External risk intelligence

SharePoint Server Code Injection Vulnerability Allows Network Code Execution.

CVE advisoryKnown Exploit

CVE-2025-49704

An authorized attacker can exploit a code injection vulnerability in Microsoft Office SharePoint to execute code over a network. This impacts affected organizations by potentially compromising systems and data. The realistic business risk involves unauthorized code execution.

4Halo Surface Signal

Code Injection

Microsoft Sharepoint Server

20162019

External exposure likelihood

Halo Surface Signal score for CVE-2025-49704

Microsoft SharePoint Server is commonly deployed as an internet-facing web application, intranet portal, or collaborative gateway. Given its role as a centralized web service intended for distributed access, it is frequently exposed to network traffic in real-world enterprise environments.

Horizon Alert

Summary of the vulnerability and why it matters

Microsoft Office SharePoint is affected by a code injection vulnerability. This flaw allows an authorized attacker to execute code on a network. The potential impact includes unauthorized code execution, which could compromise systems and data.

Vulnerable component: Microsoft Office SharePoint
Core weakness: Improper control of code generation
Main business impact: Unauthorized network code execution

Attack Path

How an attacker could exploit the issue

An attacker can exploit a code injection vulnerability in Microsoft Office SharePoint. This allows an authorized attacker to execute code remotely within the affected system. The vulnerability lies in how the software improperly controls code generation.

Exposure condition: SharePoint Server is accessible.
Attacker starting point: Authorized user gains access.
Trigger and result: Attacker executes code remotely.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Microsoft Office SharePoint could allow an authorized attacker to execute code over a network, potentially leading to significant business impact. The ability for an attacker to inject and execute code poses a severe risk to organizational systems and data. Given the potential for widespread compromise, this issue should be treated with urgency.

Attacker skill: Low
Access required: Authenticated user
Business risk: High/Urgent

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. The risk impacts organizations by potentially compromising systems, data, and business operations. Addressing this requires a structured approach to identify and remediate the vulnerability.

Find affected Microsoft SharePoint assets.
Reduce exposure or isolate risk.
Apply vendor fixes and validate.
Monitor for related issues.

Frequently asked questions

What is Microsoft SharePoint Server?

Microsoft SharePoint Server is a web application used for collaboration and document management within organizations. People use it to create websites, share files, manage projects, and build business applications.

What is CVE-2025-49704 in SharePoint Server?

CVE-2025-49704 is a code injection vulnerability in Microsoft SharePoint Server. This means an attacker can trick the software into running their own malicious code, which is a type of weakness known as CWE-94.

How can an attacker exploit this SharePoint vulnerability?

An attacker needs to be an authorized user with some level of access to the SharePoint Server. Once authenticated, they can trigger the vulnerability to execute code remotely over the network, without further user interaction.

Who should be concerned about CVE-2025-49704?

Organizations using Microsoft SharePoint Server that is accessible from the internet or internal networks should be concerned. Halo Surface Signal indicates this is likely to be exposed externally due to its nature as a web service.

What is the first step to address this SharePoint vulnerability?

The first step is to identify all instances of Microsoft SharePoint Server within your environment. After identification, it's crucial to apply the vendor's official fixes and then validate that the remediation was successful.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.