Handler on Duty: Johannes Ullrich
Threat Level: green
SANS Stormcast Friday, April 3rd, 2026: Vite Exploits; OpenSSH 10.3; Claude Code Vuln
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9878.mp3
My Next Class
Attempts to Exploit Exposed "Vite" Installs (CVE-2025-30208)
https://isc.sans.edu/diary/Attempts%20to%20Exploit%20Exposed%20%22Vite%22%20Installs%20%28CVE-2025-30208%29/32860
OpenSSH 10.3 Release
https://seclists.org/oss-sec/2026/q2/7
Claude Code Vulnerability
https://adversa.ai/claude-code-security-bypass-deny-rules-disabled/
| Course | Location | Dates |
| --- | --- | --- |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
| Network Monitoring and Threat Detection In-Depth | Online (Arabian Standard Time) | Jun 20th - Jun 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 26th 2026 |
Podcast Transcript
Hello and welcome to the Friday, April 3rd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Orlando, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Incident Response.

Today I noticed in our honeypots that we are seeing some scans for a vulnerability in the developer tool Vite. This vulnerability was discovered by Offsec last July and now apparently is being exploited. It's a fairly straightforward-to-exploit vulnerability, even though I doubt that there will be a lot of exposed systems. Typically, this particular tool listens on port 5173. Well, this is not where the scans are going to. These scans are going to standard HTTP ports. So that's the first thing that made me think a little bit that maybe they're looking for someone who maybe misconfigured this particular tool. The problem with the tool is that it does provide access to files on the local file system via simple HTTP requests. All you need is the prefix /@fs/, and that will then basically just map to the file system, disregarding the document root or any settings like this. However, there is some access control provided that basically limits this access to certain directories. However, the vulnerability discovered last July does allow arbitrary access as long as the URL ends in question mark, question mark, raw, question mark. So that particular suffix essentially then bypasses the access control. If you're running Vite, please make sure that you are running it securely, that you're not exposing it, and that you're also running the latest version. And by the way, this tool, well, it's pronounced Vite, but it's really sort of a French tool and the spelling is V-I-T-E. So some people may pronounce it like Vite or something like that.

And OpenSSH version 10.3 has been released. And with that, a number of security issues were addressed. None of these security issues I would consider critical or something that would require you to patch. Now, if there is an update for your particular Unix distribution or such, of course, apply these updates. The one vulnerability that sounds critical because, yes, it is an arbitrary code execution vulnerability, does require a very specific configuration. And it also basically is only exploitable if the attacker is able to supply a username parameter. Plus, you need to have a %U token in your configuration that would then be expanded. So it's highly unlikely that this can be leveraged in a real attack. Still, as the patch becomes available, just update.

And you probably heard a couple of days ago, Claude Code leaked its source code. This wasn't really a compromise per se. It was really just, well, being careless in publishing a new version of Claude Code, including source maps. But with the source code available, now, of course, various researchers are looking for hidden features or for vulnerabilities. Adversa found one interesting vulnerability in Claude Code that affects the security feature where a developer is able to not allow Claude Code to run certain shell commands. And, well, of course, Claude Code is all about allowing Claude Code to run shell commands. But you may want to be a little bit careful here. Then this security check is skipped. The problem here, apparently, is that the security check would cost too many tokens. So it's too costly. And as a result, Claude Code just silently skips the security check. So be careful with all of these agentic tools. Personally, I actually like the idea of using a remote machine for development like this. That way, my main work machine is not necessarily affected by anything going wrong here during development.

Well, and this is it for today. So thanks again for listening. Thanks for liking. Thanks for subscribing. And as always, talk to you again on Monday. Bye.
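As an added example for this episode (not ISC, Vite project, or Johannes's code), here is a small Python scanner for web server or reverse-proxy access logs that flags the request shape described for the Vite scans: any request under the /@fs/ prefix, and with higher severity those whose query string carries a `raw` token padded with extra question marks. The log lines are constructed for illustration and use documentation IP ranges; the exact bypass strings are in the linked ISC diary, and the matcher below relies only on the shape described in the episode. Percent-decoding is applied before matching because probes for `/@fs/` are easy to hide as `/%40fs/` in the raw log.

```python
"""Flag probes for Vite's /@fs/ file-serving endpoint in HTTP access logs.

Added example for this Stormcast episode, not ISC or Vite project code.
The sample log below is constructed. Matching follows the shape described in
the episode (a /@fs/ request with a `raw` token and extra '?' characters);
see the linked ISC diary for the exact strings seen in the honeypots.
"""
import re
from urllib.parse import unquote

# Constructed sample in Common Log Format; IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Apr/2026:10:01:02 +0000] "GET /@fs/etc/passwd?raw?? HTTP/1.1" 200 1234
203.0.113.10 - - [03/Apr/2026:10:01:03 +0000] "GET /@fs/etc/passwd?import&raw?? HTTP/1.1" 200 1234
198.51.100.7 - - [03/Apr/2026:10:01:04 +0000] "GET /%40fs/etc/shadow%3F%3Fraw%3F HTTP/1.1" 403 0
192.0.2.5 - - [03/Apr/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5000
192.0.2.5 - - [03/Apr/2026:10:02:01 +0000] "GET /src/main.ts?raw HTTP/1.1" 200 300
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD URL PROTO", status ...
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so encoded probes like /%40fs/ match."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def classify(url: str) -> dict:
    """Return indicator flags for one request URL."""
    u = normalize(url)
    path, _, query = u.partition("?")
    # Any /@fs/ request is worth a look: it targets Vite's file-system mapping.
    fs_access = "/@fs/" in path
    # Bypass shape from the episode: a `raw` token plus more than one '?' in the URL.
    bypass_suffix = fs_access and "raw" in query and u.count("?") > 1
    return {"url": u, "fs_access": fs_access, "bypass_suffix": bypass_suffix}


def scan_log(text: str) -> list:
    """Return one alert dict per log line that touches /@fs/.

    The HTTP status is kept so an analyst can tell a blocked probe (403/404)
    from one the server actually answered (200).
    """
    alerts = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        info = classify(m["url"])
        if info["fs_access"]:
            alerts.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "url": info["url"],
                "severity": "high" if info["bypass_suffix"] else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["ip"]:15} {a["status"]} {a["url"]}')
```

Run against your own logs by feeding the file contents to `scan_log`; a `high` alert with a 200 status means the server handed back the file, which is the case to treat as an incident rather than a scan.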