CVE-2025-49706
Published: 08 July 2025
Summary
CVE-2025-49706 is a medium-severity Improper Authentication (CWE-287) vulnerability in Microsoft SharePoint Server. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely remediation of identified flaws, including applying Microsoft patches for this specific improper authentication vulnerability in SharePoint to prevent spoofing exploitation.
- Mandates robust identification and authentication for organizational users and processes, directly countering the improper authentication mechanism that enables network-based spoofing in SharePoint.
- Enforces approved access authorizations in accordance with policy, ensuring spoofed identities from improper authentication are denied logical access to SharePoint resources.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A network-accessible improper authentication bypass in a public-facing SharePoint server enables initial access through exploitation of the exposed web application.
NVD Description
Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
Deeper analysis
CVE-2025-49706 is an improper authentication vulnerability in Microsoft Office SharePoint that enables an unauthorized attacker to perform spoofing over a network. Published on 2025-07-08, the issue carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and maps to CWE-287.
The vulnerability can be exploited by any unauthorized attacker with network access, requiring low complexity and no user interaction or privileges. Successful exploitation allows spoofing, resulting in low confidentiality and integrity impacts without affecting availability.
Advisories from Microsoft Security Response Center detail patches and mitigations at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49706. Microsoft's security blog addresses disrupting active exploitation of on-premises SharePoint vulnerabilities at https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/.
This vulnerability has seen real-world exploitation, as evidenced by its inclusion in CISA's catalog and Microsoft's report on active attacks against on-premises SharePoint deployments.
Details
- CWE(s)
- KEV Date Added: 22 July 2025