Handler on Duty: Guy Bruneau
Threat Level: green
Podcast Detail
SANS Stormcast Monday, January 26th, 2026: FortiOS SSO Vuln Updates; Outlook OOB Update; VMware vCenter Exploited
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9780.mp3
My Next Class
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
Analysis of Single Sign-On Abuse on FortiOS
Fortinet released an advisory. FortiOS devices are vulnerable if configured with any SAML integration, not just FortiCloud.
https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
Outlook OOB Update
Microsoft released a non-security OOB update for Outlook, fixing an issue introduced with this month's security patches.
https://support.microsoft.com/en-us/topic/january-24-2026-kb5078127-os-builds-26200-7628-and-26100-7628-out-of-band-cf5777f6-bb4e-4adb-b9cd-2b64df577491
VMware vCenter Server Vulnerabilities Exploited (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)
A VMware vCenter vulnerability patched last June is now actively exploited.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
Podcast Transcript
Hello and welcome to the Monday January 26, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations.

I just want to start out with a quick update on the FortiOS SAML bypass issue. We now have an official statement from Fortinet regarding this problem. And they basically say, well, kind of what we already knew, that it was SAML and single sign-on related. So the mitigation still stands. You should disable single sign-on and there is no patch available yet. And Fortinet didn't say about a schedule or anything like this, just that they're working on it. One interesting sort of little tidbit from the Fortinet advisory is that this does not just affect the FortiCloud implementation of single sign-on, but essentially more or less any system that you're using that uses SAML to authenticate to FortiOS could potentially be bypassed. So it's basically how FortiOS implements SAML and how it verifies whether or not these SAML messages are correctly signed. This of course is an ongoing issue. Not just Fortinet has been struggling with implementing SAML correctly. There have been multiple issues. We have talked about this here in the podcast before, where it was possible to bypass SAML authentication by manipulating these digitally signed messages.

And then we got a second out of band update from Microsoft that was triggered by January's security updates. This time it's Outlook that's being patched. Again, these updates are not security updates so much, but they're fixing problems that were introduced by the security update. Here, apparently, if you're using Outlook and you're storing PST files on OneDrive, you may have Outlook hanging and you can't exit it. So this problem is now being fixed that this was released on Saturday. So try to update it. Again, not a security issue. If you don't experience any problems with Outlook, then of course you may not need this particular update.

And Broadcom released an updated advisory for vCenter. Originally, these vulnerabilities were patched in June, but turns out now they're actually being exploited. Now, I don't always cover just the fact that the vulnerabilities are being exploited in particular, if patches have been available for a while. But this sort of trickled something that I've heard about a few times now. And that's, you know, of course, many people are switching away from VMware vCenter, in particular for things like homelabs and such, just because of the difficulties with licensing and Broadcom. Please remember that many of the alternatives also have these fairly complex web admin interfaces and such, that, in my opinion, are likely vulnerable. You may not have seen a lot of vulnerabilities being disclosed, but just the nature of the software, when you have these complex web-based admin interfaces and such, usually means that there are some vulnerabilities in these systems. In particular, if an attacker gains some authorized access to them. So please do yourself a favor and don't expose them directly to the internet.

Well, and this is it for today. So, thanks for listening. Thanks for liking this podcast. Thanks for subscribing to it. I still have the thing going where, if you find a mistake or any kind of, you know, comment or something, you want a sticker, please let me know and I'll email you a sticker. And with that, talk to you again tomorrow. Bye.





