CVE-2025-59228 Overview
CVE-2025-59228 is an improper input validation vulnerability [CWE-20] in Microsoft Office SharePoint Server. The flaw allows an authorized attacker to execute arbitrary code over a network against affected SharePoint instances. Microsoft published the advisory on October 14, 2025, covering SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.
The vulnerability requires low-privilege authentication but no user interaction. Successful exploitation impacts the confidentiality, integrity, and availability of the SharePoint server and any content it hosts.
Critical Impact
An authenticated attacker can execute code remotely on a SharePoint server, gaining the ability to access, modify, or destroy SharePoint content and pivot deeper into the corporate network.
Affected Products
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 (Enterprise)
Discovery Timeline
- 2025-10-14 - CVE-2025-59228 published to NVD with Microsoft advisory
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2025-59228
Vulnerability Analysis
The vulnerability stems from improper input validation within Microsoft SharePoint Server. SharePoint fails to correctly sanitize attacker-controlled input before processing it within a server-side execution context. An authenticated user with low privileges on the SharePoint site can submit crafted input that the server processes as executable logic.
Because SharePoint runs server-side workflows, web parts, and various extensibility components under privileged service accounts, code execution typically occurs in the security context of the SharePoint application pool identity. This enables full compromise of the SharePoint farm, including access to content databases, configuration stores, and credentials cached on the host.
The attack requires network reach to the SharePoint web front end and valid credentials with site-level access. No user interaction is required from a second party. See the Microsoft Security Response Center advisory for product-specific technical details.
Root Cause
The root cause is missing or insufficient input validation [CWE-20] in a SharePoint server-side code path. SharePoint accepts attacker-supplied data and uses it in an operation that resolves to code execution without first verifying the data conforms to safe expectations. The exact internal component has not been disclosed publicly by Microsoft.
Attack Vector
The attack vector is network-based. An attacker authenticates to a SharePoint site using any valid account that has at least the minimal permission set required to reach the vulnerable code path. The attacker then issues a crafted HTTP request to the SharePoint endpoint that triggers the unsafe processing of input and executes attacker-controlled code on the server.
No verified public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The current EPSS exploitation probability is 0.219%.
Detection Methods for CVE-2025-59228
Indicators of Compromise
- Unexpected w3wp.exe child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned by the SharePoint application pool identity
- New or modified files under SharePoint web application directories, including _layouts, _app_bin, or the TEMPLATE hive
- Anomalous outbound network connections originating from SharePoint front-end servers to untrusted destinations
- IIS logs showing successful authenticated requests to SharePoint endpoints followed by elevated server-side activity
Detection Strategies
- Monitor for process lineage where SharePoint worker processes spawn scripting interpreters or LOLBins
- Inspect IIS request logs for crafted parameters targeting SharePoint handlers immediately preceding suspicious host activity
- Hunt for new scheduled tasks, services, or WMI persistence created on SharePoint servers after authenticated user activity
- Correlate authentication events with subsequent server-side file writes to SharePoint installation paths
Monitoring Recommendations
- Forward Windows Security, Sysmon, and IIS logs from all SharePoint front-end and application servers to a centralized SIEM
- Enable PowerShell Script Block Logging and Module Logging on SharePoint hosts
- Alert on creation of executable content under SharePoint LAYOUTS and BIN directories outside maintenance windows
- Track logon activity and privilege use for SharePoint service accounts and farm administrator accounts
How to Mitigate CVE-2025-59228
Immediate Actions Required
- Apply the security update referenced in the Microsoft advisory for CVE-2025-59228 to all affected SharePoint Server installations
- Inventory SharePoint farms and confirm patch level on every front-end, application, and search server in the farm
- Audit existing SharePoint user accounts and remove unused or stale low-privilege accounts that could be abused for authentication
- Review recent authenticated activity on SharePoint servers for indicators of prior exploitation
Patch Information
Microsoft has released security updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Administrators should obtain the build-specific updates listed in the Microsoft Security Response Center advisory and apply them through the standard SharePoint patching workflow, including running the SharePoint Products Configuration Wizard or PSConfig on each farm server after binary installation.
Workarounds
- Restrict network access to SharePoint web front ends so that only required client networks can authenticate
- Enforce strong authentication and conditional access policies on accounts that can reach SharePoint endpoints
- Apply the principle of least privilege to SharePoint site permissions and remove anonymous or broad-access configurations until patches are deployed
- Place SharePoint servers behind a web application firewall configured to inspect and constrain request parameters to expected formats
# Verify SharePoint farm build and configuration status after patching
Get-SPFarm | Select-Object BuildVersion
Get-SPProduct -Local
psconfig.exe -cmd upgrade -inplace b2b -wait -force
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
