⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.. Due date: 2025-07-23.

CVE-2025-49706

CWE-287Improper Authentication23 documents16 sources
Severity
6.5MEDIUM
EPSS
71.6%
top 1.27%
CISA KEV
KEVRansomware
Added 2025-07-22
Due 2025-07-23
Exploit
PoC available
Public exploit / PoC exists
Affected products
5
Microsoft Microsoft Sharepoint Enterprise Server 2016Microsoft Microsoft Sharepoint Server 2019Microsoft Microsoft Sharepoint Server Subscription Edition+2 more
Timeline
PublishedJul 8
KEV addedJul 22
KEV dueJul 23
Latest updateDec 3
CISA Required Action: Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Description

Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages5 packages

NVDmicrosoft/sharepoint_server< 16.0.18526.20424+1
CVEListV5microsoft/microsoft_sharepoint_server_201916.0.016.0.10417.20027
CVEListV5microsoft/microsoft_sharepoint_enterprise_server_201616.0.016.0.5508.1000
CVEListV5microsoft/microsoft_sharepoint_server_subscription_edition16.0.016.0.18526.20424

🔴Vulnerability Details

3
CVEList
Microsoft SharePoint Server Spoofing Vulnerability2025-07-08
GHSA
GHSA-j67g-r75f-8hgp: Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network2025-07-08
VulnCheck
Microsoft SharePoint Improper Authentication Vulnerability2025

💥Exploits & PoCs

2
Nuclei
Microsoft SharePoint Server - Authentication Bypass
Metasploit
Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)

🔍Detection Rules

2
Suricata
ET EXPLOIT Microsoft SharePoint ToolPane Authentication Bypass (CVE-2025-49706)2025-07-08
Sigma
Suspicious File Write to SharePoint Layouts Directory

📋Vendor Advisories

2
CISA
Microsoft SharePoint Improper Authentication Vulnerability2025-07-22
Microsoft
Microsoft SharePoint Server Spoofing Vulnerability2025-07-08

🕵️Threat Intelligence

7
Securelist
Exploits and vulnerabilities in Q3 20252025-12-03
Unit42
Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks2025-08-05
Unit42
Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated August 12)2025-07-31
Unit42
Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated August 12)2025-07-31
Securelist
ToolShell: a story of five vulnerabilities in Microsoft SharePoint2025-07-25

📐Framework References

1
ATT&CK
SharePoint ToolShell Exploitation