
SANS Stormcast Monday, October 13th, 2025: More Oracle Patches; SonicWall Compromises; Unpatched Gladinet; 7-Zip Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9652.mp3


New Oracle E-Business Suite Patches
Oracle released one more patch for E-Business Suite. Oracle does not state whether the vulnerability is already being exploited, but the timing of the patch suggests that applying it should be expedited.
https://www.oracle.com/security-alerts/alert-cve-2025-61884.html

Widespread SonicWall SSLVPN Compromise
Huntress Labs observed widespread compromise of SonicWall SSLVPN appliances.
https://www.huntress.com/blog/sonicwall-sslvpn-compromise

Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw (CVE-2025-11371)
An unpatched vulnerability in the “secure” file sharing solutions Gladinet CentreStack and TrioFox is being exploited.
https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw

Two 7-Zip Vulnerabilities CVE-2025-11002, CVE-2025-11001
7-Zip patched two vulnerabilities that may lead to arbitrary code execution.
https://www.zerodayinitiative.com/advisories/ZDI-25-949/
https://www.zerodayinitiative.com/advisories/ZDI-25-950/


Podcast Transcript

Hello and welcome to the Monday, October 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cloud security.

Oracle E-Business Suite users, be aware there is yet another update for you to apply. This update was released on Sunday, and it doesn't state in Oracle's notice whether or not this particular vulnerability is already being exploited. It's only an information leakage vulnerability, so an unauthenticated user may have access to information that they're not supposed to have access to. However, given that there's really no statement whether or not it's being exploited, it's released on a Sunday, it's released just a week after we had that major already exploited vulnerability, and it's about a week before the normal Oracle critical patch update, the quarterly update they're releasing for all of their products, I would assume that this vulnerability is already being exploited. Maybe a follow-on to the initial attack, that vulnerability was patched last weekend, or maybe just part of that attack that wasn't really patched in Sunday's update. Not much here from Oracle to go by other than conjecture, and I would err on the side of caution in the sense that you probably want to apply this patch as soon as possible before the critical patch update for the quarter comes out in a week, just so you got it off your plate and then can focus on whatever that critical patch update fixes. But yeah, really not a lot to go by here from Oracle's side. So really just making some assumptions here.

And Huntress Labs is reporting in a blog post that they're seeing the widespread exploitation of SonicWall VPN devices. What they're noting here is that the attacker is rapidly logging in to a number of different accounts. This of course comes a couple of days after SonicWall let it be known that all configurations uploaded to its MySonicWall cloud storage had been compromised. Best guess is that whatever actor got a hold of these configurations is now as quickly as possible attempting to compromise those instances in order to take advantage of these credentials before the user may actually change them. So if you had your configuration uploaded to MySonicWall: number one, assume it was compromised. Yes, passwords were hashed, but hashes can be brute forced. And the end result is that if you had your configuration in MySonicWall at this point, assume the device is compromised. Don't just go in and change credentials and such, but take a close look. Make sure there are no backdoors or any other compromise, no new accounts, nothing like that installed. Take a look at the Huntress blog. You also have IP addresses and other things that they have observed on compromised devices. So this is pretty much a must-do at this point: you must assume a compromise of these devices.

And the second alert I have also comes from Huntress Labs, and it affects the secure Gladinet CentreStack and Triofox storage solutions. Like all these very secure remote storage solutions, well, they are not very, very, very secure, and as a result, they suffer from an unpatched local file inclusion vulnerability. A local file inclusion vulnerability allows, even on a secure file storage and sharing system, to read arbitrary files, in particular in this case the web.config file, which then releases the machine key. And well, we all learned about a machine key from the SharePoint vulnerability, another secure file sharing technology, of course, that it can be used to further compromise the affected system. No patch available. So see what you can do with respect to any configuration changes and, as usual, assume compromise.

And then we do have two distinct but similar vulnerabilities in 7-Zip that have been addressed. These vulnerabilities are your typical symbolic link vulnerabilities that essentially allow for directory traversal and, with that, under some circumstances even arbitrary code execution. Update as patches become available. There is no indication at this point that these vulnerabilities are being exploited. On the other hand, similar vulnerabilities have often been exploited in the past. So probably no stretch to assume that exploits are already somewhat available for these issues.

Well, and this is it for today. So thanks for listening and thanks for liking and subscribing to this podcast. And as always, talk to you again tomorrow. Bye.
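The 7-Zip item above describes the archive symbolic-link class of bug: an entry's link target leaves the extraction directory, or a later entry is written through a link created earlier in the archive, giving directory traversal on extraction. As an added example, not code from the podcast, SANS, or the 7-Zip project, the following Python vets each archive entry before extraction and refuses both patterns. It uses the standard library's tarfile module rather than the 7z format (the standard library has no 7z reader), since the traversal pattern is identical across archive formats; the sample archive, its entry names, and the helper names (`vet_member`, `audit_archive`, `extract_vetted`) are all constructed for this illustration.

```python
import io
import os
import tarfile
import tempfile


def _escapes(relpath):
    """True if a relative path, once normalised, would land outside the extraction root."""
    norm = os.path.normpath(relpath)
    return os.path.isabs(norm) or norm == ".." or norm.startswith(".." + os.sep)


def vet_member(member, seen_links):
    """Decide whether one archive entry is safe to extract; returns (ok, reason).

    seen_links holds the normalised names of symlinks accepted so far. Any later
    entry placed beneath one of them would be written *through* that link, which
    is the classic symlink-then-write traversal pattern, so it is rejected even
    when the link itself pointed inside the extraction directory.
    """
    name = os.path.normpath(member.name)
    if _escapes(name):
        return False, "entry path escapes the extraction directory"
    parts = name.split(os.sep)
    for i in range(1, len(parts)):
        if os.sep.join(parts[:i]) in seen_links:
            return False, "entry path passes through an earlier symlink"
    if member.issym():
        if os.path.isabs(member.linkname):
            return False, "symlink target is absolute"
        # A relative symlink target is interpreted from the link's own directory.
        target = os.path.normpath(os.path.join(os.path.dirname(name), member.linkname))
        if _escapes(target):
            return False, "symlink target escapes the extraction directory"
        seen_links.add(name)
    elif member.islnk():
        # Hard link targets are archive-relative paths, not relative to the link.
        if _escapes(member.linkname):
            return False, "hardlink target escapes the extraction directory"
    return True, ""


def audit_archive(archive_bytes):
    """Return [(name, ok, reason)] for every entry, in archive order."""
    results = []
    seen_links = set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            ok, reason = vet_member(member, seen_links)
            results.append((member.name, ok, reason))
    return results


def extract_vetted(archive_bytes, dest=None):
    """Extract only the entries that pass vetting; returns (dest, extracted names)."""
    dest = dest or tempfile.mkdtemp(prefix="vetted-")
    extracted = []
    seen_links = set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            ok, _ = vet_member(member, seen_links)
            if ok:
                tar.extract(member, path=dest)
                extracted.append(member.name)
    return dest, extracted


def build_sample_archive():
    """Constructed sample archive: one benign file plus four traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("docs/readme.txt", b"benign content\n")
        add_symlink("docs/escape", "../../outside")                 # link target leaves dest
        add_symlink("docs/link", "sub")                             # harmless on its own ...
        add_file("docs/link/payload.txt", b"written through link\n")  # ... until written through
        add_file("../evil.txt", b"parent-dir traversal\n")          # plain ../ traversal
    return buf.getvalue()


if __name__ == "__main__":
    for name, ok, reason in audit_archive(build_sample_archive()):
        print(f"{'OK  ' if ok else 'DENY'} {name}" + (f"  ({reason})" if reason else ""))
```

Running the block prints the verdict for each entry: the benign file and the in-bounds symlink are accepted, while the escaping symlink, the file written through the earlier link, and the `../` entry are denied. The checks are purely lexical on purpose, so they give the same answer whether or not the destination already exists, and they do not depend on the extraction library's own (version-dependent) filtering.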