CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Analysis
Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely without user interaction. The vulnerability affects SharePoint environments where untrusted data is deserialized, enabling network-based code execution with high impact on confidentiality, integrity, and availability. While no public exploit code has been confirmed in open intelligence sources, the CVSS 3.1 base score of 8.8 and low attack complexity make this a high-priority patch for all affected organizations.
Technical Context
This vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a well-known weakness class in which SharePoint server-side components fail to validate or sanitize serialized objects before deserializing them. Microsoft Office SharePoint likely uses .NET serialization (BinaryFormatter, NetDataContractSerializer, or similar) for inter-component communication or data persistence. An attacker with valid SharePoint credentials can craft malicious serialized payloads that, when deserialized by the server, instantiate dangerous object chains leading to arbitrary code execution. This is particularly severe in SharePoint because the service runs with elevated privileges and often has access to backend databases and external resources. The vulnerability requires only low-privilege access (PR:L) and no user interaction (UI:N), meaning it can be triggered programmatically via SharePoint APIs or web services.
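To make the CWE-502 pattern concrete, the following is an added .NET illustration, not SharePoint's own code and not the vulnerable component: WorkflowState and StateStore are hypothetical, and the hardened variant changes the storage format from BinaryFormatter bytes to a fixed data contract, because a type-name-driven formatter cannot be made safe by filtering alone.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Xml;

// Hypothetical state object standing in for whatever a server component persists.
// Sealed, with only primitive members, so the contract admits no polymorphic payloads.
[Serializable]
[DataContract]
public sealed class WorkflowState
{
    [DataMember] public string Name { get; set; }
    [DataMember] public int Step { get; set; }
}

public static class StateStore
{
    // VULNERABLE (CWE-502): a BinaryFormatter stream names the types to instantiate,
    // so whoever controls 'blob' controls which object graph the server constructs.
    // Any type reachable by the process becomes a candidate for a gadget chain.
    public static object LoadUnsafe(byte[] blob)
    {
        var formatter = new BinaryFormatter();
        using (var ms = new MemoryStream(blob))
            return formatter.Deserialize(ms);
    }

    // HARDENED: the serializer is bound to one concrete contract type, type names in
    // the payload are never honoured, and DTD processing is prohibited on the reader.
    public static WorkflowState LoadSafe(byte[] blob)
    {
        var serializer = new DataContractSerializer(typeof(WorkflowState));
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit };
        using (var ms = new MemoryStream(blob))
        using (var reader = XmlReader.Create(ms, settings))
            return (WorkflowState)serializer.ReadObject(reader);
    }

    // Matching writer so existing state can be migrated to the safe format.
    public static byte[] SaveSafe(WorkflowState state)
    {
        var serializer = new DataContractSerializer(typeof(WorkflowState));
        using (var ms = new MemoryStream())
        {
            serializer.WriteObject(ms, state);
            return ms.ToArray();
        }
    }
}
```

Code review for the unsafe pattern is a useful compensating check while patches are pending: any call to BinaryFormatter.Deserialize, NetDataContractSerializer, or a serializer configured with type-name handling on data that crosses a trust boundary warrants the same treatment as above.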
Affected Products
Specific affected products are not explicitly detailed in the provided description, but based on the CVE title referencing 'Microsoft Office SharePoint', the vulnerable scope likely includes Microsoft SharePoint Server 2019, Microsoft SharePoint Server 2016, Microsoft SharePoint Online (Microsoft 365), and potentially earlier versions. CPE strings would typically follow the patterns cpe:2.3:a:microsoft:sharepoint_server:* or cpe:2.3:a:microsoft:sharepoint_online:*. The vulnerability requires authenticated access, so it affects all deployments where user accounts exist (both on-premises and cloud-hosted). Organizations running third-party SharePoint add-ins or custom workflows may have an expanded attack surface if those components also perform unsafe deserialization. Exact version strings and patch versions should be taken from the Microsoft Security Advisory or the corresponding KB article (e.g., KB5XXXXXX). Recommended approach: check the Microsoft Security Update Guide or MSRC portal for definitive affected versions and build numbers.
Remediation
Immediate remediation steps: (1) Apply the latest security patch from Microsoft for your SharePoint version immediately; Microsoft typically releases cumulative updates (CUs) and security updates (SUs) monthly. (2) Verify patch installation by checking build numbers against Microsoft's official guidance. (3) If immediate patching is not possible, restrict network access to SharePoint services using firewall rules and network segmentation so that only trusted users and systems are exposed. (4) Disable or restrict access to SharePoint REST APIs and SOAP web services if they are not required for business operations. (5) Enforce multi-factor authentication (MFA) for all SharePoint user accounts to reduce the risk that compromised credentials provide the authenticated access this attack requires. (6) Monitor SharePoint logs and application insights for suspicious deserialization patterns, unusual object instantiation, or authentication anomalies. Consult Microsoft's official advisory and KB article (search 'CVE-2025-47163' on the Microsoft Security Update Guide or MSRC portal) for specific patch versions, build numbers, and validated remediation steps. Enterprise customers may reference their Microsoft support contract for prioritized guidance.
EUVD-2025-17736