PatchDay Alert
Analysis · 6 min read · 1,169 words · By The Field Notes Desk · Field Notes

The 6.5 that enabled 400 compromises: authentication bypasses and the CVSS blind spot

CVE-2025-49706 scored CVSS 6.5. It enabled unauthenticated RCE across 400+ SharePoint servers. Authentication bypasses are consistently under-scored, and they are consistently the vulnerability class that turns a bad bug into a mass-exploitation campaign.


The obvious read

CVE-2025-49706 is a Microsoft SharePoint authentication bypass scored CVSS 6.5, Medium severity. A Referer header check treats requests appearing to come from SharePoint’s logout page as already authenticated. Spoofing the header is trivial. On its own, the bug allows limited information disclosure and spoofing. Not nothing, but not the kind of thing that dominates a threat briefing.

CVE-2025-49704, a code injection in SharePoint’s ToolPane endpoint, scored CVSS 8.8, High. That one got the attention. High severity, code execution, clear operational risk. If you triaged by score alone, you patched 49704 first and maybe got around to 49706 later.

What actually happened: three threat groups chained the two together for unauthenticated remote code execution across 400+ servers in 150+ organizations. CISA set a 24-hour remediation deadline. The 6.5 was the door. The 8.8 was what walked through it.

The pattern underneath

Authentication bypasses are the vulnerability class CVSS most consistently under-scores, and the one most consistently present in mass-exploitation campaigns.

The reason is structural, not accidental. CVSS 3.1 scores a vulnerability in isolation. It evaluates confidentiality, integrity, and availability impact for that single bug. CVE-2025-49706, on its own, allows spoofing and some information disclosure. Low confidentiality impact, low integrity impact, no availability impact. The math produces 6.5, and the math is not wrong on its own terms.

The problem is that the terms are wrong. CVSS has no mechanism to express what happens when two CVEs compound. A 6.5 auth bypass that removes the authentication requirement from an 8.8 code injection produces operational risk equivalent to a 9.8 unauthenticated RCE. That composite severity exists nowhere in either score. It exists nowhere in any scoring system in common use.

The downstream effect on triage is predictable. Organizations that sort their patch queues by CVSS score will consistently deprioritize the exact vulnerability class that enables mass exploitation. The auth bypass lands in the Medium bucket. The code execution bug it enables lands in High or Critical. By the time the code execution bug is patched, the auth bypass that made it remotely exploitable may still be sitting in next month’s maintenance window.

The evidence

The SharePoint ToolShell chain is not an outlier. It is the latest instance of a pattern that repeats roughly annually.

ProxyShell, 2021. Three Exchange vulnerabilities chained together: CVE-2021-34473 (SSRF), CVE-2021-34523 (privilege escalation via token deserialization), and CVE-2021-31207 (arbitrary file write). None delivered unauthenticated RCE individually. The three collectively stripped authentication from the request path. Mandiant documented mass exploitation within weeks of proof-of-concept publication.

Ivanti Connect Secure, January 2024. CVE-2023-46805, an authentication bypass scored CVSS 8.2, paired with CVE-2024-21887, a command injection scored 9.1. The bypass made the injection reachable without credentials. Volexity identified exploitation as early as December 3, 2023, weeks before public disclosure. CISA issued Emergency Directive 24-01.

Palo Alto PAN-OS, November 2024. CVE-2024-0012, an authentication bypass in the management interface, combined with CVE-2024-9474, a privilege escalation. Together they produced unauthenticated root access across 13,000+ exposed management interfaces. CrowdStrike’s post-incident note was blunt: “Adversaries circumvent severity ratings by chaining vulnerabilities together.”

Fortinet FortiOS, January 2025. CVE-2024-55591, an authentication bypass via Node.js websocket, scored 9.8 because in this case the auth bypass itself was terminal, granting super-admin privileges directly. Exploited since mid-November 2024. The high score is the exception that clarifies the rule: when an auth bypass is sufficient on its own, it scores high. When it merely opens the door for another bug, it scores medium. Attackers do not distinguish between the two.

In every case, the authentication bypass was the precondition for mass exploitation. Remove it, and the downstream vulnerability requires credentials, internal network access, or both. The attack surface shrinks from “everyone on the internet” to “someone who already has a foothold.”

Why auth bypasses break the scoring model

Most vulnerability classes have a roughly linear relationship between score and operational impact. A high-scoring RCE is worse than a medium-scored one. A critical injection is worse than a high one. Authentication bypasses break this pattern because their operational impact is a function of what they enable, not what they do.

CVE-2025-49706 demonstrates this precisely. SharePoint’s application-layer access check evaluates the Referer header on incoming requests. If the header points to /_layouts/SignOut.aspx, the check passes. The assumption is that a request referencing the logout page must have originated from within the SharePoint application. The Referer header is trivially forgeable by any HTTP client. That single conditional branch was the difference between “requires authentication” and “reachable by anyone on the internet.” The first patch was itself bypassed (CVE-2025-53771, CVSS 6.3), because the original design assumed a client-controlled header was trustworthy. That assumption, once embedded in the access check, was difficult to fully excise.
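The conditional described above is small enough to model. The block below is an added example, not SharePoint's code: it shows the flawed pattern (a client-controlled Referer short-circuiting the session check) beside a hardened check that ignores request headers entirely, and a hunting heuristic over constructed access-log lines that surfaces requests claiming to come from the logout page. The `/_layouts/SignOut.aspx` path is the one the article names; the request model, session store, log format and the `ToolPane.aspx` placeholder path are all constructed here.

```python
"""Vulnerable vs hardened access check around a client-controlled Referer,
plus a log-hunting heuristic for the spoofing pattern.

Added example, not the product's code. SIGNOUT_PAGE is the path named in
the article; everything else is constructed for illustration.
"""
from dataclasses import dataclass, field
import hmac

SIGNOUT_PAGE = "/_layouts/SignOut.aspx"


@dataclass
class Request:
    path: str
    headers: dict
    cookies: dict = field(default_factory=dict)


# Vulnerable pattern: the Referer short-circuits the real session check.
def is_authenticated_vulnerable(req: Request, valid_sessions: set) -> bool:
    referer = req.headers.get("Referer", "")
    if referer.endswith(SIGNOUT_PAGE):
        # The flawed branch: "came from our logout page, so it must be ours".
        # Any HTTP client can set this header, so anyone reaches this branch.
        return True
    return req.cookies.get("session") in valid_sessions


# Hardened form: only server-issued state decides authentication.
# Referer (or any other request header) plays no part in the decision.
def is_authenticated_hardened(req: Request, valid_sessions: set) -> bool:
    token = req.cookies.get("session")
    if not token:
        return False
    # constant-time comparison against each stored session id
    return any(hmac.compare_digest(token.encode(), s.encode()) for s in valid_sessions)


# Constructed IIS-style access-log lines: date time method path referer status.
# ToolPane.aspx here is a placeholder path, not taken from the product.
SAMPLE_LOG = [
    "2025-07-19 10:00:01 GET /_layouts/SignOut.aspx - 200",
    "2025-07-19 10:00:02 GET /sites/hr/default.aspx https://portal.example/_layouts/Login.aspx 200",
    "2025-07-19 10:00:03 POST /_layouts/ToolPane.aspx https://portal.example/_layouts/SignOut.aspx 200",
]


def flag_spoofed_signout_referer(lines):
    """Return (method, path) for requests whose Referer is the sign-out page
    but whose target is some other endpoint. A request to an application
    endpoint that claims to originate from the logout page is the pattern
    the article describes; treat hits as leads for review, not verdicts."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        method, path, referer = parts[2], parts[3], parts[4]
        if referer.endswith(SIGNOUT_PAGE) and not path.endswith(SIGNOUT_PAGE):
            hits.append((method, path))
    return hits


if __name__ == "__main__":
    sessions = {"constructed-session-id"}
    spoofed = Request("/_layouts/ToolPane.aspx",
                      {"Referer": "https://portal.example" + SIGNOUT_PAGE})
    print("vulnerable check admits spoofed request:", is_authenticated_vulnerable(spoofed, sessions))
    print("hardened check admits spoofed request:", is_authenticated_hardened(spoofed, sessions))
    print("log hits:", flag_spoofed_signout_referer(SAMPLE_LOG))
```

The hardened version is the structural fix the text alludes to: once no header can influence the decision, there is no second header-handling branch left to bypass, which is what the follow-up CVE-2025-53771 patch round suggests the first fix still had.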

What the data shows at scale

CISA added 245 vulnerabilities to the Known Exploited Vulnerabilities catalog in 2025. CWE-287 (Improper Authentication) accounted for roughly 6 of those entries, about 2.4% of the total. A small share.

But look at which campaigns those entries belong to. Ivanti Connect Secure. Fortinet FortiOS. SharePoint ToolShell. These were not minor exploitation events. They were the mass-exploitation campaigns that generated emergency directives, industry-wide threat briefs, and 24-hour remediation deadlines. A small number of auth bypass CVEs correlated with a disproportionate share of the year’s highest-impact incidents.

This is the scoring gap in practice. Authentication bypasses are rare enough in the KEV catalog that they look like noise in aggregate statistics. They are common enough in mass-exploitation campaigns that ignoring them is a reliable way to be caught unprepared.

What this means for prioritization

If your patch triage workflow sorts by CVSS score and works top-down, authentication bypasses will consistently land below the line. That is not a tooling failure. It is a design limitation in the scoring system itself.

The data suggests CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function) affecting internet-facing services carry operational risk closer to Critical than their base scores indicate. The score reflects the bug in isolation. Exposure is never in isolation.

This does not mean ignoring CVSS. It means recognizing that CVSS measures one axis of risk, and authentication bypasses reliably score low on that axis while scoring high on the axis CVSS does not measure: enabling other bugs to become remotely exploitable.

CCCS made a related observation in their advisory on ToolShell: hunting only for named indicators (the specific web shells Microsoft published) misses custom .NET payloads that accomplish the same objective. A similar dynamic applies to scoring. The indicators that matter most do not always carry the highest numbers.

What to watch

The pattern has a cadence. ProxyShell in 2021, Ivanti in 2024, PAN-OS in late 2024, FortiOS in early 2025, SharePoint in mid-2025. The next enterprise appliance or server product shipping an auth bypass chained with a downstream execution flaw is not a question of if. The question is whether triage processes will flag it before the score says to.

Until CVSS accounts for chaining, the gap between a 6.5 and 400 compromises will keep appearing in post-incident reports.
