Want to stay ahead of threats in 2025? This research report is all you need to stay updated.
Get a Demo

Vulnerabilities

CVE-2025-49704

Critical Remote Code Execution in Microsoft SharePoint Server via Code Injection: CVE-2025-49704 Explained

Vulnerability Overview 

CVE ID: CVE-2025-49704 

CVE Title: Microsoft SharePoint Server Code Injection Vulnerability 

Severity: High 

Exploit Status: Public proof-of-concept (PoC) and active exploitation reported 

Business Risk: Unauthorized code execution risks full server takeover, data loss, and major business impact.  

Compliance Impact: Risk of breaching GDPR and HIPAA due to exposed sensitive data and weak access controls.

Summary

CVE-2025-49704 is a critical SharePoint flaw that lets attackers run malicious code. Combined with CVE-2025-49706, it can bypass authentication and steal keys for ongoing access. It impacts versions before the July 2025 patches. Quick patching, tighter permissions, and monitoring are essential to stop attacks.

Urgent Actions Required

  • Apply the July 2025 SharePoint security updates[5] immediately.
  • Remove any suspicious ASPX files in the \LAYOUTS directory.
  • Rotate ValidationKey and DecryptionKey if compromise is suspected.
  • Review PowerShell and IIS logs for signs of exploitation.
  • Block known malicious IPs (e.g., 96.9.125.147).
  • Disconnect or isolate vulnerable on-premises servers if patching isn’t possible.

Which Systems Are Vulnerable to CVE-2025-49704?

Technical Overview

  • Vulnerability Type: Remote Code Execution via Code Injection (Improper Control of Code Generation, CWE‑94)
  • Affected Software/Versions:
    1. Microsoft SharePoint Server 2016
      Versions prior to 16.0.5508.1000
      Fixed in KB5002744 (July 8, 2025)
    2. Microsoft SharePoint Server 2019
      Versions prior to 16.0.10417.20027
      Fixed in KB5002741 (July 8, 2025)
    3. Microsoft SharePoint Server Subscription Edition
      Versions prior to 16.0.18526.20424
      Fixed in KB5002768 (July 2025 cumulative update)
  • Attack Vector: Network (HTTP/S)
  • CVSS Score: 8.8
  • Exploitability Score: 2.8
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
  • Patch Availability: Yes, available[1] [5]

How Does the CVE-2025-49704 Exploit Work?

The attack typically follows these steps:

What Causes CVE-2025-49704?

Vulnerability Root Cause:  

CVE-2025-49704 is a code injection flaw in Microsoft SharePoint caused by improper input validation. Authenticated attackers can run malicious code on the server. When combined with CVE-2025-49706, it can bypass authentication and allow long-term server access.

How Can You Mitigate CVE-2025-49704?

If immediate patching is delayed or not possible:  

  • Restrict external access to unpatched SharePoint servers. 
  • Monitor for suspicious .ASPX files and unusual PowerShell activity. 
  • Rotate machine-level cryptographic keys if compromise is suspected. 
  • Isolate vulnerable servers from internal and external networks where possible. 
  • Use application-layer filtering to block known exploit paths.

Which Assets and Systems Are at Risk?

Asset Types Affected:

  • SharePoint Server 2016 deployments missing the July 2025 security update
  • SharePoint Server 2019 instances without the July 2025 patch
  • SharePoint Subscription Edition servers not yet updated as of July 2025

Exposure Level:

  • Internetfacing SharePoint Instances – Servers exposed directly to the internet are at immediate and critical risk, as the vulnerability can be exploited remotely.

Will Patching CVE-2025-49704 Cause Downtime?

Patch application impact: Minimal or no downtime for redundant SharePoint setups. Single-server environments may experience a brief outage during patching and reboot. 

Mitigation (if immediate patching is not possible):  

  • Isolate vulnerable servers and block them using firewalls or network rules. 
  • Watch for suspicious activity like web shells or strange requests.

These steps reduce risk but don’t fully fix the issue until the patch is applied.

How Can You Detect CVE-2025-49704 Exploitation?

Exploitation Signatures & Indicators of Compromise

  • Attackers send POST requests to the URL path /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx.
  • These requests often include a Referer header set to /_layouts/SignOut.aspx to bypass authentication.
  • Malicious files such as spinstall0.aspx and info3.aspx (web shells) are uploaded to the SharePoint \LAYOUTS directory.
  • These web shells are used to steal cryptographic machine keys (ValidationKey and DecryptionKey), allowing attackers persistent access.
  • Known malicious IP addresses associated with exploitation activity include: 107.191.58.76, 104.238.159.149, and 96.9.125.147.

Remediation & Response

Patch/Upgrade Instructions:

Mitigation Steps if No Patch:

If patching can’t be done right away, isolate affected SharePoint servers, monitor for unusual activity like suspicious PowerShell or ASPX files, rotate machine keys if needed, and block known malicious IPs (e.g., 96.9.125.147).

Remediation Timeline:

  • Immediate (0–2 hrs): Restrict external access and review logs for suspicious activity.
  • Within 8 hrs: Apply security updates to all affected SharePoint servers.
  • Within 24 hrs: Verify machine key integrity and audit system access logs for anomalies.

Rollback Plan:

If post-patch issues occur, roll back the update only if your environment is isolated and secure. Maintain all firewall and monitoring controls during rollback. Document any changes made and ensure a patch re-application plan is scheduled.

Incident Response Considerations:

  • Isolate servers with signs of compromise like unusual web shells or PowerShell activity.
  • Check IIS logs, machine key access, and security event logs for anything suspicious.
  • If compromise is confirmed:
    • Reset affected credentials.
    • Rotate cryptographic machine keys.
    • Resecure and harden compromised systems before reconnecting them to the network.

Where Can I Find More Information on CVE-2025-49704?

  1. ^Microsoft Security Update Guide – CVE-2025-49704
  2. ^NVD – National Vulnerability Database – CVE-2025-49704
  3. ^CVE.org Record – CVE-2025-49704
  4. ^CVE Details Listing – CVE-2025-49704
  5. ^Microsoft KB5002741 – Security Update for SharePoint Server 2019
  6. ^CISA Alert – Exploitation of SharePoint Vulnerabilities

CVSS Breakdown Table

MetricValue Description
Base Score8.8Critical vulnerability with significant impact on confidentiality, integrity, and availability
Attack VectorNetworkExploitable remotely over the network (e.g., via HTTP requests)
Attack ComplexityLowNo special conditions required; exploitation is straightforward
Privileges RequiredNoneRequires authenticated access (e.g., Site Owner in SharePoint)
User Interaction RequiredNo user action is required for successful exploitation
Scope Unchanged The vulnerability affects only the targeted component (SharePoint), with no impact on others
Confidentiality Impact HighExploit may allow access to sensitive data, such as machine keys
Integrity ImpactHighExploit allows unauthorized changes, including code execution
Availability ImpactHighExploit may lead to system compromise or denial of service

Discover how the Fidelis Network® Web Sensor balances threat prevention with seamless browsing.

Download the Datasheet

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo