CVE-2025-49704
Published Jul 8, 2025
Last updated a month ago
AI description
CVE-2025-49704 is a code injection vulnerability in Microsoft Office SharePoint. An authorized attacker could exploit this vulnerability to execute code over a network. To exploit this vulnerability, the attacker needs to be authenticated with at least Site Owner privileges. Successful exploitation of CVE-2025-49704 allows an attacker to write arbitrary code into a vulnerable SharePoint server to gain remote code execution. The attack complexity is low and can be exploited remotely from the internet, potentially leading to complete compromise of affected SharePoint servers.
- Description
- Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- Source
- secure@microsoft.com
- NVD status
- Analyzed
- Products
- sharepoint_server
CVSS 3.1
- Type
- Secondary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Data from CISA
- Vulnerability name
- Microsoft SharePoint Code Injection Vulnerability
- Exploit added on
- Jul 22, 2025
- Exploit action due
- Jul 23, 2025
- Required action
- Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
- secure@microsoft.com
- CWE-94
- Hype score
- Not currently trending
New IOC Alert → CVE-2025-53770 and CVE-2025-53771: Actively Exploited SharePoint Vulnerabilities. ■ Indicator: CVE-2025-49704
@CTI131
21 Aug 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
【漏洞工具】SharePoint 2025 RCE 图形化漏洞利用工具 相关 CVE 编号为: CVE-2025-53770 CVE-2025-53771 CVE-2025-49704 CVE-2025-49706 https://t.co/8DPcYBYCq4 https://t.co/lts8kW1swv
@cybersecuritysl
19 Aug 2025
1260 Impressions
7 Retweets
18 Likes
16 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-49704
@transilienceai
8 Aug 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-49704
@transilienceai
7 Aug 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2002-0741 2 - CVE-2024-27867 3 - CVE-2025-49704 4 - CVE-2025-54135 5 - CVE-2025-54574 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
4 Aug 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A new version of https://t.co/9BofGcFaWh is out, I have updated #SharePoint plugin to: - Fix CVE-2025-49704 exploit against SP2016! 🪲 - Support CVE-2024-38018 as it is very useful.👌 Remember, we should also be able to create folders in Plugin or Generators folders to keep
@irsdl
1 Aug 2025
5983 Impressions
20 Retweets
118 Likes
39 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-49704
@transilienceai
1 Aug 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 BREAKING: #SharePoint Zero-Days Under Active Exploitation “Chinese state actors are exploiting CVE-2025-49706 & CVE-2025-49704 to compromise SharePoint servers worldwide. 400+ orgs affected including US nuclear agencies. Patch NOW! 🔗 security advisory link #CyberSec
@Prashanthblogs
30 Jul 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CISA เตือน! แฮกเกอร์จีนใช้ช่องโหว่ CVE-2025-49704 & 49706 บุก SharePoint จริง องค์กรเร่งแพตช์ด่วน! อ่านต่อ: https://t.co/b9GUG67hhhสั่งแพ
@commencenow
30 Jul 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft SharePoint: Alerta Crítico de Segurança @CISACyber – CVE-2025-49706 e CVE-2025-49704 https://t.co/iH89nUXNsy https://t.co/YwTFKEhz6V
@portalcryptoid
29 Jul 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 #تنبيه_أمني | تُستغل حاليًا ثغرات حرجة في خوادم Microsoft SharePoint المحلية (CVE-2025-49704/49706 وCVE-2025-53770/53771) 🔓 تُتيح للمهاجم تجاوز ضوابط الهوية، الوصول بصلاحيات عالية
@CyberTask
29 Jul 2025
1195 Impressions
1 Retweet
16 Likes
5 Bookmarks
1 Reply
0 Quotes
Exposing on-prem SharePoint to the internet in 2025 is like leaving your front door open and being surprised when someone walks in. CVE-2025-49704 and 49706 are being actively exploited. US federal agencies compromised. Pre-auth web shells are in play. Patch it. Segment it. Or
@John_Pirc
29 Jul 2025
68 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2025-30401 2 - CVE-2025-31200 3 - CVE-2025-49704 4 - CVE-2023-41992 5 - CVE-2025-23266 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
28 Jul 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Does anyone have a payload for CVE-2025-53770 (toolshell++), I have a feeling that what we have seen so far are related to CVE-2025-49704, and CVE-2025-53770 has not been exploited by malicious actors. Please prove me wrong! I'm not interested in the auth bypass part btw.
