CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 are a set of vulnerabilities that impact Microsoft SharePoint. CVE-2025-49704 and CVE-2025-49706, or CVE-2025-53770 and CVE-2025-53771, may be chained together, allowing unauthenticated threat actors to access functionality that is normally restricted, to run arbitrary commands on vulnerable instances of Microsoft SharePoint.
Vulnerability Overview
Platform Affected: Microsoft SharePoint Server 2016 / 2019 / Subscription Edition
CVE IDs:
- CVE-2025-49706 – Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
- CVE-2025-49704 – Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CVE-2025-53770 – Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
- CVE-2025-53771 – Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVSS Scores: 7.1, 8.8, 9.8 ,7.1
Impact:When chained together, they allow an attacker to run arbitrary commands on vulnerable instances of Microsoft SharePoint.
These flaws enable an attacker to:
- Spoof authentication
- Bypass security boundaries
- Gain remote execution
Mitigation & Recommendations
Apply Patches Immediately:
Harden SharePoint diagnostic/debug endpoints
Rotate SharePoint Server ASP.NET machine keys
Check IIS logs for suspicious activity
Disable/Isolate unnecessary SharePoint services or endpoints (at least until those servers are patched)
