SANS Stormcast Wednesday, December 10th, 2025: Microsoft, Adobe, Ivanti, Fortinet, and Ruby patches.
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9732.mp3
My Next Class
| Network Monitoring and Threat Detection In-Depth | Online | Central European Time | Dec 15th - Dec 20th 2025 |
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
Microsoft Patch Tuesday
Microsoft released its regular monthly patch on Tuesday, addressing 57 flaws.
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202025/32550
Adobe Patches
Adobe patched five products. The remote code execution in ColdFusion, as well as the code execution issue in Acrobat, will very likely see exploits soon.
https://helpx.adobe.com/security.html
Ivanti Endpoint Manager Patches
Ivanti patched four vulnerabilities in Endpoint Manager.
https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US
Fortinet FortiCloud SSO Vulnerability
Due to a cryptographic vulnerability, Fortinet's FortiCloud SSO authentication is bypassable.
https://fortiguard.fortinet.com/psirt/FG-IR-25-647
ruby-saml vulnerability
Ruby fixed a vulnerability in ruby-saml. The issue is due to an incomplete patch for another vulnerability a few months ago.
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3
Podcast Transcript
Hello and welcome to the Wednesday, December 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

Well, today, of course, lots of patches to talk about. And first of all, Microsoft's Patch Tuesday for December. It was a lighter Patch Tuesday, only 57 vulnerabilities being addressed here. Only three of these vulnerabilities were rated as critical. And then we had one vulnerability that's already being exploited and two that are publicly disclosed. Now, about the already-being-exploited vulnerability, that is a privilege escalation vulnerability in the Microsoft Cloud Files Mini Filter driver, some of those driver issues. And yes, that's already being exploited. But again, only a privilege escalation vulnerability.

The publicly known but not yet exploited vulnerabilities. Well, actually, the first one, Invoke-WebRequest, the PowerShell function that's often used maliciously, but of course, also in benign scripts. The problem here is that by default, you may actually execute code here. So there is this -UseBasicParsing parameter. And what they changed here was that if you just use Invoke-WebRequest, you'll actually get a warning telling you that you are here at the risk of actually executing code unless you add the -UseBasicParsing parameter. So really just clarified how to use this particular PowerShell function. And then the second already known vulnerability. It's really sort of a class of vulnerabilities that we have seen, of course, quite frequently lately. And that's all these AI copilots. As you let them take over your IDE, your development environment, you, of course, run the risk that they'll overstep their bounds and will actually execute code. And of course, in some cases, an attacker may have some control over the code being executed here. And the GitHub Copilot plugin for JetBrains. So JetBrains is not Microsoft, but a company that makes a lot of integrated development environments. And then, of course, Microsoft is responsible for the Copilot part that plugs into JetBrains. And that's sort of where they added some additional constraints. We'll see how well they work to prevent some of these malicious code executions. Now, none of these vulnerabilities is rated critical. The critical ones are in Office and Outlook. So your good old Outlook Office vulnerabilities we have every month. And with that, I don't really think that is a terribly exciting Patch Tuesday. Even these three known and already exploited vulnerabilities aren't really that terribly big of a deal.

Next company to always release updates on Patch Tuesday is Adobe. And we got updates for five products, which is on the lighter side for Adobe. But two of these products are sort of on my watch list of likely-to-be-exploited products. One, ColdFusion. And we do have a big vulnerability here. An arbitrary code execution due to an unconstrained file upload. So very likely something where an attacker could upload some kind of web shell. The second product, Acrobat Reader. Also some code execution vulnerabilities being addressed here. And then again, that's typically being exploited by sending a malicious PDF to the victim.

And Ivanti also jumped in here on Patch Tuesday. This time again with an update for Endpoint Manager. One interesting vulnerability here. Stored cross-site scripting in admin sessions. And this one rates with a CVSS score of 9.6. Certainly something where an attacker could do quite a bit of damage if they can essentially remote control an administrator's browser as part of an admin session.

And Fortinet is warning of an authentication bypass vulnerability that affects its FortiCloud single sign-on login. This affects all products that are configured with FortiCloud. And the mitigation here is, well, to turn it off until you update your device. Looks like some kind of cryptographic issue. Maybe algorithm confusion or something like that. And that's very common in these single sign-on systems. If they haven't been validated properly or if they're using some outdated library and the like. That often leads to these types of vulnerabilities.

And I have no idea if Fortinet's software is written in Ruby. But we also had a patch today for the Ruby SAML library. Apparently, this is sort of one of those parser discrepancy issues. Where different XML parsers interpret data slightly differently. And that often leads then to vulnerabilities where, for example, username or claims or such aren't parsed properly or differently in different parsers. They had a similar vulnerability, I think, a couple months ago and didn't completely fix it. So this is really just an additional fix for this older vulnerability to hopefully this time completely mitigate it.

Well, and this is it for today. Thanks for listening. And would really appreciate a comment in the Apple Podcasts app. And that's it for today. Talk to you again tomorrow. Bye-bye.
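The parser discrepancy described in the transcript for ruby-saml, shown as an added Python illustration that is not ruby-saml's code and not part of the podcast's notes. Two extraction strategies are run against the same SAML-style assertion: one returns only the first text node of an element (the way REXML's `Element#text` behaves), the other concatenates every text node (the way Nokogiri's `content` behaves). When an XML comment sits inside the NameID, the two strategies return different identities. The hardened extractor uses a single parser and accepts a NameID only when its content is exactly one text node, so there is nothing left for implementations to disagree about. The SAML 2.0 assertion namespace is real; the two assertions are constructed samples and the function names are assumptions for this example.

```python
"""Parser-discrepancy check for a SAML-style NameID (added example)."""
from typing import Optional
import xml.etree.ElementTree as ET
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NSMAP = {"saml": SAML_NS}

# Constructed sample: a well-formed NameID holding a single text node.
CLEAN_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
    b"</saml:Assertion>"
)

# Constructed sample: the same document with an XML comment splitting the
# NameID text into two text nodes, which is where extractors can disagree.
SPLIT_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"<saml:Subject><saml:NameID>alice@example.com<!---->.other.example"
    b"</saml:NameID></saml:Subject>"
    b"</saml:Assertion>"
)


def nameid_first_text_node(xml_bytes: bytes) -> str:
    """Mirror libraries whose text accessor returns only the FIRST text node.

    minidom keeps comments as DOM nodes, so the text after the comment ends
    up in a second text node that this strategy never looks at.
    """
    doc = minidom.parseString(xml_bytes)
    node = doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]
    first = node.firstChild
    if first is None or first.nodeType != first.TEXT_NODE:
        return ""
    return first.data


def nameid_all_text(xml_bytes: bytes) -> str:
    """Mirror libraries whose text accessor concatenates EVERY text node.

    ElementTree's default parser discards comments, so the text on both
    sides of the comment is joined back into one string.
    """
    root = ET.fromstring(xml_bytes)
    node = root.find(".//saml:NameID", NSMAP)
    return "".join(node.itertext())


def parsers_agree(xml_bytes: bytes) -> bool:
    """True when both strategies yield the same identity for this document."""
    return nameid_first_text_node(xml_bytes) == nameid_all_text(xml_bytes)


def nameid_strict(xml_bytes: bytes) -> Optional[str]:
    """Hardened extraction: one parser, and reject any NameID whose content
    is not exactly one text node (comments, CDATA sections or child elements
    are the places where parser implementations differ).

    Returns the identity, or None when the assertion is rejected.
    """
    doc = minidom.parseString(xml_bytes)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        return None
    children = nodes[0].childNodes
    if len(children) != 1 or children[0].nodeType != children[0].TEXT_NODE:
        return None
    return children[0].data


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_ASSERTION), ("split", SPLIT_ASSERTION)):
        print(label,
              "first:", nameid_first_text_node(doc),
              "| all:", nameid_all_text(doc),
              "| agree:", parsers_agree(doc),
              "| strict:", nameid_strict(doc))
```

The defensive point is the last function: whichever library verifies the signature should also be the one that hands back the claims, and any NameID that is not a single plain text node is rejected rather than interpreted. Running the block shows the two lenient strategies agreeing on the clean assertion and disagreeing on the split one, while the strict extractor accepts only the former.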