Spoofing Vulnerability in Microsoft Office SharePoint
CVE-2025-49706
Key Information:
- Vendor
Microsoft
- Status
- Vendor
- CVE Published:
- 8 July 2025
Badges
What is CVE-2025-49706?
CVE-2025-49706 is a spoofing vulnerability identified in Microsoft Office SharePoint, a widely used web-based collaboration platform that aids organizations in document management, storage, and project coordination. This specific vulnerability arises from improper authentication mechanisms within SharePoint, enabling an authorized attacker to exploit these shortcomings and perform spoofing attacks over the network. Such attacks can allow the adversary to impersonate other users or services, potentially leading to unauthorized access to sensitive information and resources. The implications for organizations can be severe, as the integrity and confidentiality of data may be compromised, risking both operational disruption and reputational damage.
Potential impact of CVE-2025-49706
-
Unauthorized Access: Attackers can exploit this vulnerability to impersonate legitimate users, gaining unauthorized access to confidential information and sensitive resources within SharePoint.
-
Data Integrity Risks: By spoofing other users, adversaries could manipulate or corrupt documents and projects, leading to significant issues related to data integrity and trustworthiness.
-
Reputational Damage: Successful exploitation can result in data breaches that undermine stakeholder trust, causing long-lasting reputational harm to organizations, and potentially leading to legal or financial repercussions.
CISA has reported CVE-2025-49706
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-49706 as being exploited and is known by the CISA as enabling ransomware campaigns.
The CISA's recommendation is: CISA recommends disconnecting public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS). For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use. For supported versions, please follow the mitigations according to CISA and vendor instructions. Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Affected Version(s)
Microsoft SharePoint Enterprise Server 2016 x64-based Systems 16.0.0 < 16.0.5508.1000
Microsoft SharePoint Server 2019 x64-based Systems 16.0.0 < 16.0.10417.20027
Microsoft SharePoint Server Subscription Edition x64-based Systems 16.0.0 < 16.0.18526.20424
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
@SecurelistToolShell: a story of five vulnerabilities in Microsoft SharePoint
Explaining the ToolShell vulnerabilities in SharePoint: how the POST request exploit works, why initial patches can be easily bypassed, and how to stay protected.
4 days ago
Chinese nation-state groups exploiting SharePoint vulnerability, Microsoft confirms
Microsoft said previously known Chinese nation-state operations that it tracks as Linen Typhoon and Violet Typhoon β as well as a third, less-known group β were among those exploiting serious bugs in SharePoint server software.
6 days ago
3 China Nation-State Actors Target SharePoint Bugs
Hackers and cybercrime groups are part of a virtual feeding frenzy, after Microsoft's recent disclosure of new vulnerabilities in on-premises editions of SharePoint Server.
6 days ago
References
CVSS V3.1
Timeline
- π°
Used in Ransomware
- π¦
CISA Reported
- π°
First article discovered by The Hacker News
- π‘
Public PoC available
- πΎ
Exploit known to exist
- π₯
Vulnerability reached the number 1 worldwide trending spot
- π
Vulnerability started trending
Vulnerability published
Vulnerability Reserved