CVE Alert: CVE-2025-49706 - Microsoft - Microsoft SharePoint Enterprise Server 2016

CVE-2025-49706

MEDIUMCISA KEVExploitation active

Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

CVSS v3.1 (6.5)

Vendor

Microsoft, Microsoft, Microsoft

Product

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition

Versions

16.0.0 lt 16.0.5508.1000 | 16.0.0 lt 16.0.10417.20027 | 16.0.0 lt 16.0.18526.20424

CWE

CWE-287, CWE-287: Improper Authentication

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C

Published

2025-07-08T16:58:07.343Z

Updated

2025-08-18T17:51:32.166Z

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706

CISA KEV reference

AI Summary Analysis

Risk verdict

Active exploitation is underway according to the KEV; treat as priority 1.

Why this matters

Spoofing the authentication flow enables an unauthorised actor to impersonate legitimate users over the network, potentially accessing confidential SharePoint resources. With on‑premises deployments still common in enterprises, the impact includes data exposure, content tampering, and disruption of collaboration workloads, prioritised by exposed internet‑facing or poorly segmented endpoints.

Most likely attack path

Remotely exploitable without user interaction or privileges required; network access suffices. An attacker can spoof identities to gain access to SharePoint assets, with partial technical impact and no prerequisites on user action, making rapid lateral movement within affected environments plausible if initial access is successful.

Who is most exposed

On‑premises SharePoint Server installations (2016, 2019, and Subscription Edition) that are reachable from untrusted networks or lack current patches; older, unsegmented deployments are highest risk.

Detection ideas

Sudden successful authentications or session creations from unusual or new source IPs for known accounts.
Reused or anomalous tokens/sessions consistent with spoofing activity.
Access to sensitive libraries or documents from unexpected origins or outside normal working patterns.
Unexplained privilege-level changes or atypical authentication methods seen in logs.
Alerts triggered by atypical authentication sequences around SharePoint endpoints.

Mitigation and prioritisation

Apply the official fix for all affected versions; validate in staging prior to wide deployment.
If patching is delayed, restrict access to SharePoint servers from untrusted networks or enforce strict allowlists and MFA on remote access.
Enhance network segmentation, monitor for token anomalies, and strengthen identity/GW controls (SIEM/EDR coverage).
Verify patch application with regression checks on authentication flows and content access.
Because exploitation is active, treat as priority 1. Note: EPSS not provided in this dataset; would inform broader urgency if available.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: CVE, cve-2025-49706, microsoft, microsoft-sharepoint-enterprise-server-2016, microsoft-sharepoint-server-2019, microsoft-sharepoint-server-subscription-edition, OSINT, threatintel

CVE Alert: CVE-2025-49706 – Microsoft – Microsoft SharePoint Enterprise Server 2016