@irsdl
27 Jul 2025
9527 Impressions
8 Retweets
76 Likes
24 Bookmarks
2 Replies
0 Quotes
Desde 18/7 el grupo chino Storm-2603 implementa el ransomware Warlock aprovechando las vulnerabilidades de Microsoft SharePoint CVE-2025-49706 y CVE-2025-49704. PARCHEA! https://t.co/SUXkJjurw7
@SeguInfo
27 Jul 2025
423 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🔴 #Microsoft Office SharePoint, Code Injection, #CVE-2025-49704 (Critical) https://t.co/kgNqxgqXOx
@dailycve
27 Jul 2025
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
I have launched YSoNet (https://t.co/9BofGcFaWh) and added #SharePoint CVE-2025-49704 payload generator to it as the first thing. Here is how this can work: Running command: ``` ysonet.exe -p sharepoint --cve=CVE-2025-49704 -var 1 -c "calc" ``` Running C# code: ``` ysonet.exe
@irsdl
26 Jul 2025
21915 Impressions
93 Retweets
351 Likes
193 Bookmarks
4 Replies
0 Quotes
🔻 Update: ToolShell exploits hit 300+ orgs globally and now dropping WARLOCK Ransomware ! Chinese APT Storm-2603 has escalated the ToolShell SharePoint exploit chain (CVE-2025-49706 + CVE-2025-49704) into a global ransomware operation. With 4,600+ attacks across 300+ https://
@cytexsmb
25 Jul 2025
239 Impressions
2 Retweets
3 Likes
2 Bookmarks
1 Reply
2 Quotes
In our latest #vulnerability review, we analyze critical vulnerabilities in Microsoft #SharePoint and #CrushFTP, including CVE-2025-53770, CVE-2025-49704, and CVE-2025-54309, which expose systems to unauthorized access and RCE. More below: https://t.co/lfZGnEHUGw
@NetizenCorp
25 Jul 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
SharePoint flaws exploited in Warlock ransomware attacks China-based hacking group Storm-2603 is exploiting the ToolShell zero-day chain (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770) to deploy Warlock ransomware on unpatched Microsoft SharePoint servers. Over 420 servers http
@dCypherIO
25 Jul 2025
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-49704
@transilienceai
25 Jul 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
米国サイバーセキュリティ・社会基盤安全保障庁(CISA)が既知の悪用された脆弱性カタログを更新。SharePointの脆弱性CVE-2025-49704とCVE-2025-49706が、ランサムウェア攻撃に悪用されたことを観測した旨。 https://t.co/tWx
@__kokumoto
24 Jul 2025
1999 Impressions
4 Retweets
17 Likes
2 Bookmarks
0 Replies
0 Quotes
🚨 U.S. DHS reportedly breached via Microsoft SharePoint zero-days (CVE-2025-49704 & CVE-2025-49706). NIH & 12+ gov entities may also be hit. @Microsoft confirms: Linen Typhoon, Violet Typhoon & Storm-2603 exploited the flaws. Storm-2603 later deployed Warlock ran
@TechNadu
24 Jul 2025
86 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📢 GÜNCELLEME DUYURUSU – Microsoft SharePoint Kritik Güvenlik Açıkları (CVE-2025-49704, CVE-2025-49706) Microsoft SharePoint’in şirket içi (on-prem) sürümlerinde tespit edilen kritik güvenlik açıkları, saldırganların sistemlerde kimlik sahtekârlığı yapmas
@GMDestekMerkezi
24 Jul 2025
30 Impressions
0 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft Threat Intelligence team share details of Storm-2603 activity that leads to the deployment of Warlock ransomware by exploitation of on-premises SharePoint vulnerabilities CVE-2025-49706 & CVE-2025-49704. https://t.co/ZjVX7XqI5o https://t.co/x3RZ6Q9ifc
@virusbtn
24 Jul 2025
2793 Impressions
19 Retweets
57 Likes
20 Bookmarks
0 Replies
0 Quotes
