CVE-2025-64672 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Microsoft SharePoint Server Subscription Edition version 16.0.0. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows an attacker with authorized access to inject malicious scripts into SharePoint pages. These scripts can be executed in the context of other users’ browsers, enabling spoofing attacks and potentially leading to full compromise of confidentiality, integrity, and availability of SharePoint data and services. The vulnerability is remotely exploitable over the network without requiring user interaction, but it does require the attacker to have some level of privileges (PR:L). The CVSS v3.1 score of 8.8 indicates high severity, with network attack vector (AV:N), low attack complexity (AC:L), and no user interaction (UI:N). The scope remains unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although no known exploits are currently in the wild, the critical role of SharePoint in enterprise collaboration and document management makes this vulnerability a significant threat. The lack of an official patch link suggests that remediation is pending, emphasizing the need for immediate defensive measures.

For European organizations, this vulnerability poses a substantial risk due to the widespread use of Microsoft SharePoint Server Subscription Edition in government, finance, healthcare, and critical infrastructure sectors. Successful exploitation could lead to unauthorized disclosure of sensitive information, manipulation or deletion of critical documents, and disruption of collaborative workflows. The ability to perform spoofing attacks can facilitate further social engineering or phishing campaigns within affected networks. Given the high confidentiality, integrity, and availability impacts, organizations could face regulatory penalties under GDPR for data breaches, operational downtime, and reputational damage. The remote exploitability without user interaction increases the urgency for mitigation, especially in environments where SharePoint is exposed to internal or external networks. The requirement for attacker privileges means insider threats or compromised accounts are primary vectors, highlighting the importance of strict access controls and monitoring.

1. Apply official security patches from Microsoft immediately once available to remediate the vulnerability. 2. Until patches are released, implement strict input validation and sanitization on all SharePoint web parts and custom code to prevent injection of malicious scripts. 3. Restrict SharePoint administrative and editing privileges to the minimum necessary users to reduce the risk of privilege abuse. 4. Enable and monitor detailed logging and alerting for unusual activities related to SharePoint page modifications or script injections. 5. Use Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting SharePoint endpoints. 6. Conduct regular security assessments and penetration testing focused on SharePoint environments to identify and remediate similar vulnerabilities. 7. Educate users and administrators about phishing and spoofing risks that could leverage this vulnerability. 8. Segment SharePoint servers from general network access where possible to limit exposure.