CVE-2025-49706: 
vulnerability analysis and mitigation

CVE-2025-49706 is a spoofing vulnerability in Microsoft Office SharePoint that allows an unauthorized attacker to perform spoofing over a network. The vulnerability was initially disclosed on July 8, 2025, and has been actively exploited in the wild. It affects multiple versions of SharePoint, including SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (NVD, CISA Alert).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-287 (Improper Authentication). When chained with CVE-2025-49704, a remote code execution vulnerability, it enables unauthorized access to on-premise SharePoint servers (NVD, Microsoft Security).

The vulnerability, when exploited, allows attackers to gain unauthorized access to systems and perform network spoofing. When combined with CVE-2025-49704, attackers can fully access SharePoint content, including file systems and internal configurations, and execute code over the network. The vulnerability chain has been observed being used in ransomware attacks (CISA Alert).

Microsoft has released comprehensive security updates for all supported versions of SharePoint Server. Organizations should immediately apply these updates, configure Antimalware Scan Interface (AMSI) in SharePoint, enable Full Mode, and deploy Microsoft Defender AV on all SharePoint servers. Additional mitigations include rotating ASP.NET machine keys, restarting IIS on all SharePoint servers, and disconnecting public-facing versions of SharePoint Server that have reached their end-of-life from the internet (CISA Alert, Microsoft Security).