What is Microsoft SharePoint Server?
Microsoft SharePoint Server is an enterprise collaboration and content management platform used by organizations to manage intranets, document libraries, workflows, and team sites. SharePoint Server (on-premises) is deployed widely in enterprise environments and often integrated with Active Directory, Exchange, and business applications. Internet-facing SharePoint instances exist in many organizations for partner portals, external document sharing, and remote collaboration. SharePoint has been a recurring target for nation-state and ransomware actors due to its privileged position in corporate document management.
Overview
CVE-2025-49704 is a code injection vulnerability (CWE-94) in Microsoft SharePoint Server that allows an authenticated attacker with low-level site member privileges to execute code on the SharePoint server. CISA's 1-day remediation deadline (added July 22, deadline July 23) is among the shortest ever issued under BOD 22-01, reflecting a ransomware-linked active exploitation campaign. The vulnerability can be chained with CVE-2025-49706 for additional impact, and the initial fix was later found to be incomplete: CVE-2025-53770 ("ToolShell") tracks a bypass of that fix, and Microsoft advises applying the CVE-2025-53770 update for more robust protection.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| SharePoint Server 2019 | Before July 2025 CU | July 2025 Cumulative Update |
| SharePoint Server 2016 | Before July 2025 CU | July 2025 Cumulative Update |
| SharePoint Server 2013 | End of Life — disconnect | No longer supported |
| SharePoint Server 2010 and earlier | End of Life — disconnect | No longer supported |
SharePoint Online (Microsoft 365) is managed by Microsoft and not affected.
Technical Details
The code injection vulnerability (CWE-94) in SharePoint Server allows an authenticated attacker with "site member" or equivalent low-level privileges to inject code that executes server-side in the context of the SharePoint service account (typically a domain service account with broad network privileges). The injection vector exists within SharePoint's server-side processing of user-supplied content in specific contexts.
Key chain relationships:
- CVE-2025-49706: A companion vulnerability that can be chained with CVE-2025-49704 for additional post-exploitation capabilities
- CVE-2025-53770 (ToolShell): A bypass of the initial CVE-2025-49704 patch, discovered after that patch shipped; Microsoft recommends applying the CVE-2025-53770 update for stronger protection
The SharePoint service account typically holds broad domain privileges (at minimum a domain user, and often more), so initial code execution on the SharePoint server enables lateral movement to other systems.
Discovery
Active exploitation was identified before the July 2025 Patch Tuesday by Microsoft MSTIC. The threat actor used the vulnerability in ransomware pre-deployment operations.
Exploitation Context
CISA's 1-day deadline reflects confirmed active exploitation in ransomware campaigns at the time of the KEV listing. Microsoft's July 22 blog "Disrupting Active Exploitation of On-Premises SharePoint Vulnerabilities" documented the campaign. EOL SharePoint versions (2013 and earlier) were particularly targeted given their permanent unpatched state.
The Known Ransomware Use flag on the KEV entry confirms that attackers used SharePoint server compromise as a stepping stone to deploy ransomware across victim organizations — a pattern consistent with double-extortion operators targeting organizations that keep sensitive documents in SharePoint.
Remediation
- Apply the CVE-2025-53770 (ToolShell) patch — Microsoft's guidance prioritizes this over the original CVE-2025-49704 patch because CVE-2025-53770 addresses the bypass. Apply both for complete protection.
- Disconnect EOL SharePoint versions immediately (2013 and earlier) — CISA's required action explicitly mandates this.
- Apply the patch for CVE-2025-49706 simultaneously.
- Restrict internet access to SharePoint Server — internet-facing on-premises SharePoint should be placed behind a VPN or replaced with SharePoint Online.
- Review SharePoint service account privileges — minimize the service account to the least privileges needed; isolate its network access.
- Hunt for webshells in SharePoint hive directories and web application folders; look for unexpected .aspx files created after July 2025.
- Follow CISA's full mitigation instructions in the CISA alert listed under References.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-49704 |
| Vendor / Product | Microsoft — SharePoint |
| NVD Published | 2025-07-08 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-94 |
| CISA KEV Added | 2025-07-22 |
| CISA KEV Deadline | 2025-07-23 |
| Known Ransomware Use | Yes |
Timeline
| Date | Event |
|---|---|
| 2025-07-08 | CVE published in July 2025 Patch Tuesday; active exploitation already confirmed |
| 2025-07-20 | CISA issues alert with mitigation guidance |
| 2025-07-22 | Added to CISA Known Exploited Vulnerabilities catalog with 1-day remediation deadline |
| 2025-07-22 | Microsoft publishes blog disrupting active exploitation campaign |
| 2025-07-23 | CISA BOD 22-01 remediation deadline (1 day — extremely urgent) |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2025-49704 | Vendor Advisory |
| CISA Alert — Microsoft SharePoint Exploitation Guidance | US Government |
| NVD — CVE-2025-49704 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft MSTIC — Disrupting Active Exploitation of SharePoint Vulnerabilities | Security Research |