CISA has issued an urgent warning regarding two critical Microsoft SharePoint vulnerabilities that threat actors are actively exploiting in the wild.
The vulnerabilities, designated as CVE-2025-49704 and CVE-2025-49706, pose significant risks to organizations running on-premises SharePoint servers and have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog with an immediate remediation deadline.
Key Takeaways
1. CVE-2025-49704 and CVE-2025-49706 are being actively exploited to compromise SharePoint servers.
2. CISA requires immediate remediation by July 23, 2025.
3. Disconnect old SharePoint systems, patch current versions immediately.
Code Injection Vulnerability (CVE-2025-49704)
CVE-2025-49704 is a severe code injection vulnerability in Microsoft SharePoint that falls under the CWE-94 classification, Improper Control of Generation of Code.
This flaw allows authorized attackers to execute arbitrary code over a network connection, potentially giving them full control over the affected SharePoint server.
The vulnerability allows threat actors to inject malicious code into the SharePoint application, which can then be executed with the privileges of the SharePoint service account, leading to potential system compromise and data exfiltration.
Improper Authentication Vulnerability (CVE-2025-49706)
CVE-2025-49706 is an improper authentication vulnerability categorized under CWE-287 (Improper Authentication) that affects Microsoft SharePoint’s authentication mechanisms.
This security flaw allows authorized attackers to perform spoofing attacks over a network, enabling them to impersonate legitimate users and bypass authentication controls.
Successful exploitation of this vulnerability grants attackers unauthorized access to view sensitive information and make changes to disclosed information, effectively compromising the integrity and confidentiality of SharePoint environments.
When the two vulnerabilities are chained together, they combine to form a powerful attack vector.
Threat actors typically leverage CVE-2025-49706 first to bypass authentication mechanisms through spoofing techniques, then exploit CVE-2025-49704 to inject and execute malicious code on the compromised server.
Microsoft has confirmed that the update for CVE-2025-53770 includes more robust protections than the individual patches for these vulnerabilities, suggesting a comprehensive security enhancement approach that addresses the underlying architectural weaknesses.
| CVE | Title | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-49704 | Microsoft SharePoint Code Injection Vulnerability | 8.8 | Medium |
| CVE-2025-49706 | Microsoft SharePoint Improper Authentication Vulnerability | 6.5 | Medium |
CISA Issues 24-Hour Patch Deadline
CISA added both vulnerabilities to the KEV catalog on July 22, 2025, with an unprecedented 24-hour remediation deadline set for July 23, 2025.
This aggressive timeline reflects the severity of active exploitation and the critical nature of the vulnerabilities.
The agency has issued specific guidance under Binding Operational Directive (BOD) 22-01, requiring federal agencies to immediately address these security flaws.
Organizations are particularly vulnerable if they are running end-of-life (EOL) or end-of-service (EOS) SharePoint versions, including SharePoint Server 2013 and earlier releases that no longer receive security updates.
CISA emphasizes that these legacy systems should be completely disconnected from public-facing networks immediately.
CISA recommends a multi-layered approach to address these vulnerabilities. For supported SharePoint versions, organizations must apply the latest security patches and follow Microsoft’s comprehensive mitigation guidance.
However, for EOL systems like SharePoint Server 2013, the only viable option is complete disconnection from network access.
The agency’s mitigation instructions reference several Microsoft security advisories and vulnerability databases, including the Microsoft Security Response Center (MSRC) and National Vulnerability Database (NVD).
Organizations should also consider implementing network segmentation, enhanced monitoring, and access controls as part of their broader cybersecurity posture to prevent similar exploitation attempts in the future.