The explosive SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-53771) are already wreaking havoc across hundreds of organizations, exposing sensitive data and creating dangerous footholds for attackers.
In this episode of Exploited: The Cyber Truth, host Paul Ducklin sits down with Joe Saunders, CEO of RunSafe Security, and Ron Reiter, CTO and co-founder of Sentra, to break down what makes this vulnerability so severe, how attackers are bypassing authentication to gain full access, and why traditional patching strategies won’t close the door on risk.
Key topics include:
- The mechanics of the SharePoint exploit and its widespread impact
- How IT breaches can escalate into OT disruptions
- The critical role of customer trust and data protection beyond compliance
- The top three actions organizations must take immediately
If your IT or OT systems rely on secure data flow, this is an episode you can’t afford to miss.
Speakers:
Paul Ducklin: Paul Ducklin is a computer scientist who has been in cybersecurity since the early days of computer viruses, always at the pointy end, variously working as a specialist programmer, malware reverse-engineer, threat researcher, public speaker, and community educator.
His special skill is explaining even the most complex technical matters in plain English, blasting through the smoke-and-mirror hype that often surrounds cybersecurity topics, and helping all of us to raise the bar collectively against cyberattackers.
Joe Saunders: Joe Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics. He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.
Special Guest – Ron Reiter, CTO & Co-Founder of Sentra: Ron Reiter is CTO and Co-Founder at Sentra. Ron has over 20 years of hands-on tech and leadership experience in cybersecurity, cloud, big data, and machine learning. As a serial entrepreneur and seed investor, Ron has contributed to the success of several startups, including Axonius, Firefly, Guardio, Talon Cyber Security, and Lightricks, after founding a company acquired by Oracle.
Episode Transcript
Exploited: The Cyber Truth, a podcast by RunSafe Security.
[Paul] 00:00:06 Welcome back, everybody, to Exploited: The Cyber Truth. I am Paul Duckllin, joined as usual by Joe Saunders, CEO and founder of Run Safe Security. Hello, Joe. You’re on the road again, aren’t you?
[Joe] 00:00:21 I am on the road and it’s great to be here though. Look forward to the conversation. Paul.
[Paul] 00:00:25 Excellent, because we have a super special guest today. And that is Ron Writer, who is CTO and co-founder at Sentra. Hello, Ron.
[Joe] 00:00:35 Hi.
[Paul] 00:00:36 Now, Ron, today we are going to be talking about SharePoint Under Siege Anatomy of Vulnerabilities. So why don’t you start by what we mean by the SharePoint vulnerability. That was all over the news lately?
[Ron] 00:00:53 Sure. So the recent SharePoint vulnerability noted BV 2025 553770.
[Paul] 00:01:02 And there was a second one, wasn’t there, which is 53771.
[Ron] 00:01:07 Correct.
[Paul] 00:01:08 They kind of hunt as a team, if you like.
[Ron] 00:01:10 Sadly, the other name that the more common name was the tool shell exploit.
[Ron] 00:01:15 If I, if I remember correctly.
[Paul] 00:01:17 Yes. That’s right. And for our listeners, basically a shell is the Unix term for a window in which you can enter commands and the system will respond. So getting a shell on somebody else’s system loosely means you can tell it what commands to run, even though you’re not really supposed to.
[Ron] 00:01:37 Exactly. So the type of vulnerability is, I think, what hackers deem the most lucrative or the most the strongest type of vulnerability, which is the remote code execution vulnerability. Right?
[Paul] 00:01:50 RC yes.
[Ron] 00:01:52 That’s basically the ability to select a server and say, I’m going to execute whatever I want there take over the server and then from there. Do anything. Read the emails that are on the server. Hack into the organization from within that server or whatnot. That is the CV that was recently published.
[Paul] 00:02:15 It’s the one that kind of describes itself the best, isn’t it? Remote. The person could be on the other side of the world. Code is shorthand for program or programs.
[Paul] 00:02:26 Unknown. And execution means I ask you run it. So it literally is take over and ultimately, perhaps with a little bit of fiddling. Do whatever you want.
