Podcast Detail

SANS Stormcast Thursday, September 25th, 2025: Hikvision Exploits; Cisco Patches; SonicWall Anti-Rootkit Patch; Windows 10 Support

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9628.mp3


Exploit Attempts Against Older Hikvision Camera Vulnerability
Our honeypots observed an increase in attacks against some older Hikvision issues. A big part of the problem is weak passwords, combined with the ability to send credentials as part of the URL.
https://isc.sans.edu/diary/Exploit%20Attempts%20Against%20Older%20Hikvision%20Camera%20Vulnerability/32316

Cisco Patches Already Exploited SNMP Vulnerability
Cisco patched a stack-based buffer overflow in the SNMP subsystem. It is already exploited in the wild, but requires admin privileges to achieve code execution.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte

SonicWall Anti-Rootkit Update
SonicWall released a firmware update for its SMA100 devices specifically designed to eradicate a commonly deployed rootkit.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0015

Extended Windows 10 Support
Microsoft will extend free Windows 10 essential support for US and European customers.
https://www.straitstimes.com/world/united-states/microsoft-offers-no-cost-windows-10-lifeline

Podcast Transcript

Hello and welcome to the Thursday, September 25th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Las Vegas, Nevada. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

Today I wrote up a diary about some recent attacks that we have seen against Hikvision camera systems. These usually target DVRs, network connected video recorders that various analog cameras connect to. We have written, well, as early as back in 2014 about vulnerabilities in these systems. This latest rash of exploit attempts that I've seen, I would probably qualify it more as a brute force attempt. They're using the username admin and the password 11. So not even 123456, which tends to be the default password for many of these Hikvision systems, at least the older ones. One of the problems with these systems is that they often don't come with a full keyboard, but you basically use a mouse and an on-screen keyboard that usually defaults to a numeric keypad in order to change your password. Haven't looked at more recent devices and what changes have been made. It's usually easier to change the password via the web application, but in order to get to that point, you first have to set a password using that on-screen keyboard. Anyway, if you have a Hikvision system still around, make sure you secure and patch it properly. There is a possibility that this also attempts to exploit some older specific vulnerabilities, but at this point, I really think it's just essentially brute forcing, which also is a little bit simpler here because the username and password is just encoded in base64 and appended to the URL.

And then another blast from the past, and that's a stack-based buffer overflow in SNMP. This was fixed by Cisco as part of its September set of patches that were released today. And this vulnerability is noteworthy because it already has been exploited in the wild. I say blast from the past because, well, I remember back in 2000, 2001, we had a lot of issues with SNMP because of the little bit difficult to power ASN.1 encoding that is used in SNMP. No idea if this is also related to this vulnerability, but the stack-based buffer overflow kind of would be a typical vulnerability here. In order to exploit the vulnerability, an attacker must have admin access to the device and is then able to execute code on the device as root. So this essentially is then usable as a persistent mechanism to further compromise the device. And again, noteworthy because it's already exploited in the wild.

And SonicWall released an advisory and firmware update that for a change doesn't actually fix a specific security vulnerability. Instead, the point of this firmware update is to remove a rootkit that has often been deployed as part of attacks on vulnerable SMA-100 devices. These rootkits are typically, of course, not removed by patches. Actually, patches typically don't make any changes to the system other than fixing the security vulnerability. And as pointed out before, well, whenever you apply a patch, you should make sure that the system is not already compromised. But this turns out to be quite tricky with this particular rootkit. So SonicWall, in order to help its users, has released this special firmware update. Even if you don't believe that your device has been compromised, I would still recommend applying this update because that's exactly the problem here. It's really easy to miss this rootkit and have a compromised device that, of course, then later can be accessed again by the threat actor responsible for the rootkit.

Well, the end is, or better was, near for Windows 10 users. Turns out that Microsoft has given in and will extend the Windows 10 end of support deadline that was originally supposed to happen in October. Due to public outcry, they initially relented in Europe and offered free additional one-year essential support for Windows 10 in Europe. Apparently in the US they now have done so as well. I couldn't find the original release from Microsoft, so I'm linking in the show notes to a news report about this. But initially it was supposed to cost $30 to get continued basically basic support security updates for a year. But this will now happen for free.

Well, and that's it for today. So thanks for listening. Thanks for liking, recommending and for subscribing to this podcast. That's it for today. And talk to you again tomorrow. Bye.
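The credential-in-URL weakness described in the Hikvision show note and again in the transcript lends itself to a simple log check. This is an added example, not code from the ISC diary or the podcast: the `auth=` query parameter carrying base64(`user:password`), the common-log-format layout and the log lines themselves are constructed assumptions for illustration.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Passwords named on the page (11, 123456) plus a constructed list of trivial defaults.
WEAK_PASSWORDS = {"11", "123456", "12345", "admin", "password"}

# Constructed access-log lines; `auth=` carrying base64("user:pass") is an assumed shape.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2025:10:00:01 +0000] "GET /login?auth=YWRtaW46MTE= HTTP/1.1" 401 0
203.0.113.7 - - [25/Sep/2025:10:00:02 +0000] "GET /login?auth=YWRtaW46MTIzNDU2 HTTP/1.1" 401 0
203.0.113.7 - - [25/Sep/2025:10:00:03 +0000] "GET /login?auth=YWRtaW46MTIzNDU= HTTP/1.1" 401 0
198.51.100.9 - - [25/Sep/2025:10:05:00 +0000] "GET /login?auth=Ym9iOng5UXo= HTTP/1.1" 200 512
192.0.2.4 - - [25/Sep/2025:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def decode_url_credentials(path):
    """Return (user, password) from an `auth=` base64 query value, else None."""
    token = parse_qs(urlparse(path).query).get("auth", [None])[0]
    if token is None:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return None
    if ":" not in raw:
        return None
    return tuple(raw.split(":", 1))


def analyze_log(text, threshold=3):
    """Flag weak URL-embedded passwords and sources with repeated 401 responses."""
    weak_hits, failures = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        creds = decode_url_credentials(m.group("path")) if m else None
        if creds is None:
            continue
        user, password = creds
        # Numeric-only passwords reflect the on-screen keypad weakness from the diary.
        if password in WEAK_PASSWORDS or password.isdigit():
            weak_hits.append((m.group("src"), user))
        if m.group("status") == "401":
            failures[m.group("src")] += 1
    brute_force = sorted(s for s, n in failures.items() if n >= threshold)
    return {"weak_credentials": weak_hits, "brute_force_sources": brute_force}
```

Run `analyze_log(SAMPLE_LOG)` to see the single source that hammers `admin` with keypad-style passwords flagged on both counts while the successful, non-trivial login is left alone.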