EUVD-2025-17733
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Analysis
Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely with high impact to confidentiality, integrity, and availability. The vulnerability affects SharePoint environments where an authorized user can submit malicious serialized objects, bypassing input validation due to unsafe deserialization practices (CWE-502). While the attack requires valid credentials (PR:L), the network-accessible attack vector (AV:N), low attack complexity (AC:L), and high CVSS score of 8.8 indicate significant real-world risk, particularly in organizations with broad internal user bases or federated access.
Technical Context
This vulnerability stems from unsafe deserialization of untrusted data in Microsoft Office SharePoint's object handling mechanisms. CWE-502 (Deserialization of Untrusted Data) occurs when SharePoint deserializes serialized objects without proper validation, allowing attackers to instantiate arbitrary classes and execute malicious payloads. The vulnerability likely affects SharePoint's web services, document processing, or configuration serialization layers that accept user-supplied input. The attack surface includes SharePoint's SOAP/REST APIs, document upload handlers, or workflow engines where serialized .NET objects are processed. Affected components typically involve System.Runtime.Serialization.Formatters (BinaryFormatter, NetDataContractSerializer) or similar deserialization methods that evaluate untrusted object graphs. The vulnerability is specific to authenticated contexts within SharePoint farms or hybrid deployments where principals have document upload, list modification, or workflow authoring permissions.
Affected Products
Microsoft Office SharePoint (specific versions require vendor advisory cross-reference, typically): SharePoint Server 2019, SharePoint Server 2016, SharePoint Online (Microsoft 365), and potentially earlier versions. Affected components include SharePoint Foundation, SharePoint Enterprise, and cloud-hosted variants. CPE data would be of the form: cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:*:*:*:* (versions and editions vary). Organizations should consult Microsoft Security Advisory and KB articles specific to CVE-2025-47166 for exact version matrices. Likely affected configurations include on-premises farms with document libraries, list web services, and workflow execution enabled. Hybrid and cloud-only deployments (SharePoint Online) may have different exposure based on Microsoft's mitigation controls.
Remediation
1. PATCH IMMEDIATELY: Apply Microsoft security updates for CVE-2025-47166 to all affected SharePoint installations. Patch releases vary by version (Server 2019 vs. 2016 vs. Online); consult Microsoft's official patch KB article for your deployment. 2. WORKAROUNDS (if patch unavailable): Restrict SharePoint site collection access to trusted users; disable or isolate SharePoint web services (SPUserCodeService, SPListWebService) if not required; enforce IP-based access controls to SharePoint front-end servers. 3. DETECTION & MONITORING: Audit SharePoint ULS logs for deserialization exceptions or unexpected object instantiation; monitor network traffic for anomalous SOAP/REST requests to document upload or list modification endpoints; enable SharePoint diagnostic logging at verbose level. 4. SSVC MITIGATION: If exploitation in-the-wild is confirmed (KEV status), treat as IMMEDIATE. Coordinate patching across multiple farms in a staged approach to avoid service disruption. 5. VENDOR ADVISORY: Reference Microsoft Security Update Guide (https://msrc.microsoft.com) and search for CVE-2025-47166 KB articles for build numbers and download links.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today