[Ron] 00:02:39 Correct. And what recently was announced, and I think the reason that is so this is such a, such a critical vulnerability, is that when a remote code execution vulnerability is known to the open right, if someone publishes it, someone talks about it, suddenly people know how to exploit that vulnerability and it becomes widespread knowledge. The question becomes how broad is the damage? So is there only one server that is open to the internet, or is millions of servers potentially could be open to the internet? And it’s also a combination, right? Like you have to have a server that is running it. But that server also has to be accepting connections from the outside world. So things like a mail server, an application server, a web server, these things are usually open to the internet because they welcome people to connect to them. Right.
[Ron] 00:03:39 And that’s exactly what happened.
[Paul] 00:03:41 And that’s the problem with something like SharePoint, isn’t it? The hint is in the name. It is the point from which you share stuff inside the company, outside the company, perhaps with suppliers, perhaps with contractors, perhaps with working from home employees, Ways, perhaps web pages that you want the general public to look at.
[Ron] 00:04:03 The numbers that I’ve collected, I’ve already heard about 400 different organizations that were actually directly affected by this hack. We don’t know if that’s the only number. We can only assume that the number is much, much greater.
[Paul] 00:04:17 It’s certainly not going to be less, is it?
[Ron] 00:04:22 Exactly. A month ago, there were at least 9000 servers that were exposed to the open internet. So from an impact perspective, you know, it’s definitely something very, very severe. And again, these are only the initial numbers. Of course the numbers could be much greater.
[Paul] 00:04:40 And I think it’s also important to mention at this point because we talked about two CVE numbers at the start.
[Paul] 00:04:47 The important one here of course is the remote code execution. But it’s sort of partner in crime, if you like, is what’s called a authentication bypass Heart vulnerability. That means not only can the initial exploit be triggered remotely. The person who’s triggering it doesn’t even have to have the most basic form of login on the targeted system. With a bit of effort, they can probably authorise themselves to get in and then, loosely speaking, implant any rogue executable code or malware that they like.
[Ron] 00:05:26 Completely correct. I think when we assess the impact that a remote code execution vulnerability, this is definitely one of the parameters, right? So the first parameter is how many servers are there in the world that are running this vulnerable software. And then the second question is how many of these are open to the internet. And then the third question is is the remote code execution vulnerability a type of vulnerability that requires you to be authenticated or not? Because if it’s an unauthenticated remote code execution, it’s definitely the worst type. Maybe I can give a small insight into what exactly that vulnerability means.
[Paul] 00:06:05 Please go ahead.
[Ron] 00:06:06 So basically what happened is that the hacker that found this vulnerability noticed that there is a way to get something called a machine key. And that key allows you to create something called a view state. Now it doesn’t really matter what a view state is, but what you need to know is that this view state contains something that if you can manipulate it, if you can change it, then you can put something in it. That is basically what you want to execute. Please take over the server. Please send me all of the passwords that you can find, or the emails that you can extract from the server. And if you can manipulate that view state, then you can essentially do whatever you want with the server. You can basically go and get that machine key, and then you can forge a malicious view state and then basically do whatever you want on that server. The SharePoint servers usually are servers that contain a lot of corporate data.
[Paul] 00:07:12 Now internally it’s actually IIs, isn’t it?
[Ron] 00:07:16 Yes.
[Paul] 00:07:16 If you have SharePoint running, you actually have an IIs server in the background doing all the webby stuff.
[Ron] 00:07:22 Right. And that server usually contains many more things. Not only the IIs server, which is a web server, it could potentially have other servers installed in the same machine, for example in Exchange Server. Right.
[Paul] 00:07:36 Absolutely.
[Ron] 00:07:37 So your emails could also be there.
[Paul] 00:07:39 Oh dear.
[Ron] 00:07:40 And it’s usually the case by the way usually people put the exchange server on the SharePoint servers because why not. Right. But even if it’s not taking over a server that is running Windows in a server environment probably means that you have access to other servers in the organization.
[Paul] 00:08:00 That SharePoint server probably itself communicates. Collects, manipulates, organizes data from far inside the network, not necessarily servers or services that are on the Windows network. They could be other servers, perhaps even out in the cloud, but do things like collect surveillance video, collect telemetry data from vehicle fleets, all sorts of stuff.
