SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

Automated Tools to Assist with DShield Honeypot Investigations https://isc.sans.edu/diary/Automated%20Tools%20to%20Assist%20with%20DShield%20Honeypot%20Investigations%20%5BGuest%20Diary%5D/32038 EchoLeak: Zero-Click Microsoft 365 Copilot Data Leak Microsoft fixed a vulnerability in Copilot that could have been abused to exfiltrate data from Copilot users. Copilot mishandled instructions an attacker included in documents inspected by Copilot and executed them. https://www.aim.security/lp/aim-labs-echoleak-blogpost Thunderbolt Vulnerability Thunderbolt users may be tricked into downloading arbitrary files if an email includes a mailbox:/// URL. https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/

Transcribed - Published: 13 June 2025

Quasar RAT Delivered Through Bat Files Xavier is walking you through a quick reverse analysis of a script that will injection code extracted from a PNG image to implement a Quasar RAT. https://isc.sans.edu/diary/Quasar%20RAT%20Delivered%20Through%20Bat%20Files/32036 Delayed Windows 11 24H2 Rollout Microsoft slightly throttled the rollout of windows 11 24H2 due to issues stemming from the patch Tuesday fixes. https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3570 An In-Depth Analysis of CVE-2025-33073 Patch Tuesday fixed an already exploited SMB client vulnerability. A blog by Synacktiv explains the nature of the issue and how to exploit it. https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 Connectwise Rotating Signing Certificates Connectwise is rotating signing certificates after a recent compromise, and will release a new version of its Screen share software soon to harden its configuration. https://www.connectwise.com/company/trust/advisories KDE Telnet URL Vulnerablity The Konsole delivered as part of KDE may be abused to execute arbitrary code via telnet URLs. https://kde.org/info/security/advisory-20250609-1.txt

Transcribed - Published: 12 June 2025

Microsoft Patch Tuesday Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202025/32032 Adobe Vulnerabilities Adobe released patches for 7 different applications. Two significant ones are Adobe Commerce and Adobe Acrobat Reader. All vulnerabilities patched for Adobe Commerce can only be exploited by an authenticated user. The Adobe Acrobat Reader vulnerabilities are exploited by a user opening a crafted PDF, and the exploit may execute arbitrary code. https://helpx.adobe.com/security/Home.html

Transcribed - Published: 11 June 2025

OctoSQL & Vulnerability Data OctoSQL is a neat tool to query files in different formats using SQL. This can, for example, be used to query the JSON vulnerability files from CISA or NVD and create interesting joins between different files. https://isc.sans.edu/diary/OctoSQL+Vulnerability+Data/32026 Mirai vs. Wazuh The Mirai botnet has now been observed exploiting a vulnerability in the open-source EDR tool Wazuh. https://www.akamai.com/blog/security-research/botnets-flaw-mirai-spreads-through-wazuh-vulnerability DNS4EU The European Union created its own public recursive resolver to offer a public resolver compliant with European privacy laws. This resolver is currently operated by ENISA, but the intent is to have a commercial entity operate and support it by a commercial entity. https://www.joindns4.eu/ WordPress FAIR Package Manager Recent legal issues around different WordPress-related entities have made it more difficult to maintain diverse sources of WordPress plugins. With WordPress plugins usually being responsible for many of the security issues, the Linux Foundation has come forward to support the FAIR Package Manager, a tool intended to simplify the management of WordPress packages. https://github.com/fairpm

Transcribed - Published: 10 June 2025

Extracting With pngdump.py Didier extended his pngdump.py script to make it easier to extract additional data appended to the end of the image file. https://isc.sans.edu/diary/Extracting%20With%20pngdump.py/32022 16 React Native Packages for GlueStack Backdoored Overnight 16 npm packages with over a million weekly downloads between them were compromised. The compromised packages include a remote admin tool that was seen before in similar attacks. https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem Atomic MacOS Stealer Exploits Clickfix MacOS users are now also targeted by fake captchas, tricking users into running exploit code. https://www.cloudsek.com/blog/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers Microsoft INETPUB Script Microsoft published a simple PowerShell script to restore the inetpub folder in case you removed it by mistake. https://www.powershellgallery.com/packages/Set-InetpubFolderAcl/1.0

Transcribed - Published: 9 June 2025

Be Careful With Fake Zoom Client Downloads Miscreants are tricking victims into downloading fake Zoom clients (and likely other meeting software) by first sending them fake meeting invites that direct victims to a page that offers malware for download as an update to the Zoom client. https://isc.sans.edu/diary/Be%20Careful%20With%20Fake%20Zoom%20Client%20Downloads/32014 Python tarfile Vulnerability Recently, the Python tarfile module introduced a filter option to help mitigate some of the insecure behavior common to software unpacking archives. This filter is, however, not working quite as well as it should. https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/ Hewlett Packard Enterprise Insight Remote Support processAttachmentDataStream Directory Traversal Remote Code Execution Vulnerability HP fixed, among other vulnerabilities, a critical remote code execution vulnerability in Insight Remote Support (IRS) https://www.zerodayinitiative.com/advisories/ZDI-25-325/

