High

Microsoft SharePoint Remote Code Execution Vulnerability

IdentifiersCVE-2025-49701CWE-285· Improper Authorization

CVE-2025-49701 is an Important remote code execution vulnerability in Microsoft Office SharePoint caused by improper authorization. Microsoft states that the flaw allows an authorized attacker to execute code over a network. Supporting content further indicates that an attacker authenticated to SharePoint, with at least Site Owner privileges, can write arbitrary code that is then injected and executed remotely on the SharePoint server. The issue is remotely exploitable, requires no user interaction, and has a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in remote code execution on the SharePoint server. Microsoft rates the confidentiality, integrity, and availability impacts as High, indicating that an attacker could potentially fully compromise affected SharePoint content and server-side processing in the context of the vulnerable component, including unauthorized access to data, modification of content or configuration, and service disruption.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting SharePoint access to trusted users and networks, minimizing the number of accounts with Site Owner or similar elevated site-level privileges, and closely monitoring SharePoint for suspicious authenticated activity and code/content changes. Because exploitation requires authenticated access and no specific vendor workaround is provided in the content, the primary mitigation is limiting reachable attack surface and privileged SharePoint roles until the official fix can be applied.

Remediation

Patch, then assume compromise.

Apply Microsoft's official security update for the affected SharePoint product/version. The provided content states that Microsoft released an official fix and specifically references a SharePoint Enterprise Server 2016 security update (KB5002744, build 16.0.5508.1000) that addresses CVE-2025-49701 among other issues. Organizations should deploy the relevant vendor patch for their affected SharePoint release and verify installation through normal patch management and build validation processes.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationSharepoint Serverapplication

Microsoft CorporationSharepoint Server 2016application

Microsoft CorporationSharepoint Server 2019application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

expel blogNews

Jan 14, 2026

Patch Tuesday: January 2026 (Expel’s version) | Expel

A remote code execution vulnerability in Microsoft SharePoint.

sophos threat researchNews

Jan 1, 2026

July Patch Tuesday offers 127 fixes | SOPHOS

A Microsoft SharePoint remote code execution vulnerability assessed as more likely to be exploited within 30 days.

thecyberexpress com vulnerabilitiesNews

Jul 8, 2025

Microsoft Patch Tuesday July 2025: 130 Vulnerabilities Fixed

A high-risk improper authorization vulnerability affecting Microsoft SharePoint.

handlers diary fullNews

Jul 8, 2025

Microsoft Patch Tuesday, July 2025

A remote code execution vulnerability in Microsoft SharePoint, rated as more likely to be exploited.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-49701

NVD

nvd.nist.gov/vuln/detail/CVE-2025-49701

MITRE CWE · CWE-285

Improper Authorization

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49701