CVE-2025-47166

HIGH

Microsoft SharePoint Enterprise Server - Remote Code Execution via Untrusted Data Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-47166. PoCs published by nu11secur1ty.

AI-analyzed exploit summary This exploit demonstrates NTLM authentication bypass in Microsoft SharePoint 2019, allowing low-privileged or brute-forced domain accounts to access the `_api/web` endpoint and enumerate SharePoint metadata. The PoC uses NTLM authentication to disclose sensitive information such as user group relationships and file system structures.

Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Exploits (1)

exploitdb WORKING POC
by nu11secur1ty · textremotewindows
https://www.exploit-db.com/exploits/52349

This exploit demonstrates NTLM authentication bypass in Microsoft SharePoint 2019, allowing low-privileged or brute-forced domain accounts to access the `_api/web` endpoint and enumerate SharePoint metadata. The PoC uses NTLM authentication to disclose sensitive information such as user group relationships and file system structures.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SharePoint 2019
Auth required
Prerequisites: Network access to SharePoint Central Administration · Valid or brute-forcable domain credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 8.8
EPSS 0.1035
EPSS Percentile 93.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (3)
microsoft/sharepoint_enterprise_server 2016
microsoft/sharepoint_server 2019
microsoft/sharepoint_server < 16.0.18526.20396
Published Jun 10, 2025
Tracked Since Feb 18, 2026