Thursday, March 5, 2026

Microsoft SharePoint Code Injection and Authentication Vulnerabilities Actively Exploited, CISA Issues Warning

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Microsoft SharePoint vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning organizations that it is being actively exploited in the wild.

The vulnerability, tracked as CVE-2025-49706, represents a significant security risk for organizations running public-facing SharePoint installations, particularly those using end-of-life versions of the collaboration platform.

CVE-2025-49706 is classified as an improper authentication vulnerability that lets an attacker perform spoofing against SharePoint over the network. Key aspects of the vulnerability include:

  • Authentication bypass capability: The flaw allows an attacker to circumvent SharePoint’s authentication checks and gain unauthorized access to organizational data.
  • Network-based exploitation: The vulnerability is exploitable remotely over the network, so any SharePoint server reachable from the internet is exposed.
  • Data exposure risks: Successful exploitation lets an attacker view sensitive information stored in SharePoint and make limited changes to the information disclosed.
  • Vulnerability chaining potential: The authentication bypass can be combined with CVE-2025-49704, a separate SharePoint code injection vulnerability; chained together they give an attacker who has bypassed authentication a path to executing code on the server, which is why the pair is far more dangerous than either flaw alone.
  • Technical classification: The vulnerability is categorized under CWE-287 (Improper Authentication), the weakness class for software that does not adequately verify a user’s identity or credentials.

This chaining capability is particularly concerning because it shows that threat actors are combining multiple vulnerabilities in sequence, using the authentication bypass as the entry point and a second flaw to maximize their access and persistence within targeted environments.

CISA has issued urgent guidance recommending that organizations immediately disconnect public-facing SharePoint Server installations that have reached their end-of-life or end-of-service status.

The agency specifically highlighted SharePoint Server 2013 and earlier versions, which are no longer supported by Microsoft and should be discontinued immediately if still in production use.

These legacy systems pose significant security risks as they no longer receive security updates or patches from Microsoft.

For organizations running supported versions of SharePoint Server, CISA emphasizes the importance of following both agency and vendor-provided mitigation instructions.

The guidance references the agency’s Binding Operational Directive (BOD) 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities,” which requires federal civilian agencies to remediate vulnerabilities listed in the KEV catalog by the due dates CISA sets and includes guidance for cloud services.

Organizations are advised to either implement available mitigations promptly or discontinue use of affected SharePoint products if adequate protections cannot be deployed.

CISA also noted that Microsoft’s update for CVE-2025-53771, a follow-up fix for the same spoofing weakness, includes more robust protections than the original patch for CVE-2025-49706. Organizations should therefore confirm that the later update is installed rather than relying on the initial fix alone.

Unknown Ransomware Connections

CISA’s KEV entry for CVE-2025-49706 lists the “known to be used in ransomware campaigns” field as “Unknown.” This field appears in every KEV entry, and “Unknown” means CISA has not confirmed ransomware use of the vulnerability, not that it has ruled it out.

The status can change as reporting develops, so defenders should not read it as evidence that the vulnerability is unattractive to ransomware operators; the exploitation itself is confirmed, and that is what drove the KEV listing.

The KEV catalog serves as the authoritative source for vulnerabilities confirmed to be exploited in real-world attacks, making its inclusion a critical signal for network defenders.

Organizations are strongly encouraged to integrate KEV catalog updates into their vulnerability management prioritization frameworks, ensuring that confirmed exploited vulnerabilities receive immediate attention and remediation efforts.
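The paragraph above describes the prioritization workflow in words; the script below shows what it looks like in practice. It is an added example, not code from CISA or from the article. It reads a feed in the same JSON layout as CISA’s public KEV catalog (a top-level `vulnerabilities` list whose entries carry `cveID`, `dueDate`, `knownRansomwareCampaignUse`, `cwes` and so on), cross-references it against a list of CVE IDs found in an environment, and orders the findings so that KEV-listed issues come first, with confirmed ransomware use and the earliest (or already passed) due dates ranked highest. The sample feed and inventory embedded in the code are constructed for the example: the CVE-2099-* identifiers are fictional placeholders, and the dates and descriptions are illustrative rather than copied from the live catalog.

```python
"""Cross-reference a vulnerability inventory against a KEV-format feed.

Added illustration, not code from CISA or from the article. Field names follow
the public KEV JSON feed; all entries below are constructed sample data.
"""
from __future__ import annotations

import json
import urllib.request
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Public feed URL (real). fetch_kev() is provided for live use but is never
# called by the example itself, so everything here runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. The CVE-2099-* IDs are
# fictional placeholders; dates and text are illustrative, not the live catalog.
SAMPLE_KEV_JSON = """
{
  "title": "Sample KEV-format feed (constructed for this example)",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2025-49706", "vendorProject": "Microsoft", "product": "SharePoint",
     "vulnerabilityName": "Microsoft SharePoint Improper Authentication Vulnerability",
     "dateAdded": "2025-07-22", "dueDate": "2025-07-23",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-287"]},
    {"cveID": "CVE-2025-49704", "vendorProject": "Microsoft", "product": "SharePoint",
     "vulnerabilityName": "Microsoft SharePoint Code Injection Vulnerability",
     "dateAdded": "2025-07-22", "dueDate": "2025-07-23",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-94"]},
    {"cveID": "CVE-2099-00001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder Vulnerability",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
     "knownRansomwareCampaignUse": "Known", "cwes": []}
  ]
}
"""

# Constructed inventory, e.g. CVE IDs reported by a scanner. CVE-2099-00002 is
# a fictional ID that is deliberately absent from the sample feed.
SAMPLE_INVENTORY = ["CVE-2099-00002", "CVE-2025-49706", "CVE-2025-49704", "CVE-2099-00001"]


@dataclass(frozen=True)
class Finding:
    cve_id: str
    in_kev: bool
    product: str                # "" when not in KEV
    due_date: Optional[date]    # None when not in KEV
    days_overdue: int           # 0 when not in KEV or not yet due
    ransomware_use: str         # "Known", "Unknown", or "" when not in KEV


def fetch_kev(url: str = KEV_FEED_URL, timeout: int = 30) -> str:
    """Download the live feed text. Not called by the example (offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(feed_text: str) -> dict[str, dict]:
    """Index a KEV-format feed by CVE ID; raises KeyError if the shape is wrong."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def priority_key(f: Finding):
    """Ascending sort key: KEV first, confirmed ransomware use next, then the
    earliest due date ('Unknown' ransomware status is neither confirmed nor
    ruled out, so it sorts after 'Known' but well ahead of non-KEV items)."""
    return (not f.in_kev, f.ransomware_use != "Known", f.due_date or date.max, f.cve_id)


def assess(inventory: list[str], kev: dict[str, dict], today: date) -> list[Finding]:
    """Match inventory CVEs against the KEV index and return them in remediation order."""
    findings: list[Finding] = []
    for cve_id in inventory:
        entry = kev.get(cve_id)
        if entry is None:
            findings.append(Finding(cve_id, False, "", None, 0, ""))
            continue
        due = date.fromisoformat(entry["dueDate"])
        findings.append(Finding(
            cve_id=cve_id,
            in_kev=True,
            product=f'{entry["vendorProject"]} {entry["product"]}',
            due_date=due,
            days_overdue=max(0, (today - due).days),
            ransomware_use=entry["knownRansomwareCampaignUse"],
        ))
    return sorted(findings, key=priority_key)


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), date(2025, 7, 25)):
        status = (f"KEV, due {f.due_date}, overdue {f.days_overdue}d, ransomware={f.ransomware_use}"
                  if f.in_kev else "not in KEV")
        print(f"{f.cve_id:16} {f.product:22} {status}")
```

For live use, replace `SAMPLE_KEV_JSON` with the text returned by `fetch_kev()` and feed the CVE IDs from your scanner into `assess()`. The `dueDate` field is the BOD 22-01 deadline for federal agencies; for everyone else it is still a useful measure of how urgent CISA considers the fix, and a growing `days_overdue` is the signal that should page someone.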


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
