Microsoft SharePoint Server ↗
ℹ On-premises SharePoint Server only. SharePoint Online (Microsoft 365) is a cloud service patched by Microsoft and is not covered here.
Summary iPlain-English security verdict for Microsoft SharePoint Server, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
Microsoft SharePoint Server currently scores 5/100 — critical, with active exploitation. 15 of its known vulnerabilities are being actively exploited in the wild (CISA KEV), including CVE-2019-0604. The latest supported release is 16.0.19725.20280. Upgrade immediately and review your exposure to the actively-exploited CVEs below. Note: this product is assessed at the product level on recent (365-day) activity rather than an exact per-version match, so it is never marked a confident "healthy".
Disclosure trend iNew CVEs published for Microsoft SharePoint Server each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
⚠ 7 of its known vulnerabilities are linked to ransomware campaigns (CISA KEV).
Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2019-0604 CRITICAL ● exploited ⚠ ransomware Improper input validation EPSS 94% → see advisory CVE-2023-29357 CRITICAL ● exploited ⚠ ransomware CWE-303 EPSS 94% → see advisory CVE-2015-1641 HIGH ● exploited Out-of-bounds write EPSS 94% → see advisory CVE-2020-1147 HIGH ● exploited EPSS 93% → see advisory CVE-2014-1761 HIGH ● exploited Out-of-bounds write EPSS 93% → see advisory CVE-2012-1889 HIGH ● exploited Out-of-bounds write EPSS 93% → see advisory CVE-2023-24955 HIGH ● exploited ⚠ ransomware Code injection EPSS 92% → see advisory CVE-2017-11826 HIGH ● exploited Memory corruption EPSS 92% → see advisory CVE-2025-53770 CRITICAL ● exploited ⚠ ransomware Insecure deserialization EPSS 88% → fixed in 16.0.18526.20508 CVE-2012-2539 HIGH ● exploited Out-of-bounds write EPSS 84% → see advisory CVE-2025-49706 MEDIUM ● exploited ⚠ ransomware Improper authentication EPSS 74% → fixed in 16.0.18526.20424 CVE-2024-38094 HIGH ● exploited ⚠ ransomware Insecure deserialization EPSS 70% → see advisoryVersions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.
How long each Microsoft SharePoint Server release line is supported — and when it sunsets.
ℹ product-level posture (last 365d); exact per-version verdict pending precise version mapping