CVE-2025-21344

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Microsoft SharePoint Server by sending specially crafted requests. It affects organizations running vulnerable SharePoint Server versions, potentially enabling attackers to take control of affected systems.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Specific versions as listed in Microsoft advisory
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SharePoint Server with default configurations; exact affected versions should be verified via Microsoft advisory.

📦 What is this software?

Microsoft SharePoint Server is Microsoft's on-premises web-based collaboration and document management platform, typically deployed on Windows Server and often exposed to internal users and, in some deployments, to the internet.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of SharePoint Server leading to data theft, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case: Unauthorized access to sensitive SharePoint data, privilege escalation, and limited system compromise.

🟢 If Mitigated: Attack blocked at network perimeter or by authentication requirements, limiting impact to authenticated users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending specially crafted requests; authentication status may affect exploitability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: As specified in Microsoft's security update

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21344

Restart Required: No

Instructions:

1. Download the security update from the Microsoft Update Catalog.
2. Apply the patch to all affected SharePoint Servers.
3. Verify installation via SharePoint Central Administration.

🔧 Temporary Workarounds

Network Segmentation (applies to: all affected versions)

Restrict access to SharePoint Server to trusted networks only.

Authentication Enforcement (applies to: all affected versions)

Ensure all SharePoint access requires authentication.

🧯 If You Can't Patch

  • Implement strict network access controls to limit SharePoint Server exposure
  • Enable enhanced logging and monitoring for suspicious SharePoint activity

🔍 How to Verify

Check if Vulnerable:

Compare the SharePoint Server build version against the affected versions listed in the Microsoft advisory.

Check Version:

Get-SPFarm | Select BuildVersion

Verify Fix Applied:

Confirm the patch is installed via SharePoint Central Administration (Upgrade and Migration > Check product and patch installation status) or the Windows Update history on each server.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SharePoint request patterns
  • Failed authentication attempts followed by successful exploitation

Network Indicators:

  • Anomalous HTTP requests to SharePoint endpoints
  • Unexpected outbound connections from SharePoint Server

SIEM Query:

source="sharepoint" AND (event_id=6398 OR event_id=6399) AND request_uri CONTAINS suspicious_pattern
