CISA Alerts on Active Exploitation of Microsoft SharePoint Code Injection and Authentication Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent alerts regarding the active exploitation of two critical Microsoft SharePoint vulnerabilities, with organizations facing a same-day deadline to implement protective measures.
The alert, released yesterday, July 22, 2025, targets vulnerabilities that pose significant risks to enterprise SharePoint deployments worldwide, with the compliance deadline arriving today.
Vulnerability Overview
CISA has identified two interconnected vulnerabilities affecting Microsoft SharePoint that are currently being exploited in the wild.
These vulnerabilities can be chained together to create devastating attack scenarios, allowing malicious actors to gain unauthorized access and execute code on vulnerable systems.
| CVE ID | Vulnerability Type | CWE | Impact |
| --- | --- | --- | --- |
| CVE-2025-49706 | Improper Authentication | CWE-287 | Spoofing, information disclosure, data modification |
| CVE-2025-49704 | Code Injection | CWE-94 | Remote code execution |
CVE-2025-49706 represents a severe improper authentication vulnerability that enables authorized attackers to conduct sophisticated spoofing attacks over network connections.
Successful exploitation allows attackers to view sensitive information and make unauthorized modifications to disclosed data, creating substantial security risks for affected organizations.
The companion vulnerability, CVE-2025-49704, introduces code injection capabilities that permit authorized attackers to execute malicious code remotely over network connections.
When chained together, these vulnerabilities create a particularly dangerous attack vector that can compromise entire SharePoint environments.
With today marking the compliance deadline, CISA has issued stringent recommendations for immediate implementation.
Organizations must disconnect all public-facing SharePoint Server installations that have reached end-of-life or end-of-service status. SharePoint Server 2013 and earlier versions fall into this category and should be discontinued immediately.
For organizations running supported SharePoint versions, CISA mandates strict adherence to both agency guidance and Microsoft’s vendor-provided mitigation instructions.
The alert specifically references BOD 22-01 guidance for cloud services, requiring organizations to either implement comprehensive security measures or discontinue product usage entirely if adequate mitigations cannot be deployed.
The compressed 24-hour response timeline underscores the severity of the threat landscape.
Both vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalog on July 22, 2025, with a same-day due date of July 23, 2025, indicating active exploitation attempts have been identified in enterprise environments.
While the use of these vulnerabilities in ransomware campaigns remains unknown, the potential for chaining attacks and the active exploitation status make them high-priority targets for immediate remediation.
Organizations that fail to meet today’s deadline face potential compliance violations and increased cybersecurity risks.
Security teams should prioritize immediate vulnerability assessments and implement recommended mitigations without delay to maintain organizational security posture.