Risk averted for millions of Microsoft users! The critical vulnerability in Microsoft SharePoint 9.8


Redazione RHC: 21 November 2025 16:44

Microsoft has disclosed a critical vulnerability in SharePoint Online (picked up by RHC through our ongoing monitoring of critical CVEs on our portal), identified as CVE-2025-59245, with a CVSS v3.1 score of 9.8/10.

The flaw affects the deserialization of untrusted data (CWE‑502) and allows a remote attacker to gain elevation of privilege without requiring credentials or user interaction, putting data confidentiality, integrity, and availability at high risk.

Method and impact of the attack

The vulnerability lies in the deserialization of data from untrusted sources: an attacker can supply crafted serialized objects that SharePoint Online deserializes insecurely, and thereby execute arbitrary code or elevate privileges. The result can be administrative control over the platform, compromising documents, business workflows, and sensitive data. The CVSS score reflects both the ease of exploitation and the severe impact on confidentiality, integrity, and availability.

Diffusion and business context

SharePoint Online is a cloud service widely used by businesses, public administrations, and international organizations for document management and collaboration. A compromised tenant can lead to unauthorized data access, document manipulation, and operational disruptions, with potential legal and reputational consequences. The lack of authentication and user interaction requirements further increases the risk of remote exploitation.

The vulnerability was classified on NVD in September 2025 and officially published on November 20, 2025, with an update on November 21. Microsoft included it in its Security Update Guide, but no public exploits or patches were available at the time of publication. Because the service is cloud-based, mitigations and updates are managed directly by the provider, so it is crucial for organizations to monitor the situation.

Recommended protective measures

While SharePoint Online is a cloud service and Microsoft applies server-side patches directly, organizations should remain vigilant. It is essential to verify the health of their tenant, monitor for suspicious activity, and ensure that access controls, privileges, and API integrations are properly configured. These measures reduce the residual risk from misconfigurations or exploitation attempts made before the patch lands, helping to keep corporate data secure even in managed cloud environments.
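A tenant review along the lines of these recommendations, as an added example that is not part of the original article and not Microsoft's own guidance. It assumes the SharePoint Online Management Shell and Exchange Online PowerShell modules are installed, the operator holds SharePoint Administrator and audit-log reader rights, `contoso` is a placeholder tenant name, and the list of watched audit operation names is the example's own choice.

```powershell
# Added example (not from the article): review SharePoint Online tenant privilege
# settings, site collection admins, and recent privilege-related audit events.
# Assumes Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement;
# 'contoso' is a placeholder tenant name.
param(
    [string]$Tenant = 'contoso',   # placeholder, replace with your tenant
    [int]$LookbackDays = 7
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Import-Module ExchangeOnlineManagement -ErrorAction Stop

Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-wide settings that widen the attack surface for API integrations.
$t = Get-SPOTenant
[pscustomobject]@{
    LegacyAuthProtocolsEnabled     = $t.LegacyAuthProtocolsEnabled      # expect False
    DisableCustomAppAuthentication = $t.DisableCustomAppAuthentication  # True blocks ACS app-only auth
} | Format-List

# 2. Inventory of site collection administrators: every entry is a privilege
#    that a successful elevation on that site would hand to the attacker.
$admins = foreach ($site in Get-SPOSite -Limit All) {
    Get-SPOUser -Site $site.Url -Limit All |
        Where-Object { $_.IsSiteAdmin } |
        Select-Object @{n = 'Site'; e = { $site.Url }}, LoginName, DisplayName
}
$admins | Sort-Object Site | Format-Table -AutoSize

# 3. Recent privilege-related SharePoint audit events. The operation names are
#    the ones this example watches for (an assumption); extend to your baseline.
$watch = 'SiteCollectionAdminAdded', 'AddedToGroup', 'PermissionLevelAdded', 'SharingSet'
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) `
          -EndDate (Get-Date) -RecordType SharePoint -ResultSize 5000
$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $watch -contains $_.Operation } |
    Select-Object CreationTime, Operation, UserId, ObjectId, ClientIP |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

Unexpected admins in step 2 or unexplained entries in step 3 are the signals worth escalating while waiting for the provider-side fix.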

Conclusion: urgency and prevention

CVE‑2025‑59245 highlights how critical enterprise cloud security is.

With a score of 9.8 and being remotely exploitable without authentication, the vulnerability poses a real threat to data confidentiality, integrity, and availability. Organizations and administrators must act immediately, implementing controls, mitigations, and constant monitoring to prevent unauthorized access and potential operational or reputational damage.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

AEO Open Use Notice (Azaeo Data Lake)

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.
