CVE-2025-49706

MEDIUM KEV RANSOMWARE NUCLEI

Microsoft SharePoint Enterprise Server - Improper Authentication

Title source: llm

Exploitation Summary

CVE-2025-49706 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 22, 2025, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including AdityaBhatt3010, Viettel Cyber Security and sfewer-r7; one of them is the Metasploit module exploits/windows/http/sharepoint_toolpane_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2025-49706, a spoofing vulnerability in Microsoft SharePoint Server. It includes root cause analysis, exploitation steps, detection methods, and mitigation strategies, but does not contain functional exploit code.

Description

Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

Exploits (3)

nomisec WRITEUP 15 stars
by AdityaBhatt3010 · remote-auth
https://github.com/AdityaBhatt3010/CVE-2025-49706-SharePoint-Spoofing-Vulnerability-Under-Active-Exploitation

This repository provides a detailed technical analysis of CVE-2025-49706, a spoofing vulnerability in Microsoft SharePoint Server. It includes root cause analysis, exploitation steps, detection methods, and mitigation strategies, but does not contain functional exploit code.

Classification: Writeup 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Theoretical
Target: Microsoft SharePoint Server 2016, 2019, Subscription Edition
Auth required
Prerequisites: Authenticated SharePoint user access · Burp Suite or MITM proxy · Access to vulnerable endpoints
devstral-2 · analyzed Feb 18, 2026

github WRITEUP 9 stars
by AdityaBhatt3010 · poc
https://github.com/AdityaBhatt3010/CVE-2025-53770-SharePoint-Zero-Day-Variant-Exploited-for-Full-RCE

This repository contains a detailed technical analysis of CVE-2025-53770, an unauthenticated RCE vulnerability in Microsoft SharePoint, including root cause, attack flow, and mitigation strategies.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint Server 2016, 2019, Subscription Edition
No auth needed
Prerequisites: Vulnerable SharePoint instance exposed to the internet · Unpatched system
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by Viettel Cyber Security, sfewer-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/sharepoint_toolpane_rce.rb

This Metasploit module exploits CVE-2025-53771, an authentication bypass vulnerability in Microsoft SharePoint Server, combined with unsafe deserialization (CVE-2025-49704) to achieve unauthenticated remote code execution. It targets vulnerable SharePoint versions by leveraging a gadget chain in the DataSetSurrogateSelector class.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint Server (Subscription Edition, 2019, 2016, 2013)
No auth needed
Prerequisites: Network access to SharePoint Server · Vulnerable SharePoint version without patches for CVE-2025-53771 or CVE-2025-49704
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Microsoft SharePoint Server - Authentication Bypass
MEDIUM · VERIFIED · by daffainfo
Shodan: http.component:"sharepoint"

Scores

CVSS v3 6.5
EPSS 0.7379
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2025-07-22
VulnCheck KEV 2025-07-18
ENISA EUVD EUVD-2025-20552
Ransomware Use Confirmed
CWE CWE-287
Status published
Products (3)
microsoft/sharepoint_enterprise_server 2016
microsoft/sharepoint_server 2019
microsoft/sharepoint_server < 16.0.18526.20424
Published Jul 08, 2025
KEV Added Jul 22, 2025
Tracked Since Feb 18, 2026