SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday, December 15th, 2025: DLL Entry Points; ClickFix and Finger; Apple Patches

Abusing DLLs EntryPoint for the Fun DLLs will not just execute code when some of their functions are called, but also as they are loaded. https://isc.sans.edu/diary/Abusing%20DLLs%20EntryPoint%20for%20the%20Fun/32562 [https://isc.sans.edu/diary/Abusing%20DLLs%20EntryPoint%20for%20the%20Fun/32562] Apple Patches Everything: December 2025 Edition Apple released patches for all of its operating systems, fixing two already exploited vulnerabilities. ClickFix Attacks Still Using the Finger ClickFix Attacks Still Using the Finger Two examples of ClickFix attacks abusing the finger protocol to load additional malware Denial of Service and Source Code Exposure in React Server Components Denial of Service and Source Code Exposure in React Server Components After last week's critical patch, three more, but less critical, vulnerabilities were identified in React Server Components. https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components [https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components]

SANS Stormcast Friday, December 12th, 2025: Local AI Models; Mystery Chrome 0-Day; SOAPwn Attack

Using AI Gemma 3 Locally with a Single CPU Installing AI models on modes hardware is possible and can be useful to experiment with these models on premise https://isc.sans.edu/diary/Using%20AI%20Gemma%203%20Locally%20with%20a%20Single%20CPU%20/32556 [https://isc.sans.edu/diary/Using%20AI%20Gemma%203%20Locally%20with%20a%20Single%20CPU%20/32556] Mystery Google Chrome 0-Day Vulnerability Google released an update for Google Chrome fixing a vulnerability that is already being exploited, but has not CVE number assigned to it yet https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html [https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html] SOAPwn: Pwning NET Framework Applications Through HTTP Client Proxies And WSDL Watchtwr identified a common vulnerability in SOAP implementations using .Net https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/ [https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/]

SANS Stormcast Thursday, December 11th, 2025: Possible CVE-2024-9042 variant; react2shell exploits; notepad++ update hijacking; macOS priv escalation

Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection) We observed HTTP requests with our honeypot that may be indicative of a new version of an exploit against an older vulnerability. Help us figure out what is going on. https://isc.sans.edu/diary/Possible%20exploit%20variant%20for%20CVE-2024-9042%20%28Kubernetes%20OS%20Command%20Injection%29/32554 [https://isc.sans.edu/diary/Possible%20exploit%20variant%20for%20CVE-2024-9042%20%28Kubernetes%20OS%20Command%20Injection%29/32554] React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182 Wiz has a writeup with more background on the React2Shell vulnerability and current attacks https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive [https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive] Notepad++ Update Hijacking Notepad++ s vulnerable update process was exploited https://notepad-plus-plus.org/news/v889-released/ [https://notepad-plus-plus.org/news/v889-released/] New macOS PackageKit Privilege Escalation A PoC was released for a new privilege escalation vulnerability in macOS. Currently, there is no patch. https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html [https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html]

SANS Stormcast Wednesday, December 10th, 2025: Microsoft, Adobe, Ivanti, Fortinet, and Ruby patches.

Microsoft Patch Tuesday Microsoft released its regular monthly patch on Tuesday, addressing 57 flaws. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202025/32550 [https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202025/32550] Adobe Patches Adobe patched five products. The remote code execution in ColdFusion, as well as the code execution issue in Acrobat, will very likely see exploits soon. https://helpx.adobe.com/security.html [https://helpx.adobe.com/security.html] Ivanti Endpoint Manager Patches Ivanti patched four vulnerabilities in End Point Manager. https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US [https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US] Fortinet FortiCloud SSO Vulnerability Due to a cryptographic vulnerability, Forinet s FortiCloud SSO authentication is bypassable. https://fortiguard.fortinet.com/psirt/FG-IR-25-647 [https://fortiguard.fortinet.com/psirt/FG-IR-25-647] ruby-saml vulnerability Ruby fixed a vulnerability in ruby-saml. The issue is due to an incomplete patch for another vulnerability a few months ago. https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3 [https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3]

SANS Stormcast Tuesday, December 9th, 2025: nanoKVM Vulnerabilities; Ghostframe Phishing; WatchGuard Advisory

nanoKVM Vulnerabilities The nanoKVM device updates firmware insecurely; however, the microphone that the authors of the advisory referred to as undocumented may actually be documented in the underlying hardware description. https://www.tomshardware.com/tech-industry/cyber-security/researcher-finds-undocumented-microphone-and-major-security-flaws-in-sipeed-nanokvm [https://www.tomshardware.com/tech-industry/cyber-security/researcher-finds-undocumented-microphone-and-major-security-flaws-in-sipeed-nanokvm] Ghostframe Phishing Kit The Ghostframe phishing kit uses iFrames and random subdomains to evade detection https://blog.barracuda.com/2025/12/04/threat-spotlight-ghostframe-phishing-kit [https://blog.barracuda.com/2025/12/04/threat-spotlight-ghostframe-phishing-kit] WatchGuard Advisory WatchGuard released an update for its Firebox appliance, fixing ten vulnerabilities. Five of these are rated as High. https://www.watchguard.com/wgrd-psirt/advisories [https://www.watchguard.com/wgrd-psirt/advisories]