Microsoft SharePoint 2019 – NTLM Authentication

Exploit Details

Basic Information

Exploit Title: Microsoft SharePoint 2019 – NTLM Authentication
Exploit ID: EDB-ID:52349
Type: exploitdb
Published: 2025-07-02T00:00:00
Modified: 2025-07-02T00:00:00

CVSS Information

CVSS Score: 8.8
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE Information

  • CVE-2025-47166

Exploit Description

Titles: Microsoft SharePoint 2019 NTLM Authentication Author:…

Exploit Code

# Titles: Microsoft SharePoint 2019 NTLM Authentication

# Author: nu11secur1ty

# Date: 06/27/25

# Vendor: Microsoft

# Software: https://www.microsoft.com/en-us/download/details.aspx?id=57462

# Reference:

https://www.networkdatapedia.com/post/ntlm-authentication-security-risks-and-how-to-avoid-them-gilad-david-maayan

## Description:

Microsoft SharePoint Central Administration improperly exposes NTLM-authenticated endpoints to low-privileged or even brute-forced domain accounts. Once authenticated, an attacker can access the `_api/web` endpoint, disclosing rich metadata about the SharePoint site, including user group relationships, workflow configurations, and file system structures. The vulnerability enables username and password enumeration, internal structure mapping, and API abuse.

Key issues include:

– NTLM over HTTP (unencrypted)

– No fine-grained access control on `_api/web`

– NTLM error codes act as oracles for credential validation

STATUS: HIGH-CRITICAL Vulnerability
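
A defender can look for the credential-oracle pattern described above in the IIS logs of the Central Administration site. The following is an added example, not part of the original advisory or the author's PoC. It assumes W3C logging with the fields shown, that failed NTLM logons are recorded as 401.1 with Win32 status 1326, and an arbitrary threshold of three failures; the log lines are constructed.

```python
from collections import defaultdict

# 401.1 with Win32 status 1326 (ERROR_LOGON_FAILURE): wrong user name or password.
LOGON_FAILURE = ("401", "1", "1326")

# Constructed sample in IIS W3C format; addresses and accounts are invented.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2025-06-27 09:00:00 GET /_api/web - 10.10.0.77 401 2 5
2025-06-27 09:00:00 GET /_api/web - 10.10.0.77 401 1 2148074254
2025-06-27 09:00:00 GET /_api/web CORP\\alice 10.10.0.77 200 0 0
2025-06-27 09:05:01 GET /_api/web - 10.10.0.99 401 1 1326
2025-06-27 09:05:02 GET /_api/web - 10.10.0.99 401 1 1326
2025-06-27 09:05:03 GET /_api/web - 10.10.0.99 401 1 1326
2025-06-27 09:05:04 GET /_api/web - 10.10.0.99 401 1 1326
2025-06-27 09:05:05 GET /_api/web - 10.10.0.99 401 1 2148074254
2025-06-27 09:05:05 GET /_api/web CORP\\svc_demo 10.10.0.99 200 0 0
2025-06-27 09:10:00 GET /_layouts/15/start.aspx - 10.10.0.120 401 1 1326
2025-06-27 09:10:09 GET /_api/web CORP\\bob 10.10.0.120 200 0 0
"""


def find_ntlm_guessing(log_text, min_failures=3):
    """Return {client_ip: {"failures": n, "api_web_user": account or None}}
    for clients with at least min_failures logon failures (assumed threshold)."""
    fields = []
    stats = defaultdict(lambda: {"failures": 0, "api_web_user": None})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names chosen in the IIS logging config
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        entry = stats[row["c-ip"]]
        status = (row["sc-status"], row["sc-substatus"], row["sc-win32-status"])
        if status == LOGON_FAILURE:
            entry["failures"] += 1
        elif (row["sc-status"] == "200" and row["cs-username"] != "-"
              and row["cs-uri-stem"].lower().startswith("/_api/web")
              and entry["failures"] >= min_failures):
            # Authenticated read of _api/web after a run of bad passwords.
            entry["api_web_user"] = row["cs-username"]
    return {ip: s for ip, s in stats.items() if s["failures"] >= min_failures}


if __name__ == "__main__":
    for ip, hit in find_ntlm_guessing(SAMPLE_LOG).items():
        print(ip, hit)
```

The two 401 lines that open every normal NTLM handshake are not counted, so a regular user and a single mistyped password stay below the threshold.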

[+]Exploit:

```
# NTLM Authentication + SharePoint Enumeration Tool Usage:
python ntml.py -u http://10.10.0.15:10626 -U 'CORP\spfarm' -P 'p@ssw0rd' -v

# Success output (highlight):
[+] NTLM Authentication succeeded on http://10.10.0.15:10626/_api/web

# Result: Full SharePoint metadata dump from the Central Admin instance
```

# Reproduce:

[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47166/PoC)

# Time spent:

72:15:00



System Administrator – Infrastructure Engineer

Penetration Testing Engineer

Exploit developer at https://packetstormsecurity.com/

https://cve.mitre.org/index.html

https://cxsecurity.com/ and https://www.exploit-db.com/

0day Exploit DataBase https://0day.today/

home page: https://www.nu11secur1ty.com/

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

nu11secur1ty