Transcribed - Published: 6 June 2025

Phishing e-mail that hides malicious links from Outlook users Jan found a phishing email that hides the malicious link from Outlook users. The email uses specific HTML comment clauses Outlook interprets to render or not render specific parts of the email s HTML code. Jan suggests that the phishing email is intented to not expose users of https://isc.sans.edu/diary/Phishing%20e-mail%20that%20hides%20malicious%20link%20from%20Outlook%20users/32010 Amazon changing default logging from blocking to non-blocking Amazon will change the default logging mode from blocking to non-blocking. Non-blocking logging will not stop the application if logging fails, but may result in a loss of logs. https://aws.amazon.com/blogs/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/ Cisco Removes Backdoor Cisco fixed a Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7 Infoblox Vulnerability Details disclosed Details regarding several vulnerabilities recently patched in Infoblox s NetMRI have been made public. In particular an unauthenticated remote code execution issue should be considered critical. https://rhinosecuritylabs.com/research/infoblox-multiple-cves/

Transcribed - Published: 5 June 2025

vBulletin Exploits CVE-2025-48827, CVE-2025-48828 We do see exploit attempts for the vBulletin flaw disclosed about a week ago. The flaw is only exploitable if vBulltin is run on PHP 8.1, and was patched over a year ago. However, vBulltin never disclosed the type of vulnerability that was patched. https://isc.sans.edu/diary/vBulletin%20Exploits%20%28CVE-2025-48827%2C%20CVE-2025-48828%29/32006 Google Chrome 0-Day Patched Google released a security update for Google Chrome patching three flaws. One of these is already being exploited. https://chromereleases.googleblog.com/ Roundcube Update Roundcube patched a vulnerability that allows any authenticated user to execute arbitrary code. https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 HP Vulnerabilities in StoreOnce HP patched multiple vulnerabilities in StoreOnce. These issues could lead to remote code execution https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US

Transcribed - Published: 4 June 2025

Simple SSH Backdoor Xavier came across a simple SSH backdoor taking advantage of the ssh client preinstalled on recent Windows systems. The backdoor is implemented via an SSH configuration file that instructs the SSH client to connect to a remote system and forward a shell on a random port. This will make the shell accessible to anybody able to connect to the C2 host. https://isc.sans.edu/diary/Simple%20SSH%20Backdoor/32000 Google Chrome to Distrust CAs Google Chrome will remove the Chunghwa Telecom and Netlock certificate authorities from its list of trusted CAs. Any certificates issued after July 31st will not be trusted. Certificates issued before the deadline will be trusted until they expire. https://security.googleblog.com/2025/05/sustaining-digital-certificate-security-chrome-root-store-changes.html Microsoft Emergency Update to Fix Crashes Caused by May Patch Microsoft released an emergency update for a bug caused by one of the patches released in May. Due to the bug, systems may not restart after the patch is applied. This affects, first of all, virtual systems running in Azure and HyperV but apparently has also affected some physical systems. https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23h2#kb5058405-might-fail-to-install-with-recovery-error-0xc0000098-in-acpi-sys Qualcomm Adreno Graphics Processing Unit Patch (Exploited!) Qualcomm released an update for the driver for its Adreno GPU. The patched vulnerability is already being exploited against Android devices. https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html

Transcribed - Published: 3 June 2025

A PNG Image With an Embedded Gift Xavier shows how Python code attached to a PNG image can be used to implement a command and control channel or a complete remote admin kit. https://isc.sans.edu/diary/A+PNG+Image+With+an+Embedded+Gift/31998 Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis Horizon3 analyzed a recently patched flaw in Cisco Wireless Controllers. This arbitrary file upload flaw can easily be used to execute arbitrary code. https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/ Don't Call That "Protected" Method: Dissecting an N-Day vBulletin RCE A change in PHP 8.1 can expose methods previously expected to be safe . vBulletin fixed a related flaw about a year ago without explicitly highlighting the security impact of the fix. A blog post now exposed the flaw and provided exploit examples. We have seen exploit attempts against honeypots starting May 25th, two days after the blog was published. https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce

Transcribed - Published: 2 June 2025

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS Stormcast Monday, June 2nd, 2025: PNG with RAT; Cisco IOS XE WLC Exploit; vBulletin Exploit

Transcribed - Published: 2 June 2025

Alternate Data Streams: Adversary Defense Evasion and Detection Good Primer of alternate data streams and how they are abused, as well as how to detect and defend against ADS abuse. https://isc.sans.edu/diary/Alternate%20Data%20Streams%20%3F%20Adversary%20Defense%20Evasion%20and%20Detection%20%5BGuest%20Diary%5D/31990 Connectwise Breach Affects ScreenConnect Customers Connectwise s ScreenConnect solution was compromised, leading to attacks against a small number of customers. This is yet another example of how attackers are taking advantage of remote access solutions. https://www.connectwise.com/company/trust/advisories Mark Your Calendar: APT41 Innovative Tactics Google detected attacks leveraging Google s calendar solution as a command and control channel. https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender Defending a small Industrial Control System (ICS) against sophisticated threats can seem futile. The resource disparity between small ICS defenders and sophisticated attackers poses a significant security challenge. https://www.sans.edu/cyber-research/webs-deception-using-sans-ics-kill-chain-flip-advantage-defender/

Transcribed - Published: 30 May 2025

Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack Jennifer Wilson took a weird string found in a recent honeypot sample and worked with ChatGPT to figure out what it is all about. https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Exploring%20a%20Use%20Case%20of%20Artificial%20Intelligence%20Assistance%20with%20Understanding%20an%20Attack/31980 Ransomware Deployed via SimpleHelp Vulnerabilities Ransomware actors are using vulnerabilities in SimpleHelp to gain access to victim s networks via MSPs. The exploited vulnerabilities were patched in January. https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/ OS Command Injection in Everetz Equipment Broadcast equipment manufactured by Everetz is susceptible to an OS command injection vulnerability. Everetz has not responded to researchers reporting the vulnerability so far and there is no patch available. https://www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009