[Ron] 00:08:28 If you think about the two most sensitive things in an organization is usually the SharePoint server and the exchange server, right?
[Paul] 00:08:36 Yes.
[Ron] 00:08:36 What’s more sensitive than reading the emails of people and reading the internal knowledge base of everything that is owned by the organization, right?
[Paul] 00:08:46 Yes, you’ve got contracts, you’ve got calendars, you’ve got sales forecasts.
[Ron] 00:08:52 Yeah.
[Paul] 00:08:53 You might even have discussions about the last breach that you just had.
[Ron] 00:08:58 Exactly. And what about the IT materials? Right. What about the, maybe there are passwords that are stored in the SharePoint. These things happen all the time that will enable you to take over the organization.
[Paul] 00:09:10 Absolutely. And even worse for employees inside the organization. Many, if not most countries in the world these days, require employers to collect and hold very detailed what you might call know your customer information about their staff. So they probably have things like scans of driving licenses, scans of passports, tax return details, bank account details, medical insurance history, all of that sort of stuff.
[Joe] 00:09:42 And it might add, Paul, your list and Ron’s list is pretty scary in the first place. But let’s not forget intellectual property and even operational data.
[Joe] 00:09:53 The IP of an organization, when that gets stolen is obviously a devastating thing, and it’s a form of economic espionage and sabotage. And so when you see systems like this that are widespread, that do have these vulnerabilities and do provide access, the key is to look at what’s the motivation of the attackers trying to get in and what are they trying to do. And let’s just not forget intellectual property and and operational data.
[Paul] 00:10:17 Absolutely. I’m thinking about me. Oh no. They’ve got a scan of my driving license. But what if they’ve got, as you say, the intellectual property that makes the company valuable? Maybe they’ve not just got my driving license. Maybe they’ve potentially put my job on the line as well.
[Ron] 00:10:33 Either organizations need to protect their customers’ data or they need to protect their corporate data. So the customer data is what they need to protect to make sure that they are giving a loyal service to their customers or their customers’ customers, and making sure that they preserve the privacy and be compliant with the, you know, different privacy frameworks or compliance frameworks to protect that customer data.
[Paul] 00:11:02 Ron, can I just say how pleased I am to hear you talk about dealing with their loyalty to their customer first, before you said the word. Oh, and being compliant rather than just doing it the other way around and thinking, well, we’ll be compliant and then maybe they’ll think we’ve got some loyalty.
[Ron] 00:11:19 Of course.
[Paul] 00:11:20 I’m sure Joe agrees very strongly with that as well, because he’s very opposed to checkbox compliance, aren’t you, Joe?
[Joe] 00:11:27 Yeah, 100%.
[Ron] 00:11:28 If a customer gets hurt because he gave his details to an organization that couldn’t keep his private information private, then who can he trust? Right. This type of breach of trust is terrible, and every company that has and holds customer data has to really take care of it. And the second type of data is the corporate data. Right. So intellectual property is the number one example. Of course there are always contracts, business agreements, employee agreements. Things that you don’t want out or you don’t want the salaries of all of your employees out.
[Ron] 00:12:03 Some companies it may. Maybe it’s a small thing, but other companies, this could destroy the company. Right.
[Paul] 00:12:09 And it’s one thing if your competitors get it, it’s even worse if some kind of hostile enemy state, for want of a better way of putting it, gets hold of it. And instead of crowing over that, just squirrels that information away in a cupboard so that they can use it later, either for competitive advantage or for intelligence gathering, or for undermining the confidence of your own community.
[Ron] 00:12:37 Yeah, exactly. Some people call this SharePoint again, which is a funny term.
[Paul] 00:12:44 Yeah, maybe that maybe that’s going a bit too far. I suppose if it takes that to focus your mind on actually patching promptly and knowing what’s what in your organization.
[Ron] 00:12:55 Yeah. And now there’s basically a race. Every organization now is in a race to upgrade their SharePoint servers to, so that the hackers won’t actually exploit the vulnerability in time.
