CVE-2025-49706 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-08

Added to CISA KEV: 2025-07-22 14 DAYS BETWEEN CVE AND KEV

⚠️ CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity before patching
Apply Microsoft security updates immediately for all SharePoint Server versions
Monitor SharePoint servers for suspicious HTTP requests to /ToolPane.aspx
Implement network segmentation to limit SharePoint server exposure
Review and audit SharePoint authentication configurations
Deploy web application firewall rules to detect header manipulation attacks

Active Exploitation of Microsoft SharePoint Vulnerabilities
Active attacks are targeting on-premises SharePoint Server customers by exploiting a variant of CVE-2025-49706. This new variant has been ...
GitHub - AdityaBhatt3010/CVE-2025-49706-SharePoint-Spoofing...
CVE‑2025‑49706, a spoofing vulnerability in SharePoint Server, has evolved from medium-severity to real-world weaponization, with a variant (CVE‑2025‑53770) now actively exploited in the wild.
cve-2025-49706 · GitHub Topics · GitHub
A deep dive into CVE-2025-49706 — the SharePoint spoofing flaw now exploited in the wild for stealthy web shell deployment and privilege escalation.
CVE-2025-49706 Detail - NVD
Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. Metrics. CVSS Version 4.0. CVSS ...
ToolShell Unleashed: Decoding the SharePoint Attack Chain - Trellix
CVE-2025-49706: An authentication bypass (spoofing) vulnerability that allows unauthenticated attackers to access restricted SharePoint functionality. Attackers manipulate HTTP requests to the /ToolPane.aspx, specifically, by forging the Referer header.

🔴 CVE-2025-49706