CISA Warns of Microsoft SharePoint Code Injection and Authentication Vulnerability Exploited in Wild

CISA has issued an urgent warning regarding two Microsoft SharePoint vulnerabilities that threat actors are actively exploiting in the wild.

The vulnerabilities, designated CVE-2025-49704 and CVE-2025-49706, affect on-premises SharePoint servers and have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog with a one-day remediation deadline.

Key Takeaways
1. CVE-2025-49704 and CVE-2025-49706 are being actively exploited to compromise on-premises SharePoint servers.
2. CISA added both to the KEV catalog with a remediation due date of July 23, 2025, binding on federal agencies under BOD 22-01.
3. Disconnect end-of-life SharePoint versions from the network; patch supported versions immediately.

Code Injection Vulnerability (CVE-2025-49704)

CVE-2025-49704 is a code injection vulnerability in Microsoft SharePoint, classified as CWE-94 (Improper Control of Generation of Code, "Code Injection").

The flaw allows an authorized attacker to execute arbitrary code over a network connection, which can give them complete control of the affected SharePoint server.

Code injected into the SharePoint application executes with the privileges of the SharePoint service account, so successful exploitation leads to server compromise and potential data exfiltration.

Improper Authentication Vulnerability (CVE-2025-49706)

CVE-2025-49706 is an improper authentication vulnerability, classified as CWE-287 (Improper Authentication), in Microsoft SharePoint's authentication mechanisms.

The flaw allows an authorized attacker to perform spoofing over a network, impersonating legitimate users and bypassing authentication controls.

Successful exploitation lets an attacker view sensitive information and modify the data they have gained access to, compromising both the confidentiality and the integrity of the SharePoint environment.

Chained together, the two vulnerabilities form a single attack path.

Threat actors first leverage CVE-2025-49706 to bypass authentication through spoofing, then exploit CVE-2025-49704 to inject and execute code on the now-reachable server.

Microsoft's advisory for the related, later-disclosed CVE-2025-53770 states that its update includes more robust protections than the earlier updates for these vulnerabilities. The practical consequence for defenders is that having installed the original fixes for CVE-2025-49704 and CVE-2025-49706 should not be treated as sufficient; the later SharePoint security update should be applied as well.

CVE | Title | CVSS 3.1 Score | Severity (CVSS 3.1 qualitative rating)
CVE-2025-49704 | Microsoft SharePoint Code Injection Vulnerability | 8.8 | High
CVE-2025-49706 | Microsoft SharePoint Improper Authentication Vulnerability | 6.5 | Medium

CISA Issues 24-Hour Patch Deadline

CISA added both vulnerabilities to the KEV catalog on July 22, 2025, with a one-day remediation deadline of July 23, 2025.

This compressed timeline reflects confirmed active exploitation and the impact of a successful attack.

Under Binding Operational Directive (BOD) 22-01, federal civilian agencies are required to remediate KEV entries by the listed due date; CISA strongly urges all other organizations to treat the same deadline as their own.

Organizations are particularly exposed if they run end-of-life (EOL) or end-of-service (EOS) SharePoint versions, including SharePoint Server 2013 and earlier releases, which no longer receive security updates.

CISA emphasizes that such legacy systems should be disconnected from public-facing networks immediately.

CISA recommends a multi-layered approach. For supported SharePoint versions, organizations must apply the latest security updates and follow Microsoft's mitigation guidance.

For EOL systems such as SharePoint Server 2013, no patch will be issued, so the only viable option is to take them offline.
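The first practical step behind the guidance above is knowing which SharePoint product and build each farm is running, so that EOL farms can be isolated and supported farms can be checked against the patched build. The script below is an added example written for this page, not CISA's or Microsoft's own tooling. It assumes it is run in the SharePoint Management Shell on a farm server, and the minimum patched build numbers in the table are assumptions for illustration that must be replaced with the builds listed in the Microsoft advisory being patched against.

```powershell
# Added example (not from CISA or Microsoft): triage an on-premises SharePoint
# farm's patch level. Run in the SharePoint Management Shell on a farm server.
# The minimum-build table is an ASSUMPTION for illustration; substitute the
# build numbers from the Microsoft advisory you are patching against.

$MinimumPatchedBuild = @{
    # Assumed values - verify against Microsoft's advisory for CVE-2025-53770.
    '2016'         = [version]'16.0.5508.1000'
    '2019'         = [version]'16.0.10417.20027'
    'Subscription' = [version]'16.0.18526.20424'
}

function Get-SharePointProductName {
    param([Parameter(Mandatory)][version]$Build)
    # Build-number ranges distinguish the on-premises products that share the 16.x line.
    if ($Build.Major -le 15)    { return 'EOL' }          # 2013 (15.x) and earlier: out of support
    if ($Build.Build -lt 10000) { return '2016' }         # 16.0.4xxx - 16.0.5xxx
    if ($Build.Build -lt 14000) { return '2019' }         # 16.0.10xxx
    return 'Subscription'                                 # 16.0.14xxx and later
}

function Test-SharePointPatchLevel {
    param([Parameter(Mandatory)][version]$Build)
    $product = Get-SharePointProductName -Build $Build
    if ($product -eq 'EOL') {
        return [pscustomobject]@{
            Build   = $Build
            Product = 'SharePoint Server 2013 or earlier'
            Status  = 'End of life - no patch available; disconnect from the network'
            Patched = $false
        }
    }
    $required = $MinimumPatchedBuild[$product]
    [pscustomobject]@{
        Build   = $Build
        Product = "SharePoint Server $product"
        Status  = if ($Build -ge $required) { 'Patched' } else { "Unpatched - requires $required or later" }
        Patched = ($Build -ge $required)
    }
}

# Load the SharePoint snap-in if the shell has not already done so.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

# Farm-wide build recorded in the configuration database.
$farmBuild = (Get-SPFarm).BuildVersion
Test-SharePointPatchLevel -Build $farmBuild | Format-List
```

Note that `(Get-SPFarm).BuildVersion` reflects the configuration database and only advances after the Products Configuration Wizard (PSConfig) has been run following the update; if the reported build lags behind what Windows Update shows as installed, confirm the per-server patch state with `Get-SPProduct -Local` and finish the configuration step before treating the farm as patched.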

The KEV entries' mitigation instructions point to Microsoft's advisories at the Microsoft Security Response Center (MSRC) and to the National Vulnerability Database (NVD) records for each CVE.

Organizations should also consider implementing network segmentation, enhanced monitoring, and access controls as part of their broader cybersecurity posture to prevent similar exploitation attempts in the future.
