CVE-2025-62204 Overview
CVE-2025-62204 is a deserialization of untrusted data vulnerability in Microsoft Office SharePoint Server. An authenticated attacker can submit crafted serialized objects to a vulnerable SharePoint endpoint and execute arbitrary code over the network. The flaw is tracked under CWE-502: Deserialization of Untrusted Data and affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Microsoft published the advisory on November 11, 2025. Successful exploitation compromises the confidentiality, integrity, and availability of the SharePoint farm and any data it hosts.
Critical Impact
An authenticated attacker can achieve remote code execution on the SharePoint server, enabling lateral movement, data theft, and persistent access across collaboration infrastructure.
Affected Products
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 (Enterprise)
Discovery Timeline
- 2025-11-11 - CVE-2025-62204 published to NVD
- 2025-11-11 - Microsoft releases security advisory and patch
- 2025-11-17 - Last updated in NVD database
Technical Details for CVE-2025-62204
Vulnerability Analysis
The vulnerability resides in SharePoint Server code that deserializes attacker-controlled input without sufficient type validation. SharePoint accepts serialized objects through one of its server-side processing paths and reconstructs them into live .NET objects. When the deserializer instantiates a gadget chain, attacker-supplied data drives object construction and method invocation. This produces arbitrary code execution under the identity of the SharePoint application pool. The CWE-502 classification reflects insecure object reconstruction rather than a traditional memory corruption flaw. The EPSS probability of 2.13% (84.4th percentile) indicates above-average likelihood of exploitation activity compared to typical CVEs.
Root Cause
The root cause is unsafe deserialization of untrusted input within a SharePoint server component. The deserializer does not enforce a strict allow-list of expected types before instantiating objects. Common .NET gadget chains, such as those abusing TypeConfuseDelegate or ObjectDataProvider, can be embedded in the serialized payload to trigger code execution during the deserialization process.
Attack Vector
The attack vector is network-based and requires low-privilege authentication plus user interaction. An attacker with a valid SharePoint account submits a crafted serialized payload to a vulnerable endpoint. The server deserializes the payload and executes attacker-chosen code in the SharePoint worker process, typically w3wp.exe. From this foothold, attackers can read site content, harvest service account credentials, plant web shells in the _layouts directory, or pivot to connected backend systems.
No public proof-of-concept exploit code is currently available. Refer to the Microsoft CVE-2025-62204 Advisory for vendor technical details.
Detection Methods for CVE-2025-62204
Indicators of Compromise
- Unexpected child processes spawned from w3wp.exe running under the SharePoint application pool identity, such as cmd.exe, powershell.exe, or csc.exe.
- New or modified .aspx, .ashx, or .asmx files in SharePoint TEMPLATE\LAYOUTS or _layouts\15 directories.
- Outbound network connections from SharePoint front-end servers to unfamiliar external hosts shortly after authenticated HTTP POST requests.
- IIS logs showing authenticated POSTs to SharePoint handlers with abnormally large request bodies or binary content types.
Detection Strategies
- Hunt for serialized .NET gadget signatures, including System.Windows.Data.ObjectDataProvider and System.Workflow.ComponentModel.Serialization strings, inside captured HTTP request bodies.
- Monitor for SharePoint ULS log entries indicating deserialization exceptions or unexpected type-load events tied to authenticated sessions.
- Correlate authenticated SharePoint sessions with subsequent process-creation telemetry showing scripting interpreters launched by IIS worker processes.
Monitoring Recommendations
- Forward IIS, ULS, and Windows Security event logs to a central analytics platform to baseline normal SharePoint behavior.
- Alert on any process tree where w3wp.exe is the parent of LOLBins such as certutil.exe, bitsadmin.exe, or rundll32.exe.
- Track changes to SharePoint web.config files and farm solutions for unauthorized modifications.
How to Mitigate CVE-2025-62204
Immediate Actions Required
- Apply the November 2025 Microsoft security updates to all SharePoint Server Subscription Edition, 2019, and 2016 instances without delay.
- Inventory all SharePoint farms, including development and disaster recovery environments, to confirm complete patch coverage.
- Rotate machine keys and service account credentials on SharePoint servers if compromise is suspected.
Patch Information
Microsoft released patches concurrent with the November 11, 2025 advisory publication. Administrators must download and install the relevant cumulative or security update package for each SharePoint version from the Microsoft CVE-2025-62204 Advisory. After installing binaries, run the SharePoint Products Configuration Wizard or PSConfig.exe to complete the upgrade on every server in the farm.
Workarounds
- Restrict SharePoint access to authenticated, trusted users only by enforcing strong authentication and removing anonymous access policies.
- Place SharePoint front-end servers behind a web application firewall configured to inspect and block serialized .NET payloads in POST bodies.
- Apply least-privilege principles to SharePoint application pool accounts to limit blast radius if exploitation occurs.
# Verify SharePoint patch level on each farm server (PowerShell)
Get-SPFarm | Select-Object BuildVersion
Get-SPProduct -Local | Format-List ProductName, PatchableUnitDisplayName, Patches
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
