SANS Stormcast Wednesday, June 4th, 2025: vBulletin Exploited; Chrome 0-Day Patch; Roundcube RCE Patch; Multiple HP StoreOnce Vulns Patched
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9478.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
vBulletin Exploits CVE-2025-48827, CVE-2025-48828
We do see exploit attempts for the vBulletin flaw disclosed about a week ago. The flaw is only exploitable if vBulletin is run on PHP 8.1 or later, and it was patched over a year ago. However, vBulletin never disclosed the type of vulnerability that was patched.
https://isc.sans.edu/diary/vBulletin%20Exploits%20%28CVE-2025-48827%2C%20CVE-2025-48828%29/32006
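The transcript below explains the root cause: since PHP 8.1, ReflectionMethod::invoke() no longer enforces method visibility (setAccessible() became a no-op), so a dispatcher that resolved API methods by name via reflection and implicitly relied on reflection refusing protected methods suddenly exposes them. The following is an added illustrative example, not vBulletin's code; the class ApiController, its methods listThreads() and evalTemplate(), and both dispatcher functions are made up for the demonstration. It shows the fragile pattern beside a hardened dispatcher that enforces visibility and an endpoint allow-list itself, independent of the PHP version.

```php
<?php
// Added illustrative example (not vBulletin's code). Names are invented.
declare(strict_types=1);

final class ApiController
{
    // Intended to be reachable through the API.
    public function listThreads(array $args): string
    {
        return 'threads for forum ' . (int)($args['forum'] ?? 0);
    }

    // Internal helper; must never be reachable from a request.
    protected function evalTemplate(array $args): string
    {
        return 'internal template engine invoked with ' . json_encode($args);
    }
}

// Fragile dispatcher: relies on reflection refusing non-public methods.
// On PHP < 8.1, invoke() throws ReflectionException for a protected method;
// on PHP >= 8.1 it silently succeeds, so evalTemplate() becomes callable
// by anyone who can name it in a request.
function dispatchVulnerable(object $ctl, string $method, array $args): string
{
    $rm = new ReflectionMethod($ctl, $method);   // throws if the method does not exist
    return $rm->invoke($ctl, $args);
}

// Hardened dispatcher: an explicit allow-list of endpoints plus an explicit
// visibility check, so the behaviour does not depend on the PHP version.
function dispatchHardened(object $ctl, string $method, array $args): string
{
    static $allowed = ['listThreads' => true];
    if (!isset($allowed[$method])) {
        throw new InvalidArgumentException("unknown endpoint: $method");
    }
    $rm = new ReflectionMethod($ctl, $method);
    // Reject non-public, static and magic (__*) methods even if allow-listed by mistake.
    if (!$rm->isPublic() || $rm->isStatic() || strncmp($method, '__', 2) === 0) {
        throw new InvalidArgumentException("endpoint not callable: $method");
    }
    return $rm->invoke($ctl, $args);
}

$ctl  = new ApiController();
$args = ['forum' => 7];   // constructed sample request parameters

foreach (['listThreads', 'evalTemplate'] as $m) {
    try {
        printf("vulnerable  %-13s -> %s\n", $m, dispatchVulnerable($ctl, $m, $args));
    } catch (ReflectionException $e) {
        printf("vulnerable  %-13s -> blocked (%s)\n", $m, $e->getMessage());
    }
    try {
        printf("hardened    %-13s -> %s\n", $m, dispatchHardened($ctl, $m, $args));
    } catch (InvalidArgumentException $e) {
        printf("hardened    %-13s -> blocked (%s)\n", $m, $e->getMessage());
    }
}
```

Run the script once under PHP 8.0 and once under PHP 8.1 or later: the vulnerable dispatcher blocks evalTemplate() only on the older interpreter, while the hardened one blocks it on both. The practical lesson is that visibility checks belong in your own dispatch code (isPublic(), an allow-list), never delegated to whatever the reflection API happens to enforce.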
Google Chrome 0-Day Patched
Google released a security update for Google Chrome patching three flaws. One of these is already being exploited.
https://chromereleases.googleblog.com/
Roundcube Update
Roundcube patched a vulnerability that allows any authenticated user to execute arbitrary code.
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
HP Vulnerabilities in StoreOnce
HP patched multiple vulnerabilities in StoreOnce. These issues could lead to remote code execution.
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US
Podcast Transcript
Hello and welcome to the Wednesday, June 4, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership. I'm recording in Jacksonville, Florida.

Well, in diaries today I looked a little bit more at the vBulletin vulnerability that I mentioned earlier this week and exploits that we observed around this particular vulnerability. vBulletin, again, is bulletin board software. It's quite popular. It's a commercial offering, not an open source offering in that sense. It's written in PHP. And I think this vulnerability really has two interesting aspects that I think haunt a lot of vulnerabilities and also vulnerability mitigation. Now, this vulnerability was first really explained by this particular blog post from Egidio Romano. I think I mentioned the wrong name in the diary originally, but Egidio here is the one that really dove into this patch that vBulletin had released about a year ago and then explained how this particular vulnerability can get exploited. That's really where it gets interesting. So, vBulletin implements an API, as so many web applications do. And this API does expose specific classes. Now, the problem here is that in PHP version 8.1, how you access particular methods in these classes changed somewhat. So, methods that you considered being protected, not accessible to basically any call from outside the class, have now been exposed in PHP version 8.1. Now, there's more details to it. It basically uses these reflections, which are used to interrogate classes and figure out, you know, how to call a particular method. And that's really where the change happened. It's, in my opinion, not a well-documented change. I looked at the 8.1 change log, didn't really see it there. But then in the actual PHP manual for the ReflectionMethod invoke method, it does actually mention that, yes, you know, this change was made in version 8.1. So, from the vBulletin point of view, certainly something that's easily overlooked.

On the other hand, well, you know, you want to patch. You want to keep your PHP versions up to date. So, here actually updating your PHP version did introduce this vulnerability. The second part to this is on the vBulletin side. So, vBulletin did release a patch about a year ago, back in April. And the problem with the patch was that they didn't really explain, well, why you should apply the patch. There were no details of what exactly is wrong with the old version. It is labeled a security patch, but then it just says to maintain site security, you should apply this patch as soon as possible. And that, of course, is not enough information for anybody, particularly, you know, given the risks with patching, to quickly apply this patch. So, you have on the one side where if you were too eager to patch, then you introduced the PHP vulnerability. On the other hand, if you delayed patching, and that's the vBulletin part, because there was no clear vulnerability that you're going to patch, well, again, you know, you would have missed this particular update. So, in short, if you're running vBulletin, do update. We do see some scans out there. There is one threat actor who is using a couple of different IP addresses who appears to be particularly interested in this vulnerability and has, for a few days now, scanned for vulnerable systems here. Don't yet exactly know what they're after. They're also looking for what looks like brute forcing and such. So, certainly something that you want to keep an eye on and patch.

And Google pushed out an update for Google Chrome. This update does fix three different security vulnerabilities, where one of these vulnerabilities, an out-of-bounds read and write in V8, is already being exploited. And Google mitigated this vulnerability with a configuration change. Of course, not a ton of detail here, as typical for Google's security updates. Just patch. And, as usual, Google Chrome does a reasonably good job in patching itself regularly. Just make sure to restart Google Chrome, like, once a day.

And the webmail system, Roundcube, did release an update that fixes a deserialization vulnerability. It's exploitable only by users who are authenticated. But given that you often have all users in your organization connected to a particular Roundcube instance, that may not be too far of a stretch. And just a couple of weeks ago, there was that big news story about how these webmail systems are being exploited. So, pay attention and double-check that it's up to date.

And finally, noteworthy patches. We also got one from HP for its StoreOnce software. The patches are fixing vulnerabilities found during the Zero Day Initiative's Pwn2Own contest. And, well, there are authentication bypass vulnerabilities and then remote code execution vulnerabilities. So, it doesn't really matter if these remote code execution vulnerabilities require authentication, because you can bypass it. Certainly, critical vulnerabilities that must be patched quickly.

Well, that's it for today. So, thanks again for listening. Thanks for leaving good comments about this podcast. If you like it, let me know. Or, if you don't like it, let me know too. But don't leave a bad comment. Just let me know what to fix here with this podcast. And, other than that, I hope to see some of you at SANSFIRE in mid-July in Washington, D.C., either online or in person. But we've got some special treats if you're coming in person, like our Honeypot Workshop. We're giving away a limited number of free honeypots. And also a number of other events and such that we do have for attendees who actually join us live in D.C. Well, that's it. And thanks, everybody. And talk to you again tomorrow. Bye.