๐Ÿ”ด CVE-2025-49706

CVE-2025-49706 is an improper authentication vulnerability in Microsoft SharePoint Server that allows network-based spoofing attacks without authentication. The vulnerability is actively exploited in the wild and enables attackers to bypass authentication by manipulating HTTP headers.

โ† Back to Overview
HIGH_RISK
Risk Level
6.5
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 โ€” Exploit Public-Facing Application
ATT&CK Technique
HIGH
Deployment Risk
Yes (+207d)
Ransomware

๐Ÿ“‹ Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-08

Added to CISA KEV: 2025-07-22 14 DAYS BETWEEN CVE AND KEV

๐ŸŽฏ Recommendations:

๐Ÿ” Web Intelligence (Kagi ยท 2025-09-06)

Here's what is known about the CVE-2025-49706 vulnerability:

  • Affected Applications/Services: CVE-2025-49706 affects on-premises Microsoft SharePoint Server versions [1].
  • Active Exploitation: There is evidence of active exploitation in the wild [2][3].
  • Attack Vectors/Exploitation Methods:
* The vulnerability is an improper authentication issue that allows an attacker to perform spoofing over a network [4]. * Attackers can manipulate HTTP requests, specifically the Referer header, to bypass authentication and gain access to restricted SharePoint functionality [5][6].
  • Targeted Attacks: CVE-2025-49706 is being exploited in attacks that lead to stealthy web shell deployment and privilege escalation [3].
  • CISA KEV Status: CISA added CVE-2025-49706 to its Known Exploited Vulnerabilities Catalog on July 22, 2025 [7].
  • Technical Details/Internet Exploitability:
* CVE-2025-49706 is related to a more critical vulnerability, CVE-2025-53770, which is a zero-authentication remote code execution (RCE) vulnerability in Microsoft SharePoint [3][8]. CVE-2025-53770 is a variant of CVE-2025-49706 [2][8]. * Exploitation involves manipulating HTTP requests to ```/ToolPane.aspx```, specifically forging the ```Referer``` header [5].

Sources

  1. Active Exploitation of Microsoft SharePoint Vulnerabilities

    Active attacks are targeting on-premises SharePoint Server customers by exploiting a variant of CVE-2025-49706. This new variant has been ...

  2. GitHub - AdityaBhatt3010/CVE-2025-49706-SharePoint-Spoofing...

    CVEโ€‘2025โ€‘49706, a spoofing vulnerability in SharePoint Server, has evolved from medium-severity to real-world weaponization, with a variant (CVEโ€‘2025โ€‘53770) now actively exploited in the wild.

  3. cve-2025-49706 ยท GitHub Topics ยท GitHub

    A deep dive into CVE-2025-49706 โ€” the SharePoint spoofing flaw now exploited in the wild for stealthy web shell deployment and privilege escalation.

  4. CVE-2025-49706 Detail - NVD

    Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. Metrics. CVSS Version 4.0. CVSS ...

  5. ToolShell Unleashed: Decoding the SharePoint Attack Chain - Trellix

    CVE-2025-49706: An authentication bypass (spoofing) vulnerability that allows unauthenticated attackers to access restricted SharePoint functionality. Attackers manipulate HTTP requests to the /ToolPane.aspx, specifically, by forging the Referer header.

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

๐Ÿ“„ Download JSON Data | ๐Ÿ“ก RSS Feed