Transcribed - Published: 29 May 2025

SSH authorized_keys File One of the most common techniques used by many bots is to add rogue keys to the authorized_keys file, implementing an SSH backdoor. Managing these files and detecting unauthorized changes is not hard and should be done if you operate Unix systems. https://isc.sans.edu/diary/Securing%20Your%20SSH%20authorized_keys%20File/31986 REMOTE COMMAND EXECUTION ON SMARTBEDDED METEOBRIDGE (CVE-2025-4008) Weatherstation software Meteobridge suffers from an easily exploitable unauthenticated remote code execution vulnerability https://www.onekey.com/resource/security-advisory-remote-command-execution-on-smartbedded-meteobridge-cve-2025-4008 https://forum.meteohub.de/viewtopic.php?t=18687 Manageengine ADAuditPlus SQL Injection Zoho patched two SQL Injection vulnerabilities in its ManageEngine ADAuditPlus product https://www.manageengine.com/products/active-directory-audit/cve-2025-41407.html https://www.manageengine.com/products/active-directory-audit/cve-2025-36527.html Dero Miner Infects Containers through Docker API Kaspersky found yet another botnet infecting docker containers to spread crypto coin miners. The initial access happens via exposed docker APIs. https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/

Transcribed - Published: 28 May 2025

SVG Steganography Steganography is not only limited to pixel-based images but can be used to embed messages into vector-based formats like SVG. https://isc.sans.edu/diary/SVG%20Steganography/31978 Fortinet Vulnerability Details CVE-2025-32756 Horizon3.ai shows how it was able to find the vulnerability in Fortinet s products, and how to possibly exploit this issue. The vulnerability is already being exploited in the wild and was patched May 13th https://horizon3.ai/attack-research/attack-blogs/cve-2025-32756-low-rise-jeans-are-back-and-so-are-buffer-overflows/ Remote Prompt Injection in GitLab Duo Leads to Source Code Theft An attacker may leave instructions (prompts) for GitLab Duo embedded in the source code. This could be used to exfiltrate source code and secrets or to inject malicious code into an application. https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo

Transcribed - Published: 27 May 2025

Resilient Secure Backup Connectivity for SMB/Home Users Establishing resilient access to a home network via a second ISP may lead to unintended backdoors. Secure the access and make sure you have the visibility needed to detect abuse. https://isc.sans.edu/diary/Resilient%20Secure%20Backup%20Connectivity%20for%20SMB%20Home%20Users/31972 BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory An attacker with the ability to create service accounts may be able to manipulate these accounts to mark them as migrated accounts, inheriting all privileges the original account had access to. https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory Flaw in samlify That Opens Door to SAML Single Sign-On Bypass CVE-2025-47949 The samlify Node.js library does not verify SAML assertions correctly. It will consider the entire assertion valid, not just the original one. An attacker may use this to obtain additional privileges or authenticate as a different user https://www.endorlabs.com/learn/cve-2025-47949-reveals-flaw-in-samlify-that-opens-door-to-saml-single-sign-on-bypass

Transcribed - Published: 23 May 2025

New Variant of Crypto Confidence Scam Scammers are offering login credentials for what appears to be high value crypto coin accounts. However, the goal is to trick users into paying for expensive VIP memberships to withdraw the money. https://isc.sans.edu/diary/New%20Variant%20of%20Crypto%20Confidence%20Scam/31968 Malicious Chrome Extensions Malicious Chrome extensions mimick popular services like VPNs to trick users into installing them. Once installed, the extensions will exfiltrate browser secrets https://dti.domaintools.com/dual-function-malware-chrome-extensions/ Malicious VS Code Extensions Malicious Visual Studio Code extensions target crypto developers to trick them into installing them to exfiltrate developer secrets. https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/#indicators-of-compromise

Transcribed - Published: 22 May 2025

Researchers Scanning the Internet A newish RFC, RFC 9511, suggests researchers identify themselves by adding strings to the traffic they send, or by operating web servers on machines from which the scan originates. We do offer lists of researchers and just added three new groups today https://isc.sans.edu/diary/Researchers%20Scanning%20the%20Internet/31964 Cloudy with a change of Hijacking: Forgotten DNS Records Organizations do not always remove unused CNAME records. An attacker may take advantage of this if an attacker is able to take possession of the now unused public cloud resource the name pointed to. https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/ Message signature verification can be spoofed CVE-2025-47934 A vulnerability in openpgp.js may be used to spoof message signatures. openpgp.js is a popular library in systems implementing end-to-end encrypted browser applications. https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8

Transcribed - Published: 21 May 2025

RAT Dropped By Two Layers of AutoIT Code Xavier explains how AutoIT was used to install a remote admin tool (RAT) and how to analyse such a tool https://isc.sans.edu/diary/RAT%20Dropped%20By%20Two%20Layers%20of%20AutoIT%20Code/31960 RVTools compromise confirmed Robware.net, the site behind the popular tool RVTools now confirmed that it was compromised. The site is currently offline. https://www.robware.net/readMore Trojaned Version of Keepass used to install info stealer and Cobalt Strike beacon A backdoored version of KeePass was used to trick victims into installing Cobalt Strike and other malware. In this case, Keepass itself was not compromised and the malicious version was advertised via search engine optimization tricks https://labs.withsecure.com/publications/keepass-trojanised-in-advanced-malware-campaign Procolored UV Printer Software Compromised The official software offered by the makers of the Procolored UV printer has been compromised, and versions with malware were distributed for about half a year. https://www.hackster.io/news/the-maker-s-toolbox-procolored-v11-pro-dto-uv-printer-review-680d491e17e3 https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads

Transcribed - Published: 20 May 2025

xorsearch.py: Python Functions Didier s xorsearch tool now supports python functions to filter output https://isc.sans.edu/diary/xorsearch.py%3A%20Python%20Functions/31858 Pwn2Own Berlin 2025 Last weeks Pwn2Own contest in Berlin allowed researchers to demonstrate a number of new exploits with a large focus on privilege escalation and virtual machine escape. https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results Senior US Officials Impersonated in Malicious Messaging Campaign The FBI warns of senior US officials being impersonated in text and voice messages. https://www.ic3.gov/PSA/2025/PSA250515 Scattered Spider: TTP Evolution in 2025 Pushscurity provided an update on how Scattered Spider evolved. One thing they noted was that Scattered Spider takes advantage of legit dynamic domain name systems to make detection more difficult https://pushsecurity.com/blog/scattered-spider-ttp-evolution-in-2025/

Transcribed - Published: 19 May 2025

Web Scanning SonicWall for CVE-2021-20016 - Update Scans for SonicWall increased by an order of magnitude over the last couple of weeks. Many of the attacks appear to originate from Global Host , a low-cost virtual hosting provider. https://isc.sans.edu/diary/Web%20Scanning%20SonicWall%20for%20CVE-2021-20016%20-%20Update/31952 Google Update Patches Exploited Chrome Flaw Google released an update for Chrome. The update fixes two specific flaws reported by external researchers, CVE-2025-4664 and CVE-2025-4609. The first flaw is already being exploited in the wild. https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html https://x.com/slonser_/status/1919439373986107814 RVTools Bumblebee Malware Attack Zerodaylabs published its analysis of the RV-Tools Backdoor attack. It suggests that this may not be solely a search engine optimization campaign directing victims to the malicious installer, but that the RVTools distribution site was compromised. https://zerodaylabs.net/rvtools-bumblebee-malware/ Operation RoundPress ESET Security wrote up a report summarizing recent XSS attacks against open-source webmail systems https://www.welivesecurity.com/en/eset-research/operation-roundpress/

Transcribed - Published: 16 May 2025

Another day, another phishing campaign abusing google.com open redirects Google s links from it s maps page to hotel listings do suffer from an open redirect vulnerability that is actively exploited to direct users to phishing pages. https://isc.sans.edu/diary/Another%20day%2C%20another%20phishing%20campaign%20abusing%20google.com%20open%20redirects/31950 Adobe Patches Adobe patched 12 different applications. Of particular interest is the update to ColdFusion, which fixes several arbitrary code execution and arbitrary file read problems. https://helpx.adobe.com/security/security-bulletin.html Samsung Patches magicInfo 9 Again Samsung released a new patch for the already exploited magicInfo 9 CMS vulnerability. While the description is identical to the patch released last August, a new CVE number is used. https://security.samsungtv.com/securityUpdates#SVP-MAY-2025 Ivanti Patches Critical Ivanti Neurons Flaw Ivanti released a patch for Ivanti Neurons for ITSM (on-prem only) fixing a critical authentication bypass vulnerability. Ivanti also points to its guidance to secure the underlying IIS server to make exploitation of flaws like this more difficult

Transcribed - Published: 15 May 2025

Microsoft Patch Tuesday Microsoft patched 70-78 vulnerabilities (depending on how you count them). Five of these vulnerabilities are already being exploited. In particular, a remote code execution vulnerability in the scripting engine should be taken seriously. It requires the Microsoft Edge browser to run in Internet Explorer mode. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%3A%20May%202025/31946 Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428) Ivanti patched an authentication bypass vulnerability and a remote code execution vulnerability. The authentication bypass can exploit the remote code execution vulnerability without authenticating first. https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US Fortinet Patches Exploited Vulnerability in API (CVE-2025-32756) Fortinet patched an already exploited stack-based buffer overflow vulnerability in the API of multiple Fortinet products. The vulnerability is exploited via crafted HTTP requests. https://fortiguard.fortinet.com/psirt/FG-IR-25-254

Transcribed - Published: 14 May 2025

Apple Updates Everything Apple patched all of its operating systems. This update ports a patch for a recently exploited vulnerability to older versions of iOS and macOS. https://isc.sans.edu/diary/31942 It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities Versions of the Mirai botnet are attacking devices made by Unipi Technology. These devices are using a specific username and password combination. In addition, this version of the Mirai botnet will also attempt exploits against an old Netgear vulnerability. https://isc.sans.edu/diary/It%20Is%202025%2C%20And%20We%20Are%20Still%20Dealing%20With%20Default%20IoT%20Passwords%20And%20Stupid%202013%20Router%20Vulnerabilities/31940 Output Messenger Vulnerability The internal messenger application Output Messenger is currently used in sophisticated attacks. Attackers are exploiting a path traversal vulnerability that has not been fixed. https://www.outputmessenger.com/cve-2025-27920/ Commvault Correction Commvault s patch indeed fixes the recent vulnerability. The Pioneer Release Will Dormann used to experiment will only offer patches after it has been registered, which leads to an error when assessing the patch s efficacy. https://www.darkreading.com/application-security/commvault-patch-works-as-intended

