CVE-2025-59237: 
vulnerability analysis and mitigation

A deserialization of untrusted data vulnerability (CVE-2025-59237) was discovered in Microsoft Office SharePoint, affecting SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The vulnerability was disclosed on October 14, 2025, and allows an authorized attacker to execute code over a network (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and requires low attack complexity while having a network attack vector (NVD).

If successfully exploited, this vulnerability allows an attacker with low privileges to achieve remote code execution over a network, potentially compromising the confidentiality, integrity, and availability of the affected SharePoint systems (NVD).

Microsoft has released security updates to address this vulnerability. The fixes are available in build 16.0.19127.20262 for SharePoint Server Subscription Edition, build 16.0.10417.20059 for SharePoint Server 2019, and build 16.0.5522.1000 for SharePoint Server 2016. Users are advised to apply these security updates through Microsoft Update, Microsoft Update Catalog, or Microsoft Download Center (Microsoft Support).