🔴 CVE-2025-49704

CVE-2025-49704 is a critical code injection vulnerability in Microsoft SharePoint that allows remote code execution over the network and requires only low-privilege authentication. SharePoint servers are commonly deployed as internet-facing enterprise applications, which makes this vulnerability highly exploitable via ATT&CK technique T1190.

โ† Back to Overview
Risk Level: HIGH_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 - Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: Yes (+207d)

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-08

Added to CISA KEV: 2025-07-22 (14 days between CVE and KEV)

🎯 Recommendations:

๐Ÿ” Web Intelligence (Kagi ยท 2025-09-06)

CVE-2025-49704 is a critical code injection vulnerability affecting Microsoft SharePoint and is often chained with CVE-2025-49706 [1][2].

Here's a breakdown of what is known about its exploitation:

  • Internet-facing applications or services: CVE-2025-49704 impacts on-premises SharePoint servers, which are often internet-facing [1][3].
  • Active exploitation: Microsoft has confirmed active exploitation of CVE-2025-49704 in the wild since at least July 7, 2025 [4][3].
  • Attack vectors and exploitation methods:
    * The vulnerability is a code injection flaw that allows attackers to execute code remotely [1][5].
    * A crafted POST request is sent to the SharePoint server to upload a malicious script, often named `spinstall0.aspx` [4].
    * The vulnerability is often exploited in conjunction with CVE-2025-49706, an improper authentication vulnerability, to allow unauthenticated threat actors to gain control of servers [1][6]. This exploit chain is sometimes referred to as "ToolShell" [6].
  • Targeted attacks: Cyber threat actors use CVE-2025-49704 and CVE-2025-49706 to gain unauthorized access to on-premises SharePoint servers [6].
  • CISA Known Exploited Vulnerabilities (KEV) status: CISA added CVE-2025-49704 to its Known Exploited Vulnerabilities Catalog on July 22, 2025 [6][5]. Federal agencies are required to remediate this vulnerability by a specific date [5].
  • Technical details about internet exploitability: CVE-2025-49704 can lead to remote code execution (RCE), allowing unauthenticated attackers to gain control of vulnerable SharePoint servers [1][3]. Successful exploitation allows attackers to execute arbitrary code on the server [7].

Sources

  1. Active Exploitation of Microsoft SharePoint Vulnerabilities

    CVE-2025-49704 and CVE-2025-49706 are a critical set of vulnerabilities that impact Microsoft SharePoint, allowing unauthenticated threat actors to access ...

  2. Known Exploited Vulnerabilities Catalog | CISA

    This vulnerability could be chained with CVE-2025-49706. The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704.

  3. SharePoint Under Siege: ToolShell Exploit (CVE-2025-49706 & CVE-2025-49704)

    CVE-2025-49706 and CVE-2025-49704, also referred to as ToolShell, are critical vulnerabilities in on-premises SharePoint that enable attackers to gain control of servers without authentication. Microsoft has confirmed active exploitation and released patches on July 8th 2025.

  4. Disrupting active exploitation of on-premises SharePoint ... - Microsoft

    The following Attack Surface Insights may indicate vulnerable but not necessarily exploited services: CVE-2025-49704 – SharePoint RCE; CVE-2025- ...

  5. CISA Adds Two Known Exploited Vulnerabilities to Catalog

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-49704…