CVE-2025-64672 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting Microsoft SharePoint Server Subscription Edition version 16.0.0. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows an attacker with authorized access to inject malicious scripts into SharePoint pages. These scripts execute in the context of other users viewing the compromised pages, enabling spoofing attacks and potentially unauthorized actions or data disclosure. The vulnerability requires the attacker to have some level of privileges (PR:L) but does not require user interaction (UI:N), making it easier to exploit remotely over the network (AV:N). The CVSS v3.1 base score is 8.8, indicating high severity with high impact on confidentiality, integrity, and availability. The scope remains unchanged (S:U), meaning the vulnerability affects only the SharePoint component. No known exploits have been reported in the wild as of the publication date, but the vulnerability is publicly disclosed and should be considered a significant risk. The lack of an available patch at the time of disclosure necessitates immediate mitigation efforts by organizations relying on this SharePoint version.

The vulnerability allows attackers to execute arbitrary scripts in the context of other users, potentially leading to theft of sensitive information such as authentication tokens, session cookies, or confidential data stored in SharePoint. It can also enable attackers to perform actions on behalf of legitimate users, leading to data manipulation or disruption of services. Given SharePoint's widespread use in enterprises and governments for document management and collaboration, exploitation could result in significant operational disruption, data breaches, and loss of trust. The network-exploitable nature and lack of user interaction requirement increase the risk of automated or large-scale attacks. Organizations with high-value intellectual property or sensitive data stored in SharePoint are particularly vulnerable. The vulnerability could also be leveraged as a foothold for further lateral movement within corporate networks.

Organizations should monitor Microsoft’s official channels for patches and apply them immediately once available. In the interim, restrict access to SharePoint Server Subscription Edition to trusted users and networks only, minimizing exposure. Implement strict input validation and sanitization on all user inputs within SharePoint customizations or extensions to reduce injection risks. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Use web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting SharePoint. Regularly audit SharePoint configurations and user permissions to ensure least privilege principles are enforced. Educate users about the risks of phishing and social engineering that could leverage this vulnerability. Finally, consider isolating SharePoint servers in segmented network zones to limit potential lateral movement in case of compromise.