SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday, May 2nd, 2025: PNG with RAT; Cisco IOS XE WLC Exploit; vBulletin Exploit

SANS ISC Handlers

Tech News, News, Technology

🗓️ 2 June 2025

⏱️ 6 minutes

Summary


A PNG Image With an Embedded Gift
Xavier shows how Python code attached to a PNG image can be used to implement a command and control channel or a complete remote admin kit.
https://isc.sans.edu/diary/A+PNG+Image+With+an+Embedded+Gift/31998
Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis
Horizon3 analyzed a recently patched flaw in Cisco Wireless Controllers. This arbitrary file upload flaw can easily be used to execute arbitrary code.
https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/
Don't Call That "Protected" Method: Dissecting an N-Day vBulletin RCE
A change in PHP 8.1 can expose methods previously expected to be safe. vBulletin fixed a related flaw about a year ago without explicitly highlighting the security impact of the fix. A blog post now exposed the flaw and provided exploit examples. We have seen exploit attempts against honeypots starting May 25th, two days after the blog was published.
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
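The first item concerns code appended after a PNG's end-of-image marker, which image viewers ignore. As an added example (not code from the diary or the podcast), the following Python walks the PNG chunk list up to the IEND chunk, returns whatever bytes follow it, and flags a ZIP local-file-header signature; the minimal PNG and the appended trailer are constructed inline so it runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG: IHDR, one IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def trailing_data(png: bytes) -> bytes:
    """Return every byte after the IEND chunk; a decoder stops there, a scanner should not."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        ctype = png[pos + 4:pos + 8]
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            return png[pos:]
    raise ValueError("no IEND chunk: truncated or malformed PNG")


def classify_trailer(trailer: bytes) -> str:
    """Label the trailer; a ZIP local file header is the pattern described in the diary."""
    if not trailer:
        return "clean"
    if trailer.startswith(b"PK\x03\x04"):
        return "zip-appended"
    return "unknown-appended"


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed sample: a fake ZIP local file header glued on after IEND.
    suspicious = clean + b"PK\x03\x04" + b"\x00" * 26 + b"payload.py"
    for name, blob in (("clean", clean), ("suspicious", suspicious)):
        trailer = trailing_data(blob)
        print(f"{name}: {classify_trailer(trailer)} ({len(trailer)} trailing bytes)")
```

Any non-empty trailer is worth a closer look regardless of label, since the appended blob need not start with a recognisable signature.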

Transcript

0:00.0

Hello and welcome to the Monday, June 2nd, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:08.0

My name is Johannes Ullrich and this episode, brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking, is recorded in Jacksonville, Florida.

0:21.5

Well, and in Diaries, we do have yet more fun with images from Xavier.

0:28.0

Xavier came across a PNG image that included malware.

0:32.4

Now, this one didn't use out of the steganography.

0:35.4

We have talked about a lot in the last couple of weeks.

0:37.9

Instead, it used sort of a simpler form

0:40.0

where the malicious code is just being appended to the image.

0:45.1

With PNG images, there is an end marker,

0:49.2

any data after the end marker is ignored,

0:52.2

meaning that if you display the image in a normal image viewer,

0:56.6

well, all will look fine because the script in the end is just ignored.

1:01.8

But as Xavier points out, the script or that data in the end is really just a little zip archive

1:08.3

that then unpacks into a Python script.

1:11.9

Now, one trick they're sort of doing here is that they are replacing the desktop wallpaper

1:18.5

with their own sort of little wallpaper.

1:21.8

Now, I consider this a little bit more proof of concept than actual malware, in part,

1:27.3

because, well, it's just of a very simple,

1:29.6

straightforward basic remote admin tool. Also, this particular wallpaper sounds more like

1:37.2

something that's sort of being done to indicate, hey, this is sort of something that could

1:41.6

be exploited rather than the exploit itself.

1:45.7

Regardless, VirusTotal detection for this image is very low, indicating that, well, there aren't really a lot of antivirus products that are, for example, looking for code being appended to an image like this, which should really always be considered malicious.

...
