CVE-2025-49706

CVE-2025-49706 is a medium-severity vulnerability in Microsoft Sharepoint Enterprise Server with a CVSS 3.x base score of 6.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-07-22). The underlying weakness is classified as CWE-287.

Key facts

Description

Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

CVE-2025-49706: Improper Authentication in Microsoft SharePoint Enables Spoofing Attacks

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2025-49706
CVSS v3.1 6.5 (MEDIUM)
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE CWE-287 — Improper Authentication
EPSS 0.99879 (99.963rd percentile)
KEV Yes — added 2025-07-22
EU Exploited Yes — since 2025-07-22 (EUVD-2025-20552)
Ransomware Confirmed association
Assigner [email protected]

Summary

A critical authentication flaw in on-premises Microsoft SharePoint Server allows remote, unauthenticated attackers to perform spoofing attacks over the network. The vulnerability has been actively exploited in the wild since July 2025, prompting inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog and Microsoft's active disruption efforts against exploitation campaigns.

Background

In July 2025, Microsoft disclosed multiple vulnerabilities affecting on-premises SharePoint Server installations. CVE-2025-49706 specifically targets the authentication layer of SharePoint, enabling attackers to bypass or circumvent proper identity verification. Microsoft subsequently published a security blog detailing active exploitation campaigns and disruption efforts targeting these SharePoint vulnerabilities, highlighting the severity and real-world impact on enterprise environments.

Root Cause

CWE-287 — Improper Authentication

The vulnerability stems from improper authentication mechanisms within SharePoint's handling of network requests. Under specific conditions, the application fails to adequately validate or enforce authentication requirements, allowing an attacker to present a falsified identity or omit authentication credentials entirely while still being processed by the server. The low attack complexity (AC:L) and lack of required privileges (PR:N) indicate this is a design or implementation flaw in the authentication verification path rather than a configuration-dependent issue.

Impact

The CVSS v3.1 score of 6.5 (MEDIUM) reflects a network-accessible vulnerability with the following characteristics:

  • Attack Vector (AV): Network — exploitable remotely over the internet or internal network
  • Attack Complexity (AC): Low — no special conditions or advanced techniques required
  • Privileges Required (PR): None — unauthenticated attackers can exploit this
  • User Interaction (UI): None — no victim action required
  • Scope (S): Unchanged — exploitation does not cross security boundaries
  • Confidentiality (C): Low — limited information disclosure
  • Integrity (I): Low — limited data modification or spoofing possible
  • Availability (A): None — no direct impact on service availability

The practical impact centers on identity spoofing: an attacker can impersonate legitimate users or system components, potentially leading to unauthorized access to SharePoint content, data manipulation, or lateral movement within the enterprise environment. The confirmed ransomware association elevates the operational risk significantly.

Exploitation Walkthrough

Ethics caveat: This section describes the defensive understanding of attack mechanics only. No weaponized exploit code is provided. Security teams should use this knowledge to improve detection and remediation.

  1. Reconnaissance: The attacker identifies an on-premises SharePoint Server instance (typically exposed via HTTPS on port 443 or HTTP on port 80).

  2. Authentication Gap Identification: The attacker sends crafted requests to SharePoint endpoints that fail to properly validate authentication tokens or session state. The flaw resides in the authentication middleware's failure to reject unauthenticated or malformed identity assertions.

  3. Spoofing Execution: By exploiting the improper authentication handling, the attacker constructs requests that the server processes as coming from a legitimate user or system account, without possessing valid credentials.

  4. Post-Exploitation: With spoofed identity access, the attacker may enumerate document libraries, access sensitive organizational data, or establish persistence for further lateral movement.

The exploit maturity rating of 4 and EPSS score of 0.99879 indicate that reliable exploitation methods are widely available and the probability of active exploitation is near-certain.

Affected and Patched Versions

Affected Products (per NVD CPE data):

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server (Subscription Edition)

Patched Versions:

Specific patch information is not provided in the available data. Organizations should consult the Microsoft Security Response Center advisory for the definitive list of patched versions and security update deployment guidance.

Remediation

  1. Apply Security Updates: Install the latest SharePoint security updates from Microsoft as soon as possible. Given active exploitation and KEV status, patching should be treated as an emergency change.

  2. Network Segmentation: Restrict SharePoint server access to authorized internal networks only. Avoid exposing on-premises SharePoint directly to the internet unless absolutely necessary.

  3. Web Application Firewall (WAF): Deploy WAF rules to detect and block anomalous authentication requests targeting SharePoint endpoints.

  4. Multi-Factor Authentication (MFA): Enforce MFA for all SharePoint user accounts where supported to reduce the impact of spoofed identity attacks.

  5. Compensating Controls: Until patches can be applied, consider temporarily disabling affected SharePoint services or placing them behind a VPN with strong authentication requirements.

Detection

Security teams should monitor for:

  • Unusual authentication patterns against SharePoint endpoints, including successful access from unexpected source IPs or without corresponding login events.
  • Anomalous HTTP requests to SharePoint _api/ or /_layouts/ endpoints with missing or malformed authentication headers.
  • Unexpected document access or download patterns from service accounts or privileged users.
  • Correlation of SharePoint access logs with the CISA KEV catalog and threat intelligence feeds indicating CVE-2025-49706 exploitation.

Assessment

With an EPSS score of 0.99879 (99.963rd percentile) and confirmed KEV status with exploitation observed since July 2025, CVE-2025-49706 represents a near-certain, actively exploited threat. The medium CVSS score understates the urgency because the vulnerability is unauthenticated, network-accessible, and actively used in ransomware campaigns. The EU vulnerability database (EUVD-2025-20552) independently confirms exploitation.

Key lessons:

  1. Authentication flaws in enterprise collaboration platforms carry disproportionate risk due to the high value of stored organizational data.
  2. EPSS and KEV status should be prioritized over CVSS severity alone when triaging vulnerabilities for emergency patching.

References

Frequently asked questions

What is CVE-2025-49706?
Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
How severe is CVE-2025-49706?
CVE-2025-49706 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2025-49706 being actively exploited?
Yes. CVE-2025-49706 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-07-22, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2025-49706?
CVE-2025-49706 primarily affects Microsoft Sharepoint Enterprise Server. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2025-49706?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2025-49706 have an EU (EUVD) identifier?
Yes. CVE-2025-49706 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-20552. It is also flagged as exploited in the EUVD (since 2025-07-22).
When was CVE-2025-49706 published?
CVE-2025-49706 was published on 2025-07-08 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Microsoft Sharepoint Enterprise Server

All CVEs affecting Microsoft Sharepoint Enterprise Server →

Other CWE-287 (Improper Authentication) vulnerabilities

Browse all CWE-287 (Improper Authentication) vulnerabilities →