What is the CVSS score of CVE-2025-47166?

CVE-2025-47166 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 8.6%.

Which versions of Exchange are affected by CVE-2025-47166?

Microsoft Office SharePoint is vulnerable to authenticated remote code execution (CVE-2025-47166) via unsafe deserialization, allowing any user with valid credentials to execute arbitrary code with…. A patch is available.

Is there a public PoC exploit available for CVE-2025-47166?

Yes, a public proof-of-concept exploit is available for CVE-2025-47166. Prioritise patching immediately. EPSS: 8.6%.

How to fix or mitigate CVE-2025-47166?

Within 24 hours: Identify all SharePoint deployments (on-premises and online) and inventory current versions. Within 7 days: Apply vendor-released patch to all affected SharePoint instances; for organizations unable to patch immediately, restrict SharePoint access to essential personnel only and implement network segmentation. Within 30 days: Conduct forensic review of SharePoint audit logs for evidence of deserialization attacks, review user access controls to minimize authenticated user population, and validate patch application across all environments.

Exchange CVE-2025-47166

EUVD-2025-17733 HIGH

Deserialization of Untrusted Data (CWE-502)

2025-06-10 secure@microsoft.com

Microsoft Deserialization Exchange RCE Sharepoint Server Sharepoint Enterprise Server

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:40 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

16.0.18526.20396,16.0.5504.1001,16.0.10417.20018

EUVD ID Assigned

Mar 14, 2026 - 19:49 euvd

EUVD-2025-17733

Analysis Generated

Mar 14, 2026 - 19:49 vuln.today

PoC Detected

Jul 09, 2025 - 14:02 vuln.today

Public exploit code

CVE Published

Jun 10, 2025 - 17:23 nvd

HIGH 8.8

DescriptionCVE.org

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

AnalysisAI

Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely with high impact to confidentiality, integrity, and availability. The vulnerability affects SharePoint environments where an authorized user can submit malicious serialized objects, bypassing input validation due to unsafe deserialization practices (CWE-502). While the attack requires valid credentials (PR:L), the network-accessible attack vector (AV:N), low attack complexity (AC:L), and high CVSS score of 8.8 indicate significant real-world risk, particularly in organizations with broad internal user bases or federated access.

Technical ContextAI

This vulnerability stems from unsafe deserialization of untrusted data in Microsoft Office SharePoint's object handling mechanisms. CWE-502 (Deserialization of Untrusted Data) occurs when SharePoint deserializes serialized objects without proper validation, allowing attackers to instantiate arbitrary classes and execute malicious payloads. The vulnerability likely affects SharePoint's web services, document processing, or configuration serialization layers that accept user-supplied input. The attack surface includes SharePoint's SOAP/REST APIs, document upload handlers, or workflow engines where serialized .NET objects are processed. Affected components typically involve System.Runtime.Serialization.Formatters (BinaryFormatter, NetDataContractSerializer) or similar deserialization methods that evaluate untrusted object graphs. The vulnerability is specific to authenticated contexts within SharePoint farms or hybrid deployments where principals have document upload, list modification, or workflow authoring permissions.

RemediationAI

PATCH IMMEDIATELY: Apply Microsoft security updates for CVE-2025-47166 to all affected SharePoint installations. Patch releases vary by version (Server 2019 vs. 2016 vs. Online); consult Microsoft's official patch KB article for your deployment. 2. WORKAROUNDS (if patch unavailable): Restrict SharePoint site collection access to trusted users; disable or isolate SharePoint web services (SPUserCodeService, SPListWebService) if not required; enforce IP-based access controls to SharePoint front-end servers. 3. DETECTION & MONITORING: Audit SharePoint ULS logs for deserialization exceptions or unexpected object instantiation; monitor network traffic for anomalous SOAP/REST requests to document upload or list modification endpoints; enable SharePoint diagnostic logging at verbose level. 4. SSVC MITIGATION: If exploitation in-the-wild is confirmed (KEV status), treat as IMMEDIATE. Coordinate patching across multiple farms in a staged approach to avoid service disruption. 5. VENDOR ADVISORY: Reference Microsoft Security Update Guide (https://msrc.microsoft.com) and search for CVE-2025-47166 KB articles for build numbers and download links.

CVE-2025-47166 vulnerability details – vuln.today

Back

Exchange CVE-2025-47166

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code