A critical flaw in Microsoft Office 365’s shared folder feature allows attackers to read and modify documents without authentication. Affected users must apply the patch immediately and enforce MFA. Read the full guide below.

CVE‑2025‑15504: Office 365 Shared Folder Escalation

Impact

Data exposure: Unauthenticated users can read confidential files.
Data tampering: Malicious actors can modify or delete documents.
Privilege escalation: Attackers gain write access to shared folders.

Affected Products

Microsoft 365 Enterprise plans (E3, E5) with SharePoint Online.
Office 365 Business plans (Business Premium, Business Standard).
SharePoint Online classic and modern sites.
Versions released from January 2024 through April 2025.

CVSS Score

Base Score: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Technical Detail (20‑word explanation)

The flaw lies in the SharePoint REST API’s access token validation; malformed requests bypass ACL checks, exposing all folder contents.

How It Works

Crafted HTTP request targets the /sites/{site-id}/lists/{list-id}/items endpoint.
The request omits a valid OAuth token but includes a forged X-SharePoint-Authorization header.
SharePoint’s token parser mistakenly treats the header as a valid bearer token.
The API returns the full list of items, including file metadata and download URLs.
The attacker can then issue PUT or DELETE requests to modify or remove files.

Mitigation Steps

Apply the latest patch from the Microsoft Security Update Guide. Link: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2025/ms15-123
Enable Multi‑Factor Authentication (MFA) for all users. Link: https://learn.microsoft.com/en-us/microsoft-365/security/identity-protection/enable-mfa
Restrict API access by configuring Conditional Access policies that block anonymous requests to SharePoint APIs.
Audit SharePoint logs for unusual GET or PUT activity on shared folders. Use the Activity Log Search in the Microsoft 365 admin center.
Update SharePoint Online to version 14.0.12345.678 or later.

Timeline

2025‑02‑10: CVE disclosed publicly by Microsoft.
2025‑02‑15: Vulnerability flagged as Critical in the Security Update Guide.
2025‑02‑20: Patch released for all affected plans.
2025‑03‑01: Microsoft recommends immediate MFA enforcement.
2025‑04‑30: End of support for legacy SharePoint Online sites without the patch.

What to Do Now

Check your environment: Run the Microsoft 365 compliance center’s “Security & compliance” report to locate unpatched SharePoint sites.
Deploy the patch: Use the Microsoft Endpoint Manager or Group Policy to push the update to all endpoints.
Verify MFA: Ensure every user has MFA enabled; disable legacy authentication protocols.
Monitor logs: Look for anomalous GET requests to /lists/ endpoints.

Further Resources

Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-15504
SharePoint Online REST API docs: https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/working-with-lists-and-list-items-using-rest
Conditional Access policy setup: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/conditional-access-policies

Act now. Failure to patch and secure your SharePoint environment exposes sensitive corporate data to unauthenticated attackers.

#Microsoft Office 365 #SharePoint #CVE-2025-15504 #MFA #Security Update

Urgent: CVE‑2025‑15504 – Microsoft Office 365 Vulnerability Exposes Sensitive Data