Microsoft SharePointの深刻な脆弱性に対する攻撃が活発化 PoCも公開(CVE-2025-53770,CVE-2025-53771,CVE-2025-49704,CVE-2025-49706)|セキュリティとITのニュース-セキュリティ対策Lab https://t.co/enCPPrwlcM
@Luke06121
24 Jul 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CISA Orders Urgent SharePoint Patching Amid Active Exploits by Chinese APTs 🚨 📅 Update as of July 22, 2025 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-49704 and CVE-2025-49706 to its Known Exploited Vulnerabilities (KEV) catalog
@SachinCyberSec
23 Jul 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 NNSA breached in a SharePoint zero-day attack. Targets: On-prem servers - Vulnerables: CVE-2025-49706 & CVE-2025-49704 - Nuclear oversight at risk - No classified data accessed, but dozens of servers impacted - Patches released; CISA added flaws to the KEV list 🧵 Re
@TechNadu
23 Jul 2025
109 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Today's top 5 cybersecurity news - July 23, 2025 1. Microsoft has released guidance on two actively exploited SharePoint vulnerabilities, CVE-2025-49704 (remote code execution) and CVE-2025-49706 (network spoofing), which allow attackers to gain unauthorized access to on-premise
@NewsNerdie
23 Jul 2025
31 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
CISA has added two actively exploited SharePoint flaws (CVE-2025-49704 and CVE-2025-49706) to its KEV list after Chinese hacking groups Linen Typhoon and Violet Typhoon targeted on-premise servers since July. Remediation needed by July 23, 2025. #SharePo… https://t.co/gbJeWI0PP
@TweetThreatNews
23 Jul 2025
43 Impressions
1 Retweet
0 Likes
1 Bookmark
0 Replies
0 Quotes
CISA has added two Microsoft SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities catalog after reports of active exploitation by Chinese hackers.
@oxhak
23 Jul 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft SharePointの深刻な脆弱性に対する攻撃が活発化 PoCも公開 CVE-2025-53770,CVE-2025-53771,CVE-2025-49704,CVE-2025-49706 #セキュリティ対策Lab #セキュリティ #Security https://t.co/N8UBX4LzCk
@securityLab_jp
23 Jul 2025
131 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Chinese APTs have been exploiting SharePoint zero-days with ToolShell since July 7, targeting CVE-2025-49706 and CVE-2025-49704. Nations such as Linen Typhoon and Violet Typhoon are actively involved in ongoing exploitation. #China #SharePoint #APT https://t.co/WukXWg6A1A
@TweetThreatNews
22 Jul 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft, 19 Temmuz 2025’te yayımladığı bir blogda, sadece kurum içi (on-premises) SharePoint sunucularını etkileyen iki kritik güvenlik açığına karşı uyarıda bulundu: CVE-2025-49706 (spoofing/sahtecilik açığı) ve CVE-2025-49704 (uzaktan kod çalıştırma a
@PvtSakarium
22 Jul 2025
375 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
1 Quote
🛡️ $MSFT Microsoft, Çinli hackerların SharePoint yazılımındaki güvenlik açıklarını kötüye kullandığını açıkladı. ⚠️ Hedefte, internet erişimine açık on-premises SharePoint sunucuları var; bu açıklar CVE-2025-49706 (spoofing) ve CVE-2025-49704 (uz
@ILKERFIRENZE
22 Jul 2025
126 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Active exploitation alert: Microsoft warns of ongoing attacks targeting on-prem SharePoint servers via CVE-2025-49706 & CVE-2025-49704. Chinese threat actors (Linen Typhoon, Violet Typhoon, Storm-2603) observed deploying web shells via spoofed POST requests.
