Threats / Microsoft / CVE-2025-49706
CVE-2025-49706
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Microsoft SharePoint vulnerability
Microsoft SharePoint contains an improper authentication vulnerability (CWE-287) allowing authorized attackers to spoof identity over a network, potentially viewing sensitive information and modifying disclosed data.
Verdict
Today item, not a backlog item.
An authenticated attacker can bypass authentication controls in SharePoint to impersonate other users or escalate privileges, gaining unauthorized access to sensitive information and making unauthorized modifications. This vulnerability is actively exploited in ransomware campaigns.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Public proof-of-concept exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
56 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2025-07-22), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.99879 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Microsoft, SharePoint. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-287 Improper Authentication — weakness family: Authentication.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I authenticate to SharePoint with valid credentials and exploit the improper authentication mechanism to spoof my identity as a higher-privileged user.
Business
Unauthorized access to sensitive SharePoint data and potential lateral movement within the organization increases breach risk and data exfiltration exposure.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I use my spoofed identity to access restricted documents and information repositories that should be protected from my actual privilege level.
Business
Confidential business information, intellectual property, and strategic documents are exposed to unauthorized disclosure and competitive harm.
3
Lateral reach — past segmentation narrative 3
Attacker
I modify or delete critical SharePoint content while appearing as a trusted administrator or authorized user, covering my tracks.
Business
Data integrity is compromised, audit trails are obscured, and business continuity is disrupted through unauthorized modifications or deletions of critical information.
4
Data at risk — exfiltration narrative 4
Attacker
I chain this vulnerability with CVE-2025-49704 to escalate my access and establish persistence within the SharePoint environment.
Business
The organization faces sustained compromise, enabling ransomware deployment, data encryption, and extortion demands from threat actors.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05