Transcribed - Published: 13 May 2025

Steganography Challenge Didier revealed the solution to last weekend s cryptography challenge. The image used the same encoding scheme as Didier described before, but the columns and rows were transposed. https://isc.sans.edu/forums/diary/Steganography%20Challenge%3A%20My%20Solution/31912/ FBI Warns of End-of-life routers The FBI is tracking larger botnets taking advantage of unpatched routers. Many of these routers are end-of-life, and no patches are available for the exploited vulnerabilities. The attackers are turning the devices into proxies, which are resold for various criminal activities. https://www.ic3.gov/PSA/2025/PSA250507 ASUS Driverhub Vulnerability ASUS Driverhub software does not properly check the origin of HTTP requests, allowing a CSRF attack from any website leading to arbitrary code execution. https://mrbruh.com/asusdriverhub/ RV-Tools SEO Poisoning Varonis Threat Labs observed SEO poisoning being used to trick system administrators into installing a malicious version of RV Tools. The malicious version includes a remote access tool leading to the theft of credentials https://www.varonis.com/blog/seo-poisoning#initial-access-and-persistence

Transcribed - Published: 12 May 2025

No Internet Access: SSH to the Rescue If faced with restrictive outbound network access policies, a single inbound SSH connection can quickly be turned into a tunnel or a full-blown VPN https://isc.sans.edu/diary/No%20Internet%20Access%3F%20SSH%20to%20the%20Rescue!/31932 SAMSUNG magicINFO 9 Server Flaw Still exploitable The SAMSUNG magicINFO 9 Server Vulnerability we found being exploited last week is apparently still not completely patched, and current versions are vulnerable to the exploit observed in the wild. https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption SentinelOne s installer is vulnerable to an exploit allowing attackers to shut down the end point protection software https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone Commvault Still Exploitable A recent patch for Commvault is apparently ineffective and the PoC exploit published by watchTowr is still working against up to date patched systems https://infosec.exchange/@wdormann/114458913006792356

Transcribed - Published: 9 May 2025

Example of Modular Malware Xavier analyzes modular malware that downloads DLLs from GitHub if specific features are required. In particular, the webcam module is inspected in detail. https://isc.sans.edu/diary/Example%20of%20%22Modular%22%20Malware/31928 Sysaid XXE Vulnerabilities IT Service Management Software Sysaid patched a number of XXE vulnerabilities. Without authentication, an attacker is able to obtain confidential data and completely compromise the system. watchTowr published a detailed analysis of the flaws including exploit code. https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/ Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability Cisco Patched a vulnerability in its wireless controller software that may be used to not only upload files but also execute code as root without authentication. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC Unifi Protect Camera Vulnerability Ubiquity patched a vulnerability in its Protect camera firmware fixing a buffer overflow flaw. https://community.ui.com/releases/Security-Advisory-Bulletin-047-047/cef86c37-7421-44fd-b251-84e76475a5bc

Transcribed - Published: 8 May 2025

Python InfoStealer with Embedded Phishing Webserver Didier found an interesting infostealer that, in addition to implementing typical infostealer functionality, includes a web server suitable to create local phishing sites. https://isc.sans.edu/diary/Python%20InfoStealer%20with%20Embedded%20Phishing%20Webserver/31924 Android Update Fixes Freetype 0-Day Google released its monthly Android update. As part of the update, it patched a vulnerability in Freetype that is already being exploited. Android is not alone in using Freetype. Freetype is a very commonly used library to parse fonts like Truetype fonts. https://source.android.com/docs/security/bulletin/2025-05-01 CISA Warns of Unsophistacted Cyber Actors CISA released an interesting title report warning operators of operational technology networks of ubiquitous attacks by unsophisticated actors. It emphasizes how important it is to not forget basic security measures to defend against these attacks. https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology

Transcribed - Published: 7 May 2025

Mirai Now Exploits Samsung MagicINFO CMS CVE-2024-7399 The Mirai botnet added a new vulnerability to its arsenal. This vulnerability, a file upload and remote code execution vulnerability in Samsung s MagicInfo 9 CMS, was patched last August but attracted new attention last week after being mostly ignored so far. https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE20247399/31920 New Kali Linux Signing Key The Kali Linux maintainers lost access to the secret key used to sign packages. Users must install a new key that will be used going forward. https://www.kali.org/blog/new-kali-archive-signing-key/ The Risk of Default Configuration: How Out-of-the-Box Helm Charts Can Breach Your Cluster Many out-of-the-box Helm charts for Kubernetes applications deploy vulnerable configurations with exposed ports and no authentication https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/the-risk-of-default-configuration-how-out-of-the-box-helm-charts-can-breach-your/4409560

Transcribed - Published: 6 May 2025

Steganography Challenge Didier published a fun steganography challenge. A solution will be offered on Saturday. https://isc.sans.edu/diary/Steganography+Challenge/31910 Microsoft Makes Passkeys Default Authentication Method Microsoft is now encouraging new users to use Passkeys as the default and only login method, further moving away from passwords https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/ Microsoft Authenticator Autofill Changes Microsoft will no longer support the use of Microsoft authenticator as a password safe. Instead, it will move users to the password prefill feature built into Microsoft Edge. This change will start in June and should be completed in August at which point you must have moved your credentials out of Microsoft Authenticator https://support.microsoft.com/en-gb/account-billing/changes-to-microsoft-authenticator-autofill-09fd75df-dc04-4477-9619-811510805ab6 Backdoor found in popular e-commerce components SANSEC identified several backdoored Magento e-commerce components. These backdoors were installed as far back as 2019 but only recently activated, at which point they became known. Affected vendors dispute any compromise at this point. https://sansec.io/research/license-backdoor