@0x534c
22 Jul 2025
599 Impressions
0 Retweets
5 Likes
4 Bookmarks
0 Replies
0 Quotes
MSTIC blog on Sharepoint exploitation At least 3 actors exploiting CVE-2025-49706 & CVE-2025-49704 as early as July 7: Linen Typhoon Violet Typhoon Storm-2603 (CN-based actor deployed Warlock & Lockbit ransomware in past - current motivation unknown) https://t.co/IgEp6
@cglyer
22 Jul 2025
23770 Impressions
56 Retweets
137 Likes
42 Bookmarks
2 Replies
2 Quotes
ToolShell: A SharePoint RCE chain actively exploited ToolPane exploit - CVE-2025-49704 POC as shared by kaizensecurity Spingstall0.aspx web shell https://t.co/CyLxt3Ri0F
@freedomhack101
22 Jul 2025
331 Impressions
0 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
If you have on-premises SharePoint Server 2016, 2019 or SharePoint Server Subscription Edition (SE). Be sure to install latest patches to solve CVE-2025-49704 vulnerability. https://t.co/SV0waKwTTU #Security #CVE #Microsoft #SharePoint #Vulnerability https://t.co/PSQNM6ErKw
@EduardsGrebezs
21 Jul 2025
146 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-49704: This vulnerability arises from the implementation of the SurrogateSelector interface. CVE-2025-49706 authentication bypass, allows import/update operations on SharePoint WebPart components via the ToolPane endpoint. Accordingly, you can contact the @hawktrace
@hawktrace
20 Jul 2025
488 Impressions
5 Retweets
9 Likes
0 Bookmarks
0 Replies
0 Quotes
If you're trying to figure out active exploit against those SharePoint / ToolShell vulns (CVE-2025-49706 + CVE-2025-49704), we released a free SharePoint decoy template on Defused. It flags a high severity alert automatically if an adverasary tries to leverage the vuln. https
@DefusedCyber
20 Jul 2025
2099 Impressions
3 Retweets
11 Likes
6 Bookmarks
1 Reply
1 Quote
🚨 Active Exploitation Alert DarkAtlas Squad are tracking widespread, in-the-wild exploitation of critical Microsoft SharePoint vulnerabilities: CVE-2025-49704 and CVE-2025-49706. Organizations globally are being targeted. These flaws are actively weaponized and pose a severe h
@DarkAtlasSquad
20 Jul 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
هجمات إلكترونية نشطة تستغل ثغرتين حرجتين في Microsoft SharePoint وتتيح تنفيذ أوامر عن بُعد. - CVE-2025-49704 - CVE-2025-49706 🎯 مايكروسوفت توصي بتفعيل AMSI وعزل الخوادم. https://t.co/NJl
@cyberscastx
20 Jul 2025
5405 Impressions
2 Retweets
35 Likes
31 Bookmarks
2 Replies
0 Quotes
CVE-2025-49704 , CVE-2025-49706 # SharePoint 0-Day RCE Vulnerability: https://t.co/tQgsee0YRq
@Iambivash007
20 Jul 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Active Exploitation Alert — Microsoft SharePoint Vulnerabilities 🚨 Unit 42 is observing active global exploitation of two critical Microsoft SharePoint vulnerabilities: CVE-2025-49704 and CVE-2025-49706. According to Shodan, there are 811 instances that are internet fa
@0x534c
20 Jul 2025
10577 Impressions
36 Retweets
165 Likes
119 Bookmarks
2 Replies
1 Quote
🚨 Critical Alert: Active Exploitation of #Microsoft SharePoint Vulnerabilities (#CVE-2025-49704 & #CVE-2025-49706) https://t.co/EXiDVoAzFS Educational Purposes!
@UndercodeUpdate
19 Jul 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
We are observing active global exploitation of critical Microsoft SharePoint vulns CVE-2025-49704 and CVE-2025-49706. Orgs worldwide are being targeted. Patch immediately. The exploits are real, in-the-wild and pose a serious threat. IoCs we've seen: https://t.co/Yp3KaWRtCz ht
@Unit42_Intel
19 Jul 2025
47731 Impressions
104 Retweets
249 Likes
134 Bookmarks
5 Replies
9 Quotes
"Improper input validation in SQL Server allows an unauthorized attacker to disclose information over a network," explains Microsoft. CVE-2025-49704 that can be exploited remotely over the Internet as long as they have an account on the platform. Remedy: Update the SQL to date
@HarrisonMutuk10
17 Jul 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to @mwulftange https://t.co/sPHVVBal3K
@codewhitesec
14 Jul 2025
22521 Impressions
77 Retweets
303 Likes
106 Bookmarks
3 Replies
3 Quotes
🚨🚨CVE-2025-49704 (CVSS 8.8) lets attackers hijack Microsoft SharePoint with remote code execution. Authenticated hackers can inject and run malicious code over the network. Search by vul.cve Filter👉vul.cve="CVE-2025-49704" ZoomEye Dork👉app="Microsoft SharePoint" 65.
@zoomeye_team
12 Jul 2025
740 Impressions
5 Retweets
13 Likes
4 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F815EF1D-7B60-47BE-9AC2-2548F99F10E4"
},
{
"criteria": "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "6122D014-5BF1-4AF4-8B4D-80205ED7785E"
}
],
"operator": "OR"
}
]
}
]