SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, August 14th, 2025: Equation Editor; Kerberos Patch; XZ-Utils Backdoor; ForitSIEM/FortiWeb patches

SANS ISC Handlers

🗓️ 14 August 2025

⏱️ 7 minutes

Summary


CVE-2017-11882 Will Never Die
The (very) old equation editor vulnerability is still being exploited, as this recent sample analyzed by Xavier shows. The payload of the Excel file attempts to download and execute an infostealer to exfiltrate passwords via email.
https://isc.sans.edu/diary/CVE-2017-11882%20Will%20Never%20Die/32196
Windows Kerberos Elevation of Privilege Vulnerability
Yesterday, Microsoft released a patch for a vulnerability that had already been made public. The vulnerability is a privilege escalation that takes advantage of a path traversal issue in Windows Kerberos, affecting Exchange Server in hybrid mode.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53779
Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images
Some old Debian Docker images containing the xz-utils backdoor are still available for download from Docker Hub via the official Debian account.
https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images
FortiSIEM / FortiWeb Vulnerabilities
Fortinet patched already exploited vulnerabilities in FortiWeb and FortiSIEM.
https://fortiguard.fortinet.com/psirt/FG-IR-25-152
https://fortiguard.fortinet.com/psirt/FG-IR-25-448

Transcript

0:00.0

Hello and welcome to the Thursday, August 14th,

0:07.7

2025 edition of the SANS Internet Storm Center's Stormcast.

0:12.8

My name is Johannes Ullrich, recording today from Jacksonville, Florida.

0:18.8

This episode is brought to you by the sans.edu graduate certificate program in Purple Team

0:24.8

Operation.

0:26.9

Yesterday we talked about new Microsoft patches.

0:30.6

Well, sadly, old vulnerabilities appear to be still around, at least around enough

0:36.4

for attacks to still take advantage of them.

0:41.0

Xavier came across this slightly odd Excel spreadsheet. The extension is .xlam, which

0:48.5

usually hints at a macro file, but macros were not the problem here. Instead, it just exploited an old

0:58.0

2017 vulnerability, the good old equation editor vulnerability. So apparently there is still

1:05.1

enough of it around for attackers to give it a try every so often.

1:12.2

As Xavier points out, he keeps an old virtual machine around just for that purpose.

1:18.1

I think in most corporate environments, I hope it's not that easy to find these old systems

1:24.2

still running, but I have been surprised before.

1:28.3

The payload here is then essentially just triggering a download of an executable

1:34.3

that is being run on the victim's system, and this executable is an information stealer

1:41.3

that then exfiltrates data via email directly to an attacker's

1:47.6

mail server. Another sort of not-so-common technique,

1:52.0

given that outbound email via random mail services is often blocked.

1:57.7

So maybe more something going after home users or the like versus more

2:03.1

enterprise users. And talking about vulnerabilities and Microsoft's Patch Tuesday. There's one

...
