CVE-2025-49706

Description: Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.


CVE-2025-49706 is an authentication bypass affecting Microsoft SharePoint Server, allowing a remote unauthenticated attacker to reach the ToolPane page, located at the /_layouts/15/ToolPane.aspx URI. The auth bypass works if an attacker supplies the following elements to an HTTP request:

  • An HTTP Referer header with one of the values /_layouts/SignOut.aspx, /_layouts/14/SignOut.aspx, or /_layouts/15/SignOut.aspx.
  • An HTTP query parameter named DisplayMode with the value Edit.
  • An HTTP query parameter with any name and the value /ToolPane.aspx, so long as this is the last query parameter.
  • An HTTP form parameter named MSOTlPn_Uri with the full URL to the /_controltemplates/15/AclEditor.ascx endpoint.

If these items are supplied to an HTTP POST request, an attacker can successfully reach the ToolPane page, and in turn force an unsafe deserialization issue via a separate vulnerability, CVE-2025-49704. Chaining CVE-2025-49706 and CVE-2025-49704 together allows for unauthenticated RCE. This is the exploit chain discovered by security researcher Dinh Ho Anh Khoa (Viettel Cyber Security), and demonstrated at Pwn2Own Berlin 2025.

A full technical analysis of the exploit chain can be read here: https://blog.viettelcybersecurity.com/sharepoint-toolshell/
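For detection, the request elements listed above can be matched against web server logs. The following is an added example, not code from the original post or from Microsoft: it assumes IIS W3C extended logs that include the fields shown in the `#Fields` line, matches case-insensitively (an assumption), and uses hypothetical function names and a constructed sample log. The MSOTlPn_Uri form parameter travels in the POST body, which these logs do not record, so only the method, URI, query string, and Referer are checked.

```python
from urllib.parse import parse_qsl, urlsplit

SIGNOUT_PATHS = {"/_layouts/signout.aspx", "/_layouts/14/signout.aspx",
                 "/_layouts/15/signout.aspx"}
TOOLPANE_URI = "/_layouts/15/toolpane.aspx"

# Constructed sample log (IIS W3C extended format), not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-20 10:00:01 GET /_layouts/15/start.aspx - 192.0.2.10 - 200
2025-07-20 10:00:05 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 198.51.100.7 /_layouts/SignOut.aspx 200
2025-07-20 10:00:07 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&x=%2FToolPane.aspx 198.51.100.8 https://sp.example.test/_layouts/15/SignOut.aspx 200
2025-07-20 10:00:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 192.0.2.11 https://sp.example.test/sites/hr/home.aspx 302
2025-07-20 10:00:12 GET /_layouts/15/SignOut.aspx - 192.0.2.10 https://sp.example.test/ 200
"""

def referer_is_signout(referer):
    # The Referer may be a bare path or a full URL; compare only its path.
    return urlsplit(referer).path.lower() in SIGNOUT_PATHS

def matches_bypass_pattern(rec):
    """True when a log record carries every log-visible element of the bypass."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    if rec.get("cs-uri-stem", "").lower() != TOOLPANE_URI:
        return False
    if not referer_is_signout(rec.get("cs(Referer)", "-")):
        return False
    # parse_qsl keeps parameter order and percent-decodes names and values.
    params = parse_qsl(rec.get("cs-uri-query", ""), keep_blank_values=True)
    has_edit = any(k.lower() == "displaymode" and v.lower() == "edit"
                   for k, v in params)
    last_is_toolpane = bool(params) and params[-1][1].lower() == "/toolpane.aspx"
    return has_edit and last_is_toolpane

def flag_requests(log_text):
    """Return (date, time, client IP, status) for each matching request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the lines that follow
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            if matches_bypass_pattern(rec):
                hits.append((rec.get("date"), rec.get("time"),
                             rec.get("c-ip"), rec.get("sc-status")))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("possible CVE-2025-49706 attempt:", *hit)
```

A 200 status on a flagged request means the ToolPane page was served to that client, so those hosts are the ones to prioritise for follow-up.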


Author: lianccc
Published: July 24, 2025