A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
Similar Podcasts
Thinking Elixir Podcast
The Thinking Elixir podcast is a weekly show where we talk about the Elixir programming language and the community around it. We cover news and interview guests to learn more about projects and developments in the community.
The Cynical Developer
A UK based Technology and Software Developer Podcast that helps you to improve your development knowledge and career,
through explaining the latest and greatest in development technology and providing you with what you need to succeed as a developer.
Elixir Outlaws
Elixir Outlaws is an informal discussion about interesting things happening in Elixir. Our goal is to capture the spirit of a conference hallway discussion in a podcast.
SANS Stormcast Friday, January 16th, 2026: Cryptojacking Hidden Gifts; Bluetooth Vulnerability; Reprompt in MSFT Copilot
Battling Cryptojacking, Botnets, and IABs Cryptojacking often comes with less obvious addons, like SSH backdoors https://isc.sans.edu/diary/Battling%20Cryptojacking%2C%20Botnets%2C%20and%20IABs%20%5BGuest%20Diary%5D/32632 Microsoft Copilot Reprompt Attacks Adding a query parameter to the URL may prefill a Copilot prompt, altering the meaning of the prompts that follow. https://www.varonis.com/blog/reprompt Hijacking Bluetooth Accessories Using Google Fast Pair Google s fast pair protocol is often not implemented correctly, allowing the Hijacking of Bluetooth accessories https://whisperpair.eu/#about
SANS Stormcast Thursday, January 15th, 2026: Luma Streal Repeat Infection; ServiceNow Broken Auth; Starlink/GPS Jamming
Infection repeatedly adds scheduled tasks and increases traffic to the same C2 domain https://isc.sans.edu/diary/Infection%20repeatedly%20adds%20scheduled%20tasks%20and%20increases%20traffic%20to%20the%20same%20C2%20domain/32628 BodySnatcher (CVE-2025-12420): A Broken Authentication and Agentic Hijacking Vulnerability in ServiceNow https://appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/ Starlink Terminal GPS Spoofing/Jamming Detection in Iran https://github.com/narimangharib/starlink-iran-gps-spoofing/blob/main/starlink-iran.md
SANS Stormcast Wednesday, January 14th, 2026: Microsoft, Adobe and Fortinet Patches; ConsentFix
Microsoft Patch Tuesday January 2026 Microsoft released patches for 113 vulnerabilities. This includes one already exploited vulnerability, one that was made public before today and eight critical vulnerabilities. https://isc.sans.edu/diary/January%202026%20Microsoft%20Patch%20Tuesday%20Summary/32624 Adobe Patches Adobe released patches for five products. The code execution vulnerabilities in ColdFusion and Acrobat Reader deserve special attention. https://helpx.adobe.com/security.html Fortinet Patches Fortnet patched two products today, one suffering from an SSRF vulnerability. https://fortiguard.fortinet.com/psirt/FG-IR-25-783 https://fortiguard.fortinet.com/psirt/FG-IR-25-084 ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants Attackers are tricking victims to copy/paste OAUTH URLs, including credentials, to a fake CAPTCHA https://pushsecurity.com/blog/consentfix
SANS Stormcast Tuesday, January 13th, 2026: n8n got npm’ed; Gogs exploit; telegram proxy links
n8n supply chain attack Malicious npm pagackages were used to attempt to obtain user OAUTH credentials for NPM. https://www.endorlabs.com/learn/n8mare-on-auth-street-supply-chain-attack-targets-n8n-ecosystem Gogs 0-Day Exploited in the Wild An at the time unpachted flaw in Gogs was exploited to compromise git repos. https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit Telegram Proxy Link Abuse Telegram proxy links have been abused to deanonymize users https://x.com/GangExposed_RU/status/2009961417781457129
SANS Stormcast Monday, January 12th, 2026: PEB Manipulation; YARA Update; VideoLAND and Apache NimBLE Patches
Malicious Process Environment Block Manipulation The process environment block contains metadata about particular processes, but can be manipulated. https://isc.sans.edu/diary/Malicious+Process+Environment+Block+Manipulation/32614/ YARA-X 1.11.0 Release: Hash Function Warnings The latest version of YARA will warn users if a hash rule attempts to match an invalid hash. https://isc.sans.edu/diary/YARA-X%201.11.0%20Release%3A%20Hash%20Function%20Warnings/32616 VideoLAN Security Bulletin VLC 3.0.22 CVE-2025-51602 VideoLAN fixed several vulnerabilities in its VLC software. https://www.videolan.org/security/sb-vlc3022.html Apache NimBLE Bluetooth vulnerabilities NimBLE is a Bluetooth stack popular in IoT devices. An update fixes some eavesdropping and pairing vulnerabilities. https://mynewt.apache.org/cve/