Transcribed - Published: 5 May 2025

Steganography Analysis With pngdump.py: Bitstreams More details from Didiear as to how to extract binary content hidden inside images https://isc.sans.edu/diary/Steganography%20Analysis%20With%20pngdump.py%3A%20Bitstreams/31904 Using Trusted Protocols Against You: Gmail as a C2 Mechanism Attackers are using typosquatting to trick developers into installing malicious python packages. These python packages will use GMail as a command and control channel by sending email to hard coded GMail accounts https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism Security Brief: French BEC Threat Actor Targets Property Payments A French business email compromise threat actor is targeting property management firms to send emails to tenents tricking them into sending rent payments to fake bank accounts https://www.proofpoint.com/us/blog/threat-insight/security-brief-french-bec-threat-actor-targets-property-payments SANS.edu Research Journal https://isc.sans.edu/j/research

Transcribed - Published: 2 May 2025

Web Scanning for Sonicwall Vulnerabilities CVE-2021-20016 For the last week, scans for Sonicwall API login and domain endpoints have skyrocketed. These attacks may be exploiting an older vulnerability or just attempting to brute force credentials. https://isc.sans.edu/diary/Web%20Scanning%20Sonicwall%20for%20CVE-2021-20016/31906 The Wizards APT Group SLAAC Spoofing Adversary in the Middle Attacks ESET published an article with details regarding an IPv6-linked attack they have observed. Attackers use router advertisements to inject fake recursive DNS servers that are used to inject IP addresses for hostnames used to update software. This leads to the victim downloading malware instead of legitimate updates. https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/ Windows RDP Access is Possible with Old Credentials Credential caching may lead to Windows allowing RDP logins with old credentials. https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/?comments-page=1#comments

Transcribed - Published: 1 May 2025

More Scans for SMS Gateways and APIs Attackers are not just looking for SMS Gateways like the scans we reported on last week, but they are also actively scanning for other ways to use APIs and add on tools to send messages using other people s credentials. https://isc.sans.edu/diary/More%20Scans%20for%20SMS%20Gateways%20and%20APIs/31902 AirBorne: AirPlay Vulnerabilities Researchers at Oligo revealed over 20 weaknesses they found in Apple s implementation of the AirPlay protocol. These vulnerabilities can be abused to execute code or launch denial-of-service attacks against affected devices. Apple patched the vulnerabilities in recent updates. https://www.oligo.security/blog/airborne

Transcribed - Published: 30 April 2025

SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics Mark Baggett released SRUM-DUMP Version 3. The tool simplifies data extraction from Widnows System Resource Usage Monitor (SRUM). This database logs how much resources software used for 30 days, and is invaluable to find out what software was executed when and if it sent or received network data. https://isc.sans.edu/diary/SRUM-DUMP%20Version%203%3A%20Uncovering%20Malware%20Activity%20in%20Forensics/31896 Novel Universal Bypass For All Major LLMS Hidden Layer discovered a new prompt injection technique that bypasses security constraints in large language models. The technique uses an XML formatted prequel for a prompt, which appears to the LLM as a policy file. This Policy Puppetry can be used to rewrite some of the security policies configured for LLMs. Unlike other techniques, this technique works across multiple LLMs without changing the policy. https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/ CHOICEJACKING: Compromising Mobile Devices through Malicious Chargers like a Decade ago The old Juice Jacking is back, at least if you do not run the latest version of Android or iOS. This issue may allow a malicious USB device, particularly a USB charger, to take control of a device connected to it. https://pure.tugraz.at/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf SANS @RSA: https://www.sans.org/mlp/rsac/

Transcribed - Published: 29 April 2025

Example of a Payload Delivered Through Steganography Xavier and Didier published two diaries this weekend, building on each other. First, Xavier showed an example of an image being used to smuggle an executable past network defenses, and second, Didier showed how to use his tools to extract the binary. https://isc.sans.edu/diary/Example%20of%20a%20Payload%20Delivered%20Through%20Steganography/31892 SAP Netweaver Exploited CVE-2025-31324 An arbitrary file upload vulnerability in SAP s Netweaver product is actively exploited to upload webshells. Reliaquest discovered the issue. Reliaquest reports that they saw it being abused to upload the Brute Ratel C2 framework. Users of Netweaver must turn off the developmentserver alias and disable visual composer, and the application was deprecated for about 10 years. SAP has released an emergency update for the issue. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/ https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ Any.Run Reports False Positive Uploads Due to false positives caused by MS Defender XDR flagging Adobe Acrobat Cloud links as malicious, many users of Any.Run s free tier uploaded confidential documents to Any.Run. Anyrun blocked these uploads for now but reminded users to be cautious about what documents are being uploaded. https://x.com/anyrun_app/status/1915429758516560190

Transcribed - Published: 28 April 2025

Attacks against Teltonika Networks SMS Gateways Attackers are actively scanning for SMS Gateways. These attacks take advantage of default passwords and other commonly used passwords. https://isc.sans.edu/diary/Attacks%20against%20Teltonika%20Networks%20SMS%20Gateways/31888 Commvault Vulnerability CVE-2205-34028 Commvault, about a week ago, published an advisory and a fix for a vulnerability in its backup software. watchTowr now released a detailed writeup and exploit for the vulnerability https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/ Exploitation Trends Q1 2025 Vulncheck published a summary of exploitation trends, pointing out that about a quarter of vulnerabilities are exploited a day after a patch is made available. https://vulncheck.com/blog/exploitation-trends-q1-2025 inetpub directory issues The inetpub directory introduced by Microsoft in its April patch may lead to a denial of service against applying patches on Windows if an attacker can create a junction for that location pointing to an existing system binary like Notepad. https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulnerability-introduces-another-symlink-vulnerability-9ea085537741

