
SANS Stormcast Thursday, January 22nd, 2026: Visual Studio Code Scripts; Cisco Unified Comm and Zoom Vuln; Insufficient Fortinet Patch; SANS SOC Survey

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9776.mp3


Automatic Script Execution In Visual Studio Code
Visual Studio Code will read configuration files within the source code that may lead to code execution.
https://isc.sans.edu/diary/Automatic%20Script%20Execution%20In%20Visual%20Studio%20Code/32644
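The mechanism described in Xavier's diary (and in the transcript below) is a task in `.vscode/tasks.json` that VS Code starts on its own when the folder is opened. The following added example is not code from the diary, the SANS page or VS Code itself: it parses that file, which VS Code reads as JSON with comments and trailing commas, and lists every task that would start automatically, so a downloaded project can be checked before it is opened in the IDE. It assumes the documented VS Code trigger `"runOptions": {"runOn": "folderOpen"}`; the sample tasks.json is constructed for the demonstration.

```python
"""Flag VS Code tasks that start as soon as a folder is opened (added example, not the
ISC diary's code). Assumes the documented tasks.json layout, where a task carrying
"runOptions": {"runOn": "folderOpen"} is launched automatically by VS Code."""
import json
import re

# tasks.json is JSONC. Each regex matches string literals first (group 1) so that
# "//" inside a URL argument is never mistaken for a comment.
_STR = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(rf"({_STR})|//[^\n]*|/\*.*?\*/", re.DOTALL)
_TRAILING = re.compile(rf"({_STR})|,(\s*[}}\]])")


def jsonc_loads(text):
    """Parse VS Code-style JSON that may contain comments and trailing commas."""
    text = _COMMENT.sub(lambda m: m.group(1) or "", text)
    text = _TRAILING.sub(lambda m: m.group(1) or m.group(2), text)
    return json.loads(text)


def auto_run_tasks(tasks_json_text):
    """Return (label, command line) for every task VS Code would start on folder open."""
    try:
        data = jsonc_loads(tasks_json_text)
    except ValueError:
        return []  # unparsable file: VS Code would not run it either
    hits = []
    for task in (data.get("tasks") or []) if isinstance(data, dict) else []:
        if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            parts = [task.get("command", "")] + list(task.get("args") or [])  # per-OS overrides not expanded
            hits.append((task.get("label", "<unlabelled>"), " ".join(str(p) for p in parts)))
    return hits


# Constructed sample: a harmless build task plus one that fires when the folder is opened.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0", // comments are legal here
  "tasks": [
    {"label": "build", "type": "shell", "command": "make", "args": ["all"]},
    {"label": "setup", "type": "shell", "command": "python",
     "args": ["scripts/bootstrap.py", "--from", "https://example.invalid/pkg"],
     "runOptions": {"runOn": "folderOpen"}, /* trailing commas are legal too */
    },
  ]
}"""

if __name__ == "__main__":
    for label, cmdline in auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {label!r} would execute: {cmdline}")
```

Run it against every `.vscode/tasks.json` in a checkout (for example via `os.walk`) before opening the folder; a project that legitimately needs an auto-run task should be able to explain it.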

Cisco Unified Communications Products Remote Code Execution Vulnerability
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

Zoom Vulnerability
A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to execute remote code on the MMR via network access.
https://www.zoom.com/en/trust/security-bulletin/zsb-26001/

Possible new SSO Exploit (CVE-2025-59718) on 7.4.9
https://www.reddit.com/r/fortinet/comments/1qibdcb/possible_new_sso_exploit_cve202559718_on_749/

SANS SOC Survey
The 2026 SOC Survey is open, and we need your input to create a meaningful report. Please share your experience so we can advocate for what actually works in the trenches.
https://survey.sans.org/jfe/form/SV_3ViqWZgWnfQAzkO?is=socsurveystormcenter

Podcast Transcript

Hello and welcome to the Thursday, January 22nd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

In diaries today, we have Xavier and we talk about the automatic script execution in Visual Studio Code. Visual Studio Code is a development environment. It's much more than a simple editor and, like most of these IDEs, it has the ability to execute code. One way this is done in Visual Studio Code is by using a .vscode directory and inside that a tasks.json file. What happens is, as Visual Studio Code opens a file, it checks for this directory, and the tasks.json file will then define certain actions to execute on specific events, like in the example that Xavier presents, whenever a new folder is opened. So that means an attacker can easily smuggle code as part of some project that they're offering, for example, for download and then execute it inside the developer's editor. This is a technique that has been used in several attacks, so there's nothing really new. Similar stuff has been done with Visual Studio Code extensions, for example. But I think the most important lesson here is: whenever you download source code and then open it in a complex environment like Visual Studio Code, well, there is a possibility that code is being executed, so you better trust that code. Some development environments, like for example the ones developed by JetBrains that are very popular, will give you sort of a warning when you open a file. It asks you, well, do you trust the file or not, which will then trigger this behavior or keep it just in sort of a normal editor mode where it doesn't execute any code. Either way, whenever you edit code, make sure that you trust the code, and you may want to check for any mechanisms like this, like this tasks.json file for Visual Studio Code, but they look slightly different for every development environment.

And Cisco released several patches today. The most noteworthy one is a critical vulnerability in the Cisco Unified Communications product. There's an entire sort of product family that is sort of under this umbrella. They all suffer from this vulnerability. It's rated critical. The CVSS score is a little bit low, I think, for this vulnerability: a base score of 8.2. The problem is that we have one of those typical vulnerabilities where user input isn't properly validated. It doesn't really state the exact nature of the problem here, but it says that an unauthenticated attacker could obtain user privileges and then later escalate them to root. So basically lead to a complete system compromise, which is why I think this may deserve a higher CVSS score. But it's not really clear if they're really talking about the same vulnerability here or just two different vulnerabilities chained together to get to the complete root access on the device. Either way, patch your setups.

Then we have a critical vulnerability in Zoom that has been patched. This one affects the Zoom Node multimedia routers, so not sort of the Zoom desktop product. But it's critical and sort of interesting also because it does allow operative code execution. So that's why it has a CVSS score of 9.9 and should be quickly patched. In order to exploit the vulnerability, a user, an attacker, has to be a participant of a Zoom meeting that is using this Zoom Node multimedia router.

And Fortinet users are reporting that they're seeing successful exploit attempts against Fortinet firewalls that are perfectly patched, in particular patched against CVE-2025-59718, a single sign-on vulnerability that was patched back in December. And apparently what is going on here is that a new variation of the exploit is able to bypass the patch. Haven't seen any sort of official note from Fortinet yet, but a user in the Fortinet Reddit quoted communication with a Fortinet developer confirming that the vulnerability really persists and is not really fixed yet in 7.4.10. And there should soon be a 7.4.11 version coming out, as well as respective updates for 7.6 and 8.0. So keep looking out for that. In the meantime, just sort of disabling the single sign-on feature works as a workaround. That was the workaround that was also recommended back when the vulnerability was originally discovered and before it was patched in December.

And SANS is asking for your help with the 10th annual SOC survey. It's sort of one of the big surveys that SANS does every year. And yes, now for 10 years in a row. So if you're working in a SOC or even if you're managing it, please share your experience. This has been sort of one of the bigger surveys that SANS does each year. It has been quite helpful in the past. So please help us out here in just answering a couple questions. Well, and that's it for today. So thanks for listening. Thanks for liking and thanks for subscribing to this podcast. And as always, talk to you again tomorrow. Bye.