RedShield has developed a patch for this CVE, if you think you might be vulnerable get in touch with us via support@redshield.co and we can assist.
Summary
CVE-2025-49704 is a code injection vulnerability affecting Microsoft SharePoint Server 2016 and 2019, disclosed and patched in the July 2025 Patch Tuesday. The vulnerability allows an authenticated attacker with Site Owner privileges to inject and execute arbitrary code remotely via crafted payloads submitted to SharePoint web services or API endpoints.
CVE-2025-53770 is an unauthenticated remote code execution entry point, with CVSS score of 9.8 (critical). This vulnerability is an evolution of CVE-2025-49706. In exploits observed so far in the wild, the authentication bypass can be triggered when an attacker sends a specially crafted POST request to the /_layouts/15/ToolPane.aspx endpoint. The attack includes a spoofed HTTP Referer header pointing to /_layouts/SignOut.aspx. This specific Referer appears to trick the SharePoint application into an insecure state where it processes and deserializes user-supplied data without performing the necessary authentication checks, leading directly to unauthenticated remote code execution.
Which System Versions are Vulnerable
Based on the active exploits observed in the wild, the zero-day vulnerability (CVE-2025-53770) impacts on-premises (self-hosted) versions of Microsoft SharePoint Server.
The specific supported versions confirmed to be vulnerable are:
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016
- Microsoft SharePoint Server Subscription Edition
Microsoft has released a security update to address this for SharePoint Subscription Edition (tracked under CVE-2025-53771). However, at the time of this report, security updates for SharePoint Server 2019 and 2016 are still being developed.
It is also important to note that while the primary focus is on these supported versions, Microsoft's vulnerability management tools have flagged older, unsupported versions such as SharePoint Server 2010 and 2013 as being impacted by the vulnerabilities in this exploit chain.
SharePoint Online in Microsoft 365 is not affected by this vulnerability.
Comments