
SANS Stormcast Monday, November 17th, 2025: New(isch) Fortiweb Vulnerability; Finger and ClickFix



Fortiweb Vulnerability
Fortinet, with significant delay, acknowledged a recently patched vulnerability after exploit attempts were seen publicly.
https://isc.sans.edu/diary/Honeypot+FortiWeb+CVE202564446+Exploits/32486
https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/
https://fortiguard.fortinet.com/psirt/FG-IR-25-910?ref=labs.watchtowr.com

Finger.exe and ClickFix
Attackers started to use the finger.exe binary to retrieve additional payloads in ClickFix attacks.
https://isc.sans.edu/diary/Finger.exe%20%26%20ClickFix/32492
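As an added example (not from the diary or the podcast), a small detector over constructed NetFlow-style records that flags the behaviour described here: an internal host making an outbound TCP/79 (finger) connection. The CSV field names, the sample addresses and the allow-list parameter are assumptions; finger over TCP/79 and the RFC 1918 ranges are not.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed NetFlow-style export (not real traffic): one flow per line.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
2025-11-15T10:01:02Z,10.20.30.40,51922,203.0.113.10,79,tcp,412
2025-11-15T10:01:03Z,10.20.30.40,51923,203.0.113.10,443,tcp,8812
2025-11-15T10:02:11Z,10.20.30.41,49201,198.51.100.7,79,udp,60
2025-11-15T10:03:00Z,203.0.113.55,79,10.20.30.42,51000,tcp,120
2025-11-15T10:04:45Z,10.20.30.43,61000,198.51.100.7,79,tcp,1530
"""

# RFC 1918 ranges: treat these as "our hosts".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Hit:
    ts: str
    src_ip: str
    dst_ip: str
    bytes: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_finger_egress(flow_csv: str, allowlist: frozenset = frozenset()) -> list:
    """Flag flows from internal hosts to TCP/79 on any destination not allow-listed.

    Only the destination port matters: a flow whose *source* port happens to be
    79 (the fourth sample row) is not a finger request. UDP/79 is ignored, since
    finger (RFC 1288) runs over TCP only. The allow-list (hypothetical) exists for
    the rare site that still operates a legitimate finger server.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp" or int(row["dst_port"]) != 79:
            continue
        if not is_internal(row["src_ip"]) or row["dst_ip"] in allowlist:
            continue
        hits.append(Hit(row["ts"], row["src_ip"], row["dst_ip"], int(row["bytes"])))
    return hits


if __name__ == "__main__":
    for hit in detect_finger_egress(SAMPLE_FLOWS):
        print(f"{hit.ts} finger egress {hit.src_ip} -> {hit.dst_ip} ({hit.bytes} bytes)")
```

The same logic maps directly onto a Zeek conn.log or a firewall flow export; only the column names change.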

Podcast Transcript

Hello and welcome to the Monday, November 17th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Master's Degree Program in Information Security Engineering.

Well, the first story here is something that developed on Friday and really sort of became more obvious on Friday, but was sort of in development for the last few days before that. And I'll sort of start here with the end. And that's a notice, a Fortinet security announcement, that there is a new vulnerability in the FortiWeb software. The problem with this is that the patch, and in this case, for example, if you're on version 8, it would be version 8.0.2, was actually released a couple weeks ago. So a couple weeks ago, Fortinet did upgrade their software, fixed a critical vulnerability, CVSS score of 9.1 according to Fortinet, which I think is about appropriate. But they didn't tell anybody about fixing this vulnerability. So what happened last week is that researchers pointed out some attacks they saw that basically looked like a version of an old vulnerability. But well, it was actually this new vulnerability. And we then got, as usual, a good write-up from watchTowr showing that this was essentially a directory traversal that allowed access to this FWB CGI binary that then in turn allowed an attacker to impersonate arbitrary users. And in doing so, basically bypass access control. So the vulnerability was very straightforward. You just needed a JSON payload with the user that you would like to impersonate. And with that, you were all set in order to then gain access to the admin interface. We also, over the weekend, did notice some of these attacks in our honeypots. Didier wrote about this and published one of the attacks that he saw in his honeypot. But yes, this is actively being exploited.

Hopefully, you did upgrade when the upgrade originally came out, not knowing that it fixed this particular vulnerability, which of course may have delayed the upgrade. So if you haven't upgraded yet, the usual advice is assume compromise at this point. This is widely being scanned for. It's trivial to exploit, as long as your admin interface is exposed to the attacker. And even internally, you may have attackers that take advantage of a vulnerability like this. So definitely do assume compromise. Do not just simply patch the system. We had this happen so many times this year where people patched border security devices like this and ended up basically just patching a device that was already backdoored, where attackers had already dumped credentials. Also, if you find an unpatched device at this point, do update your credentials. Now, there is no direct path here to credentials from this particular vulnerability. But attackers will have added users. That's probably the best sort of indicator of compromise that I've seen at this point. And yeah, make sure that nobody has access to the admin interface. That's probably another thing that you can look for. Also, that's about FortiWeb. And as I said, not pretty that FortiWeb or Fortinet did not properly disclose this vulnerability when it was originally patched. There's also a chance that they patched it accidentally maybe and didn't really know what they patched. But it's definitely actively being exploited.

And we got a second diary by Didier. And that's a little bit of a follow-up to a story that sort of broke also late last week. And that's that attackers started to use the finger binary in their ClickFix attacks. So ClickFix, you probably are familiar with this by now, but that's where a user is being tricked into copy-pasting PowerShell code, typically into a command line window. They are believing they're actually solving a CAPTCHA in doing so. But of course, attackers sometimes run into some endpoint protection software. Well, a standard way to get around endpoint protection software is to use binaries that already exist on the system. That's sort of often referred to as living off the land binary or LOLBin attacks. This particular case here uses the finger.exe binary in order to retrieve additional commands from a remote system. They could have done DNS. I would have liked it actually better if they would have done DNS because I like DNS. But they decided to use finger, which is probably much, much more verbose, much, much louder than using DNS. But then again, network detection is often really not there where it should be. And that's probably why this finger command slips through. Also, the finger command doesn't use any proxies. So other tools they may use may use proxies. The proxies may do some inspection or filtering. Finger doesn't do that. It goes out straight on TCP port 79. So definitely, you know, just start looking for this stuff. And it should be very easy to detect. It's really one of those things where you really shouldn't see any traffic outbound on port 79 from your hosts.

But that's it for today. Sorry for being a little bit ranty and long today, but it's kind of frustrating to have the same stuff happening over and over. If you have problems with commercial software, commercial systems, please call the support. Make them incur costs. Otherwise, they're not going to fix it. So don't just sit there and fix it yourself. Have them help you. And then for the second story, make sure you get network detection up and running. Even NetFlow will detect this stuff. So there's really no excuse, if you have any kind of SOC or so, to not detect someone using finger. That's it for today and talk to you again tomorrow. Bye. Bye. Thank you.