Microsoft SharePoint 2019 - NTLM Authentication

Author: nu11secur1ty
type: remote
platform: windows
port: 
date_added: 2025-07-02  
date_updated: 2025-07-02  
verified: 0  
codes: CVE-2025-47166  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 52349.txt  
# Titles: Microsoft SharePoint 2019 NTLM Authentication
# Author: nu11secur1ty
# Date: 06/27/25
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/download/details.aspx?id=57462
# Reference:
https://www.networkdatapedia.com/post/ntlm-authentication-security-risks-and-how-to-avoid-them-gilad-david-maayan

## Description:
Microsoft SharePoint Central Administration improperly exposes
NTLM-authenticated endpoints to low-privileged or even brute-forced domain
accounts. Once authenticated, an attacker can access the `_api/web`
endpoint, disclosing rich metadata about the SharePoint site, including
user group relationships, workflow configurations, and file system
structures. The vulnerability enables username and password enumeration,
internal structure mapping, and API abuse.

Key issues include:
- NTLM over HTTP (unencrypted)
- No fine-grained access control on `_api/web`
- NTLM error codes act as oracles for credential validation

STATUS: HIGH-CRITICAL Vulnerability
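
For defenders, the credential-validation oracle described above is visible in the IIS logs of the Central Administration site. The following is an added example, not part of the original advisory or its PoC: it flags clients with repeated rejected logons on `/_api/web` and reports any account that then authenticates from the same address. The log field selection, the threshold of 5 and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

LOGON_FAILURE = "1326"  # Win32 ERROR_LOGON_FAILURE: the credentials were rejected

# Constructed sample log (assumed field selection, not from a real server).
# .50 is one normal NTLM handshake; .99 is five rejected logons, then a success.
SAMPLE_LOG = """
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2025-06-27 10:00:01 GET /_api/web 10626 - 10.10.0.50 401 2 5
2025-06-27 10:00:01 GET /_api/web 10626 - 10.10.0.50 401 1 2148074254
2025-06-27 10:00:01 GET /_api/web 10626 CORP\\alice 10.10.0.50 200 0 0
2025-06-27 10:05:10 GET /_api/web 10626 - 10.10.0.99 401 1 1326
2025-06-27 10:05:11 GET /_api/web 10626 - 10.10.0.99 401 1 1326
2025-06-27 10:05:12 GET /_api/web 10626 - 10.10.0.99 401 1 1326
2025-06-27 10:05:13 GET /_api/web 10626 - 10.10.0.99 401 1 1326
2025-06-27 10:05:14 GET /_api/web 10626 - 10.10.0.99 401 1 1326
2025-06-27 10:05:15 GET /_api/web 10626 - 10.10.0.99 401 1 2148074254
2025-06-27 10:05:15 GET /_api/web 10626 CORP\\spfarm 10.10.0.99 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the log's own #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_guessing(text, path="/_api/web", threshold=5):
    """Map client IP -> failure count and accounts that logged on afterwards."""
    failures = defaultdict(int)
    accounts = defaultdict(list)
    for r in parse_w3c(text):
        if r.get("cs-uri-stem", "").lower() != path:
            continue
        ip = r["c-ip"]
        # Count only rejected credentials; in this sample the 401s that belong
        # to an ordinary NTLM handshake carry other win32 status codes.
        if r["sc-status"] == "401" and r["sc-win32-status"] == LOGON_FAILURE:
            failures[ip] += 1
        elif r["sc-status"] == "200" and failures[ip] >= threshold:
            accounts[ip].append(r["cs-username"])
    return {ip: {"failures": n, "accounts_after": accounts[ip]}
            for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print(find_guessing(SAMPLE_LOG))
```

Counting every 401 would flag ordinary users, because each NTLM logon starts with unauthenticated 401 responses; filtering on the logon-failure status keeps the signal tied to rejected credentials.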


[+]Exploit:
```
    # NTLM Authentication + SharePoint Enumeration Tool Usage:
    python ntml.py -u http://10.10.0.15:10626 -U 'CORP\spfarm' -P 'p@ssw0rd' -v

    # Success output (highlight):
    [+] NTLM Authentication succeeded on http://10.10.0.15:10626/_api/web

    # Result: Full SharePoint metadata dump from the Central Admin instance

```

# Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47166/PoC)


# Time spent:
72:15:00


--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>