SANS Stormcast Friday, January 9th, 2026: Gephi Analysis; zlib vuln; GnuPG Vulns; Cisco/Cloudflare DNS Issue
Analysis using Gephi with DShield Sensor Data Gephi is a neat tool to create interactive data visualizations. It can be applied to honeypot data to find data clusters. https://isc.sans.edu/diary/Analysis%20using%20Gephi%20with%20DShield%20Sensor%20Data/32608 zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility The untgz utility that is part of zlib suffers from a straightforward buffer overflow in the filename parameter https://seclists.org/fulldisclosure/2026/Jan/3 GnuPG Vulnerabilities Several vulnerabilities in GnuPG were disclosed during a recent talk at the CCC congress. https://gpg.fail Cisco DNS Bug Reboot Last night, several Cisco users reported that their switches rebooted. The issue appears to be related to a change Cloudflare made in the order of CNAME records. Only users using 1.1.1.1 as a recursive resolver appear to be affected. https://community.cisco.com/t5/switches-small-business/got-fatal-error-cbs350-24t-4g/td-p/5359883?utm_source=chatgpt.com
SANS Stormcast Thursday, January 8th, 2026: HTML QR Code Phishing; n8n vulnerability; Powerbank Feature Creep
A phishing campaign with QR codes rendered using an HTML table Phishing emails are bypassing filters by encoding QR codes as HTML tables. https://isc.sans.edu/diary/A%20phishing%20campaign%20with%20QR%20codes%20rendered%20using%20an%20HTML%20table/32606 n8n vulnerabilities In recent days, several new n8n vulnerabilities were disclosed. Ensure that you update any on-premises installations and carefully consider what to use n8n for. https://www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858 https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg Power bank feature creep is out of control Simple power banks are increasingly equipped with advanced features, including networking, which may expose them to security risks. https://www.theverge.com/tech/856225/power-banks-are-the-latest-victims-of-feature-creep
SANS Stormcast Wednesday, January 7th, 2026: Tailsnitch Review; D-Link DSL EoL Vuln; TOTOLINK Unpatched Vuln
Tool Review: Tailsnitch Tailsnitch is a tool to audit your Tailscale configuration. It does a comprehensive analysis of your configuration and suggests (or even applies) fixes. https://isc.sans.edu/diary/Tool%20Review%3A%20Tailsnitch/32602 D-Link DSL Command Injection via DNS Configuration Endpoint A new vulnerability in very old D-Link DSL modems is currently being exploited. https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint TOTOLINK EX200 firmware-upload error handling can activate an unauthenticated root telnet service TOTOLINK extenders may start a telnet server and allow unauthenticated access if a firmware update fails. https://kb.cert.org/vuls/id/295169
SANS Stormcast Tuesday, January 6th, 2026: IPKVM Risks; Tailsnitch; Net-SNMP Vuln;
Risks of OOB Access via IP KVM Devices Recently, cheap IP KVMs have become popular. But their deployment needs to be secured. https://isc.sans.edu/diary/Risks%20of%20OOB%20Access%20via%20IP%20KVM%20Devices/32598 Tailsnitch Tailsnitch is a tool to review your Tailscale configuration for vulnerabilities https://github.com/Adversis/tailsnitch Net-SNMP snmptrapd vulnerability A new vulnerability in snmptrapd may lead to remote code execution https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq
SANS Stormcast Monday, January 5th, 2026: MongoBleed/React2Shell Recap; Crypto Scams; DNS Stats; Old Fortinet Vulns
Cryptocurrency Scam Emails and Web Pages As We Enter 2026 Scam emails are directing victims to confidence scams attempting to steal cryptocurrencies. https://isc.sans.edu/diary/Cryptocurrency%20Scam%20Emails%20and%20Web%20Pages%20As%20We%20Enter%202026/32594 Debugging DNS response times with tshark tshark is a powerful tool to debug DNS timing issues. https://isc.sans.edu/diary/Debugging+DNS+response+times+with+tshark/32592/ Old Fortinet Devices Have not been updated Over 10,000 Fortinet devices are still vulnerable to a five year old vulnerability https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewalls-exposed-to-ongoing-2fa-bypass-attacks/
