What is Microsoft SharePoint?
Microsoft SharePoint is an enterprise collaboration and document management platform used extensively across government agencies, corporations, and educational institutions for intranet portals, file sharing, and workflow automation. SharePoint Server is the on-premises version, deployed within an organization's own data center. Because SharePoint is a central repository for sensitive documents, internal communications, and business processes, it is a high-value target for both espionage-motivated and ransomware threat actors. On-premises SharePoint deployments, particularly older, internet-facing versions, are an especially exposed attack surface.
Overview
Microsoft SharePoint Server contains an improper authentication vulnerability (CWE-287) that allows an unauthenticated network attacker to perform spoofing operations against the server. Successful exploitation allows an attacker to view sensitive information and make limited changes to disclosed information. The vulnerability is significant in context because:
- It chains with CVE-2025-49704 — the two vulnerabilities together provide a more impactful attack path
- CVE-2025-53771 is a patch bypass — the July 2025 patch for CVE-2025-49706 was subsequently bypassed; organizations should apply the CVE-2025-53771 update, which provides more robust protection
CISA issued an alert on July 20, 2025 (before the formal KEV addition on July 22) and set an unusually short remediation deadline of one day, indicating active exploitation at scale. The required action specifically calls for disconnecting public-facing EOL/EOS versions (SharePoint Server 2013 and earlier).
Affected Versions
| Product | Status |
|---|---|
| SharePoint Server 2013 and earlier | EOL — disconnect from public-facing networks immediately |
| SharePoint Server 2016 | Patch required (July 2025 CU) |
| SharePoint Server 2019 | Patch required (July 2025 CU) |
| SharePoint Server Subscription Edition | Patch required (July 2025 CU) |
| SharePoint Online (Microsoft 365) | Not affected — cloud-managed |
Technical Details
The vulnerability is an improper authentication flaw (CWE-287) in SharePoint Server's authentication handling. Under specific conditions, a remote unauthenticated attacker can bypass authentication checks and be treated as a legitimate user by the server, enabling:
- Reading sensitive SharePoint content the attacker is not authorized to access
- Making limited modifications to content accessible under the spoofed identity
- Providing a foothold for further exploitation when chained with CVE-2025-49704
The exploitation chain:
CVE-2025-49706 is frequently chained with CVE-2025-49704 to increase impact. CVE-2025-49704 provides an additional exploitation capability that, combined with the authentication bypass in CVE-2025-49706, creates a more damaging attack path — potentially enabling unauthorized data access or modification beyond what either vulnerability achieves alone.
CVE-2025-53771 (patch bypass): The initial July 2025 patch for CVE-2025-49706 was found to be incomplete. CVE-2025-53771 was assigned for the bypass, and Microsoft released an updated fix that provides more robust protection. Organizations should ensure they apply the CVE-2025-53771 patch, not only the original CVE-2025-49706 patch.
Attack characteristics:
- No authentication required — accessible to unauthenticated internet users if SharePoint is internet-facing
- Low complexity — no special conditions beyond network access
- Ransomware-associated — CISA flagged this as known to be used in ransomware attacks
Discovery
Microsoft reported active exploitation at the time of the July 8, 2025 advisory publication. CISA issued pre-KEV guidance on July 20, 2025, before formally adding the CVE to the catalog, indicating rapid escalation of exploitation activity.
Exploitation Context
The vulnerability was actively exploited at the time of public disclosure, and CISA issued emergency guidance in response. The one-day KEV remediation deadline (July 22–23) is among the shortest ever assigned, reflecting the severity of ongoing attacks. Ransomware operators have leveraged SharePoint Server vulnerabilities for initial access into enterprise networks, using SharePoint as a beachhead for lateral movement.
The specific call-out of EOL SharePoint versions (2013 and earlier) in CISA's required action reflects the significant number of organizations still running unsupported, public-facing SharePoint installations — particularly in government and older enterprise environments.
Remediation
- Disconnect EOL SharePoint versions immediately — SharePoint Server 2013 and earlier should be removed from any public-facing network position. These versions will not receive a patch.
- Apply the CVE-2025-53771 update — do not stop at the CVE-2025-49706 patch; the subsequent CVE-2025-53771 update provides more complete protection. Install the latest July 2025 Cumulative Update for your SharePoint version.
- Follow CISA and Microsoft guidance — review the CISA alert and the Microsoft Security Blog post for specific mitigation steps applicable to your environment.
- Move to SharePoint Online — for long-term risk reduction, migrate on-premises SharePoint to Microsoft 365/SharePoint Online, which is managed by Microsoft and receives automatic security updates.
- Review SharePoint logs — audit SharePoint Unified Logging Service (ULS) logs and web server logs for signs of unauthenticated access or unusual activity that occurred before the patch was applied, since exploitation was under way before the fix was available.
- Restrict internet exposure — if on-premises SharePoint must remain deployed, place it behind a WAF or reverse proxy that requires pre-authentication before reaching SharePoint.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-49706 |
| Vendor / Product | Microsoft — SharePoint |
| NVD Published | 2025-07-08 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-287 |
| CISA KEV Added | 2025-07-22 |
| CISA KEV Deadline | 2025-07-23 |
| Known Ransomware Use | Yes |
Timeline
| Date | Event |
|---|---|
| 2025-07-08 | CVE-2025-49706 published; Microsoft releases patch |
| 2025-07-20 | CISA issues alert on active SharePoint exploitation |
| 2025-07-22 | Added to CISA Known Exploited Vulnerabilities catalog; Microsoft Security Blog post published |
| 2025-07-23 | CISA BOD 22-01 remediation deadline (1 day — reflects active exploitation urgency) |
References
| Resource | Type |
|---|---|
| NVD — CVE-2025-49706 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Response Center — CVE-2025-49706 | Vendor Advisory |
| Microsoft Security Blog — Disrupting Active Exploitation of SharePoint Vulnerabilities | Vendor Advisory |
| CISA Alert — SharePoint Vulnerability Exploitation Guidance | US Government |