Cyber Resilience

CVE-2025-49706

MediumCISA KEVActive ExploitationEUVD ExploitedRansomware-linked

Published: 08 July 2025

Published
08 July 2025
Modified
27 October 2025
KEV Added
22 July 2025
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score 0.7379 98.8th percentile
Risk Priority 77 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-49706 is a medium-severity Improper Authentication (CWE-287) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2025-49706 is an improper authentication vulnerability in Microsoft Office SharePoint that enables an unauthorized attacker to perform spoofing over a network. Published on 2025-07-08, the issue carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and maps to CWE-287.

The vulnerability can be exploited by any unauthorized attacker with network access, requiring low complexity and no user interaction or privileges. Successful exploitation allows spoofing, resulting in low confidentiality and integrity impacts without affecting availability.

Advisories from Microsoft Security Response Center detail patches and mitigations at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49706. Microsoft's security blog addresses disrupting active exploitation of on-premises SharePoint vulnerabilities at https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/.

This vulnerability has seen real-world exploitation, as evidenced by its inclusion in CISA's catalog and Microsoft's report on active attacks against on-premises SharePoint deployments.

EU & UK References

Vulnerability details

Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

CWE(s)
KEV Date Added
22 July 2025

Related Threats

Threat-Actor AttributionAI

Named in MITRE ATT&CK description for SharePoint ToolShell Exploitation (campaign).
Kimsuky (G0094)
Decoding the Accelerated Cyber Attack Cycle 2026 GLOBAL THREAT LANDSCAPE REPORT 2 CONTENTS Introduction 3 Executive Summary 4 Key findings 5 The Disappearance of Predictive Lead Time 8 The Industrialization of Access 14 Exposure Surfaces as

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct network-accessible improper authentication bypass in public-facing SharePoint server enables initial access via exploitation of the exposed web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20963Same product: Microsoft Sharepoint Serverboth on KEV
CVE-2026-32201Same product: Microsoft Sharepoint Serverboth on KEV
CVE-2025-49704Same product: Microsoft Sharepoint Serverboth on KEV
CVE-2025-53770Same product: Microsoft Sharepoint Serverboth on KEV
CVE-2025-59287Same vendor: Microsoftboth on KEV
CVE-2025-21348Same product: Microsoft Sharepoint Server
CVE-2026-26114Same product: Microsoft Sharepoint Server
CVE-2025-21344Same product: Microsoft Sharepoint Server
CVE-2026-20947Same product: Microsoft Sharepoint Server
CVE-2026-26106Same product: Microsoft Sharepoint Server

Affected Assets

microsoft
sharepoint enterprise server
2016
microsoft
sharepoint server
2019 · ≤ 16.0.18526.20424

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of identified flaws, including applying Microsoft patches for this specific improper authentication vulnerability in SharePoint to prevent spoofing exploitation.

prevent

Mandates robust identification and authentication for organizational users and processes, directly countering the improper authentication mechanism that enables network-based spoofing in SharePoint.

prevent

Enforces approved access authorizations in accordance with policy, ensuring spoofed identities from improper authentication are denied logical access to SharePoint resources.

References