CVE-2025-49706

Published Jul 8, 2025

Last updated a month ago

Exploit known
CVSS medium 6.5
Microsoft Office SharePoint
ToolShell

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-49706 is a vulnerability affecting Microsoft Office SharePoint. It stems from improper authentication within the software. This vulnerability could allow an authorized attacker to perform spoofing attacks over a network, potentially compromising the integrity of SharePoint services. Microsoft has released a security update (KB5002751) to address this vulnerability.

Description
Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
Source
secure@microsoft.com
NVD status
Analyzed
Products
sharepoint_enterprise_server, sharepoint_server

Risk scores

CVSS 3.1

Type
Primary
Base score
6.5
Impact score
2.5
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity
MEDIUM

Known exploits

Data from CISA

Vulnerability name
Microsoft SharePoint Improper Authentication Vulnerability
Exploit added on
Jul 22, 2025
Exploit action due
Jul 23, 2025
Required action
Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Weaknesses

secure@microsoft.com
CWE-287

Social media

Hype score
Not currently trending
  1. CVE-2025-49706 Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successful exploitation could allow an attacker to view sensitive information and make changes to disclosed information.

    @ZeroDayFacts

    21 Aug 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. [Vulnerability tool] SharePoint 2025 RCE graphical exploitation tool. Related CVE numbers: CVE-2025-53770 CVE-2025-53771 CVE-2025-49704 CVE-2025-49706 https://t.co/8DPcYBYCq4 https://t.co/lts8kW1swv

    @cybersecuritysl

    19 Aug 2025

    1260 Impressions

    7 Retweets

    18 Likes

    16 Bookmarks

    0 Replies

    0 Quotes

  3. Actively exploited CVE : CVE-2025-49706

    @transilienceai

    19 Aug 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. Actively exploited CVE : CVE-2025-49706

    @transilienceai

    2 Aug 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. Storm-2603 exploits SharePoint flaws CVE-2025-49706/49704 using AK47 C2 framework with DNS and HTTP clients to deploy Warlock and LockBit Black ransomware in Latin America and APAC. #SharePointVulns #LatinAmerica #APAC https://t.co/JtbSBeBj0j

    @TweetThreatNews

    1 Aug 2025

    95 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Actively exploited CVE : CVE-2025-49706

    @transilienceai

    1 Aug 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. 🚨 BREAKING: #SharePoint Zero-Days Under Active Exploitation “Chinese state actors are exploiting CVE-2025-49706 & CVE-2025-49704 to compromise SharePoint servers worldwide. 400+ orgs affected including US nuclear agencies. Patch NOW! 🔗 security advisory link #CyberSec

    @Prashanthblogs

    30 Jul 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Microsoft SharePoint: Critical Security Alert @CISACyber – CVE-2025-49706 and CVE-2025-49704 https://t.co/iH89nUXNsy https://t.co/YwTFKEhz6V

    @portalcryptoid

    29 Jul 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 New Critical #SharePoint RCE: CVE-2025-53770 Patch bypass of CVE-2025-49706/49704 allows remote, unauthorized code execution on on-prem SharePoint servers, leading to full system compromise. 🔎 Validate your exposure safely with a #NodeZero Rapid Response test: https://t

    @Horizon3ai

    28 Jul 2025

    284 Impressions

    6 Retweets

    5 Likes

    2 Bookmarks

    0 Replies

    2 Quotes

  10. Actively exploited CVE : CVE-2025-49706

    @transilienceai

    28 Jul 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  11. #threatreport #LowCompleteness Inside The ToolShell Campaign | 27-07-2025 Source: https://t.co/Uho9beozwg Key details below ↓ 💀Threats: Toolshell_vuln, Keysiphon, 🎯Victims: Organizations 🔓CVEs: CVE-2025-49706 \[[Vulners](https://t.co/N5B5hYgj6E)] - CVSS V3.1: *6.5

    @rst_cloud

    28 Jul 2025

    94 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  12. 🚨 CVE-2025-49706 | SharePoint Auth Bypass + RCE A spoofed Referer header like /SignOut.aspx tricks PostAuthenticationRequestHandler() due to a logic flaw in Microsoft.Sharepoint.dll. 👇 Here's how attackers chain it:

    @KunalChandola

    27 Jul 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    4 Replies

    0 Quotes

  13. Since 18/7 the Chinese group Storm-2603 has been deploying the Warlock ransomware by exploiting the Microsoft SharePoint vulnerabilities CVE-2025-49706 and CVE-2025-49704. PATCH! https://t.co/SUXkJjurw7

    @SeguInfo

    27 Jul 2025

    423 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. 🔴 #Microsoft SharePoint, Improper Authentication Vulnerability, #CVE-2025-49706 (Critical) https://t.co/f2EEkv65Jl

    @dailycve

    27 Jul 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Actively exploited CVE : CVE-2025-49706

    @transilienceai

    26 Jul 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

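  16. On-prem SharePoint users, take note ⚠️ The "ToolShell" backdoor, which exploits zero-days (CVE-2025-49706/49704), is spreading. Universities and state governments have been hit too, and attackers can get full access to both files and settings, which is how bad it is 💥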

    @log_sho_dev

    26 Jul 2025

    120 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. 🔻 Update: ToolShell exploits hit 300+ orgs globally and now dropping WARLOCK Ransomware ! Chinese APT Storm-2603 has escalated the ToolShell SharePoint exploit chain (CVE-2025-49706 + CVE-2025-49704) into a global ransomware operation. With 4,600+ attacks across 300+ https://

    @cytexsmb

    25 Jul 2025

    239 Impressions

    2 Retweets

    3 Likes

    2 Bookmarks

    1 Reply

    2 Quotes

  18. SharePoint flaws exploited in Warlock ransomware attacks China-based hacking group Storm-2603 is exploiting the ToolShell zero-day chain (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770) to deploy Warlock ransomware on unpatched Microsoft SharePoint servers. Over 420 servers http

    @dCypherIO

    25 Jul 2025

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Actively exploited CVE : CVE-2025-49706

    @transilienceai

    25 Jul 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

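  20. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities catalog, stating that the SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706 have been observed being exploited in ransomware attacks. https://t.co/tWx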

    @__kokumoto

    24 Jul 2025

    1999 Impressions

    4 Retweets

    17 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨 U.S. DHS reportedly breached via Microsoft SharePoint zero-days (CVE-2025-49704 & CVE-2025-49706). NIH & 12+ gov entities may also be hit. @Microsoft confirms: Linen Typhoon, Violet Typhoon & Storm-2603 exploited the flaws. Storm-2603 later deployed Warlock ran

    @TechNadu

    24 Jul 2025

    86 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 📢 UPDATE ANNOUNCEMENT – Microsoft SharePoint Critical Vulnerabilities (CVE-2025-49704, CVE-2025-49706) Critical vulnerabilities detected in the on-premises versions of Microsoft SharePoint, attackers performing identity spoofing on systems

    @GMDestekMerkezi

    24 Jul 2025

    30 Impressions

    0 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Microsoft Threat Intelligence team share details of Storm-2603 activity that leads to the deployment of Warlock ransomware by exploitation of on-premises SharePoint vulnerabilities CVE-2025-49706 & CVE-2025-49704. https://t.co/ZjVX7XqI5o https://t.co/x3RZ6Q9ifc

    @virusbtn

    24 Jul 2025

    2793 Impressions

    19 Retweets

    57 Likes

    20 Bookmarks

    0 Replies

    0 Quotes

  24. Attacks on critical Microsoft SharePoint vulnerabilities intensify; PoC also published (CVE-2025-53770,CVE-2025-53771,CVE-2025-49704,CVE-2025-49706) | Security and IT News - セキュリティ対策Lab https://t.co/enCPPrwlcM

    @Luke06121

    24 Jul 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 🚨 CISA Orders Urgent SharePoint Patching Amid Active Exploits by Chinese APTs 🚨 📅 Update as of July 22, 2025 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-49704 and CVE-2025-49706 to its Known Exploited Vulnerabilities (KEV) catalog

    @SachinCyberSec

    23 Jul 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  26. 🚨 NNSA breached in a SharePoint zero-day attack. Targets: On-prem servers - Vulnerables: CVE-2025-49706 & CVE-2025-49704 - Nuclear oversight at risk - No classified data accessed, but dozens of servers impacted - Patches released; CISA added flaws to the KEV list 🧵 Re

    @TechNadu

    23 Jul 2025

    109 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Today's top 5 cybersecurity news - July 23, 2025 1. Microsoft has released guidance on two actively exploited SharePoint vulnerabilities, CVE-2025-49704 (remote code execution) and CVE-2025-49706 (network spoofing), which allow attackers to gain unauthorized access to on-premise

    @NewsNerdie

    23 Jul 2025

    31 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  28. CISA has added two actively exploited SharePoint flaws (CVE-2025-49704 and CVE-2025-49706) to its KEV list after Chinese hacking groups Linen Typhoon and Violet Typhoon targeted on-premise servers since July. Remediation needed by July 23, 2025. #SharePo… https://t.co/gbJeWI0PP

    @TweetThreatNews

    23 Jul 2025

    43 Impressions

    1 Retweet

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  29. 🚨 @SharePoint RCE exploited in 100+ orgs. CVE-2025-49706 + 49704 chained (ToolShell). 🧵 What we know: - Affected: U.S., Germany gov orgs - Attack start: Coordinated Friday rollout - CISA adds to KEV Gained cryptographic keys, re-entry possible even after patching 📣 Da

    @TechNadu

    23 Jul 2025

    90 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. CISA has added two Microsoft SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities catalog after reports of active exploitation by Chinese hackers.

    @oxhak

    23 Jul 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Attacks on critical Microsoft SharePoint vulnerabilities intensify; PoC also published. CVE-2025-53770,CVE-2025-53771,CVE-2025-49704,CVE-2025-49706 #セキュリティ対策Lab #セキュリティ #Security https://t.co/N8UBX4LzCk

    @securityLab_jp

    23 Jul 2025

    131 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Chinese APTs have been exploiting SharePoint zero-days with ToolShell since July 7, targeting CVE-2025-49706 and CVE-2025-49704. Nations such as Linen Typhoon and Violet Typhoon are actively involved in ongoing exploitation. #China #SharePoint #APT https://t.co/WukXWg6A1A

    @TweetThreatNews

    22 Jul 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. Multiple China-based groups Linen Typhoon and Violet Typhoon are exploiting SharePoint vulnerabilities (CVE-2025-49706/49704) and bypass bugs to target global government, military, and corporate sectors. #China #Espionage #Vulnerabilities https://t.co/J8RmJX9HhC

    @TweetThreatNews

    22 Jul 2025

    96 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. In a blog published on 19 July 2025, Microsoft warned of two critical vulnerabilities affecting only on-premises SharePoint servers: CVE-2025-49706 (spoofing vulnerability) and CVE-2025-49704 (remote code execution

    @PvtSakarium

    22 Jul 2025

    375 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    1 Quote

  35. 🛡️ $MSFT Microsoft announced that Chinese hackers are exploiting vulnerabilities in SharePoint software. ⚠️ The targets are internet-facing on-premises SharePoint servers; these vulnerabilities are CVE-2025-49706 (spoofing) and CVE-2025-49704 (

    @ILKERFIRENZE

    22 Jul 2025

    126 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. 🚨 Active exploitation alert: Microsoft warns of ongoing attacks targeting on-prem SharePoint servers via CVE-2025-49706 & CVE-2025-49704. Chinese threat actors (Linen Typhoon, Violet Typhoon, Storm-2603) observed deploying web shells via spoofed POST requests.

    @0x534c

    22 Jul 2025

    599 Impressions

    0 Retweets

    5 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  37. MSTIC blog on Sharepoint exploitation At least 3 actors exploiting CVE-2025-49706 & CVE-2025-49704 as early as July 7: Linen Typhoon Violet Typhoon Storm-2603 (CN-based actor deployed Warlock & Lockbit ransomware in past - current motivation unknown) https://t.co/IgEp6

    @cglyer

    22 Jul 2025

    23770 Impressions

    56 Retweets

    137 Likes

    42 Bookmarks

    2 Replies

    2 Quotes

  38. GitHub - AdityaBhatt3010/CVE-2025-49706-SharePoint-Spoofing-Vulnerability-Under-Active-Exploitation: A deep dive into CVE-2025-49706 — the SharePoint spoofing flaw now exploited in the wild for stealthy web shell deployment and privilege escalation. https://t.co/rXmAOehSIF

    @akaclandestine

    22 Jul 2025

    2054 Impressions

    8 Retweets

    40 Likes

    19 Bookmarks

    0 Replies

    0 Quotes

  39. CVE-2025-49706 Microsoft SharePoint Server Spoofing Vulnerability https://t.co/RVfHemXHve #cybersecurity #cyberrisk

    @SecQube

    22 Jul 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. ToolShell exploits multiple SharePoint vulnerabilities, including CVE-2025-49706 and CVE-2025-53770, to achieve remote code execution and silently extract cryptographic keys. Unpatched SharePoint 2016 and earlier are at high risk. #ToolShell #UK https://t.co/r6wxwdzE8N

    @TweetThreatNews

    22 Jul 2025

    149 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  41. CVE Record: CVE-2025-49706 A variant of a recent CVE assessed as MEDIUM level threat, you see. “Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.” https://t.co/s5OrvHq2Yg

    @wontonimobae

    21 Jul 2025

    64 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  42. Major cyberattack under way in the US: CVE-2025-53770 ("ToolShell") CVE-2025-49706 https://t.co/TpGfi80H99

    @lhommedesforet

    20 Jul 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. CVE-2025-49704: This vulnerability arises from the implementation of the SurrogateSelector interface. CVE-2025-49706 authentication bypass, allows import/update operations on SharePoint WebPart components via the ToolPane endpoint. Accordingly, you can contact the @hawktrace

    @hawktrace

    20 Jul 2025

    488 Impressions

    5 Retweets

    9 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. CVE-2025-53770 - A variant of CVE-2025-49706 submitted to the @thezdi and shown at Pwn2Own Berlin by @ViettelCyberSec variants are the devil, narrow/incomplete patches a catastrophe https://t.co/fHNVXzqLXm https://t.co/CkILJB0H1F

    @gothburz

    20 Jul 2025

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. If you're trying to figure out active exploit against those SharePoint / ToolShell vulns (CVE-2025-49706 + CVE-2025-49704), we released a free SharePoint decoy template on Defused. It flags a high severity alert automatically if an adversary tries to leverage the vuln. https

    @DefusedCyber

    20 Jul 2025

    2099 Impressions

    3 Retweets

    11 Likes

    6 Bookmarks

    1 Reply

    1 Quote

  46. 🚨 Active Exploitation Alert DarkAtlas Squad are tracking widespread, in-the-wild exploitation of critical Microsoft SharePoint vulnerabilities: CVE-2025-49704 and CVE-2025-49706. Organizations globally are being targeted. These flaws are actively weaponized and pose a severe h

    @DarkAtlasSquad

    20 Jul 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

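  47. An unpatched critical zero-day vulnerability in Sharepoint, CVE-2025-53770, is being exploited, and more than 75 organizations worldwide have been affected. It has a CVSS score of 9.8 and is a variant of CVE-2025-49706, which was fixed in the July regular update. As a mitigation, Microsoft officially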

    @__kokumoto

    20 Jul 2025

    4646 Impressions

    6 Retweets

    35 Likes

    12 Bookmarks

    3 Replies

    1 Quote

  48. 📌 A critical security vulnerability in Microsoft SharePoint Server has been exploited in a large campaign affecting more than 75 organizations worldwide. The vulnerability, CVE-2025-53770, is rated 9.8 and is a variant of the vulnerability CVE-2025

    @Cybercachear

    20 Jul 2025

    159 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. Active cyberattacks are exploiting two critical vulnerabilities in Microsoft SharePoint that allow remote command execution. - CVE-2025-49704 - CVE-2025-49706 🎯 Microsoft recommends enabling AMSI and isolating servers. https://t.co/NJl

    @cyberscastx

    20 Jul 2025

    5405 Impressions

    2 Retweets

    35 Likes

    31 Bookmarks

    2 Replies

    0 Quotes

  50. CVE-2025-49704 , CVE-2025-49706 # SharePoint 0-Day RCE Vulnerability: https://t.co/tQgsee0YRq

    @Iambivash007

    20 Jul 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations