Hello and welcome to the Monday, November 17, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu master's degree program in information

security engineering. Well, the first story here is something that developed on Friday and really

sort of became more obvious on Friday, but there was sort of in development for the last few days before that.

And I'll sort of start here with the end.

And that's notice by 40 Net security announcement that there is a new vulnerability

in the 40 Web software.

The problem with this is that the patch, and in this case, for example, if you're on the 8

version, it would be version 802, was actually released a couple weeks ago.

So a couple weeks ago, 4DNet did upgrade their software, fixed a critical vulnerability.

CVS has score of 9.1, according to 40 Net, which I think is about appropriate.

But they didn't tell anybody about fixing this vulnerability.

So what happened last week is that the researchers pointed out some attacks.

They saw that basically looked like a version of an old warnability.

But, well, it was actually this new vulnerability.

And we then got, as usual, good write-up from Watchtower showing that this was essentially

a directory traversal that allowed access to this FWB-CGI binary, that then in turn allowed

an attacker to impersonate arbitrary users. And in doing so, basically, bypass access control. So the vulnerability

was very straightforward. You just needed a JSON payload with the user that you would like

to impersonate. And with that, you were all set in order to then gain access to the admin interface.

You also, over the weekend, did notice some of these attacks in our honeypots.

...