The U.S. Cybersecurity and Infrastructure Security Agency (CISA) declared on July 22, 2025, that two vulnerabilities in Microsoft SharePoint, CVE-2025-49704 and CVE-2025-49706, have been incorporated into its Known Exploited Vulnerabilities (KEV) catalog due to verified instances of active exploitation.

Consequently, agencies within the Federal Civilian Executive Branch (FCEB) must address the noted vulnerabilities by July 23, 2025.

“CISA is