Transcribed - Published: 25 April 2025

Honeypot Iptables Maintenance and DShield-SIEM Logging In this diary, Jesse is talking about some of the tasks to maintain a honeypot, like keeping filebeats up to date and adjusting configurations in case your dynamic IP address changes https://isc.sans.edu/diary/Honeypot%20Iptables%20Maintenance%20and%20DShield-SIEM%20Logging/31876 XRPL.js Compromised An unknown actor was able to push malicious updates of the XRPL.js library to NPM. The library is officially recommended for writing Riple (RPL) cryptocurrency code. The malicious library exfiltrated secret keys to the attacker https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor https://github.com/XRPLF/xrpl.js/security/advisories/GHSA-33qr-m49q-rxfx Cisco Equipment Affected by Erlang/OTP SSH Vulnerability Cisco published an advisory explaining which of its products are affected by the critical Erlang/OTP SSH library vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy

Transcribed - Published: 24 April 2025

xorsearch.py: Ad Hoc YARA Rules Adhoc YARA rules allow for easy searches using command line arguments without having to write complete YARA rules for simple use cases like string and regex searches https://isc.sans.edu/diary/xorsearch.py%3A%20%22Ad%20Hoc%20YARA%20Rules%22/31856 Google Spoofed via DKIM Replay Attack DKIM replay attacks are a known issue where the attacker re-uses a prior DKIM signature. This will work as long as the headers signed by the signature are unchanged. Recently, this attack has been successful against Google. https://easydmarc.com/blog/google-spoofed-via-dkim-replay-attack-a-technical-breakdown/ SSL.com E-Mail Validation Bug SSL.com did not properly verify which domain a particular email address is authorized to receive certificates for. This could have been exploited against webmail providers. https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

Transcribed - Published: 23 April 2025

It's 2025, so why are malicious advertising URLs still going strong? Phishing attacks continue to take advantage of Google s advertising services. Sadly, this is still the case for obviously malicious links, even after various anti-phishing services flag the URL. https://isc.sans.edu/diary/It%27s%202025...%20so%20why%20are%20obviously%20malicious%20advertising%20URLs%20still%20going%20strong%3F/31880 ChatGPT Fingerprinting Documents via Unicode ChatGPT apparently started leaving fingerprints in texts, which it creates by adding invisible Unicode characters like non-breaking spaces. https://www.rumidocs.com/newsroom/new-chatgpt-models-seem-to-leave-watermarks-on-text Asus AI Cloud Security Advisory Asus warns of a remote code execution vulnerability in its routers. The vulnerability is related to the AI Cloud feature. If your router is EoL, disabling the feature will mitigate the vulnerability https://www.asus.com/content/asus-product-security-advisory/ PyTorch Vulnerability PyTorch fixed a remote code execution vulnerability exploitable if a malicious model was loaded. This issue was exploitable even with the weight_only=True" setting selected https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6

Transcribed - Published: 22 April 2025

Microsoft Entra User Lockout Multiple organizations reported widespread alerts and account lockouts this weekend from Microsoft Entra. The issue is caused by a new feature Microsoft enabled. This feature will lock accounts if Microsoft believes that the password for the account was compromised. https://www.bleepingcomputer.com/news/microsoft/widespread-microsoft-entra-lockouts-tied-to-new-security-feature-rollout/ https://learn.microsoft.com/en-us/entra/identity/authentication/feature-availability Erlang/OTP SSH Exploit An exploit was published for the Erlang/OTP SSH vulnerability. The vulnerability is easy to exploit, and the exploit and a Metasploit module allow for easy remote code execution. https://github.com/exa-offsec/ssh_erlangotp_rce/blob/main/ssh_erlangotp_rce.rb Sonicwall Exploited An older command injection vulnerability is now exploited on Sonicwall devices after initially gaining access by brute-forcing credentials. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022 Unpatched Vulnerability in Bubble.io An unpatched vulnerability in the no-code platform bubble.io can be used to access any project hosted on the site. https://github.com/demon-i386/pop_n_bubble

Transcribed - Published: 21 April 2025

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS Stormcast Monday, April 21st: MSFT Entra Lockouts; Erlang/OTP SSH Exploit; Sonicwall Exploit; bubble.io bug

Transcribed - Published: 21 April 2025

RedTail: Remnux and Malware Management A description showing how to set up a malware analysis in the cloud with Remnux and Kasm. RedTail is a sample to illustrate how the environment can be used. https://isc.sans.edu/diary/RedTail%2C%20Remnux%20and%20Malware%20Management%20%5BGuest%20Diary%5D/31868 Critical Erlang/OTP SSH Vulnerability Researchers identified a critical vulnerability in the Erlang/OTP SSH library. Due to this vulnerability, SSH servers written in Erlang/OTP allow arbitrary remote code execution without prior authentication https://www.openwall.com/lists/oss-security/2025/04/16/2 Brickstorm Analysis An analysis of a recent instance of the Brickstorm backdoor. This backdoor used to be more known for infecting Linux systems, but now it also infects Windows. https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf OpenAI GPT 4.1 Controversy OpenAI released its latest model, GPT 4.1, without a safety report and guardrails to prevent malware creation. https://opentools.ai/news/openai-stirs-controversy-with-gpt-41-release-lacking-safety-report