[Paul] 00:13:08 Role. At this point, can I just ask you whether I’m assuming correctly here, the fact that this vulnerability allows an attacker to extract things like machine keys.
[Paul] 00:13:21 That means that there’s no username, there’s no password, there’s no multi-factor authentication code required. So you just don’t show up in traditional logs, do you?
[Ron] 00:13:33 When this vulnerability was in Zero Day, no one knew up to the when the vulnerability was published that people actually used it. But since it was discovered, basically all of the different threat detection tools, cybersecurity tools, added a detection mechanism that allowed their security tool to automatically quickly find out if someone is using and exploiting that vulnerability.
[Paul] 00:14:01 So clearly patching is absolutely vital. If you haven’t patched yet, then it’s no longer a zero day, or even a one day, or a three day, or a 12 day. The wry term used is an end day, sometimes for very large values of n, so if you haven’t patched yet, you’re probably not sending out the best message to your customers or to your staff. But patching alone is not enough, is it. Because in cases like this, particularly where things like web servers or data sharing servers are involved, the attackers will almost always add an additional backdoor of their own.
[Paul] 00:14:42 Say something like a web shell that will keep on working even after the hole they used in the first place has been shut off.
[Ron] 00:14:50 Correct. If you look at the since day zero when this vulnerability was discovered, Basically all of the IT teams in the world had to make sure that all of their SharePoint servers are correctly patched, and the faster they do it, the safer they are. And after they patch, you’re very much correct. What they need to do is now to understand and analyze if there was an attack on their servers. They need to now go back to the logs and try to see if someone had tried to exploit that server. They need to investigate whether or not a malicious hacker managed to put some sort of backdoor in that server or steal information. And then, of course, if they discovered something like that, they have to disclose this, right? They have to make sure that if customer data was stolen, that they have to disclose it according to regulations or at least the newer regulations.
[Ron] 00:15:47 So, yeah, it definitely something that created a lot of work for the security teams and throughout the world.
[Paul] 00:15:53 Now, Joe, there’s yet another dimension to all of this, and that is that many organizations may have things like operational technology or industrial control system devices on a separate network that they may consider as largely insulated from the internet because it only ever connects to the internal network, for example, to upload telemetry data about what’s happening in a pump room, what’s happening in a pressure vessel, how many items the lathe has turned out today, etc. but often that interface may actually work in two directions. So if you can get a good footprint inside the IT network an attacker may be able to reach further and start messing with the things that actually make the physical parts of your business work. For example, if you’re a manufacturing company.
[Joe] 00:16:50 Yeah, no doubt. And certainly with operational technology and OT networks and IT networks converging the risk of somebody moving laterally, as Ron had said, and finding their way to other servers inside an organization’s overall networks is certainly possible.
[Joe] 00:17:07 And one of the great concerns, and especially if they somehow maintain some kind of persistent access. And with that, one of my concerns, of course, in attacks like this on SharePoint and all that is the operational data that ultimately finds its way back into the enterprise. Yes, for managing workloads and communicating capacity and forecasting future performance and and all that kind of information. But also then you may find your way into the plant room floor or to those systems that are out there. We did see something like that with Equifax going way back when, in fact, it went the other way. People found their way in through an OTT vendor’s web based infrastructure. And then once they were able to do that, they were traversed to the network and moving across and finding other things. So it goes both ways.
[Paul] 00:17:59 Yes, we had a great example of exposing more than you might initially have thought in a recent podcast. When we spoke to Gabriel Gonzalez of IoActive, didn’t we? And he spoke about an MQTT server that had been set up incorrectly, that by looking at and watching what was going on in that server, attackers could not only read out information about where every vehicle in a fleet was at any moment, which gives them an incredible amount of competitive information about a business or even about a society.
[Paul] 00:18:36 They could, in fact, also inject commands into the vehicles and do things like lock and unlock them. So not only do they know where your drivers are, they could go and steal all your cars as well. Knowing the information that’s coming out, the telemetry information that’s coming out of an industrial control network is Hugely valuable information, but sometimes being able to poke data back could actually affect the physical operation of the business up to and including people’s safety.
