CVE-2025-49704

HIGH KEV RANSOMWARE

Microsoft SharePoint Server - Remote Code Execution

Title source: llm

Exploitation Summary

CVE-2025-49704 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 22, 2025, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including Viettel Cyber Security, sfewer-r7, including a Metasploit module exploits/windows/http/sharepoint_toolpane_rce.

AI-analyzed exploit summary This Metasploit module exploits CVE-2025-49704 (unsafe deserialization) and CVE-2025-49706 (authentication bypass) in Microsoft SharePoint Server to achieve unauthenticated RCE. It uses a gadget chain involving DataSet and LosFormatter to execute arbitrary commands.

Description

Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Viettel Cyber Security, sfewer-r7 · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/sharepoint_toolpane_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2025-49704 (unsafe deserialization) and CVE-2025-49706 (authentication bypass) in Microsoft SharePoint Server to achieve unauthenticated RCE. It uses a gadget chain involving DataSet and LosFormatter to execute arbitrary commands.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft SharePoint Server (2019, 2016, Subscription Edition, 2013, 2010)

No auth needed

Prerequisites: Network access to SharePoint Server · Vulnerable SharePoint version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 05, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49704

Vendor Advisory

https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/

Scores

CVSS v3 8.8

EPSS 0.9991

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2025-07-22

VulnCheck KEV 2025-07-18

ENISA EUVD EUVD-2025-20554

Ransomware Use Confirmed

CWE

CWE-94

Status published

Products (2)

microsoft/sharepoint_server 2016

microsoft/sharepoint_server 2019

Published Jul 08, 2025

KEV Added Jul 22, 2025

Tracked Since Feb 18, 2026