Handler on Duty: Didier Stevens
Threat Level: green
Podcast Detail
SANS Stormcast Monday, November 17th, 2025: New(isch) Fortiweb Vulnerability; Finger and ClickFix
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9702.mp3
My Next Class
| Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
| Network Monitoring and Threat Detection In-Depth | Online | Central European Time | Dec 15th - Dec 20th 2025 |
Fortiweb Vulnerability
Fortinet, with significant delay, acknowledged a recently patched vulnerability after exploit attempts were seen publicly.
https://isc.sans.edu/diary/Honeypot+FortiWeb+CVE202564446+Exploits/32486
https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/
https://fortiguard.fortinet.com/psirt/FG-IR-25-910?ref=labs.watchtowr.com
Finger.exe and ClickFix
Attackers have started to use the finger.exe binary to retrieve additional payloads in ClickFix attacks.
https://isc.sans.edu/diary/Finger.exe%20%26%20ClickFix/32492
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
| Network Monitoring and Threat Detection In-Depth | Online | Arabian Standard Time | Jun 20th - Jun 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
Podcast Transcript
Hello and welcome to the Monday, November 17th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Master's Degree Program in Information Security Engineering. Well, the first story here is something that developed on Friday and really sort of became more obvious on Friday, but there was sort of in development for the last few days before that. And I'll sort of start here with the end. And that's a notice by Fortinet security announcement that there is a new vulnerability in the FortiWeb software. The problem with this is that the patch, and in this case, for example, if you're on the 8 version, it would be version 802, was actually released a couple weeks ago. So a couple weeks ago, Fortinet did upgrade their software, fixed a critical vulnerability, CVSS score of 9.1 according to Fortinet, which I think is about appropriate. But they didn't tell anybody about fixing this vulnerability. So what happened last week is that the researchers pointed out some attacks they saw that basically looked like a version of an old vulnerability. But well, it was actually this new vulnerability. And we then got, as usual, a good write-up from watchTowr showing that this was essentially a directory traversal that allowed access to this FWB CGI binary that then in turn allowed an attacker to impersonate arbitrary users. And in doing so, basically bypass access control. So the vulnerability was very straightforward. You just needed a JSON payload with the user that you would like to impersonate. And with that, you were all set in order to then gain access to the admin interface. We also, over the weekend, did notice some of these attacks in our honeypots. Didier wrote about this and here published one of the attacks that he saw in his honeypot. But yes, this is actively being exploited.
Hopefully, you did upgrade when the upgrade originally came out, not knowing that it fixed this particular vulnerability, which of course may have delayed the upgrade. So if you haven't upgraded yet, the usual advice is assume compromise at this point. This is widely being scanned for. It's trivial to exploit. And as long as your admin interface is exposed to the attacker. And even internally, you may have attackers that take advantage of a vulnerability like this. So definitely do assume compromise. Do not just simply patch the system. We had this happen so many times this year where people patched border security devices like this and ended up basically just patching a device that was already backdoored where attackers already dumped credentials. Also, if you find an unpatched device at this point, do update your credentials. Now, there is no direct path here to credentials from this particular vulnerability. But attackers will have added users. That's probably the best sort of indicator of compromise that I've seen at this point. And yeah, make sure that nobody has access to the admin interface. That's probably another thing that you can look for. Also, that's about FortiWeb. And as I said, not pretty that FortiWeb or Fortinet did not properly disclose this vulnerability when it was originally patched. There's also a chance that they patched it accidentally maybe and didn't really know what they patched. But it's definitely actively being exploited. And we got a second diary by Didier. And that's a little bit of follow up to a story that sort of broke also late last week. And that's that attackers start to use the finger binary in their ClickFix attacks. So ClickFix, you probably are familiar with this by now, but that's where a user is being tricked into copy pasting PowerShell code typically into a command line window. They are believing they're actually solving a CAPTCHA in doing so. But of course, attackers sometimes run into some endpoint protection software.
Well, a standard way to get around endpoint protection software is to use binaries that already exist on the system. That's sort of often referred to as the living off the land binary or LOLBin attacks. This particular case here uses the finger.exe binary in order to retrieve additional commands from a remote system. They could have done DNS. I would have liked it actually better if they would have done DNS because I like DNS. But they decided to use finger, which is probably much, much more verbose, much, much louder than using DNS. But then again, network detection is often really not there where it should be. And that's probably why this finger command slips through. Also, the finger command doesn't use any proxies. So other tools they may use may use proxies. The proxies may do some inspection or filtering. Finger doesn't do that. It goes out straight on port TCP 79. So definitely, you know, just start looking for this stuff. And it should be very easy to detect. It's really one of those things where you really shouldn't see any traffic outbound on port 79 from your hosts. But that's it for today. Sorry for being a little bit ranty and long today, but it's kind of frustrating to have the same stuff happening over and over. If you have problems with commercial software, commercial systems, please call the support. Make them incur costs. Otherwise, they're not going to fix it. So don't just sit there and fix it yourself. Have them help you. And then for the second story, make sure you get network detection up and running. Even NetFlow will detect this stuff. So there's really no excuse if you have any kind of SOC or so to not detect someone using finger. That's it for today and talk to you again tomorrow. Bye. Bye. Thank you.
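An added detection example (not code from the diary or from the podcast): it scans constructed Zeek conn.log-style flow records for internal hosts opening direct TCP/79 connections to external addresses, the egress pattern finger.exe leaves because it ignores proxy settings. The record layout, the internal address ranges and the sample flows are assumptions made for this example.

```python
"""Flag direct outbound TCP/79 (finger) flows in Zeek conn.log-style records.
Added example; the record layout (ts src sport dst dport proto bytes), the
internal ranges and the records themselves are constructed assumptions."""
import ipaddress

# Ranges treated as internal; anything else is external (assumption for this example)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FINGER_PORT = 79

# Constructed flows: two finger flows from 10.1.2.30, one from 10.1.5.9,
# one internal-to-internal finger flow, plus ordinary HTTPS and DNS noise.
SAMPLE_FLOWS = """\
1763380000 10.1.2.30 51234 203.0.113.25 443 tcp 4120
1763380005 10.1.2.30 51240 198.51.100.7 79 tcp 612
1763380007 10.1.2.44 53001 10.1.2.1 53 udp 84
1763380012 10.1.2.30 51244 198.51.100.7 79 tcp 9070
1763380020 10.1.5.9 40022 192.0.2.15 79 tcp 300
1763380031 10.1.2.61 41000 10.1.2.80 79 tcp 120
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto.lower(), "bytes": int(nbytes)})
    return flows

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_finger_egress(flows):
    """Internal host -> external address on TCP/79. finger.exe ignores proxy
    settings, so it shows up as direct egress that should normally never occur."""
    return [f for f in flows
            if f["proto"] == "tcp" and f["dport"] == FINGER_PORT
            and is_internal(f["src"]) and not is_internal(f["dst"])]

def summarize_by_source(hits):
    """Per source host: flow count, total bytes (hint at payload size), destinations."""
    summary = {}
    for f in hits:
        e = summary.setdefault(f["src"], {"count": 0, "bytes": 0, "dsts": set()})
        e["count"] += 1
        e["bytes"] += f["bytes"]
        e["dsts"].add(f["dst"])
    return summary
```

Calling `summarize_by_source(find_finger_egress(parse_flows(SAMPLE_FLOWS)))` on the constructed records yields the two internal hosts talking finger to the outside; the internal-to-internal flow is left out because the point is proxy-bypassing egress.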