remote code execution, potentially enabling shell access, database queries, and web shell deployment. The vulnerability is also a bypass of a previously patched issue. Approximately 24.9K services are found to be vulnerable yearly.

Recommendations For all affected versions of Microsoft SharePoint, install the latest security patches released by Microsoft. For SharePoint Server 2016, 2019, and Subscription Edition, ensure the latest patches are installed to resolve CVE-2025-49704. Manually run configuration upgrades after applying the patches, as this step was often missed and left systems vulnerable.