CVE-2025-49704

Warnung

Medienbericht

EPSS 59.58%
Veröffentlicht 08.07.2025 16:58:05
Zuletzt bearbeitet 27.10.2025 17:12:33
Quelle secure@microsoft.com
CVE-Watchlists
Login
Unerledigt
Login

Microsoft SharePoint Remote Code Execution Vulnerability

Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Betroffene Produkte Warnungen 1 Metriken 2 CWE 1 Referenzen 11

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Microsoft ≫ Sharepoint Server Version2016 SwEditionenterprise

Microsoft ≫ Sharepoint Server Version2019

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

22.07.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft SharePoint Code Injection Vulnerability

Schwachstelle

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704.

Beschreibung

CISA recommends disconnecting public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS). For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use. For supported versions, please follow the mitigations according to CISA and vendor instructions. Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	59.58%	0.982

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secure@microsoft.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.heise.de/news/Patchday-Microsoft-schliesst-100-000-Luecke-in-SharePoint-aus-Hacker-Wettbewerb-10479811.html

Media Report

https://www.heise.de/news/Kritische-Sharepoint-Sicherheitsluecke-Erste-Patches-fuer-ToolShell-sind-da-10493989.html

Media Report

https://krebsonsecurity.com/2025/07/microsoft-fix-targets-attacks-on-sharepoint-zero-day/

Media Report

https://www.heise.de/news/Update-Neue-Version-von-Sharepoint-2016-behebt-Toolshell-Luecke-10495573.html

Media Report

https://www.heise.de/news/Microsofts-Sharepoint-Luecken-Die-Zero-Days-die-vielleicht-gar-keine-waren-10505387.html

Media Report

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704

Vendor Advisory