PT-2025-28603 · Microsoft · SharePoint Server

Published 2025-07-08 · Updated 2025-10-30 · CVE-2025-49706

CVSS v2.0: 7.5
Vector: AV:N/AC:L/Au:S/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Microsoft SharePoint Server (affected versions not specified)
Microsoft SharePoint Server Subscription Edition (affected versions not specified)
Microsoft SharePoint Foundation (affected versions not specified)

Description

An improper authentication vulnerability exists in Microsoft Office SharePoint, allowing an authorized attacker to perform spoofing over a network. This vulnerability, also known as “ToolShell”, has been actively exploited by multiple China-based groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, to target global government, military, and corporate sectors. The exploitation of this issue has resulted in the deployment of web shells and, in some cases, ransomware (Warlock). Over 100 organizations worldwide, including U.S. government agencies, have been targeted. The vulnerability allows attackers to bypass authentication with a single request, potentially gaining persistent access through stolen MachineKey configurations.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Improper Authentication

Weakness Enumeration

Related Identifiers

BDU:2025-08524
CVE-2025-49706
ZDI-25-580

Affected Products

SharePoint Server