Editorial coverage · CVE-2025-49706
The 6.5 that was the door.
A spoofable Referer check on SharePoint's ToolPane endpoint scored CVSS 6.5 — Medium. Chained with CVE-2025-49704, it produced unauthenticated RCE across 400 SharePoint servers in a fortnight. CVSS measures the bug in isolation. Mass exploitation does not.
What we say
The 6.5 was the door. The 8.8 was what walked through it. Both numbers are correct on their own terms, and triaging the patch queue by either of them in isolation produced the same outcome the post-mortems described: the door was open the day the eight-point-eight bug got patched, and the door is what the ransomware operators needed.
CVSS scores a vulnerability against itself. CVE-2025-49706 — an unauthenticated Referer-header spoof against SharePoint’s ToolPane access check — confers limited information disclosure on its own and scores accordingly. Six-point-five. Medium. The score is not wrong. The score is answering a different question than the one the patch queue is asking. The patch queue wants to know which item to do first on a Wednesday morning when an operations team has bandwidth for two of the eight items in this month’s Microsoft list. CVSS answers “which of these is the most damaging bug in isolation,” and the auth bypass loses that question every time. The bug it removes the authentication requirement from is what mass-exploitation campaigns are built out of.
This is not a SharePoint observation. ProxyShell in 2021 was three Exchange CVEs, none of them unauthenticated RCE individually, that collectively produced unauthenticated RCE. Ivanti Connect Secure in January 2024 was an 8.2 auth bypass paired with a 9.1 command injection, exploited weeks before public disclosure. Palo Alto PAN-OS in November 2024 was an auth bypass on the management interface paired with a privilege escalation, against thirteen thousand internet-exposed appliances. The pattern repeats annually. The score on the auth-bypass component lands in the Medium bucket annually. The score on the downstream code-execution component lands in High or Critical annually. The triage process that sorts by the score does the expected thing annually.
The compliance dimension is where this stops being a tooling observation and becomes an audit problem. BOD 22-01 measures whether KEV-listed vulnerabilities were remediated inside the catalog’s deadline. KEV is the corrective signal that surfaces what CVSS cannot — it is, structurally, CISA’s response to exactly the gap that CVE-2025-49706 represents. CVE-2025-49706 sat at 6.5 on the patch queue through July 8 and into the July 19 exploitation window before KEV moved it on July 22. An organization sorting by CVSS would have patched 49704 on the eighth, left 49706 for next month, and met its internal patching SLA while the chain was being walked through the access check the SLA didn’t surface.
The narrow lesson is product-specific: any SharePoint farm exposed to the internet between July 8 and July 21 needs the post-incident review that 53770 demands, because the access-bypass piece was reachable the whole time. The wider one is structural. CVSS measures the bug; KEV measures the exploitation; the patch queue still mostly sorts by CVSS. A scoring system that cannot represent compounded severity is the floor on what the triage process can see. The auth bypass is where the cost of that floor lands, year after year, on the same pattern.
What NVD says
CWE-287 — improper authentication. CVSS 3.1 base 6.5, vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. Microsoft SharePoint Server treats requests carrying a `Referer` header pointing to `/_layouts/SignOut.aspx` as if they originated from inside the application's authenticated session, even when no session cookie is present. NVD names the spoofing surface and the impact correctly. The record carries no field for compounded severity — what the score becomes when a co-resident High-rated code-execution bug (CVE-2025-49704) is reachable through the same access check. The 6.5 reflects the bug. The operational risk is what the bug enables.
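The spoofing surface NVD describes is also the detection surface: a request to the ToolPane page whose `Referer` claims the sign-out page is the pattern, with or without a session cookie. The following is an added example, not code from NVD, Microsoft or any cited vendor; it scans constructed IIS W3C log lines. The ToolPane path `/_layouts/15/ToolPane.aspx`, the field order, and the cookie names used as a confidence hint are assumptions not stated on this page.

```python
import re
from typing import Dict, List, Optional

# Assumed IIS W3C field order (constructed for this example):
# date time cs-method cs-uri-stem cs-uri-query sc-status cs(Referer) cs(Cookie)
FIELDS = ["date", "time", "method", "uri_stem", "uri_query", "status", "referer", "cookie"]

# The Referer value NVD names, with or without a hive version folder in the path.
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.IGNORECASE)
# ToolPane path is not stated on the page; /_layouts/15/ToolPane.aspx is assumed.
TOOLPANE_PATH = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
# Assumed SharePoint session cookie names. Windows-auth farms may legitimately carry
# none, so cookie absence only raises confidence; the Referer match is the finding.
AUTH_COOKIE = re.compile(r"\b(?:FedAuth|WSS_KeepSessionAuthenticated)=", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one W3C log line into named fields; skip '#' directives and malformed lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a finding for a ToolPane request whose Referer claims SignOut.aspx, else None."""
    if not TOOLPANE_PATH.search(rec["uri_stem"]):
        return None
    if not SIGNOUT_REFERER.search(rec["referer"]):
        return None
    no_cookie = rec["cookie"] == "-" or not AUTH_COOKIE.search(rec["cookie"])
    confidence = "high" if no_cookie else "medium"
    return (f"{rec['date']} {rec['time']} {rec['method']} {rec['uri_stem']} "
            f"referer=SignOut cookie={'absent' if no_cookie else 'present'} confidence={confidence}")


def scan(lines: List[str]) -> List[str]:
    """Apply classify() to every parseable line and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: a benign document-library view, a ToolPane request with a
# plausible in-app Referer and session cookie, and one with the spoofed Referer and no cookie.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status cs(Referer) cs(Cookie)
2025-07-18 09:14:02 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 200 https://sp.example.test/sites/finance FedAuth=REDACTED
2025-07-18 09:15:40 POST /_layouts/15/ToolPane.aspx - 200 https://sp.example.test/sites/finance/SitePages/Home.aspx FedAuth=REDACTED
2025-07-18 23:41:07 POST /_layouts/15/ToolPane.aspx - 200 /_layouts/SignOut.aspx -
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the third sample line is reported; the second, a ToolPane request with an in-application Referer and a session cookie, is the shape of legitimate edit-mode traffic and stays silent.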
What the vendor says
Microsoft's MSRC entry for CVE-2025-49706 categorizes it as a spoofing vulnerability in on-premises SharePoint Server (2016, 2019, Subscription Edition) and shipped the original fix in the July 8, 2025 update. The first patch was itself bypassed by CVE-2025-53771 (CVSS 6.3) before the July 21 out-of-band update replaced the access check with a more restrictive design. The advisory text frames the bug as `Referer`-header spoofing and lists the patch. It does not carry the dependency on CVE-2025-49704 that makes 49706 the precondition for unauthenticated RCE, and it does not direct operators to triage 49706 ahead of higher-scored items in the same Patch Tuesday queue.
Compliance impact
- FedRAMP: CISA added CVE-2025-49704 to the KEV catalog on July 17 and CVE-2025-53770 on July 20 with a 24-hour deadline; CVE-2025-49706 followed on July 22. KEV's purpose is to surface what CVSS does not — the auth-bypass component sat in BOD 22-01 backlogs at Medium severity until KEV elevated it. FedRAMP-authorized SharePoint environments that triaged July 8 by CVSS would have closed the 8.8 first and left the 6.5 open through the chain's most active exploitation week.
- SOX: SharePoint document libraries that hold SOX-relevant control evidence — change-management approvals, access-review attestations, vendor SOC reports — are reachable to anyone who can produce the spoofed `Referer` once the 49704 endpoint is also reachable. A Section 404 ITGC review of SharePoint patching that relies on a CVSS-sorted patch queue cannot demonstrate that 49706 was prioritized appropriately, because CVSS alone does not surface the chaining.
Sources
- NVD — CVE-2025-49706
- MSRC — CVE-2025-49706 Security Update Guide
- Unit 42 — Microsoft SharePoint CVE-2025-49704, CVE-2025-49706, CVE-2025-53770
- Microsoft Security Blog — Disrupting Active Exploitation of On-Premises SharePoint Vulnerabilities
- Eye Security — SharePoint Under Siege
- Trellix — ToolShell Unleashed: Decoding the SharePoint Attack Chain
- CISA Known Exploited Vulnerabilities Catalog
Every source on this list has been read by the editorial team. We do not cite something we have not opened.
Deeper read
Coverage in PatchDay Alert