SANS Stormcast Monday, November 3rd, 2025: Port 8530/8531 Scans; BADCANDY Webshells; Open VSX Security Improvements
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 696 Ratings
🗓️ 3 November 2025
⏱️ 6 minutes
🧾️ Download transcript
Summary
Scans for WSUS: Port 8530/8531 TCP, CVE-2025-59287
We did observe an increase in scans for TCP ports 8530 and 8531. These ports are associated with WSUS and the scans are likely looking for servers vulnerable to CVE-2025-59287
https://isc.sans.edu/diary/Scans%20for%20Port%208530%208531%20%28TCP%29.%20Likely%20related%20to%20WSUS%20Vulnerability%20CVE-2025-59287/32440
BADCANDY Webshell Implant Deployed via
The Australian Signals Directorate warns that they still see Cisco IOS XE devices not patches for CVE-2023-20198. A threat actor is now using this vulnerability to deploy the BADCANDY implant for persistent access
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy
Improvements to Open VSX Security
In reference to the Glassworm incident, OpenVSX published a blog post outlining some of the security improvements they will make to prevent a repeat of this incident.
https://blogs.eclipse.org/post/mika l-barbero/open-vsx-security-update-october-2025
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello and welcome to the Monday, November 3, 2025 edition of the Sands Internet Storm Centers. |
| 0:11.8 | Stormcast, my name is Johannes Ulrich, recording today from Jacksonville, Florida. |
| 0:17.5 | And this episode is brought you by the Sands.edu undergraduate certificate program in cybersecurity fundamentals. |
| 0:25.4 | It was just about a week ago that we got from Microsoft the emergency update for the Windows Server Update service. |
| 0:32.6 | This update fixed and already at the time exploited vulnerability that can lead to remote code |
| 0:40.6 | execution. Well, since the warnability now has been made public and also additional details |
| 0:47.0 | about the vulnerability have been made public, we have seen in our sensors an increase in scans for port 8530 and 8531, which are the two ports that are associated with was. |
| 1:02.6 | The first one is just plain TCP. |
| 1:05.6 | The second one is then also TCP, but with TLS for the 8530 scan rates went up from about 800 or so a day, |
| 1:18.3 | all the way up to in excess of 3,500. |
| 1:22.8 | And similar numbers for 8531, a little bit lower here, only about 3,000 counts here per day for 8531, |
| 1:34.1 | which is probably just because it's a little bit slower to scan TLS |
| 1:37.9 | if you actually want to go through the TLS handshake. |
| 1:42.9 | So assume that if you haven't exposed the WAS server, it has been found by now. |
| 1:50.3 | Now, many of these scans are being done by researchers. |
| 1:53.8 | I saw Shadow Server. |
| 1:55.5 | For example, in our data, doing some of these scans, Shadow Server will attempt to notify |
| 2:00.5 | entities of exposed servers, Shadow Server will attempt to notify entities off-exposed servers, |
| 2:03.1 | so please take those notifications serious. |
| 2:07.2 | The Australian Signals Directorate has published an advisory noting that an implant that they're |
| 2:13.5 | calling Bad Candy is being deployed to Cisco iOS XE devices that are still |
| 2:20.3 | warnable to CVE 202023-2198. So this is a 2023 vulnerability. Apparently it's still not patched. |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2025.