SANS Stormcast Sunday, December 28th, 2025: MongoDB Unauthenticated Memory Leak CVE-2025-14847
MongoDB Unauthenticated Attacker Sensitive Memory Leak CVE-2025-14847 Over the Christmas holiday, MongoDB patched a sensitive memory leak vulnerability that is now actively being exploited https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977 https://github.com/mongodb/mongo/commit/505b660a14698bd2b5233bd94da3917b585c5728 https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/ https://github.com/joe-desimone/mongobleed/
SANS Stormcast Monday, December 22nd, 2025: TLS Callbacks; FreeBSD RCE; NIST Time Server Issues
DLLs & TLS Callbacks As a follow-up to last week's diary about DLL Entrypoints, Didier is looking at TLS ( Thread Local Storage ) and how it can be abused. https://isc.sans.edu/diary/DLLs%20%26%20TLS%20Callbacks/32580 FreeBSD Remote code execution via ND6 Router Advertisements A critical vulnerability in FreeBSD allows for remote code execution. But an attacker must be on the same network. https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc NIST Time Server Problems The atomic ensemble time scale at the NIST Boulder campus has failed due to a prolonged utility power outage. One impact is that the Boulder Internet Time Services no longer have an accurate time reference. https://tf.nist.gov/tf-cgi/servers.cgi https://groups.google.com/a/list.nist.gov/g/internet-time-service/c/o0dDDcr1a8I
SANS Stormcast Friday, December 19th, 2025: Less Vulnerabie Devices; Critical OneView Vulnerablity; Trufflehog finds JWTs
Positive trends related to public IP range from the year 2025 Fewer ICS systems, as well as fewer systems with outdated SSL versions, are exposed to the internet than before. The trend isn t quite clean for ISC, but SSL2 and SSL3 systems have been cut down by about half. https://isc.sans.edu/diary/Positive%20trends%20related%20to%20public%20IP%20ranges%20from%20the%20year%202025/32584 Hewlett-Packard Enterprise OneView Software, Remote Code Execution HPs OneView Software allows for unauthenticated code execution https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1 Trufflehog Detecting JWTs with Public Keys Trufflehog added the ability to detect JWT tokens and validate them using public keys. https://trufflesecurity.com/blog/trufflehog-now-detects-jwts-with-public-key-signatures-and-verifies-them-for-liveness
SANS Stormcast Thursday, December 18th, 2025: More React2Shell; Donicwall and Cisco Patch; Updated Chrome Advisory
Maybe a Little Bit More Interesting React2Shell Exploit Attackers are branching out to attack applications that initial exploits may have missed. The latest wave of attacks is going after less common endpoints and attempting to exploit applications that do not have Next.js exposed. https://isc.sans.edu/diary/Maybe%20a%20Little%20Bit%20More%20Interesting%20React2Shell%20Exploit/32578 UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager Cisco s Security Email Gateway and Secure Email and Web Manager patch an already-exploited vulnerability. https://blog.talosintelligence.com/uat-9686/ https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4 SONICWALL SMA1000 APPLIANCE LOCAL PRIVILEGE ESCALATION VULNERABILITY A local privilege escalation vulnerability, which SonicWall patched today, is already being exploited. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019 Google releases vulnerability details Google updated last week s advisory by adding a CVE to the mystery vulnerability and adding a statement that it affects WebGPU. No new patch was released. https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html
SANS Stormcast Wednesday, December 17th, 2025: Beyond RC4; Forticloud SSO Vuln Exploited; FortiGate SSO Exploited;
Beyond RC4 for Windows authentication Microsoft outlined its transition plan to move away from RC4 for authentication and published guidance and tools to facilitate this change. https://www.microsoft.com/en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication FortiCloud SSO Login Vuln Exploited Arctic Wolf observed exploit attempts against vulnerable FortiGate appliances. https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/ FrePBX Vulnerability Horizon3.ai identified three distinct vulnerabilities in FreePBX. In particular, the authentication by-pass issue should be of concern, but default FreePBX installs do not use the vulnerable web authentication feature. https://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/