Spoofing Vulnerability in Microsoft Office SharePoint
CVE-2025-49706
Key Information:
- Vendor
Microsoft
- Status
- Vendor
- CVE Published:
- 8 July 2025
Badges
What is CVE-2025-49706?
CVE-2025-49706 is a spoofing vulnerability identified in Microsoft Office SharePoint, a widely used web-based collaboration platform that aids organizations in document management, storage, and project coordination. This specific vulnerability arises from improper authentication mechanisms within SharePoint, enabling an authorized attacker to exploit these shortcomings and perform spoofing attacks over the network. Such attacks can allow the adversary to impersonate other users or services, potentially leading to unauthorized access to sensitive information and resources. The implications for organizations can be severe, as the integrity and confidentiality of data may be compromised, risking both operational disruption and reputational damage.
Potential impact of CVE-2025-49706
-
Unauthorized Access: Attackers can exploit this vulnerability to impersonate legitimate users, gaining unauthorized access to confidential information and sensitive resources within SharePoint.
-
Data Integrity Risks: By spoofing other users, adversaries could manipulate or corrupt documents and projects, leading to significant issues related to data integrity and trustworthiness.
-
Reputational Damage: Successful exploitation can result in data breaches that undermine stakeholder trust, causing long-lasting reputational harm to organizations, and potentially leading to legal or financial repercussions.
CISA has reported CVE-2025-49706
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-49706 as being exploited and is known by the CISA as enabling ransomware campaigns.
The CISA's recommendation is: Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Affected Version(s)
Microsoft SharePoint Enterprise Server 2016 x64-based Systems 16.0.0 < 16.0.5508.1000
Microsoft SharePoint Server 2019 x64-based Systems 16.0.0 < 16.0.10417.20027
Microsoft SharePoint Server Subscription Edition x64-based Systems 16.0.0 < 16.0.18526.20424
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 29)
Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization.
3 weeks ago
ToolShell: Uncovering Five Critical Vulnerabilities in Microsoft SharePoint
Security researchers from Kaspersky have detailed a sophisticated exploit chain dubbed "ToolShell," actively targeting on-premise.
3 weeks ago
ToolShell: a story of five vulnerabilities in Microsoft SharePoint
Explaining the ToolShell vulnerabilities in SharePoint: how the POST request exploit works, why initial patches can be easily bypassed, and how to stay protected.
4 weeks ago
References
EPSS Score
18% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 💰
Used in Ransomware
- 🦅
CISA Reported
- 📰
First article discovered by The Hacker News
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 🥇
Vulnerability reached the number 1 worldwide trending spot
- 📈
Vulnerability started trending
Vulnerability published
Vulnerability Reserved