[Joe] 00:19:06 Absolutely. And, you know, I think it begs the question of thinking through your own risk management framework and what’s at risk in your enterprise and how you have set up to protect the different assets, the different corporate data, that you have to include your operational data, but also your intellectual property. And I think this set of vulnerabilities in this exposure that’s out there, run said 9000 servers and hundreds of organizations have already been affected, and those are the ones we know about. We need to ultimately go back and look at what’s the motivation of the people behind it, and what are they ultimately going after and, and try to anticipate when we do our own security planning to think about what kind of data do I want to protect?
[Paul] 00:19:48 So, Rob, maybe you could say something now about the kind of things that an organization One should do when they’re confronted by a set of vulnerabilities like this one.
[Paul] 00:20:00 It sounds very specific to start with. It’s only affecting the SharePoint server, but as you’ve pointed out, that could actually be the key or the gateway to the entire network, this vulnerability.
[Ron] 00:20:12 We look at what exactly happened. Those servers probably serve the organization itself, not external customers, which is another use case. But again, usually SharePoint servers are internal. That’s where network security comes in. A lot of times, the most basic network security could have probably avoided most of these issues. When you look at an organization, you want to make sure that you have layered defense mechanisms.
[Paul] 00:20:42 Yes.
[Ron] 00:20:43 The first layer that you want to make sure is the network layer. You want to make sure that people cannot physically access the server if they’re not supposed to access it. After you do that, then you can take care of the other layers, for example, patch management, security, posture of servers, stronger passwords and so forth. At the end of the day, you have to have a multi-layered approach here.
[Ron] 00:21:08 And with those 9000 servers that were open to the internet, they probably shouldn’t have been open to the internet.
[Paul] 00:21:15 So they could have been compromised in some other way. The attackers could have used a phishing attack, or they could have bought a password on the dark web, then found the SharePoint servers, then exploited them. That’s not impossible, but it’s very much harder than just going, hey, look! They left the front door open. If you’re exposing yourself unnecessarily, you’re just making it more likely that something bad is going to happen.
[Ron] 00:21:40 Exactly. There are three types of hackers. There is the script kiddies that usually look for the easy wins. If there is an open vulnerability, they’ll write a script. They’ll scan the internet and they’ll just go and see what open servers are they? Exploit them and try to get something out of it. Maybe some sort of quick ransomware attack with Bitcoin or something very generic? That’s one type. The second type is the ones that target organizations and they try to find ways to go in.
[Ron] 00:22:09 That’s where you want to make sure that you’re fortified from these attackers. And then there’s the third type, which is the nation state. You want to make sure that at least you’re not leaving out a trivial attack surface, so that every script that someone writes, because there is a new vulnerability that’s out, directly impacts your organization. And that’s something that every security leader must remember. You also have the commitment to know exactly what servers you have open to the internet, and how easy is it for people to exploit these servers. So that’s why pen testing is done regularly. That’s why scanners are used. What you don’t want to do is leave a server that has an open CV that is well known to the to the world, and it’s unpatched. That is the most irresponsible thing that a security person can do.
[Paul] 00:23:06 Absolutely. And if you don’t find it, you can be quite sure that the cybercriminals or the state sponsored attackers will. And unlike a typical cybersecurity researcher, they ain’t going to tell you exactly.
[Paul] 00:23:20 So, Joe, it sounds as though this is, if you like, another angle on bills of materials, isn’t it? Now, I know you’re very passionate about software bills of materials, and that’s obviously important here. But there’s a bit more to it than that, isn’t it? It also means that you need to know what the configuration of your network is, to make sure that connectivity only works in the way that you designed it to or intended it to, not the way it accidentally ended up getting implemented.
[Joe] 00:23:52 One of the things I picked up from what Ron had said is in this particular case. Yes, you can even patch the systems, but there’s still work to do, and finding out and going through your logs and finding out if someone has attempted an attack on your system is a key step. And unfortunately, in today’s environment, it’s hard enough to make sure people provide necessary patches or apply necessary patches. But it’s another thing to make sure that people go through the right steps to make sure they weren’t infected or compromised in the first place.
