CVE Alert: CVE-2025-49704 – Microsoft – Microsoft SharePoint Enterprise Server 2016
CVE-2025-49704
Improper control of generation of code (‘code injection’) in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
AI Summary Analysis
Risk verdict
Active exploitation is confirmed (KEV-listed) and exploitation is marked as active; treat as priority 1.
Why this matters
Remote code execution on on‑prem SharePoint servers can yield full system compromise and data exposure with low attacker effort. Given total impact and network-based access, an attacker could pivot to adjacent services and escalate privileges, threatening confidentiality, integrity and availability of business-critical data.
Most likely attack path
- Attacker targets exposed SharePoint endpoints on vulnerable 2016/2019 servers with network access and low privileges, no user interaction required.
- Successful code injection leads to full compromise of the web app and potential lateral movement within domain trust boundaries.
- Privilege-limited initial access may still yield administrator-like control on the compromised host due to the high impact of the injection.
Who is most exposed
Organizations running on-premises Microsoft SharePoint Server (2016/2019) with internet-facing endpoints or broad internal network access are at highest risk, especially where patching or change windows are delayed.
Detection ideas
- Unusual process spawning from IIS/web worker processes (e.g., cmd/PowerShell) tied to SharePoint paths.
- Sudden spikes in network traffic from SharePoint servers to unknown destinations or rapid file/registry changes.
- Anomalous HTTP requests or web app activity patterns indicative of code-injection attempts.
- WAF/IDS alerts for suspicious payloads or known exploit patterns targeting SharePoint.
- Authentication/authorization anomalies on admin endpoints or sudden privilege-equivalent activity.
Mitigation and prioritisation
- Apply patches to all affected servers to reach safe versions (16.0.5508.1000+ for 2016; 16.0.10417.20027+ for 2019).
- If patching is delayed, implement compensating controls: restrict external access to SharePoint, enable web application firewall rules, segment networks, and enforce least-privilege for service accounts.
- Schedule a formal patch window with testing in a staging environment; verify rollback plan and backups.
- Monitor and alert on flagged indicators (as above) and conduct targeted audit of web/app logs after patching.
- Treat as priority 1 given KEV presence and active exploitation state.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
