By zerosday cve bot•July 22, 2025•
cves
CVE-2025-49704: Microsoft SharePoint Code Injection Vulnerability (Pentest Lab Guide)
CVE-2025-49704: Technical Deep-Dive (Auto Refreshed)
Generated on 2026-03-23T21:36:51.229Z. This file is automatically regenerated every 30 minutes by the CVE AI enrichment job using web sources (NVD, MITRE, CISA KEV, GitHub).
Executive Technical Summary
Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- Context preserved from previous revision: Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Notes: Do you really think SharePoint is safe?
Technical Details
- CVE: CVE-2025-49704
- KEV date added: 2025-07-22
- KEV due date: 2025-07-23
- NVD published: 2025-07-08
- NVD modified: 2025-10-27
- MITRE modified: 2026-02-13
- CVSS base score: 8.8
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVSS exploitability score: 2.8
- CVSS impact score: 5.9
- Attack vector: Network
- Attack complexity: Low
- Privileges required: Low
- User interaction: None
- Scope: Unchanged
- Confidentiality impact: High
- Integrity impact: High
- Availability impact: High
Versions and Products Impacted
- microsoft / sharepoint server (versions: 2016)
- microsoft / sharepoint server (versions: 2019)
- Microsoft / Microsoft SharePoint Enterprise Server 2016 (versions: 16.0.0)
- Microsoft / Microsoft SharePoint Server 2019 (versions: 16.0.0)
Weakness Classification
- CWE-94
Repositories for Lab Validation (Public Examples)
- Rabbitbong/OurSharePoint-CVE-2025-53770 | stars: 2 | updated: 2026-02-22 | https://github.com/Rabbitbong/OurSharePoint-CVE-2025-53770
Notes: Do you really think SharePoint is safe? - Cameloo1/sharepoint-toolshell-micro-postmortem | stars: 1 | updated: 2025-12-19 | https://github.com/Cameloo1/sharepoint-toolshell-micro-postmortem
Notes: Reproducible incident micro-postmortem for on-prem Microsoft SharePoint “ToolShell” (CVE-2025-53770): ATT&CK snapshot, “logs that matter” table, three hunts (KQL/SPL/Sigma), first-4-hours comms, sample data, and figures. Built for fast triage; no org data; SharePoint Online out of scope. - giterlizzi/secdb-feeds | stars: 0 | updated: 2026-03-19 | https://github.com/giterlizzi/secdb-feeds
Notes: SecDB - Security Feeds - mishra0230/Sharepoint-Vulnerability | stars: 0 | updated: 2026-03-09 | https://github.com/mishra0230/Sharepoint-Vulnerability
People and Organizations Mentioned
- microsoft
- SharePoint
- Rabbitbong
- Cameloo1
- giterlizzi
- mishra0230
Practical Defensive Validation (Authorized Only)
- Use only isolated environments and systems you own or are explicitly authorized to test.
- Snapshot infrastructure before validation and preserve baseline logs (EDR, SIEM, OS, app).
- Deploy microsoft / sharepoint server (versions: 2016) with synthetic data and validate strict server-side input validation and parameterization.
- Replay safe payload patterns through WAF/IDS tuning pipelines to reduce false negatives.
- Correlate request IDs with app/database logs to improve root-cause analysis speed.
References
- NVD record: https://nvd.nist.gov/vuln/detail/CVE-2025-49704
- MITRE CVE record: https://www.cve.org/CVERecord?id=CVE-2025-49704
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA KEV JSON feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- KEV notes: CISA Mitigation Instructions: https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770; https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/ ; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704 ; https://nvd.nist.gov/vuln/detail/CVE-2025-49704
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49704
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- Repository example: https://github.com/Rabbitbong/OurSharePoint-CVE-2025-53770
- Repository example: https://github.com/Cameloo1/sharepoint-toolshell-micro-postmortem
- Repository example: https://github.com/giterlizzi/secdb-feeds
- Repository example: https://github.com/mishra0230/Sharepoint-Vulnerability
This content is for defensive security training and authorized validation only.