Why CVE-2025-53770 and CVE-2025-53771 do not affect SharePoint Online, even though they exploit how SharePoint processes serialized input in on-prem environments. (22-07-2025)

Preface: About a decade ago, a technical white paper evaluated how many cybersecurity experts a bank should hire to manage cybersecurity.

Although Tier 1 financial institutions run information security controls in-house, the paper judged their effectiveness not comparable to that of managed security services; the examples at the time were the AWS cloud and its cybersecurity controls. The details of these two CVE records now extend that story once again.

Background: The architectural differences between SharePoint Online (Office 365) and SharePoint Server (on-premises) in the context of vulnerabilities like CVE-2025-53770 and CVE-2025-53771.

According to Microsoft’s official guidance, these vulnerabilities affect only on-premises SharePoint Server installations (2016, 2019, and Subscription Edition) and do not impact SharePoint Online in Microsoft 365.

The reason SharePoint Online is not vulnerable involves multiple layers of architectural and operational differences, including:

Microsoft controls the infrastructure runtime environment.

In SharePoint Online, developers cannot deploy full-trust code or access server-side object models such as SPSite or SPWeb. This eliminates many attack vectors that exist in on-prem environments. SharePoint Online also sits behind intelligent proxy and request-filtering layers, which can detect and block unsafe deserialization attempts before they reach backend services.

Reference:

The SPWeb parameter in SharePoint refers to an object that represents a SharePoint website (or subsite) within a site collection. It is used in PowerShell cmdlets such as Get-SPWeb, New-SPWeb, Set-SPWeb, and Remove-SPWeb to interact with and manage these websites.

The term “SPSite parameter” generally refers to the parameters used with the Get-SPSite, New-SPSite, and Set-SPSite cmdlets in SharePoint PowerShell. These parameters specify or configure site collection properties such as the URL, owner, template, quota, or lock state.

Vulnerability details:

CVE-2025-53770 is a “deserialisation of untrusted data” vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary code on the SharePoint Server. CVE-2025-53770 covers the incomplete (partial) fix for CVE-2025-49704 that was released in Microsoft’s July 2025 scheduled security updates.

CVE-2025-53771 is a “path traversal”, “improper neutralisation”, and “improper input validation” vulnerability. CVE-2025-53771 covers the incomplete (partial) fix for CVE-2025-49706 that was released in Microsoft’s July 2025 scheduled security updates.

Ref: Avoiding exposure of vulnerable endpoints such as /_layouts/15/ToolPane.aspx to the internet is directly relevant to CVE-2025-53771 as well as CVE-2025-53770; the two vulnerabilities are chained together in the exploit known as ToolShell.
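A defender-side check tied to the exposure point above, added here as an illustration and not part of the original post or of Microsoft’s guidance: it parses constructed IIS W3C log lines and lists requests to /_layouts/15/ToolPane.aspx that arrived from outside an assumed internal address range, which is evidence the endpoint is reachable from the internet. The log content, the internal ranges, and the function names are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample IIS W3C log excerpt (not real traffic). The field order
# is declared by the #Fields header line, as in real IIS logs.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-20 10:01:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.1.20 200
2025-07-20 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.45 200
2025-07-20 10:02:15 10.0.0.5 GET /_layouts/15/toolpane.aspx - 443 CONTOSO\\bob 10.0.1.31 200
2025-07-20 10:03:40 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 - 198.51.100.7 401
"""

# Assumed internal address space for this constructed environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Endpoint named in the text; compared case-insensitively because IIS paths are.
WATCHED_PATH = "/_layouts/15/toolpane.aspx"


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C-format IIS log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_internal(ip: str) -> bool:
    """True if the client address falls inside one of the assumed internal nets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed_toolpane_hits(text: str) -> List[Dict[str, str]]:
    """Return ToolPane.aspx requests whose client IP is outside the internal ranges."""
    hits = []
    for row in parse_iis_log(text):
        if row.get("cs-uri-stem", "").lower() != WATCHED_PATH:
            continue
        if not is_internal(row.get("c-ip", "")):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_exposed_toolpane_hits(SAMPLE_IIS_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-method']} "
              f"{hit['cs-uri-stem']} user={hit['cs-username']} status={hit['sc-status']}")
```

Any hit from an external address means the endpoint is exposed and worth restricting at the edge regardless of the response status, since the page's point is exposure, not a specific request signature.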

Official announcement: please refer to the links below for details:

https://nvd.nist.gov/vuln/detail/CVE-2025-53770

https://nvd.nist.gov/vuln/detail/CVE-2025-53771
