
Microsoft has released emergency patches for two critical SharePoint vulnerabilities discovered at Pwn2Own Berlin, one of which allows completely unauthenticated attackers to compromise enterprise servers with just a single malicious request.
The primary critical vulnerability, CVE-2025-49706, dubbed ToolShell by the researcher, exploits a fundamental flaw in how SharePoint's ToolPane endpoint handles HTTP Referer headers.
This authentication bypass vulnerability (CVSS 6.5) requires no credentials whatsoever, allowing attackers to circumvent security controls and access protected APIs by simply manipulating HTTP headers in their requests.
"The exploit needs only one request. I'd name this bug ToolShell - ZDI did say the endpoint is ToolPane after all," tweeted Khoa Dinh, a researcher who discovered the vulnerability. The flaw is particularly dangerous for organizations worldwide.
The vulnerability stems from inadequate access restrictions within SharePoint's ToolPane functionality. Unlike typical SharePoint exploits that require compromised credentials or insider access, ToolShell significantly lowers the barrier to entry for cybercriminals targeting enterprise networks.
Compounding the threat is a second vulnerability, CVE-2025-49704, which enables authenticated attackers with Site Owner privileges to execute arbitrary code remotely. This critical remote code execution flaw (CVSS 8.8) results from improper input validation in SharePoint's code generation mechanisms, allowing attackers to inject and execute malicious code on targeted servers.
Together, these vulnerabilities create a substantial attack chain: CVE-2025-49706 provides unauthenticated access to SharePoint systems, potentially enabling attackers to escalate privileges and exploit the RCE vulnerability for complete system compromise.
The implications are significant for organizations relying on SharePoint for document management and collaboration. Successful exploitation could lead to unauthorized data access, complete server compromise, and substantial operational disruptions across enterprise environments.
Viettel Cyber Security researchers discovered both vulnerabilities and reported them through Trend Micro's Zero Day Initiative.
Microsoft has confirmed that security updates are now available through its Security Update Guide. Organizations must prioritize immediate deployment, implement web application firewalls to filter malicious ToolPane requests, and monitor for unusual authentication patterns indicating potential exploitation attempts.
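One way to start the monitoring step above is to triage IIS W3C logs for requests to the ToolPane endpoint that were served without an authenticated user. This is an added example, not code from Microsoft, ZDI or the researchers. The `toolpane` substring match, the `/PLACEHOLDER/` paths, the Referer value and the sample log lines are assumptions constructed for illustration.

```python
"""Flag anonymous, successfully served requests to a ToolPane endpoint in IIS W3C logs."""
from collections import defaultdict

# Assumption: the endpoint is recognised by this substring of cs-uri-stem,
# taken from the endpoint name in the article. Adjust to your farm's real paths.
ENDPOINT_MARKER = "toolpane"

# Constructed sample log: placeholder paths, documentation IP ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status
2025-07-10 08:01:12 GET /sites/hr/Pages/Home.aspx alice@example.com 198.51.100.7 - 200
2025-07-10 08:02:40 POST /PLACEHOLDER/ToolPane bob@example.com 198.51.100.9 https://sp.example/sites/hr 200
2025-07-10 08:03:05 POST /PLACEHOLDER/ToolPane - 203.0.113.50 /placeholder/referer 200
2025-07-10 08:03:09 POST /PLACEHOLDER/ToolPane - 203.0.113.50 /placeholder/referer 401
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def suspicious_requests(text):
    """Group anonymous 2xx requests to the endpoint by client IP."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        anonymous = row.get("cs-username", "-") == "-"  # "-" means no authenticated user
        on_endpoint = ENDPOINT_MARKER in row.get("cs-uri-stem", "").lower()
        served = row.get("sc-status", "").startswith("2")  # 401/403 were rejected
        if anonymous and on_endpoint and served:
            hits[row.get("c-ip", "?")].append(
                (row["date"], row["time"], row["cs-method"], row.get("cs(Referer)", "-"))
            )
    return dict(hits)


if __name__ == "__main__":
    for ip, events in suspicious_requests(SAMPLE_LOG).items():
        for date, time, method, referer in events:
            print(f"{date} {time} {ip} {method} referer={referer}")
```

Logging of `cs-username` and `cs(Referer)` must be enabled in the IIS site's W3C field selection for this check to see them.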