PT-2025-28601 · Microsoft · Sharepoint Server

Reported by: Trend Zero Day Initiative +1 · Published 2025-07-08 · Updated 2026-04-03 · CVE-2025-49704

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Microsoft SharePoint versions prior to the latest patches.

Description

The software contains a flaw in the control of code generation, leading to a code injection issue that allows an authorized attacker to execute code over a network. The vulnerability has been actively exploited by Chinese state-linked hackers, impacting US agencies such as the Department of Homeland Security (DHS) and potentially defense systems. Exploitation involves deserialization of untrusted data and can lead to remote code execution. Specifically, a remote attacker can achieve code execution on the server by sending a specially crafted POST request containing malicious WebPart markup. The ToolShell exploit (CVE-2025-49704) has been observed in the wild since July 7th, and the initial patches were found to be ineffective, requiring further updates. The vulnerability can be exploited through the DataSetSurrogateSelector, and a bypass of a previously patched issue has been identified. Approximately 24.9K services are found to be vulnerable yearly.

Recommendations

Install the latest security patches released by Microsoft to address the vulnerability. Ensure that configuration upgrades are performed after patching, as many administrators missed this step. As a temporary workaround, consider restricting access to the affected SharePoint instances. Monitor systems for suspicious activity and potential exploitation attempts.

Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-08436
CVE-2025-49704
ZDI-25-581

Affected Products

Sharepoint Server