[Joe] 00:24:26 And so we do need to be vigilant in our operations, in managing our endpoints, in our systems and our servers. Yes, you have to apply the patch, but you also have to do some digging to see if you were compromised in the first place.
[Paul] 00:24:39 Yes, because it’s not unusual for attackers once they’re inside, particularly if they’re worried about other attackers following them in. To apply patches for you, basically close the door behind Find themselves, because after all, they’re already inside.
[Joe] 00:24:56 Yeah, and we don’t want anybody to be a sitting duck, let alone in the digital world where access to information and sensitive corporate data is at risk. So we’ve got to be more vigilant.
[Paul] 00:25:06 Joe, if there are duck puns to be done, I think we’ll leave them to me. This is very clearly something that’s not just, hey, Microsoft did a boo boo. This is Microsoft’s fault. I’ve seen a lot of stuff in the media waving fingers at Microsoft. And sure, you can criticize their developers for having these bugs in the first place.
[Paul] 00:25:29 My understanding is that there were bugs of this sort found and patched, but the patches weren’t quite enough and someone figured out how to get past the original patches. But Ron, as he said, this is no longer a zero day. It’s no longer even a one day, or a three day, or a 12 day. So anyone who hasn’t moved yet, there’s not much point in pointing the finger at anybody else. Maybe you just have to look in the mirror and go. There’s the person who can help me get this sorted out.
[Ron] 00:25:59 Yeah, I think vendors in general, I mean, that create software. There will always be vulnerabilities. I don’t think it’s fair to accuse Microsoft for having bad software, right? The more you’re successful, the more hackers try to target your software.
[Paul] 00:26:17 Indeed. And when you look at your typical Patch Tuesday updates, although people talk about the windows updates are out, it’s not windows in the same way that you might talk about bugs in the Linux kernel. It’s windows and hundreds of applications, broad and deep, that go along with it.
[Ron] 00:26:40 It’s up to the IT person to make sure that he doesn’t run software that is outdated. That is the number one cause for concern when it comes to hacking. And I think you know that the first thing that hackers do always is to look for publicly known CVEs, and just hope that the IT administrators have forgotten to upgrade the servers, because it sounds like it’s something that is trivial, but you would be surprised by how common untouched servers are in the internet.
[Paul] 00:27:13 So, Ron, I’m conscious of time. Maybe we can finish up by you just giving us three exercises or three simple steps that system administrators can take, regardless of whether they’re windows shops, Mac shops, Linux shops, or whatever, to make sure that they’re not just focusing on, oh, there’s a patch, I’ll apply it. What should they be doing to make sure that they have a good organization wide holistic view of cyber security?
[Ron] 00:27:43 I mentioned two of them already. I think the first one is the adoption of of network security. If you can make sure that your organization’s resources are only available to your organization’s employees.
[Ron] 00:28:00 That is the first step. So network security is a must. The second thing is a good patch management approach, right? Being able to know about every server and being able to immediately know if you have an untapped server. That’s the second thing. And I guess the third thing is to have a good understanding of where your sensitive data is. I think that’s the three things that every security leader needs to do in order to make sure that it’s not being surprised by such a hack.
[Paul] 00:28:32 If I can summarize maybe oversimplifying things, it’s okay to put all your eggs in one basket. If you watch that basket really carefully, but it’s much better to put only the eggs you need in baskets, in separate baskets, and to protect them separately, depending on the risk associated with each one.
[Ron] 00:28:57 Correct. So I would say know your data multi-layered approach to security and a good patch management program. That’s the three.
[Paul] 00:29:08 Excellent. I think that’s a great point on which to end. Gentlemen, thank you very much for your thoughtfulness, for your passion and for this in-depth discussion.
[Paul] 00:29:18 That is a wrap for this episode of Exploited the Cyber Truth. Thanks to everybody who tuned in and listened. If you find this podcast insightful, please don’t forget to subscribe! Please share the podcast with everyone in your team. Like and share it on social media as well. Thanks again for listening and remember. Stay ahead of the threat. See you next time.
