August 15, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
High-Severity Chrome Bugs Enable Arbitrary Code Execution
July 23, 2025
Hackers Breach US Nuclear Agency via SharePoint 0-Day
July 23, 2025
High-Severity Chrome Bugs Enable Arbitrary Code Execution
July 23, 2025
Hackers Breach US Nuclear Agency via SharePoint 0-Day
July 23, 2025
Severity
High
Analysis Summary
CISA has issued an urgent alert for two actively exploited vulnerabilities in Microsoft SharePoint CVE-2025-49704 (code injection) and CVE-2025-49706 (improper authentication). Both have been added to the Known Exploited Vulnerabilities (KEV) catalog with a strict remediation deadline of July 23, 2025, under Binding Operational Directive (BOD) 22-01. These vulnerabilities pose a major threat to organizations using on-premises SharePoint servers, especially outdated versions like SharePoint Server 2013, which no longer receive security updates.
CVE-2025-49704 is a code injection flaw (CWE-94) that allows authorized attackers to execute arbitrary code over a network. Exploiting this can give attackers control over the SharePoint server using the privileges of the service account, resulting in full system compromise and potential data theft. Meanwhile, CVE-2025-49706 is an improper authentication vulnerability (CWE-287) that enables attackers to spoof legitimate users and bypass authentication measures, granting unauthorized access to sensitive SharePoint data and enabling data manipulation.
These vulnerabilities are especially dangerous when chained together threat actors first exploit CVE-2025-49706 to impersonate users and then use CVE-2025-49704 to inject and execute malicious code. This creates a powerful attack chain capable of bypassing authentication and gaining control over SharePoint environments. Microsoft notes that a recent patch for CVE-2025-53770 offers broader architectural protections than the individual patches for these two flaws, suggesting a more secure and comprehensive fix is available.
CISA urges organizations to immediately patch supported SharePoint versions and disconnect legacy systems like SharePoint Server 2013 from public-facing networks. Agencies should also adopt a multi-layered defense strategy, including applying Microsoft’s security guidance, using network segmentation, enhancing access controls, and enabling continuous monitoring. These steps are vital as browser- and platform-based exploitation continues to rise, and SharePoint remains a critical asset in enterprise IT infrastructure.
Impact
- Code Execution
- Unauthorized Access
- Data Manipulation
- Security Bypass
Indicators of Compromise
CVE
CVE-2025-49704
CVE-2025-49706
Affected Vendors
- Microsoft
Affected Products
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches of CVE-2025-49704 and CVE-2025-49706.
- Disconnect end-of-life (EOL) or unsupported SharePoint versions (e.g., SharePoint Server 2013) from all public-facing networks immediately.
- Follow Microsoft’s official mitigation guidance and advisories from the Microsoft Security Response Center (MSRC).
- Implement network segmentation to isolate critical SharePoint infrastructure from internet-facing systems.
- Enforce strong access controls and authentication mechanisms to prevent unauthorized access.
- Monitor SharePoint environments continuously for signs of suspicious activity or exploitation attempts.
- Review and update internal patch management policies to meet CISA’s 24-hour remediation deadlines for KEV vulnerabilities.