CVE-2025-49706
Published Jul 8, 2025
Last updated a month ago
AI description
CVE-2025-49706 is a vulnerability affecting Microsoft Office SharePoint. It stems from improper authentication within the software. This vulnerability could allow an authorized attacker to perform spoofing attacks over a network, potentially compromising the integrity of SharePoint services. Microsoft has released a security update (KB5002751) to address this vulnerability.
- Description: Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
- Source: secure@microsoft.com
- NVD status: Analyzed
- Products: sharepoint_enterprise_server, sharepoint_server
CVSS 3.1
- Type: Primary
- Base score: 6.5
- Impact score: 2.5
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Severity: MEDIUM
Data from CISA
- Vulnerability name: Microsoft SharePoint Improper Authentication Vulnerability
- Exploit added on: Jul 22, 2025
- Exploit action due: Jul 23, 2025
- Required action: Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
- secure@microsoft.com: CWE-287
- Hype score: Not currently trending
CVE-2025-49706 Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successful exploitation could allow an attacker to view sensitive information and make changes to disclosed information.
@ZeroDayFacts
21 Aug 2025
51 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[Vulnerability tool] SharePoint 2025 RCE graphical exploitation tool. Related CVE numbers: CVE-2025-53770 CVE-2025-53771 CVE-2025-49704 CVE-2025-49706 https://t.co/8DPcYBYCq4 https://t.co/lts8kW1swv
@cybersecuritysl
19 Aug 2025
1260 Impressions
7 Retweets
18 Likes
16 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-49706
@transilienceai
19 Aug 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-49706
@transilienceai
2 Aug 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Storm-2603 exploits SharePoint flaws CVE-2025-49706/49704 using AK47 C2 framework with DNS and HTTP clients to deploy Warlock and LockBit Black ransomware in Latin America and APAC. #SharePointVulns #LatinAmerica #APAC https://t.co/JtbSBeBj0j
@TweetThreatNews
1 Aug 2025
95 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-49706
@transilienceai
1 Aug 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 BREAKING: #SharePoint Zero-Days Under Active Exploitation “Chinese state actors are exploiting CVE-2025-49706 & CVE-2025-49704 to compromise SharePoint servers worldwide. 400+ orgs affected including US nuclear agencies. Patch NOW! 🔗 security advisory link #CyberSec
@Prashanthblogs
30 Jul 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft SharePoint: Critical Security Alert @CISACyber – CVE-2025-49706 and CVE-2025-49704 https://t.co/iH89nUXNsy https://t.co/YwTFKEhz6V
@portalcryptoid
29 Jul 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 New Critical #SharePoint RCE: CVE-2025-53770 Patch bypass of CVE-2025-49706/49704 allows remote, unauthorized code execution on on-prem SharePoint servers, leading to full system compromise. 🔎 Validate your exposure safely with a #NodeZero Rapid Response test: https://t
@Horizon3ai
28 Jul 2025
284 Impressions
6 Retweets
5 Likes
2 Bookmarks
0 Replies
2 Quotes
Actively exploited CVE : CVE-2025-49706
@transilienceai
28 Jul 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
#threatreport #LowCompleteness Inside The ToolShell Campaign | 27-07-2025 Source: https://t.co/Uho9beozwg Key details below ↓ 💀Threats: Toolshell_vuln, Keysiphon, 🎯Victims: Organizations 🔓CVEs: CVE-2025-49706 \[[Vulners](https://t.co/N5B5hYgj6E)] - CVSS V3.1: *6.5
@rst_cloud
28 Jul 2025
94 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
🚨 CVE-2025-49706 | SharePoint Auth Bypass + RCE A spoofed Referer header like /SignOut.aspx tricks PostAuthenticationRequestHandler() due to a logic flaw in Microsoft.Sharepoint.dll. 👇 Here's how attackers chain it:
@KunalChandola
27 Jul 2025
16 Impressions
0 Retweets
0 Likes
0 Bookmarks
4 Replies
0 Quotes
Since 18/7 the Chinese group Storm-2603 has been deploying the Warlock ransomware by exploiting the Microsoft SharePoint vulnerabilities CVE-2025-49706 and CVE-2025-49704. PATCH! https://t.co/SUXkJjurw7
@SeguInfo
27 Jul 2025
423 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🔴 #Microsoft SharePoint, Improper Authentication Vulnerability, #CVE-2025-49706 (Critical) https://t.co/f2EEkv65Jl
@dailycve
27 Jul 2025
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-49706
@transilienceai
26 Jul 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
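On-prem SharePoint users, take care ⚠️ The "ToolShell" backdoor, which exploits zero-days (CVE-2025-49706/49704), is spreading. Universities and state governments have been hit too, and it is bad enough that attackers get full access to both files and configuration 💥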
@log_sho_dev
26 Jul 2025
120 Impressions
0 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
🔻 Update: ToolShell exploits hit 300+ orgs globally and now dropping WARLOCK Ransomware ! Chinese APT Storm-2603 has escalated the ToolShell SharePoint exploit chain (CVE-2025-49706 + CVE-2025-49704) into a global ransomware operation. With 4,600+ attacks across 300+ https://
@cytexsmb
25 Jul 2025
239 Impressions
2 Retweets
3 Likes
2 Bookmarks
1 Reply
2 Quotes
SharePoint flaws exploited in Warlock ransomware attacks China-based hacking group Storm-2603 is exploiting the ToolShell zero-day chain (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770) to deploy Warlock ransomware on unpatched Microsoft SharePoint servers. Over 420 servers http
@dCypherIO
25 Jul 2025
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-49706
@transilienceai
25 Jul 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
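The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities catalog, noting that the SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706 have been observed being exploited in ransomware attacks. https://t.co/tWx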
@__kokumoto
24 Jul 2025
1999 Impressions
4 Retweets
17 Likes
2 Bookmarks
0 Replies
0 Quotes
🚨 U.S. DHS reportedly breached via Microsoft SharePoint zero-days (CVE-2025-49704 & CVE-2025-49706). NIH & 12+ gov entities may also be hit. @Microsoft confirms: Linen Typhoon, Violet Typhoon & Storm-2603 exploited the flaws. Storm-2603 later deployed Warlock ran
@TechNadu
24 Jul 2025
86 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📢 UPDATE ANNOUNCEMENT – Microsoft SharePoint Critical Vulnerabilities (CVE-2025-49704, CVE-2025-49706) Critical vulnerabilities identified in the on-premises (on-prem) versions of Microsoft SharePoint, attackers spoofing identities on systems
@GMDestekMerkezi
24 Jul 2025
30 Impressions
0 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft Threat Intelligence team share details of Storm-2603 activity that leads to the deployment of Warlock ransomware by exploitation of on-premises SharePoint vulnerabilities CVE-2025-49706 & CVE-2025-49704. https://t.co/ZjVX7XqI5o https://t.co/x3RZ6Q9ifc
@virusbtn
24 Jul 2025
2793 Impressions
19 Retweets
57 Likes
20 Bookmarks
0 Replies
0 Quotes
Attacks on serious Microsoft SharePoint vulnerabilities intensify; PoC also released (CVE-2025-53770,CVE-2025-53771,CVE-2025-49704,CVE-2025-49706)|Security and IT News-セキュリティ対策Lab https://t.co/enCPPrwlcM
@Luke06121
24 Jul 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CISA Orders Urgent SharePoint Patching Amid Active Exploits by Chinese APTs 🚨 📅 Update as of July 22, 2025 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-49704 and CVE-2025-49706 to its Known Exploited Vulnerabilities (KEV) catalog
@SachinCyberSec
23 Jul 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 NNSA breached in a SharePoint zero-day attack. Targets: On-prem servers - Vulnerables: CVE-2025-49706 & CVE-2025-49704 - Nuclear oversight at risk - No classified data accessed, but dozens of servers impacted - Patches released; CISA added flaws to the KEV list 🧵 Re
@TechNadu
23 Jul 2025
109 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Today's top 5 cybersecurity news - July 23, 2025 1. Microsoft has released guidance on two actively exploited SharePoint vulnerabilities, CVE-2025-49704 (remote code execution) and CVE-2025-49706 (network spoofing), which allow attackers to gain unauthorized access to on-premise
@NewsNerdie
23 Jul 2025
31 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
CISA has added two actively exploited SharePoint flaws (CVE-2025-49704 and CVE-2025-49706) to its KEV list after Chinese hacking groups Linen Typhoon and Violet Typhoon targeted on-premise servers since July. Remediation needed by July 23, 2025. #SharePo… https://t.co/gbJeWI0PP
@TweetThreatNews
23 Jul 2025
43 Impressions
1 Retweet
0 Likes
1 Bookmark
0 Replies
0 Quotes
🚨 @SharePoint RCE exploited in 100+ orgs. CVE-2025-49706 + 49704 chained (ToolShell). 🧵 What we know: - Affected: U.S., Germany gov orgs - Attack start: Coordinated Friday rollout - CISA adds to KEV Gained cryptographic keys, re-entry possible even after patching 📣 Da
@TechNadu
23 Jul 2025
90 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CISA has added two Microsoft SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities catalog after reports of active exploitation by Chinese hackers.
@oxhak
23 Jul 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Attacks on serious Microsoft SharePoint vulnerabilities intensify; PoC also released CVE-2025-53770,CVE-2025-53771,CVE-2025-49704,CVE-2025-49706 #セキュリティ対策Lab #セキュリティ #Security https://t.co/N8UBX4LzCk
@securityLab_jp
23 Jul 2025
131 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Chinese APTs have been exploiting SharePoint zero-days with ToolShell since July 7, targeting CVE-2025-49706 and CVE-2025-49704. Nations such as Linen Typhoon and Violet Typhoon are actively involved in ongoing exploitation. #China #SharePoint #APT https://t.co/WukXWg6A1A
@TweetThreatNews
22 Jul 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Multiple China-based groups Linen Typhoon and Violet Typhoon are exploiting SharePoint vulnerabilities (CVE-2025-49706/49704) and bypass bugs to target global government, military, and corporate sectors. #China #Espionage #Vulnerabilities https://t.co/J8RmJX9HhC
@TweetThreatNews
22 Jul 2025
96 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
In a blog published on 19 July 2025, Microsoft warned about two critical vulnerabilities that affect only on-premises SharePoint servers: CVE-2025-49706 (spoofing vulnerability) and CVE-2025-49704 (remote code execution
@PvtSakarium
22 Jul 2025
375 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
1 Quote
🛡️ $MSFT Microsoft announced that Chinese hackers are abusing vulnerabilities in SharePoint software. ⚠️ The targets are internet-exposed on-premises SharePoint servers; these vulnerabilities are CVE-2025-49706 (spoofing) and CVE-2025-49704 (remote
@ILKERFIRENZE
22 Jul 2025
126 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Active exploitation alert: Microsoft warns of ongoing attacks targeting on-prem SharePoint servers via CVE-2025-49706 & CVE-2025-49704. Chinese threat actors (Linen Typhoon, Violet Typhoon, Storm-2603) observed deploying web shells via spoofed POST requests.
@0x534c
22 Jul 2025
599 Impressions
0 Retweets
5 Likes
4 Bookmarks
0 Replies
0 Quotes
MSTIC blog on Sharepoint exploitation At least 3 actors exploiting CVE-2025-49706 & CVE-2025-49704 as early as July 7: Linen Typhoon Violet Typhoon Storm-2603 (CN-based actor deployed Warlock & Lockbit ransomware in past - current motivation unknown) https://t.co/IgEp6
@cglyer
22 Jul 2025
23770 Impressions
56 Retweets
137 Likes
42 Bookmarks
2 Replies
2 Quotes
GitHub - AdityaBhatt3010/CVE-2025-49706-SharePoint-Spoofing-Vulnerability-Under-Active-Exploitation: A deep dive into CVE-2025-49706 — the SharePoint spoofing flaw now exploited in the wild for stealthy web shell deployment and privilege escalation. https://t.co/rXmAOehSIF
@akaclandestine
22 Jul 2025
2054 Impressions
8 Retweets
40 Likes
19 Bookmarks
0 Replies
0 Quotes
CVE-2025-49706 Microsoft SharePoint Server Spoofing Vulnerability https://t.co/RVfHemXHve #cybersecurity #cyberrisk
@SecQube
22 Jul 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
ToolShell exploits multiple SharePoint vulnerabilities, including CVE-2025-49706 and CVE-2025-53770, to achieve remote code execution and silently extract cryptographic keys. Unpatched SharePoint 2016 and earlier are at high risk. #ToolShell #UK https://t.co/r6wxwdzE8N
@TweetThreatNews
22 Jul 2025
149 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE Record: CVE-2025-49706 A variant of a recent CVE assessed as MEDIUM level threat, you see. “Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.” https://t.co/s5OrvHq2Yg
@wontonimobae
21 Jul 2025
64 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
Major cyberattack under way in the US: CVE-2025-53770 ("ToolShell") CVE-2025-49706 https://t.co/TpGfi80H99
@lhommedesforet
20 Jul 2025
54 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-49704: This vulnerability arises from the implementation of the SurrogateSelector interface. CVE-2025-49706 authentication bypass, allows import/update operations on SharePoint WebPart components via the ToolPane endpoint. Accordingly, you can contact the @hawktrace
@hawktrace
20 Jul 2025
488 Impressions
5 Retweets
9 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-53770 - A variant of CVE-2025-49706 submitted to the @thezdi and shown at Pwn2Own Berlin by @ViettelCyberSec variants are the devil, narrow/incomplete patches a catastrophe https://t.co/fHNVXzqLXm https://t.co/CkILJB0H1F
@gothburz
20 Jul 2025
72 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
If you're trying to figure out active exploit against those SharePoint / ToolShell vulns (CVE-2025-49706 + CVE-2025-49704), we released a free SharePoint decoy template on Defused. It flags a high severity alert automatically if an adversary tries to leverage the vuln. https
@DefusedCyber
20 Jul 2025
2099 Impressions
3 Retweets
11 Likes
6 Bookmarks
1 Reply
1 Quote
🚨 Active Exploitation Alert DarkAtlas Squad are tracking widespread, in-the-wild exploitation of critical Microsoft SharePoint vulnerabilities: CVE-2025-49704 and CVE-2025-49706. Organizations globally are being targeted. These flaws are actively weaponized and pose a severe h
@DarkAtlasSquad
20 Jul 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
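An unpatched critical zero-day vulnerability in SharePoint, CVE-2025-53770, is being exploited, and more than 75 organizations worldwide have been affected. It has a CVSS score of 9.8 and is a variant of CVE-2025-49706, which was fixed in the July monthly update. As a mitigation, Microsoft officially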
@__kokumoto
20 Jul 2025
4646 Impressions
6 Retweets
35 Likes
12 Bookmarks
3 Replies
1 Quote
📌 A critical security vulnerability in Microsoft SharePoint Server has been exploited in a large campaign affecting more than 75 organizations worldwide. The vulnerability, known as CVE-2025-53770, rated 9.8, is a variant of the vulnerability CVE-2025
@Cybercachear
20 Jul 2025
159 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Active cyberattacks are exploiting two critical vulnerabilities in Microsoft SharePoint that allow remote command execution. - CVE-2025-49704 - CVE-2025-49706 🎯 Microsoft recommends enabling AMSI and isolating servers. https://t.co/NJl
@cyberscastx
20 Jul 2025
5405 Impressions
2 Retweets
35 Likes
31 Bookmarks
2 Replies
0 Quotes
CVE-2025-49704 , CVE-2025-49706 # SharePoint 0-Day RCE Vulnerability: https://t.co/tQgsee0YRq
@Iambivash007
20 Jul 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9C082CC4-6128-475D-BC19-B239E348FDB2"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B006E0D5-DEDF-490A-9BC6-D2DC34DF98B2",
            "versionEndExcluding": "16.0.18526.20424"
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6122D014-5BF1-4AF4-8B4D-80205ED7785E"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]