⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Due date: 2025-07-23.
Severity: 8.8 HIGH
EPSS: 59.6% (top 1.75%)
CISA KEV: KEV, Ransomware (added 2025-07-22, due 2025-07-23)
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jul 8 | KEV added Jul 22 | KEV due Jul 23 | Latest update Dec 3

Description

Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5 | microsoft/microsoft_sharepoint_server_2019 | 16.0.0 | 16.0.10417.20027
CVEListV5 | microsoft/microsoft_sharepoint_enterprise_server_2016 | 16.0.0 | 16.0.5508.1000
NVD | microsoft/sharepoint_server | 2016, 2019 +1

🔴 Vulnerability Details (3)

CVEList: Microsoft SharePoint Remote Code Execution Vulnerability (2025-07-08)
GHSA: GHSA-mh5q-j7vq-g5g7: Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network (2025-07-08)
VulnCheck: Microsoft SharePoint Code Injection Vulnerability (2025)

💥 Exploits & PoCs (1)

Metasploit: Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)

🔍 Detection Rules (1)

Sigma: Suspicious File Write to SharePoint Layouts Directory

📋 Vendor Advisories (3)

CISA: Microsoft SharePoint Code Injection Vulnerability (2025-07-22)
CISA: Microsoft SharePoint Deserialization of Untrusted Data Vulnerability (2025-07-20)
Microsoft: Microsoft SharePoint Remote Code Execution Vulnerability (2025-07-08)

🕵️ Threat Intelligence (7)

Securelist: Exploits and vulnerabilities in Q3 2025 (2025-12-03)
Unit42: Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks (2025-08-05)
Unit42: Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated August 12) (2025-07-31)
Securelist: ToolShell: a story of five vulnerabilities in Microsoft SharePoint (2025-07-25)

📐 Framework References (1)

ATT&CK: SharePoint ToolShell Exploitation
CVE-2025-49704 (HIGH CVSS 8.8) | Improper control of generation of c | cvebase.io