CVE-2025-49704

Warning

Media report

EPSS 64.91%
Published 08.07.2025 16:58:05
Last modified 30.07.2025 01:00:01
Source secure@microsoft.com
Teams watchlist Login
Open Login

Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Affected products Warnungen 1 Metrics 2 CWE 1 References 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Microsoft ≫ Sharepoint Server Version2016 SwEditionenterprise

Microsoft ≫ Sharepoint Server Version2019

22.07.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft SharePoint Code Injection Vulnerability

Vulnerability

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704.

Description

CISA recommends disconnecting public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS). For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use. For supported versions, please follow the mitigations according to CISA and vendor instructions. Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	64.91%	0.984

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
secure@microsoft.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.heise.de/news/Patchday-Microsoft-schliesst-100-000-Luecke-in-SharePoint-aus-Hacker-Wettbewerb-10479811.html

Medienbericht

heise Security

https://www.heise.de/news/Kritische-Sharepoint-Sicherheitsluecke-Erste-Patches-fuer-ToolShell-sind-da-10493989.html

Medienbericht

heise Security

https://krebsonsecurity.com/2025/07/microsoft-fix-targets-attacks-on-sharepoint-zero-day/

Medienbericht

Krebs on Security

https://www.heise.de/news/Update-Neue-Version-von-Sharepoint-2016-behebt-Toolshell-Luecke-10495573.html

Medienbericht

heise Security