CVE-2025-49704

Published Jul 8, 2025

Last updated 2 days ago

CVSS high 8.8
Microsoft Office SharePoint

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-49704 is a code injection vulnerability in Microsoft Office SharePoint. An authorized attacker could exploit this vulnerability to execute code over a network. To exploit this vulnerability, the attacker needs to be authenticated with at least Site Owner privileges. Successful exploitation of CVE-2025-49704 allows an attacker to write arbitrary code into a vulnerable SharePoint server to gain remote code execution. The attack complexity is low and can be exploited remotely from the internet, potentially leading to complete compromise of affected SharePoint servers.

Description
Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Source
secure@microsoft.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

secure@microsoft.com
CWE-94

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

14

  1. 🚨Alert🚨 CVE-2025-49704 : Microsoft SharePoint Remote Code Execution Vulnerability 📊24.9K Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/EDWFkA2tPf 👇Query HUNTER : https://t.co/q9rtuGgxk7="SharePoint Server" 📰Refer:https://t.c

    @HunterMapping

    11 Jul 2025

    4496 Impressions

    42 Retweets

    111 Likes

    40 Bookmarks

    0 Replies

    0 Quotes

  2. [ZDI-25-581|CVE-2025-49704] (Pwn2Own) Microsoft SharePoint DataSetSurrogateSelector Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVSS 8.8; Credit: Viettel Cyber Security) https://t.co/BXcsWGlZkE

    @TheZDIBugs

    9 Jul 2025

    9869 Impressions

    12 Retweets

    63 Likes

    15 Bookmarks

    1 Reply

    2 Quotes

  3. CVE-2025-49704 Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. https://t.co/x3GW5nFwou

    @CVEnew

    8 Jul 2025

    108 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.