PatchSiren cyber security CVE debrief
CVE-2025-49706 Microsoft CVE debrief
CVE-2025-49706 is a Microsoft SharePoint improper authentication vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on the day it was published. CISA marks it as known to be used in ransomware campaigns and directs defenders to urgently remove exposure from public-facing SharePoint Server installations that are end-of-life or end-of-service, including SharePoint Server 2013 and earlier. For supported versions, follow Microsoft’s guidance and CISA’s mitigation instructions; if mitigations are not available, discontinue use.
- Vendor: Microsoft
- Product: SharePoint
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2025-07-22
- Original CVE updated: 2025-07-22
- Advisory published: 2025-07-22
- Advisory updated: 2025-07-22
Who should care
Security teams responsible for Microsoft SharePoint, especially internet-facing SharePoint Server deployments, unsupported SharePoint versions, and organizations that must meet CISA KEV remediation deadlines.
Technical summary
The supplied corpus identifies the issue as an improper authentication vulnerability in Microsoft SharePoint. The CISA KEV entry in that corpus does not describe exploit mechanics, but it does confirm known exploitation and known use in ransomware campaigns. The highest-risk scenario CISA calls out is public-facing SharePoint Server deployments that have reached end-of-life or end-of-service. Supported versions should be handled according to vendor and CISA mitigation guidance.
Defensive priority
Urgent. Treat as an actively exploited SharePoint issue with ransomware-campaign association; prioritize exposed environments and complete remediation by the CISA due date.
Recommended defensive actions
- Disconnect any public-facing SharePoint Server installation that is end-of-life or end-of-service, including SharePoint Server 2013 and earlier.
- For supported SharePoint versions, follow the Microsoft security guidance and update guide referenced in the official Microsoft advisory.
- Apply the CISA mitigation instructions referenced in the KEV entry and verify that required protections are in place.
- If mitigations are unavailable, discontinue use of the product; for cloud services, follow the applicable BOD 22-01 guidance.
- Review internet-facing SharePoint assets first, then confirm that remediation is completed before the KEV due date.
Evidence notes
This debrief is based only on the supplied CISA KEV metadata and official links. The corpus provides the vulnerability name, publication date, KEV inclusion date, due date, and CISA’s required action. It does not include CVSS scoring or detailed exploit mechanics. CISA’s notes explicitly cite Microsoft’s security blog, Microsoft’s update guide for CVE-2025-49706, and the NVD record as official references.
Official resources
- CVE-2025-49706 CVE record: CVE.org
- CVE-2025-49706 NVD detail: NVD
- CISA Known Exploited Vulnerabilities catalog: CISA - Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the m
- Source item URL: cisa_kev
CVE-2025-49706 was published and modified on 2025-07-22. CISA added it to the Known Exploited Vulnerabilities catalog on 2025-07-22 and assigned a remediation due date of 2025-07-23.