{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "nl", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." }, { "category": "description", "text": "Microsoft heeft informatie vrijgegeven over een actief misbruikte ZeroDay kwetsbaarheid in on-premises Microsoft SharePoint Server. Sharepoint Online (Microsoft 365) is niet geraakt.", "title": "Feiten" }, { "category": "description", "text": "De ZeroDay kwetsbaarheid, geïdentificeerd als CVE-2025-53770, stelt een aanvaller in staat om ongeautoriseerde code uit te voeren op de kwetsbare SharePoint Server. Dit kan leiden tot ernstige beveiligingsrisico's. Microsoft ontwikkelt momenteel een update om deze kwetsbaarheid te verhelpen, maar biedt in de tussentijd mitigaties aan om gebruikers te helpen hun omgevingen te beschermen.\n\nDe kwetsbaarheid is een variant van de eerder actief misbruikte kwetsbaarheid met kenmerk `CVE-2025-49706`. Voor deze kwetsbaarheid heeft het NCSC beveiligingsadvies NCSC-2025-0215 uitgebracht, waarvoor op 19 juli een update is verschenen met kans en inschaling HIGH/HIGH [1]\n\nEr is vooralsnog geen publieke exploit bekend, maar er wordt wel actief misbruik waargenomen. Wanneer Proof-of-Concept-code (PoC) of exploitcode publiek beschikbaar komt, verwacht het NCSC een significante toename in scanverkeer en pogingen tot misbruik.\n\n[1] https://advisories.ncsc.nl/advisory?id=NCSC-2025-0215", "title": "Interpretaties" }, { "category": "description", "text": "Microsoft werkt op dit moment aan updates om de kwetsbaarheid te verhelpen. Vooralsnog zijn uitsluitend mitigerende maatregelen beschikbaar om de risico's zo veel mogelijk te beperken. Het NCSC adviseert om met spoed onderstaande stappen te zetten in afwachting van een definitieve update:\n\n- Zet de meest recente updates in, waaronder de updates van juli 2025 waarvoor het NCSC beveiligingsadvies NCSC-2025-0215 heeft gepubliceerd.\n- Configureer de integratie met de Anti Malware Scan Interface (AMSI) binnen SharePoint. AMSI integratie is sinds september 2023 standaard actief, maar het is zinvol te controleren of integratie niet is uitgeschakeld in de tussentijd. Wanneer AMSI integratie actief is, is de kwetsbaarheid wel nog aanwezig, maar is misbruik niet mogelijk volgens Microsoft.\n- Zet Defender AV in op alle sharepoint omgevingen.\n- Indien AMSI uitgeschakeld is, en niet ingezet kan worden, adviseert Microsoft om de Sharepoint server **los te koppelen van het internet** en te wachten op de update om deze zo spoedig mogelijk in te zetten.\n\nZie verder bijgevoegde referenties voor meer informatie.", "title": "Oplossingen" }, { "category": "general", "text": "high", "title": "Kans" }, { "category": "general", "text": "high", "title": "Schade" }, { "category": "general", "text": "Deserialization of Untrusted Data", "title": "CWE-502" } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "Nationaal Cyber Security Centrum", "namespace": "https://www.ncsc.nl/" }, "references": [ { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770" }, { "category": "external", "summary": "Reference - ncscclear", "url": "https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/" }, { "category": "external", "summary": "Reference - ncscclear", "url": "https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration" } ], "title": "ZeroDay kwetsbaarheid ontdekt in Microsoft SharePoint Server", "tracking": { "current_release_date": "2025-07-20T08:34:22.645952Z", "generator": { "date": "2025-06-05T14:45:00Z", "engine": { "name": "V.A.", "version": "1.1" } }, "id": "NCSC-2025-0233", "initial_release_date": "2025-07-20T08:34:22.645952Z", "revision_history": [ { "date": "2025-07-20T08:34:22.645952Z", "number": "1.0.0", "summary": "Initiele versie" } ], "status": "final", "version": "1.0.0" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:microsoft/unknown", "product": { "name": "vers:microsoft/unknown", "product_id": "CSAFPID-1770545", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*" } } } ], "category": "product_name", "name": "Microsoft SharePoint Enterprise Server 2016" }, { "branches": [ { "category": "product_version_range", "name": "vers:microsoft/unknown", "product": { "name": "vers:microsoft/unknown", "product_id": "CSAFPID-1770546", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Microsoft SharePoint Server 2019" }, { "branches": [ { "category": "product_version_range", "name": "vers:microsoft/unknown", "product": { "name": "vers:microsoft/unknown", "product_id": "CSAFPID-1429583", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:sharepoint_server:-:*:*:*:subscription:*:*:*" } } } ], "category": "product_name", "name": "Microsoft SharePoint Server Subscription Edition" } ], "category": "product_family", "name": "Microsoft Office" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/n/a", "product": { "name": "vers:unknown/n/a", "product_id": "CSAFPID-2990034" } } ], "category": "product_name", "name": "Microsoft SharePoint Enterprise Server 2016" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/n/a", "product": { "name": "vers:unknown/n/a", "product_id": "CSAFPID-2990035" } } ], "category": "product_name", "name": "Microsoft SharePoint Server 2019" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/n/a", "product": { "name": "vers:unknown/n/a", "product_id": "CSAFPID-2990036" } } ], "category": "product_name", "name": "Microsoft SharePoint Server Subscription Edition" } ], "category": "vendor", "name": "Microsoft" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-53770", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "notes": [ { "category": "other", "text": "Deserialization of Untrusted Data", "title": "CWE-502" } ], "product_status": { "known_affected": [ "CSAFPID-1770545", "CSAFPID-2990034", "CSAFPID-1770546", "CSAFPID-2990035", "CSAFPID-1429583", "CSAFPID-2990036" ] }, "references": [ { "category": "self", "summary": "CVE-2025-53770 | NCSC-NL Website", "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53770.json" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL" }, "products": [ "CSAFPID-1770545", "CSAFPID-2990034", "CSAFPID-1770546", "CSAFPID-2990035", "CSAFPID-1429583", "CSAFPID-2990036" ] } ], "title": "CVE-2025-53770" } ] }