
SANS Stormcast Tuesday, January 27th, 2026: PWD scanning; MSFT Office OOB Patch; Exposed Clawdbot

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9782.mp3


Scanning Webserver with “pwd” as a Starting Path
Attackers are adding the output of the pwd command to their web scans.
https://isc.sans.edu/diary/x/32654
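The pattern described in this diary item (and in the transcript below) is a request path that starts with an absolute operating-system directory, typically followed by one of the usual environment or configuration file names. The following detector is an added example, not code from the ISC diary: it parses combined-format web server log lines, percent-decodes the path, and flags requests that either begin with an absolute filesystem prefix or end in a sensitive file name, then counts hits per source address. The prefix and file-name lists and the sample log lines are constructed for the example (documentation IP ranges), not taken from the honeypot data.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Absolute filesystem prefixes that never belong at the start of a URL path on a
# typical site. This list is an assumption for the example; tune it to the web roots
# actually used in your environment.
FS_PREFIXES = ("/var/www/", "/home/", "/root/", "/srv/", "/opt/", "/usr/share/", "/app/")

# Environment and configuration files that such scans typically request.
# Constructed list of common targets, not taken from the diary.
SENSITIVE_SUFFIXES = (".env", ".env.bak", ".git/config", "wp-config.php", "config.php", ".aws/credentials")

# Combined-format access log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target):
    """Strip the query string and percent-decode, so '/srv%2Fapp/x' is seen as '/srv/app/x'."""
    path = target.split("?", 1)[0]
    return unquote(path)


def classify(path):
    """Return the reasons a request path looks like a pwd-prefixed scan (empty list if benign)."""
    reasons = []
    if path.startswith(FS_PREFIXES):
        reasons.append("absolute-fs-path")
    if path.endswith(SENSITIVE_SUFFIXES):
        reasons.append("sensitive-file")
    return reasons


def scan_log(lines):
    """Parse access-log lines and return (ip, path, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than crash on them
        path = normalize_path(m.group("target"))
        reasons = classify(path)
        if reasons:
            hits.append((m.group("ip"), path, reasons))
    return hits


def sources(hits):
    """Count suspicious requests per client IP, the view you would feed into a blocklist decision."""
    return Counter(ip for ip, _, _ in hits)


# Constructed sample log (not real honeypot data); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2026:08:12:01 +0000] "GET /var/www/html/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2026:08:12:02 +0000] "GET /home/ubuntu/app/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2026:08:12:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2026:08:12:04 +0000] "GET /srv%2Fapp/wp-config.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.22 - - [27/Jan/2026:08:13:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.22 - - [27/Jan/2026:08:13:11 +0000] "GET /blog/home/ HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for ip, path, reasons in found:
        print(f"{ip:16} {path:32} {','.join(reasons)}")
    print("per-source counts:", dict(sources(found)))
```

Percent-decoding before matching matters because `/srv%2Fapp/...` would otherwise slip past a prefix check; a path such as `/blog/home/` is not flagged because the prefix match is anchored at the start of the path. Requests carrying both reasons are the ones that match this diary's pattern most closely.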

Microsoft Office Security Feature Bypass Vulnerability CVE-2026-21509
Microsoft released an out-of-band patch for Office fixing a currently exploited vulnerability.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509

Exposed Clawdbot Instances
Many users of the AI tool Clawdbot expose instances without access control.
https://x.com/theonejvo/status/2015485025266098536
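The transcript notes that people are already putting a proxy in front of the gateway, which by default listens only on 127.0.0.1:18789, and that adding a password at that point costs little. The configuration below is an added example, not part of Clawdbot's documentation: an nginx reverse proxy that requires HTTP basic authentication over TLS and, following the speaker's preference, also limits source addresses to a VPN subnet. The hostname, certificate paths, htpasswd path and VPN subnet are assumptions for the example; the WebSocket upgrade handling is included defensively and is not a statement about what the gateway requires.

```nginx
# Added example: nginx in front of a Clawdbot gateway that listens only on 127.0.0.1:18789.
# Hostname, certificate paths, htpasswd path and the VPN subnet are assumptions.

# Pass WebSocket upgrades through unchanged (harmless if the gateway never uses them).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name bot.example.com;

    ssl_certificate     /etc/letsencrypt/live/bot.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bot.example.com/privkey.pem;

    # Without the two auth_basic lines this is the unprotected exposure the episode warns about.
    # Create the file with: htpasswd -B -c /etc/nginx/clawdbot.htpasswd <user>
    auth_basic           "Clawdbot gateway";
    auth_basic_user_file /etc/nginx/clawdbot.htpasswd;

    # Preferred option from the transcript: do not expose to the internet at all. Restricting
    # sources to the VPN subnet makes the password a second layer rather than the only one.
    allow 10.8.0.0/24;   # assumed VPN subnet
    deny  all;

    location / {
        proxy_pass         http://127.0.0.1:18789;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade         $http_upgrade;
        proxy_set_header   Connection      $connection_upgrade;
        proxy_set_header   Host            $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
    }
}

# Redirect plain HTTP to HTTPS so the basic-auth credentials are never sent in the clear.
server {
    listen 80;
    server_name bot.example.com;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, confirm from outside the VPN that an unauthenticated request returns 403 (or 401 if you drop the allow-list), and check on the host with `ss -ltnp` that port 18789 is bound to 127.0.0.1 only, since a gateway rebound to 0.0.0.0 bypasses the proxy entirely.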

Podcast Transcript

Hello and welcome to the Tuesday, January 27th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

In Diaries today, we do have a new scanning pattern that apparently is being used by a couple of IP addresses to scan our web honeypots. The trick here is that they're adding pwd, the output of the command, actually, the way it is being written here, so not just the environment variable. And the goal here is likely that they're trying to make, sort of dynamically, the path the web server is running in part of the URL. I'm not sure how well this will actually work, because that's usually the absolute path in the operating system, while of course the path that you're using as part of the URL is then mapped to specific, like, web root directories inside the operating system's directory structure. So, not sure if it will work, but, well, attackers always try new tricks, and maybe there are some configurations where this will help the attacker find various vulnerabilities or data leakage in files. They're using this with a large number of different URLs, but a lot of them are sort of the standard environment files and configuration files that we have seen a lot over the last few years.

Well, and this month certainly appears to be the month of Microsoft out-of-band updates. The latest one, and this one is actually a security update. So, yesterday I talked about one that was really more preventing some sort of undesirable side effects with January's patches. This is a new vulnerability and an update to help you protect yourself from the exploitation of this vulnerability. The vulnerability itself is, well, Microsoft Office, and it's one of those unsafe COM control issues. The good old OLE format allows you to load COM controls. The fix is for newer versions of Office, which is 2124. You get a little fix-it script that you can run that will basically apply, probably, the necessary registry changes for you to block execution here. For older versions of Office, you must then do this change manually, which isn't quite trivial. It's a fairly complex registry change, kind of, that you have to make here. But, yeah, go ahead and make that change. Again, this vulnerability is already being exploited, and also details have been made public about how to take advantage of this vulnerability.

Well, and then we have more insecure AI deployments. This time it's Clawdbot. Clawdbot is software that allows you to automate workflows, in particular by interacting with instant messengers. There are various sorts of ways how you can configure it. And by default, it only listens on the loopback interface on port 18789. So it shouldn't really be available and accessible from outside the network. But apparently people are setting up proxies to allow access from anywhere on the internet to their Clawdbot instance. This could easily be protected with passwords. If you're already setting up a proxy, adding a password is probably not really that much more difficult. But there are many, many instances out there without. If you are exposing Clawdbot without a password to the internet, then of course you're giving essentially full system access to anybody who is finding your instance. And Shodan, as Jameson O'Reilly, who sort of broke this story, found out, already has numerous instances listed that are ready for exploitation. So if you're running it, double check that you're not exposing it. And even with a password, I probably would rather not expose it to the internet at all and only expose it via VPN or something like this, where you can then connect directly to the machine it's running on.

And then just a quick note that Apple today released updates for iOS and watchOS and iPadOS. However, these updates do not contain any security fixes. Apparently the main purpose of the update is to support the new AirTags being released today. There's also no update for macOS. So what I expect is that maybe this week or early next week, or something like that (I'm just guessing here with Apple, of course), we may receive sort of a security update that then patches macOS and also security vulnerabilities in iOS and other operating systems released by Apple.

Well, and this is it for today. So thanks for listening. Thanks for subscribing. And yes, of course, I'm not emailing stickers. There was one mistake that I made yesterday. But if you find any mistakes, please let me know and you'll get them in the postal mail. I'll just need your postal mail address so I can get the stickers to you. And that's it for today. Thanks, and talk to you again tomorrow. Bye. Bye. Bye. Have a great day.