CVE-2025-49704 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-08

Added to CISA KEV: 2025-07-22 14 DAYS BETWEEN CVE AND KEV

⚠️ CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity before patching
Apply security patches immediately for affected SharePoint versions
Monitor SharePoint servers for suspicious POST requests and uploaded files (especially spinstall0.aspx)
Implement network segmentation to limit SharePoint server exposure
Review authentication logs for unauthorized access attempts

Active Exploitation of Microsoft SharePoint Vulnerabilities
CVE-2025-49704 and CVE-2025-49706 are a critical set of vulnerabilities that impact Microsoft SharePoint, allowing unauthenticated threat actors to access ...
Known Exploited Vulnerabilities Catalog | CISA
This vulnerability could be chained with CVE-2025-49706. The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704.
SharePoint Under Siege: ToolShell Exploit (CVE-2025-49706 & CVE-2025-49704)
CVE-2025-49706 and CVE-2025-49704, also referred to as ToolShell, are critical vulnerabilities in on-premises SharePoint that enable attackers to gain control of servers without authentication. Microsoft has confirmed active exploitation and released patches on July 8th 2025.
Disrupting active exploitation of on-premises SharePoint ... - Microsoft
The following Attack Surface Insights may indicate vulnerable but not necessarily exploited services: CVE-2025-49704 – SharePoint RCE; CVE-2025- ...
CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-49704

🔴 CVE-2025-49704