SANS Stormcast Friday, October 3rd, 2025: More .well-known Scans; RedHat Openshift Patch; TOTOLINK Vuln;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9640.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
More .well-known scans
Attackers are using API documentation automatically published in the .well-known directory for reconnaissance.
https://isc.sans.edu/diary/More%20.well-known%20Scans/32340
Red Hat Patches OpenShift AI Services
A flaw was found in Red Hat OpenShift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator.
https://access.redhat.com/security/cve/cve-2025-10725#cve-affected-packages
TOTOLINK X6000R Vulnerabilities
Palo Alto released details regarding three recently patched vulnerabilities in TOTOLINK X6000R routers.
https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/
DrayOS Vulnerability Patched
DrayTek fixed a single memory corruption vulnerability in its Vigor series routers. An unauthenticated user may use it to execute arbitrary code.
https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities
Upcoming Classes
Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
Podcast Transcript
Hello and welcome to the Friday, October 3rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals. Well, and today once more I wrote about the .well-known directory. Of course, I have written about this in the past. Most recently, I think it was last week, about some backdoors and such, some web shells that people left behind in that directory. Today it's a little bit different. Actually, no honeypot data for a change. But instead, something I observed on our ISC web server. And that is that attackers are scanning for URLs in the .well-known directory that are valuable for reconnaissance. There are a number of systems that add configuration files to the .well-known directory. Like, for example, the terraform.json file. That will give an attacker, of course, some hints as to what APIs your particular system supports. Some of them are required, like that terraform.json file, in order to use these tools effectively. Also, these OAuth and OpenID configuration files are required if you would like to use these systems. And so far, it's not a good idea to remove those files from your system in case you see them on your system. Sometimes they're not even files. They're just APIs themselves that create those responses dynamically. So what you want to do is you want to at least keep an eye on these locations and make sure that what's being published here is supposed to be published. I think it was yesterday or at least earlier this week where we had one case where one of these files did include some secret keys, some API secrets. It's not just the public keys that are usually supposed to be listed in those files. For example, the OAuth and OpenID configuration. So double check, make sure nothing is there that's not supposed to be there.
But overall, this is not necessarily a bad thing. It's just, well, a way how attackers can abuse these features against you for reconnaissance. And then we have a couple end-of-the-week vulnerabilities to talk about. First of all, Red Hat released the advisory warning of a privilege escalation vulnerability in the Red Hat OpenShift AI service. A user with minimal credentials, meaning anybody who can run a Jupyter notebook on the system, is able to basically get full admin access to the entire cluster. So this is something that you want to address. I doubt it's super critical depending on who you give access to this OpenShift AI service. But overall, securing Jupyter notebooks is always a little bit tricky because, well, you are running code sort of by definition on the system. And a badly configured role like this, yeah, is likely easily exploited. And Palo Alto released an advisory regarding three recently patched vulnerabilities in the TOTOLINK X6000R router. This particular manufacturer has had similar vulnerabilities in the past like pretty much any router manufacturer like this. So patches have been released in June. But with this advisory out here now, you definitely must patch, in particular because one of the critical vulnerabilities here does allow an unauthenticated command injection. And exploitation for these vulnerabilities is pretty trivial as explained in this advisory. So there are some source code snippets here explaining the exact nature of these vulnerabilities. There is no proof of concept per se here in the advisory. But yes, exploitation is not difficult. And talking about routers, we also got updates from DrayTek for their DrayOS routers, also known under the name Vigor. The single vulnerability being addressed here sounds like a buffer overflow. It's not really clear. It's just listed as memory corruption here. But it does also say that it does allow arbitrary code execution without authentication.
One of the mitigating issues they're covering here, and that's certainly an important one, is that you really shouldn't expose any web admin interface like this to the public eyes. Because, well, they tend to be horribly broken and vulnerable. Well, and I got one more item, something with a little bit more of a positive note to not let you hang in here just with vulnerabilities for the weekend. Microsoft announced that they're in the process of no longer displaying SVG images inline in emails in Outlook and Outlook 365. They started this process mid-September and should be finished with it mid-October. I can't get to the original announcement that Microsoft published, so I'll link to the Bleeping Computer article about this. But they have a pretty good summary of it. Of course, these SVG images have recently been heavily used for malware and for phishing and a couple of other circumstances. So that's probably why they're starting to block them now, like they already are blocking a lot of other attachments. Well, and that's it for today. So thanks for listening. Thanks for subscribing. Thanks for liking this podcast. Next week, I'll be in Denver teaching a class following our Cloud Summit. And by the way, I only have one more public class to teach. First week of December in Dallas. So if you're interested in learning more about web application security, that's the week for you to sign up. And as always, any future classes I'll teach are listed in the show notes on the page on the Internet Storm Center website. Just below the actual show notes, you'll see a short list of upcoming classes. Thanks and talk to you again on Monday. Bye.
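A defender-side check for the .well-known advice in the segment above: an added Python example (not from the ISC diary or the podcast) that audits the JSON a server publishes under .well-known, flagging JWK entries that carry private-key members and top-level field names that look like credentials. The sample documents, the host idp.example.test, the credential-name pattern and the list of harmless key suffixes are constructed assumptions.

```python
import json
import re

# JWK members that hold private-key material (RFC 7517/7518). A JWKS served
# from .well-known should only ever contain public parameters.
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Assumed heuristic: field names that suggest a credential was pasted into a
# discovery document. Standard metadata keys such as token_endpoint or
# token_endpoint_auth_methods_supported are skipped by suffix.
SECRET_NAME_RE = re.compile(r"secret|private|password|passwd|token", re.I)
HARMLESS_SUFFIXES = ("_endpoint", "_uri", "_supported")


def audit_well_known(path, body):
    """Return a list of (path, json_pointer, reason) findings for one response body."""
    findings = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return [(path, "", "not valid JSON")]

    def walk(node, ptr):
        if isinstance(node, dict):
            if "kty" in node:  # this object is a JWK; check for private members
                priv = sorted(k for k in node if k in PRIVATE_JWK_MEMBERS)
                if priv:
                    findings.append((path, ptr, f"JWK exposes private members {priv}"))
            for key, value in node.items():
                if SECRET_NAME_RE.search(key) and not key.endswith(HARMLESS_SUFFIXES):
                    findings.append((path, f"{ptr}/{key}", "secret-looking field name"))
                walk(value, f"{ptr}/{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{ptr}/{i}")

    walk(doc, "")
    return findings


# Constructed sample responses: a discovery document with a stray client_secret
# and a JWKS whose second key leaked its EC private scalar "d".
SAMPLE_OPENID = json.dumps({
    "issuer": "https://idp.example.test",
    "token_endpoint": "https://idp.example.test/oauth/token",
    "jwks_uri": "https://idp.example.test/.well-known/jwks.json",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "client_secret": "<placeholder-value>",
})
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "pub-1", "n": "<base64url>", "e": "AQAB"},
    {"kty": "EC", "kid": "leaked", "crv": "P-256", "x": "<b64>", "y": "<b64>", "d": "<b64>"},
]})

if __name__ == "__main__":
    for p, b in [("/.well-known/openid-configuration", SAMPLE_OPENID),
                 ("/.well-known/jwks.json", SAMPLE_JWKS)]:
        for finding in audit_well_known(p, b):
            print(finding)
```

Point the same function at the live responses of your own discovery and JWKS endpoints (they are often generated dynamically, as the podcast notes) to catch the kind of leaked API secret described above.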