Transcribed - Published: 18 April 2025

Apple Updates Apple released updates for iOS, iPadOS, macOS, and VisionOS. The updates fix two vulnerabilities which had already been exploited against iOS. https://isc.sans.edu/diary/Apple%20Patches%20Exploited%20Vulnerability/31866 Oracle Updates Oracle released it quarterly critical patch update. The update addresses 378 security vulnerabilities. Many of the critical updates are already known vulnerabilities in open-source software like Apache and Nginx ingress. https://www.oracle.com/security-alerts/cpuapr2025.html Oracle Breach Guidance CISA released guidance for users affected by the recent Oracle cloud breach. The guidance focuses on the likely loss of passwords. https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-releases-guidance-credential-risks-associated-potential-legacy-oracle-cloud-compromise Google Chrome Update A Google Chrome update released today fixes two security vulnerabilities. One of the vulnerabilities is rated as critical. https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_15.html CVE Updates CISA extended MITRE s funding to operate the CVE numbering scheme. However, a number of other organizations announced that they may start alternative vulnerability registers. https://euvd.enisa.europa.eu/ https://gcve.eu/ https://www.thecvefoundation.org/

Transcribed - Published: 17 April 2025

Online Services Again Abused to Exfiltrate Data Attackers like to abuse free online services that can be used to exfiltrate data. From the originals , like pastebin, to past favorites like anonfiles.com. The latest example is gofile.io. As a defender, it is important to track these services to detect exfiltration early https://isc.sans.edu/diary/Online%20Services%20Again%20Abused%20to%20Exfiltrate%20Data/31862 OpenSSH 10.0 Released OpenSSH 10.0 was released. This release adds quantum-safe ciphers and the separation of authentication services into a separate binary to reduce the authentication attack surface. https://www.openssh.com/releasenotes.html#10.0p1 Apache Roller Vulnerability Apache Roller addressed a vulnerability. Its CVSS score of 10.0 appears inflated, but it is still a vulnerability you probably want to address. https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f CVE Funding Changes Mitre s government contract to operate the CVE system may run out tomorrow. This could lead to a temporary disruption of services, but the system is backed by a diverse board of directors representing many large companies. It is possible that non-government funding sources may keep the system afloat for now. https://www.cve.org/

Transcribed - Published: 16 April 2025

xorsearch Update Diedier updated his "xorsearch" tool. It is now a python script, not a compiled binary, and supports Yara signatures. With Yara support also comes support for regular expressions. https://isc.sans.edu/diary/xorsearch.py%3A%20Searching%20With%20Regexes/31854 Shorter Lived Certificates The CA/Brower Forum passed an update to reduce the maximum livetime of certificates. The reduction will be implemented over the next four years. EFF also released an update to certbot introducing profiles that can be used to request shorter lived certificates. https://www.eff.org/deeplinks/2025/04/certbot-40-long-live-short-lived-certs https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/bvWh5RN6tYI New Malware Harvesting Data from USB drives and infecting them. Kaspersky is reporting that they identified new malware that not only harvests data from USB drives, but also spread via USB drives by replacing existing documents with malicious files. https://securelist.com/goffee-apt-new-attacks/116139/

Transcribed - Published: 15 April 2025

Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248) After spotting individaul attempts to exploit the recent Langflow vulnerability late last weeks, we now see more systematic internet wide scans attempting to verify the vulnerability. https://isc.sans.edu/forums/diary/Exploit+Attempts+for+Recent+Langflow+AI+Vulnerability+CVE20253248/31850/ Fortinet Analysis of Threat Actor Activity Fortinet oberved recent vulnerablities in its devices being used to add a symlink to ease future compromise. The symlink is not removed by prior patches, and Fortinet released additional updates to detect and remove this attack artifact. https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity MSFT Inetpub Microsoft clarrified that its April patches created the inetpub directory on purpose. Users should not remove it. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204#exploitability SANSFIRE https://isc.sans.edu/j/sansfire

Transcribed - Published: 14 April 2025

Network Infraxploit Our undergraduate intern, Matthew Gorman, wrote up a walk through of CVE-2018-0171, an older Cisco vulnerability, that is still actively being exploited. For example, VOLT TYPHOON recently exploited this problem. https://isc.sans.edu/diary/Network+Infraxploit+Guest+Diary/31844 Windows Update Issues / Windows 10 Update Microsoft updated its "Release Health" notes with details regarding issues users experiences with Windows Hello, Citrix, and Roblox. Microsoft also released an emergency update for Office 2016 which has stability problems after applying the most recent update. https://support.microsoft.com/en-us/topic/april-8-2025-kb5055523-os-build-26100-3775-277a9d11-6ebf-410c-99f7-8c61957461eb https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3521 https://support.microsoft.com/en-us/topic/april-10-2025-update-for-office-2016-kb5002623-d60c1f31-bb7c-4426-b8f4-69186d7fc1e5 Dell Updates Dell releases critical updates for it's Powerscale One FS product. In particular, it fixes a default password problem. https://www.dell.com/support/kbdoc/en-us/000300860/dsa-2025-119-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities Langflow Vulnerablity (possible exploit scans sighted) CVE-2025-3248 Langflow addressed a critical vulnerability end of March. This writeup by Horizon3 demonstrates how the issue is possibly exploited. We have so far seen one "hit" in our honeypot logs for the vulnerable API endpoint URL. https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/

Transcribed - Published: 11 April 2025

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS Stormcast ThursdayApril 10th: Getting Past PyArmor; CenterStack RCE; Android 0-Day Patch; VMware Tanzu Patches; Odd Win11 Directory; WhatsApp File Confusion; SANS AI Guide;

Transcribed - Published: 10 April 2025

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS Stormcast Wednesday, April 10th: Microsoft Patch Tuesday; Adobe Patches; OpenSSL 3.5 with PQC; Fortinet

Transcribed - Published: 9 April 2025

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS Stormcast Tuesday, April 8th:

Transcribed - Published: 8 April 2025