The cybersecurity landscape is once again on high alert as the Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding two critical Microsoft SharePoint vulnerabilities—CVE-2025-49704 and CVE-2025-49706. This development underscores not only the persistent targeting of enterprise collaboration platforms by malicious actors, but also the urgent need for all organizations—both federal and private sector—to rapidly tighten their defenses against emerging threats.

Understanding CISA’s Known Exploited Vulnerabilities Catalog

The KEV Catalog is a dynamic resource managed by CISA, designed to spotlight vulnerabilities that are actively being exploited in the wild. Established through Binding Operational Directive (BOD) 22-01, this catalog provides federal agencies and, by extension, the broader IT community with an evolving list of Common Vulnerabilities and Exposures (CVEs) that pose significant danger if left unaddressed. According to CISA, inclusion in the KEV Catalog is not arbitrary; each entry is backed by credible evidence of exploitation, and the catalog is updated as soon as new threats emerge.
Federal Civilian Executive Branch (FCEB) agencies are mandated under BOD 22-01 to remediate all KEV-listed vulnerabilities by specified due dates. However, CISA’s stance is clear: All organizations, regardless of sector or regulatory requirements, should treat this catalog as a high-priority reference for patch management and vulnerability remediation.

The Newly Identified Microsoft SharePoint Flaws

CVE-2025-49704: Code Injection Vulnerability

CVE-2025-49704 has been categorized as a code injection vulnerability within Microsoft SharePoint, a platform widely used for document management, internal collaboration, and content sharing. As of publication, detailed technical specifics on the exploit remain limited; in general, code injection vulnerabilities allow attackers to insert malicious code into otherwise trusted processes.
Exploiting this flaw could enable a cybercriminal to execute arbitrary commands or deploy malware on an affected SharePoint server, potentially leading to further lateral movement across the network, data exfiltration, or even ransomware deployment. Prior high-profile SharePoint vulnerabilities have demonstrated how attackers can use such weaknesses to achieve unauthorized access and persistence deep within enterprise environments.

CVE-2025-49706: Improper Authentication Vulnerability

The second vulnerability, CVE-2025-49706, relates to improper authentication mechanisms within Microsoft SharePoint. Improper authentication flaws typically occur when systems inadequately verify user credentials or fail to properly restrict access to sensitive resources. Attackers who exploit this type of weakness may bypass user authentication, elevate privileges, or impersonate legitimate users, granting them unauthorized access to restricted information and administrative functions.
The potential impact is severe, as improper authentication might serve as an entry point for further attacks, compromise of confidential data, and undermining of trust boundaries within the organization.

Why SharePoint is a Prime Target for Cybercriminals

Microsoft SharePoint is deeply entrenched in both government and enterprise IT environments. Its very purpose—facilitating collaboration and document sharing—means it often holds sensitive business information, intellectual property, and even credentials to downstream systems.
Several factors make SharePoint an attractive target:
  • High Value Data: Repositories for contracts, sensitive communications, and project documentation.
  • Common Misconfigurations: SharePoint environments are frequently complex, with many organizations struggling to lock down permissions or keep up with patch cycles.
  • Internet-facing Instances: Many companies expose SharePoint portals directly to the internet, increasing exposure to opportunistic scanning and attacks.
Given this prominent role, the exploitation of SharePoint vulnerabilities has frequently been observed as a vector for initial compromise in cyberattacks against governments, critical infrastructure, and the private sector alike.

Analyzing the Real-World Impact

Both newly flagged vulnerabilities have potential for serious, real-world consequences:

1. Large Attack Surface

SharePoint’s widespread deployment, particularly in FCEB agencies and Fortune 500 businesses, equates to a large, diverse attack surface. Even modest uptake of a working exploit by threat actors can leave thousands of organizations exposed.

2. Attack Chain Enablement

A successful exploitation of either vulnerability may not, in isolation, allow complete compromise. However, when chained with other vulnerabilities or misconfigurations (for example, unpatched Windows servers, poor credential hygiene, or insecure integrations), the risks multiply rapidly.

3. Variety of Threat Actors

Both sophisticated nation-state hackers and commodity cybercriminal groups have a long history of targeting SharePoint. Ransomware operators, in particular, use vulnerabilities in public-facing servers as a means of gaining a foothold before deploying destructive payloads.

4. Risk to Sensitive Agencies

With federal agencies explicitly addressed by this alert, the implications for national security, the continuity of government operations, and the protection of sensitive information are clear and present.

The Critical Role of BOD 22-01

CISA’s Binding Operational Directive 22-01 is a cornerstone of the United States’ modern cyber defense posture. The directive stipulates not merely advisories, but enforceable timelines within which identified KEV vulnerabilities must be patched by FCEB agencies. Its objectives include:
  • Reducing the exploitability window: Mandating swift patching or mitigation measures narrows the time adversaries have to take advantage of newly discovered flaws.
  • Standardizing remediation efforts: Clear due dates centralize and focus response efforts across agencies, driving consistency.
  • Raising private sector standards: Even though BOD 22-01 is not legally binding on private enterprises, the KEV Catalog’s regular updates and prominence have led many in the private sector to adopt its list as a pragmatic baseline for their vulnerability management programs.

CISA’s Broader Recommendations – A Call to Action

CISA’s recommendations extend beyond federal entities. The agency is unequivocal: regardless of compliance mandates, all organizations should urgently review and address the vulnerabilities listed in the KEV Catalog.

Action Steps for Organizations

  • Review and Prioritize: Immediately audit your environment for any deployment of Microsoft SharePoint, paying particular attention to software versions referenced in the CVEs.
  • Patch and Update: Apply all relevant updates from Microsoft to address CVE-2025-49704 and CVE-2025-49706. Monitor Microsoft’s official advisories for further detail as they become available.
  • Audit Configurations: Conduct a configuration review for exposed SharePoint instances, both internally and externally facing, to minimize permissions and reduce attack surface.
  • Monitor for Indicators of Compromise (IOCs): Review security logs, enable advanced threat detection, and check for signs of suspicious code injection or unauthorized authentication attempts.
  • Educate and Prepare: Train relevant IT staff on emerging threats and ensure incident response teams are briefed on both the nature of the vulnerabilities and the steps for rapid containment and remediation.

Technical and Strategic Considerations

Strengths of CISA’s Approach

  • Transparency: By publishing an up-to-date, evidence-based catalog, CISA enables broad, industry-wide awareness of critical vulnerabilities.
  • Proactivity: Mandating and recommending swift remediation helps create a culture of security resilience.
  • Holistic View: The inclusion of both code injection and authentication flaws illustrates how threat actors often exploit a variety of weaknesses—not just one class of bugs—to achieve their ends.

Risks and Limitations

Despite these strengths, several challenges loom:
  • Patching Gaps Remain: Even with clear directives, organizations may lag in patching due to internal bureaucracy, testing concerns, or resource constraints. Smaller organizations may lack sufficient personnel to promptly remediate.
  • Unverified Threat Intelligence: In some cases, limited technical detail or proof-of-concept code is available on newly listed vulnerabilities. While CISA bases inclusion on “evidence of exploitation,” the specifics are often undisclosed for operational security, leaving some ambiguity for defenders looking to assess risk.
  • Legacy and Unsupported Systems: Many environments still operate end-of-life software lacking official patch support, heightening exposure to KEV-listed vulnerabilities.
  • Third-party Integrations: SharePoint is frequently tied into a web of custom and vendor-built applications. These integrations may break following a patch—creating operational resistance to timely updates.

Independent Verification and Cross-Referencing

Both CVE-2025-49704 and CVE-2025-49706 are listed in the official CVE database, corroborating their validity and status as vulnerabilities of concern. At the time of writing, exploit details are confined mainly to security advisories; independent third-party exploit analysis remains limited, likely due to the ongoing risk of weaponization and the standard industry practice of delaying public proofs until a majority of targets have patched.
Microsoft’s own security portals reflect a heightened focus on SharePoint flaws, and prior cases (including CVE-2023-29357 and CVE-2023-24955) serve as historical evidence for how critical such issues can be when exploited in the wild.
Security researchers, including those at Rapid7 and Mandiant, continually affirm that exploitation of SharePoint vulnerabilities is a favorite initial-access technique, often featured in post-compromise investigations.

What to Expect Next

CISA is expected to continue its cadence of regular KEV Catalog updates, especially as attackers refine their toolkits and the supply of exploits for high-value platforms like SharePoint grows. As threat campaigns become more complex, defenders must remain agile and proactive.
All organizations are urged not only to focus on the current vulnerabilities but to build systematic, repeatable processes for:
  • Continuous monitoring of KEV Catalog changes
  • Rapid risk assessment and internal communication upon new CVE disclosures
  • Integration of vulnerability intelligence with automated patch management solutions
  • Engagement with incident response partners to ensure readiness for exploitation attempts
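As an added example (not code from the article or from CISA), the following Python script shows how the KEV monitoring and prioritization steps above can be automated: it parses a snapshot in the shape of CISA's public KEV JSON feed, picks out the entries for one vendor and product, reports what was added since the last check, and joins the hits against a local asset inventory so the BOD 22-01 due date is visible per host. The feed URL in the comment is CISA's published one; the sample entries, their dates, the third placeholder CVE and the host names are constructed for this example, not values taken from the catalog.

```python
"""Triage a CISA KEV feed snapshot against a local asset inventory.

Added example, not code from the article or from CISA. It parses JSON in
the field layout of CISA's public KEV feed, filters for one vendor/product,
flags entries added since the last check, and joins the hits with a
constructed inventory so the BOD 22-01 due date is visible per host.
"""
import json
from datetime import date

# Constructed sample in the field layout of the public KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Dates, descriptions and the third entry are placeholders, not catalog values.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "0000.00.00",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2025-49704", "vendorProject": "Microsoft",
         "product": "SharePoint",
         "vulnerabilityName": "Microsoft SharePoint Code Injection Vulnerability",
         "dateAdded": "2025-07-20", "dueDate": "2025-07-21",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-49706", "vendorProject": "Microsoft",
         "product": "SharePoint",
         "vulnerabilityName": "Microsoft SharePoint Improper Authentication Vulnerability",
         "dateAdded": "2025-07-20", "dueDate": "2025-07-21",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct",
         "vulnerabilityName": "Placeholder entry for an unrelated product",
         "dateAdded": "2025-07-01", "dueDate": "2025-07-22",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed asset inventory: what a CMDB export might look like.
INVENTORY = [
    {"host": "sp-web-01.corp.example", "vendor": "Microsoft", "product": "SharePoint Server"},
    {"host": "sp-web-02.corp.example", "vendor": "Microsoft", "product": "SharePoint Server"},
    {"host": "mail-01.corp.example", "vendor": "Microsoft", "product": "Exchange Server"},
]


def parse_kev(feed_text):
    """Load the feed and refuse a snapshot whose 'count' disagrees with its entry list."""
    data = json.loads(feed_text)
    entries = data["vulnerabilities"]
    if data.get("count") is not None and data["count"] != len(entries):
        raise ValueError("KEV feed 'count' does not match entry list; refusing partial feed")
    return entries


def select_entries(entries, vendor=None, product=None):
    """Keep entries whose vendorProject matches and whose product contains the given name."""
    hits = []
    for entry in entries:
        if vendor and entry["vendorProject"].lower() != vendor.lower():
            continue
        if product and product.lower() not in entry["product"].lower():
            continue
        hits.append(entry)
    return hits


def added_since(entries, last_checked):
    """Entries whose dateAdded is strictly after the date of the previous check."""
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) > last_checked]


def triage(entries, inventory, today):
    """Join KEV entries with inventory hosts running the affected product.

    Each row carries days_left relative to the BOD 22-01 dueDate (negative when
    overdue) and the ransomware-use flag, sorted so the most urgent rows come first.
    """
    rows = []
    for entry in entries:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        status = "OVERDUE" if days_left < 0 else ("DUE_TODAY" if days_left == 0 else "OPEN")
        for host in inventory:
            if host["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if entry["product"].lower() not in host["product"].lower():
                continue
            rows.append({
                "cve": entry["cveID"],
                "host": host["host"],
                "days_left": days_left,
                "status": status,
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
            })
    rows.sort(key=lambda r: (r["days_left"], r["cve"], r["host"]))
    return rows


if __name__ == "__main__":
    kev = parse_kev(SAMPLE_KEV_JSON)
    sharepoint = select_entries(kev, vendor="Microsoft", product="SharePoint")
    for new in added_since(kev, date(2025, 7, 19)):
        print("new since last check:", new["cveID"], new["vulnerabilityName"])
    for row in triage(sharepoint, INVENTORY, date(2025, 7, 23)):
        print(row)
```

In production the feed text would come from an HTTP fetch of the URL above on a schedule, and the inventory join would be replaced by a query against the organization's CMDB or vulnerability scanner export; the filtering, freshness check and due-date ordering stay the same.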

Conclusion

The latest CISA alert, triggered by the exploitation of CVE-2025-49704 and CVE-2025-49706 in Microsoft SharePoint, is a timely and critical reminder of the ever-present risk posed by unpatched software and complex enterprise applications. Federal mandates offer an operational model for reducing exposure, but the ultimate defense lies in rapid, organization-wide action—bridging the gap between awareness and remediation.
The KEV Catalog continues to provide a credible, prioritized lens through which risk managers, network defenders, and business leaders alike must view their patching strategies. Taking immediate steps to mitigate these vulnerabilities isn’t simply about compliance; it’s about ensuring business continuity, protecting sensitive data, and staying ahead of cybercriminal innovation.
As attackers grow more sophisticated and vulnerabilities emerge with increasing frequency, organizations that embed KEV Catalog monitoring and rapid response into their core cybersecurity routines will be best positioned to stave off the latest exploits—and those yet to surface on the threat horizon.

Source: CISA, “CISA Adds Two Known Exploited Vulnerabilities to Catalog”