The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding two critical vulnerabilities in Microsoft SharePoint Server, CVE-2025-49704 and CVE-2025-49706, that are being actively exploited by malicious actors. The flaws affect on-premises SharePoint Server deployments (SharePoint Online in Microsoft 365 is not affected), and organizations running them need to remediate immediately.
Understanding the Vulnerabilities
CVE-2025-49704: Code Injection Vulnerability
This vulnerability allows an authenticated attacker with network access to the server to execute arbitrary code on it. Because the injected code runs inside the SharePoint web application's own process, a successful attack hands the attacker control of the server, with data exfiltration and further compromise of the farm as the natural next steps. The flaw is classified as CWE-94, improper control of generation of code (code injection).
CVE-2025-49706: Improper Authentication Vulnerability
Microsoft classifies this flaw as a spoofing vulnerability: an attacker who has not authenticated can, over the network, impersonate a legitimate user and thereby bypass SharePoint's authentication controls. Successful exploitation grants unauthorized access to sensitive information and allows data to be modified, compromising both the confidentiality and the integrity of the SharePoint environment. The vulnerability falls under CWE-287, improper authentication.
The Combined Threat
Neither flaw is dangerous on its own to the same degree as the pair. CVE-2025-49704 requires an authenticated user, and CVE-2025-49706 supplies exactly that: the attacker first uses the spoofing flaw to pass SharePoint's authentication check, then uses the code-injection flaw to execute code on the server. Chained, the two become an unauthenticated remote code execution path against any reachable, unpatched server, which is why the outcome is full system compromise, data theft, and lateral movement into the rest of the network rather than the more limited impact of either bug alone.
CISA’s Immediate Response
In response to the active exploitation, CISA added both CVE-2025-49704 and CVE-2025-49706 to its Known Exploited Vulnerabilities (KEV) catalog on July 22, 2025, with a remediation due date of July 23, 2025, a single day rather than the multi-week window KEV entries normally receive. Under Binding Operational Directive 22-01 that due date is binding on Federal Civilian Executive Branch agencies; for everyone else it is a clear signal of how urgent CISA considers the fix.
Recommended Actions for Organizations
Organizations running end-of-life (EOL) or end-of-service (EOS) SharePoint versions, such as SharePoint Server 2013 and earlier, are at heightened risk because no security update will be released for those versions. CISA strongly advises the following actions:
1. Immediate Patching: Apply the latest Microsoft security updates for your SharePoint version on every server in the farm. The update is only effective once the post-install configuration step has completed; binaries alone do not fix the farm.
2. System Isolation: Disconnect legacy (EOL/EOS) SharePoint systems from the internet and other public-facing networks. No patch is coming for them, so removing exposure is the only mitigation.
3. Enable Security Features: Configure the Antimalware Scan Interface (AMSI) integration in SharePoint (Full Mode where the installed version offers it) and deploy Microsoft Defender Antivirus on all SharePoint servers, so that content SharePoint hands to AMSI is actually scanned by a registered provider.
4. Credential Management: Rotate SharePoint's ASP.NET machine keys and any other credentials stored on the servers, then restart IIS on every server in the farm. Patching closes the entry point but does not revoke keys an attacker captured before the patch, and stolen machine keys let an attacker keep forging trusted data against an otherwise patched server.
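The four actions above are a procedure a farm administrator runs on each SharePoint server. The script below is an added example, not CISA's or Microsoft's own tooling, that ties them to concrete checks and commands in an elevated SharePoint Management Shell. Labelled assumptions: the Microsoft.SharePoint.PowerShell snap-in is available; Defender Antivirus is the intended AMSI provider; the SharePoint AMSI integration feature is located by a display name containing "AMSI" (confirm the feature identity in Microsoft's AMSI documentation for your version); and the Set-SPMachineKey/Update-SPMachineKey cmdlets are present, which the script verifies with Get-Command before using them.

```powershell
# Added example (not CISA's or Microsoft's own script): map CISA's four actions to
# checks and commands on one SharePoint farm server. Run as an administrator in the
# SharePoint Management Shell, then repeat the review on every server in the farm.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Assumption: the SharePoint snap-in is installed on this host.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# ---- 1. Patching: which build is the farm on, and has the update fully completed? ----
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"   # compare with the July 2025 build for your version
Get-SPProduct -Local | Format-Table -AutoSize            # per-product patch status on this server

# Updated binaries with an unfinished configuration step leave NeedsUpgrade = True;
# the security update is not in effect until psconfig has run on this server.
$server = Get-SPServer -Identity $env:COMPUTERNAME
if ($server.NeedsUpgrade) {
    Write-Warning "Binaries are installed but the Products Configuration Wizard (psconfig) has not completed."
}

# ---- 2. Isolation: which URLs does the farm publish, and in which zones? ----
# Any entry here that resolves to an internet-facing address on an unpatched or
# EOL farm is the exposure CISA tells you to remove.
Get-SPAlternateURL | Select-Object IncomingUrl, Zone, PublicUrl | Format-Table -AutoSize

# ---- 3. Defender Antivirus and AMSI ----
$mp = Get-MpComputerStatus
foreach ($p in 'AMServiceEnabled', 'RealTimeProtectionEnabled', 'AntivirusSignatureLastUpdated') {
    Write-Host ("{0,-32} {1}" -f $p, $mp.$p)
}

# AMSI providers are registered by CLSID under this key; Defender's provider CLSID is
# {2781761E-28E0-4109-99FE-B9D127C57AFE}. With no provider registered, nothing scans
# what SharePoint hands to AMSI, whatever the SharePoint-side setting says.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if (-not $providers) { Write-Warning "No AMSI providers are registered on this host." }
foreach ($prov in $providers) {
    $clsid = $prov.PSChildName
    $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
    Write-Host ("AMSI provider {0} : {1}" -f $clsid, $name)
}

# SharePoint-side AMSI integration. Assumption: the feature's display name contains
# 'AMSI'; confirm the feature ID against Microsoft's documentation for your version.
$amsiFeature = Get-SPFeature | Where-Object { $_.DisplayName -like '*AMSI*' } | Select-Object -First 1
if (-not $amsiFeature) {
    Write-Warning "No AMSI integration feature found; the installed version may predate it or use a different name."
}
foreach ($wa in Get-SPWebApplication) {
    if ($amsiFeature) {
        $enabled = Get-SPFeature -WebApplication $wa | Where-Object { $_.Id -eq $amsiFeature.Id }
        $state   = if ($enabled) { 'enabled' } else { 'NOT enabled' }
        Write-Host ("AMSI integration on {0}: {1}" -f $wa.Url, $state)
    }
}

# ---- 4. Key rotation: new ASP.NET machine keys invalidate anything signed or encrypted
#         with keys an attacker may already hold; IIS must restart on every farm server. ----
$rotate = Get-Command Set-SPMachineKey, Update-SPMachineKey -ErrorAction SilentlyContinue
if ($rotate.Count -eq 2) {
    foreach ($wa in Get-SPWebApplication) {
        Set-SPMachineKey    -WebApplication $wa   # generate fresh validation/decryption keys
        Update-SPMachineKey -WebApplication $wa   # push them into web.config on each server
        Write-Host "Rotated machine keys for $($wa.Url)"
    }
    iisreset
} else {
    Write-Warning "Machine-key cmdlets not found on this version; run the rotation from Central Administration, then iisreset."
}
```

Run sections 1 to 3 as read-only review on every server before touching section 4; the rotation is disruptive (it ends every active session) and must be followed by an IIS restart on each server in the farm, otherwise servers keep serving with the old keys.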
Broader Implications and Industry Response
The exploitation of these vulnerabilities has had widespread consequences. Reports indicate that Chinese state-sponsored groups, including Linen Typhoon and Violet Typhoon, have been actively targeting the flaws to infiltrate corporations and government agencies. The breaches have affected sectors including auditing, banking, healthcare, industrial firms, and government bodies, with one notable incident involving the U.S. National Nuclear Security Administration. While no classified data is believed to have been compromised, the potential for significant data breaches remains high.
Microsoft has acknowledged the severity of the situation and has released additional patches to address the vulnerabilities. The company emphasizes the importance of timely updates and has published guidance on the security measures (AMSI, Defender Antivirus, machine-key rotation) needed to protect SharePoint environments.
Conclusion
The active exploitation of CVE-2025-49704 and CVE-2025-49706 in Microsoft SharePoint Server underscores the need for organizations to treat on-premises SharePoint as a priority target. Immediate action is required: apply the patches, isolate systems that cannot be patched, enable AMSI and Defender Antivirus, and rotate machine keys so that a compromise that predates the patch does not persist. By following CISA's directive and Microsoft's guidance, organizations can reduce the risk these vulnerabilities pose to their systems.