# Title: Microsoft SharePoint 2019 NTLM Authentication
# Author: nu11secur1ty
# Date: 06/27/25
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/download/details.aspx?id=57462
# Reference: https://www.networkdatapedia.com/post/ntlm-authentication-security-risks-and-how-to-avoid-them-gilad-david-maayan

## Description:

Microsoft SharePoint Central Administration improperly exposes NTLM-authenticated endpoints to low-privileged or even brute-forced domain accounts. Once authenticated, an attacker can access the `_api/web` endpoint, disclosing rich metadata about the SharePoint site, including user group relationships, workflow configurations, and file system structures. The vulnerability enables username and password enumeration, internal structure mapping, and API abuse.

Key issues include:

- NTLM over HTTP (unencrypted)
- No fine-grained access control on `_api/web`
- NTLM error codes act as oracles for credential validation

STATUS: HIGH-CRITICAL Vulnerability

[+] Exploit:

```
# NTLM Authentication + SharePoint Enumeration Tool
Usage:
  python ntml.py -u http://10.10.0.15:10626 -U 'CORP\spfarm' -P 'p@ssw0rd' -v

# Success output (highlight):
[+] NTLM Authentication succeeded on http://10.10.0.15:10626/_api/web

# Result:
Full SharePoint metadata dump from the Central Admin instance
```

# Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47166/PoC)

# Time spent:
72:15:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/

nu11secur1ty <http://nu11secur1ty.com/>
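A defender-side detection for the credential-oracle behaviour listed under "Key issues", added here as an example and not part of the advisory or its PoC: it parses IIS W3C log lines (the sample log, its field order, IPs and usernames are constructed assumptions) and flags client IPs that accumulate NTLM logon failures (401.1) against `/_api/` paths, reporting whether the same source then obtained a 200, i.e. a guessed credential landed.

```python
import re
from collections import defaultdict

# Constructed sample IIS W3C log (not from the advisory). Field order is an
# assumption; adjust LINE_RE to match the #Fields line of a real log.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2025-06-27 10:00:01 10.10.0.15 GET /_api/web - 10626 - 192.0.2.7 python-requests/2.31 401 2
2025-06-27 10:00:02 10.10.0.15 GET /_api/web - 10626 - 192.0.2.7 python-requests/2.31 401 1
2025-06-27 10:00:03 10.10.0.15 GET /_api/web - 10626 - 192.0.2.7 python-requests/2.31 401 1
2025-06-27 10:00:04 10.10.0.15 GET /_api/web - 10626 - 192.0.2.7 python-requests/2.31 401 1
2025-06-27 10:00:05 10.10.0.15 GET /_api/web - 10626 CORP\\spfarm 192.0.2.7 python-requests/2.31 200 0
2025-06-27 10:00:06 10.10.0.15 GET /_api/web - 10626 - 192.0.2.9 curl/8.0 401 1
2025-06-27 10:00:07 10.10.0.15 GET /_layouts/15/start.aspx - 10626 CORP\\jdoe 192.0.2.20 Mozilla/5.0 200 0
2025-06-27 10:00:08 10.10.0.15 GET /_api/web - 10626 CORP\\jdoe 192.0.2.20 Mozilla/5.0 200 0
"""

# One W3C data line: 12 space-separated fields in the order declared above.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (?P<uri>\S+) (\S+) (\d+) (?P<user>\S+) "
                     r"(?P<c_ip>\S+) (\S+) (?P<status>\d{3}) (?P<sub>\d+)$")

def parse_iis(log_text):
    """Yield a dict per data line, skipping '#' directive lines and malformed rows."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line) if line and not line.startswith("#") else None
        if m:
            yield m.groupdict()

def find_ntlm_guessing(log_text, path_prefix="/_api/", min_failures=3):
    """Flag client IPs with >= min_failures NTLM logon failures (401.1) on the API
    path, and note whether the same IP then obtained a 200 there (a guess landed).
    401.2 is IIS's initial NTLM challenge and is expected even for valid users."""
    fails = defaultdict(int)
    landed = set()
    for rec in parse_iis(log_text):
        if not rec["uri"].startswith(path_prefix):
            continue
        ip = rec["c_ip"]
        if rec["status"] == "401" and rec["sub"] == "1":
            fails[ip] += 1
        elif rec["status"] == "200" and fails.get(ip, 0) >= min_failures:
            landed.add(ip)
    return {ip: {"failures": n, "success_after": ip in landed}
            for ip, n in fails.items() if n >= min_failures}

if __name__ == "__main__":
    for ip, info in find_ntlm_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} logon failures, success after: {info['success_after']}")
```

Pair this with enforcing HTTPS for the Central Administration site and restricting who may reach `_api/web`, which removes the two other issues the advisory lists.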