🗓️ 21 November 2025
⏱️ 14 minutes
| 0:00.0 | Hello and welcome to the Friday, November 21st, 2025 edition of the SANS Internet Storm Center's Stormcast. |
| 0:12.5 | My name is Johannes Ullrich, recording today from Jacksonville, Florida. |
| 0:16.9 | And this episode is brought to you by the SANS.edu bachelor's degree program in applied cyber security. Well, in diaries today, let's start with Oracle Identity Manager. In October, as part of its critical patch update that Oracle releases once a quarter, one critical vulnerability was patched in Oracle Identity Manager |
| 0:39.0 | that not only allows authentication bypass, but also remote code execution as part of that |
| 0:46.4 | authentication bypass. And with Oracle Identity Manager being sort of a critical part of the entire |
| 0:52.9 | Oracle ecosystem, this is certainly a big deal. |
| 0:57.0 | And Oracle Identity Manager was also sort of one of the issues behind the breach of |
| 1:02.8 | Oracle's cloud earlier this year. |
| 1:06.2 | Now, today Searchlight Cyber did release some details regarding this vulnerability. |
| 1:12.4 | And turns out exploitation is pretty straightforward, pretty simple for this vulnerability. |
| 1:19.9 | It's essentially a bug in the Oracle Identity Manager authentication logic that any URL that ends with .wadl will bypass authentication. |
| 1:32.4 | Now, typically if you just add .wadl, you end up with a different file it points to, and you get a |
| 1:39.4 | 404 error, so not much happens there, but if you do a semicolon .wadl, the authentication bypass |
| 1:47.6 | still works, and you're not pointing to a different URL. So this is basically what |
| 1:54.1 | Searchlight Cyber found and then reported to Oracle. Now, seeing that particular proof of concept URL that Searchlight Cyber published, |
| 2:04.5 | I went back through our honeypot logs to see if we already see any exploitation for |
| 2:10.8 | this vulnerability. |
| 2:12.3 | Well, I didn't see anything for today or the last couple days, but I did see some exploitation for the first week of |
| 2:21.1 | September so well before the vulnerability was actually patched and publicly known. |
| 2:28.3 | The URL that's being exploited there against our honeypots is slightly different, but still |
| 2:33.7 | uses that same semicolon |
| 2:35.4 | .wadl pattern. So maybe a different group found the same vulnerability. And given that they hit |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.