Related vulnerability
Title:
Microsoft Office SharePoint Server authorization issue vulnerability
(CVE-2025-49706)
Description: Microsoft Office SharePoint Server is a web-based content management and collaboration tool from Microsoft (USA) designed for enterprise customers. It started life as an Office component and still depends heavily on Office, providing enterprise portals, document collaboration and similar functions; later versions integrate Office, Exchange, Lync, Project and Visio. Microsoft Office SharePoint Server has an authorization issue vulnerability. An attacker can exploit it to carry out a spoofing attack. The following products and versions are affected: M
Description
A deep dive into CVE-2025-49706, the SharePoint spoofing flaw now exploited in the wild for stealthy web shell deployment and privilege escalation.
Introduction
# 🚨 CVE-2025-49706 – SharePoint Spoofing Vulnerability Under Active Exploitation
**By Aditya Bhatt – VAPT Specialist | Red Teamer**
---
## 📌 TL;DR
Microsoft SharePoint Server is under active attack. CVE‑2025‑49706, a spoofing vulnerability originally rated medium severity, is now weaponized in the wild, and a **variant (CVE‑2025‑53770)** is being actively exploited as well. If you run on-prem SharePoint Server 2016, 2019 or Subscription Edition, **patch immediately**: the realistic outcome is full server compromise, not just spoofing.
---
## 🧠 The Vulnerability
**CVE‑2025‑49706** affects:
* **SharePoint Server 2016**
* **SharePoint Server 2019**
* **SharePoint Server Subscription Edition <16.0.18526.20424**
### ➤ Root Cause:
The issue lies in **improper authentication handling (CWE‑287)**. An attacker can craft requests that SharePoint treats as coming from a trusted context, which allows impersonation on its own and, once chained with a code-execution bug, elevation of privilege on the server.
### 🔒 CVSS Score:
* **6.3 (Medium)** – CVSS v3.1
The rating reflects the spoofing impact in isolation; as the first link in an exploit chain, the bug is far more dangerous than the number suggests.
---
## 🧪 PoC Simulation (Ethical Red Teaming Use Only)
> 🚫 **Disclaimer**: The steps below are strictly for **educational and defensive security purposes**. Any unauthorized use against production systems without consent is illegal and unethical.
### 🔧 Scenario: Authenticated SharePoint user abuses spoofed `POST` request to trigger system-level code execution via chained web shell drop.
### 🧾 Requirements:
* Authenticated low-priv SharePoint user
* Burp Suite / MITM proxy
* Access to `/sites/<vuln-site>/_layouts/15/SignOut.aspx`
* A target endpoint that mishandles spoofed headers
---
### 🔥 Steps Overview:
1. **Log in** to SharePoint with any authenticated user (no admin required).
2. **Intercept a legitimate request** to an endpoint that trusts request metadata (the simulation uses `SignOut.aspx` and `UserProfileService.asmx`) using Burp.
3. **Modify headers** the endpoint trusts. The header names below are placeholders for the simulation, not documented SharePoint headers:
```http
X-UserToken: spoofedtoken
X-Ms-Client-Request-Id: {malicious-guid}
```
4. **Replay the request** with an embedded payload (e.g., a dropper command or a hidden `.aspx` page).
5. Use **POST parameters** to upload the web shell. The form below sketches the shape of the upload step; it is not a verified SharePoint upload endpoint:
```html
<form action="/_layouts/15/upload.aspx" method="POST" enctype="multipart/form-data">
<input type="file" name="webshell.aspx">
</form>
```
6. **Navigate to** the dropped shell (`spinstall0.aspx`) and trigger system commands via query parameters.
<img width="1021" height="834" alt="Steps Overview_ - visual selection" src="https://github.com/user-attachments/assets/baee760d-7a63-4d01-8318-de81813e6432" /> <br/>
---
### ⚡ Outcome:
* The attacker now has a reverse shell or persistence implant on the server, reached through spoofed requests that never tripped the normal authentication/authorization checks.
* Chained with CVE-2025-53770: full **RCE** on the SharePoint host.
---
## ⚔️ Real-World Attacks: The “ToolShell” Campaign
Microsoft and security researchers have reported that CVE‑2025‑49706 is being **chained with other bugs** in active campaigns labeled **"ToolShell"**. This multi-phase attack:
* Chains **CVE‑2025‑49706** (authentication bypass/spoofing) with **CVE‑2025‑49704** (code execution); Microsoft later assigned **CVE‑2025‑53770** and **CVE‑2025‑53771** to variants of the same chain that bypass the July 8 fixes
* Drops **web shells** such as `spinstall0.aspx`
* Steals the server's **ASP.NET machine keys** (`ValidationKey`/`DecryptionKey`) through that shell; with those keys the attacker can forge validly signed `__VIEWSTATE` payloads and keep executing code even after the original bug is patched
* Hijacks **NT AUTHORITY\SYSTEM** via process injection
* Trips Defender detections named for the activity, e.g. `Exploit:Script/SuspSignoutReq.A` (the spoofed sign-out request) and `Trojan:Win32/HijackSharePointServer.A` (the web shell)
📌 *It’s a full compromise scenario.*
---
## 🧩 Detection & IOCs
If you're running Defender for Endpoint or Defender AV:
* Watch for alerts like:
  * `Possible web shell installation`
  * `Suspicious IIS Worker Behavior`
  * `HijackSharePointServer` (AV detection `Trojan:Win32/HijackSharePointServer.A`) and `Exploit:Script/SuspSignoutReq.A`
* Hunt for **spinstall0.aspx** (and any `.aspx` you did not deploy yourself) in:
  * `C:\inetpub\wwwroot\wss\VirtualDirectories\*`
  * the SharePoint hive, `%ProgramFiles%\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\`, where the in-the-wild shell was written
📁 **Other indicators:**
* IIS logs: `POST` requests whose `Referer` is `/_layouts/SignOut.aspx`, and any request at all for `spinstall0.aspx`
* Dropped binaries: `SuspSignoutReq.exe`, `sharepoint_helper.dll`
* Unexpected outbound connections or DNS lookups from the SharePoint host (`.onion` resolution, domains the server has never contacted before)
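As an added example (not code from the original post, and not Microsoft's own tooling), the PowerShell below hunts for the indicators above in the two places they show up first: the IIS W3C logs and the web-shell drop locations. It assumes the default IIS log field layout shown in the constructed sample; the `ToolPane.aspx` plus `SignOut.aspx` Referer request shape comes from Microsoft's published ToolShell guidance rather than from this page, and the sample log lines are made up for offline testing.

```powershell
# Added hunting example, not code from the original post or from Microsoft.
# Assumptions (not from the page): the IIS log uses the default W3C field layout given in the
# #Fields line of the constructed sample below; the ToolPane.aspx + SignOut.aspx Referer pattern
# is the ToolShell request shape from Microsoft's published guidance, not from this page.

function Find-SuspiciousSharePointRequests {
    param([Parameter(Mandatory)] [string[]] $LogLines)

    $fields = $null
    $hits   = New-Object System.Collections.Generic.List[object]
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {                 # W3C header line names the columns
            $fields = ($line.Substring(8).Trim()) -split ' '
            continue
        }
        if (-not $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        $reasons = @()
        if ($rec['cs-uri-stem'] -match 'spinstall0\.aspx$') {
            $reasons += 'request for known web shell name'
        }
        if ($rec['cs-method'] -eq 'POST' -and
            $rec['cs-uri-stem'] -match '/_layouts/(15/)?ToolPane\.aspx$' -and
            $rec['cs(Referer)'] -match 'SignOut\.aspx') {
            $reasons += 'POST to ToolPane.aspx with SignOut.aspx Referer'
        }
        if ($reasons.Count -gt 0) {
            $hits.Add([pscustomobject]@{
                Time    = '{0} {1}' -f $rec['date'], $rec['time']
                Client  = $rec['c-ip']
                Method  = $rec['cs-method']
                Uri     = $rec['cs-uri-stem']
                Referer = $rec['cs(Referer)']
                Reason  = ($reasons -join '; ')
            })
        }
    }
    return $hits
}

function Find-UnexpectedAspxFiles {
    # Flags spinstall0.aspx anywhere under the roots, plus any .aspx created after $Since
    # (set $Since to the time of your last legitimate deployment or patch).
    param(
        [datetime] $Since = (Get-Date).AddDays(-30),
        [string[]] $Roots = @(
            "$env:ProgramFiles\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
            'C:\inetpub\wwwroot\wss\VirtualDirectories'
        )
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'spinstall0.aspx' -or $_.CreationTimeUtc -ge $Since.ToUniversalTime() } |
            Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, Length
    }
}

# Constructed sample log: line 1 is benign, lines 2 and 3 mimic the campaign pattern.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:12:03 10.0.0.5 GET /sites/hr/_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 45
2025-07-19 10:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 812
2025-07-19 10:15:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 30
'@ -split "`r?`n"

Find-SuspiciousSharePointRequests -LogLines $sampleLog | Format-Table -AutoSize
# On a real server replace $sampleLog with:  Get-Content 'C:\inetpub\logs\LogFiles\W3SVC*\*.log'
Find-UnexpectedAspxFiles | Format-Table -AutoSize
```

Run it in an elevated SharePoint Management Shell on each web front end. The log parser reports the two constructed attack lines (the `ToolPane.aspx` POST with a `SignOut.aspx` Referer, then the fetch of `spinstall0.aspx`) and ignores the benign one; the file hunt is what catches a shell that was written but never requested through the front door, so check both even if the log side is clean.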
---
## 🛡️ Mitigation: What You MUST Do Now
### ✅ PATCH IMMEDIATELY
Install the **July 2025 Patch Tuesday updates**:
* SharePoint 2016 ➤ `KB5002744`
* SharePoint 2019 ➤ `KB5002741`
🔗 [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5002741)
The July 8 updates only partially closed the chain: the MSRC guidance for CVE-2025-53770 (linked in the references) points to the later July 2025 updates for SharePoint 2016, 2019 and Subscription Edition, which you also need. After patching, **rotate the ASP.NET machine keys** (Central Administration, or `Update-SPMachineKey` in the SharePoint Management Shell) and restart IIS with `iisreset`; a `ValidationKey` stolen before the patch lets the attacker keep executing code on a fully patched server.
### ✅ ENABLE AMSI + Defender AV
SharePoint's AMSI integration (on by default since the September 2023 security updates for 2016/2019 and the 23H2 feature update for Subscription Edition) passes each request to whatever AV engine is installed, so it only protects you if a scanner such as Defender Antivirus is present and running. Make sure real-time protection and script scanning are on. Note that `Set-MpPreference` has no `-EnableScriptScanning` parameter; the setting is `-DisableScriptScanning`, which you set to `$false`:
```powershell
Set-MpPreference -DisableScriptScanning $false      # script scanning on
Set-MpPreference -DisableRealtimeMonitoring $false  # real-time protection on
```
### ✅ BLOCK EXTERNAL ACCESS TEMPORARILY
If patching is delayed, **cut the SharePoint server off from the internet** (or restrict it to VPN/gateway access only) until it is patched and AMSI is confirmed enabled, so the initial exploit request never reaches it.
---
## 🧠 Pro Tip – Custom Threat Hunt Query (Defender):
```kusto
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName =~ "spinstall0.aspx"
    or (FileName endswith ".aspx"
        and FolderPath has_any (@"TEMPLATE\LAYOUTS", "VirtualDirectories")
        and InitiatingProcessFileName =~ "w3wp.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```
Use this KQL in **Microsoft 365 Defender Advanced Hunting** to detect web shell drops. A bare `FolderPath contains "inetpub"` clause matches every file IIS writes (logs included) and drowns the signal; restricting the second branch to `.aspx` files written by the IIS worker `w3wp.exe` into the SharePoint LAYOUTS hive or the virtual directories keeps the hits that matter. Any result for `spinstall0.aspx` should be treated as a confirmed compromise.
---
## 🔚 Final Words
This is not just a CVE with a 6.3 rating — it’s a **genuine lateral movement enabler**, already leveraged by sophisticated threat actors. If you’re running an on-prem SharePoint instance and haven’t patched since June 2025 — **you’re already a target**.
> 🛡️ Patch fast. Monitor logs. Hunt threats. Stay safe.
---
## 📚 References
* [CVE-2025-49706 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-49706)
* [Microsoft Customer Guidance for CVE-2025-53770](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770)
* [The Hacker News Coverage](https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html)
* [Wiz Threat Report](https://www.wiz.io/vulnerability-database/cve/cve-2025-49706)
---
## 👨💻 About the Author
I'm a cybersecurity practitioner with a strong focus on red teaming, vulnerability assessment, and offensive security. I’ve ranked in the top 2% on TryHackMe and built tools like KeySentry, PixelPhantomX, and ShadowHash that focus on key leakage detection, AI model evasion, and cryptographic operations.
I hold multiple certifications including CEH, CompTIA Security+, the Red Team Certificate from IIT Kanpur among others. I actively write for InfoSec WriteUps, where I share technical content for the security community, and I’ve contributed to Scopus-indexed research in cybersecurity and AI. I also regularly take part in hackathons and hands-on security challenges.
🔗 GitHub: [@AdityaBhatt3010](https://github.com/AdityaBhatt3010) <br/>
✍️ Medium: [@adityabhatt3010](https://medium.com/@adityabhatt3010) <br/>
💼 LinkedIn: [Aditya Bhatt](https://www.linkedin.com/in/adityabhatt3010/) <br/>
---
File snapshot
[4.0K] /data/pocs/c7a3f84d1b89ca0027bb33f9c0af1275a7bc319e
├── [1.0K] LICENSE
└── [6.6K] README.md
0 directories, 2 files
Notes
1. Access the original source first where possible.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.