SANS Stormcast Thursday, September 4th, 2025: Dassault DELMIA Apriso Exploit Attempts; Android Updates; 1.1.1.1 Certificate Issued
If you are not able to play the podcast using the player below, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9598.mp3

Exploit Attempts for Dassault DELMIA Apriso. CVE-2025-5086
Our honeypots detected attacks against the manufacturing management system DELMIA Apriso. The deserialization vulnerability was patched in June and is one of a few critical vulnerabilities patched in recent months.
https://isc.sans.edu/diary/Exploit%20Attempts%20for%20Dassault%20DELMIA%20Apriso.%20CVE-2025-5086/32256
Android Bulletin
Google released its September update, fixing two already-exploited privilege escalation flaws and some remote code execution issues.
https://source.android.com/docs/security/bulletin/2025-09-01
Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020
Certificate authority Fina RDC issued a certificate for Cloudflare's IP address 1.1.1.1.
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc
Podcast Transcript
Hello and welcome to the Thursday, September 4th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in Purple Team Operations. Our honeypots over the last couple of days picked up some attacks for the Dassault DELMIA Apriso software. Now you're probably not familiar with that. That's not necessarily sort of a household name, but it's a manufacturing operation management software. One of these complex packages that basically interface with your plant and your enterprise resource planning system and allow you to sort of get a holistic view of a manufacturing process, sort of from the devices on the manufacturing line all the way to the bookkeeping. There have been a number of vulnerabilities in this software in recent months. This particular one that we see exploited is a deserialization vulnerability that was patched in June. There were a couple other remote code execution vulnerabilities that I didn't see so far being exploited. The advisories from Dassault are fairly minimal. It's sort of little one-liners, essentially what the vulnerability is all about. Definitely if you're running this type of software, make sure you keep it patched. Not just this particular software from Dassault, but any sort of complex operation management software and such tends to have vulnerabilities, in particular deserialization vulnerabilities like this. We have seen them also often in ERP software. And yes, they are usually not easy to patch. So you want to stay ahead of that, not wait for the emergency, like now hearing that there is active exploitation of this vulnerability before you have to apply any patches for this type of software. And we got the monthly update for Android from Google. This is the September version of this update. Two vulnerabilities here. Both privilege escalation vulnerabilities are already being exploited.
One of these vulnerabilities affects the Linux kernel. I believe that's a vulnerability that also has been discussed with respect to Linux in general. And then there's a second vulnerability in the Android system. There are, in addition to these privilege escalation vulnerabilities, additional vulnerabilities that can lead to remote code execution from what they're calling a network adjacent position. So not necessarily across the internet, but someone being sort of on the same Wi-Fi network or on the same LTE or cellular network that may also be exploitable this way. Well, as usual, update as these updates become available for your particular phone. And we have yet an interesting certificate event to talk about. This time it's a certificate for the IP address 1.1.1.1. This IP address is used by Cloudflare for its DNS service. So a certificate that is valid for this IP address may be useful to intercept DNS over HTTPS, DNS over QUIC connections to that IP address. The certificate authority that issued this certificate is FINA RDC. As far as I know, they're not universally trusted. However, they're trusted by Microsoft's Edge browser. This certificate was issued a few months ago. I think it says three months when it was first seen. It was properly added to certificate transparency logs, but only now was noted for some reason. Well, there are a lot of certificates in those logs. Also, it was added as an alternative name, which isn't quite as obvious. The main subject CN for the certificate was test1.hr. .hr is for Croatia. So it's their country top level domain. Given that it was test1.hr and test1.hr. It could be that this was just a test someone was running. Still not good that that certificate made it sort of through the server authority. But at this point, we don't know what the purpose of the certificate was. Just well, that it has been around and is probably still valid as of me recording this podcast.
And this vulnerability I'm really just covering in part because it's sort of familiar. It hits a couple buttons with me. In the ESP IDF web server, an interesting authentication bypass happens by the web server only comparing as many characters as the user actually provides. So if you provide a short password like just the letter S, then only the first letter of the password S is compared. And with that, of course, you can primitively brute force passwords. ESP IDF web server, if you're familiar with this, it's part of these little prototype boards and often used in home automation, like where you have a little ESP CPU with some Wi-Fi, Bluetooth and such interfaces that allow you to automate some tasks. Well, a patch, of course, as usual, I'm not sure how many are exposing ESPHome to the internet. Well, this is it for today. So thanks for listening. Thanks for liking. Thanks for subscribing. And as always, special thanks if you're leaving a comment in your favorite podcast platform. I think I haven't seen new comments in a while in like Apple or Amazon in particular. Not a lot of people are apparently listening to Alexa in the morning to this podcast. But anyway, that's it for today and talk to you again tomorrow. Bye.
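The authentication-bypass pattern described for the ESP IDF web server above, as an added example that is not code from ESP-IDF, ESPHome or the podcast: a check whose comparison length is taken from the caller-supplied input, next to a hardened check that always compares the full stored length in constant time. The stored password and the function names are constructed for illustration, and the hardened version is a generic fix, not the project's actual patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample credential for the demo; not a real deployment value. */
static const char STORED_PASSWORD[] = "s3cretPass";

/* Vulnerable pattern: the comparison length comes from the attacker-controlled
 * input, so "s" only has to match the first byte of the stored password, and an
 * empty input matches everything (strncmp with n == 0 returns 0). Each byte can
 * then be confirmed on its own, which is why this is brute-forceable. */
bool check_password_vulnerable(const char *input)
{
    size_t n = strlen(input);
    return strncmp(STORED_PASSWORD, input, n) == 0;
}

/* Hardened check: the loop bound is the STORED length, every byte is visited,
 * and the length mismatch is folded into the result so the function neither
 * accepts prefixes nor leaks the matching prefix length via early exit. */
bool check_password_fixed(const char *input)
{
    size_t expected_len = sizeof(STORED_PASSWORD) - 1;
    size_t input_len = strlen(input);
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++) {
        /* Compare against 0 once the input runs out instead of reading past it. */
        unsigned char b = (i < input_len) ? (unsigned char)input[i] : 0;
        diff |= (unsigned char)STORED_PASSWORD[i] ^ b;
    }
    return input_len == expected_len && diff == 0;
}

int main(void)
{
    const char *attempts[] = { "", "s", "s3cretPas", "s3cretPass", "s3cretPassX" };
    for (size_t i = 0; i < sizeof(attempts) / sizeof(attempts[0]); i++) {
        printf("%-12s vulnerable=%d fixed=%d\n", attempts[i],
               check_password_vulnerable(attempts[i]),
               check_password_fixed(attempts[i]));
    }
    return 0;
}
```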