SANS Stormcast Thursday, January 29th, 2026: WebLogic AI Slop; Fortinet Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9786.mp3


Odd WebLogic Request. Possible CVE-2026-21962 Exploit Attempt or AI Slop?
We are seeing attempts to attack CVE-2026-21962, a recent WebLogic vulnerability, using a non-working, AI-generated "slop" exploit.
https://isc.sans.edu/diary/Odd%20WebLogic%20Request.%20Possible%20CVE-2026-21962%20Exploit%20Attempt%20or%20AI%20Slop%3F/32662

Fortinet Patches are Rolling Out
Fortinet is starting to roll out patches for the recent SSO vulnerability.
https://fortiguard.fortinet.com/psirt/FG-IR-26-060

SolarWinds Web Helpdesk Vulnerability
Another set of vulnerabilities in SolarWinds Web Help Desk may result in unauthenticated system access.
https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

Podcast Transcript

Hello and welcome to the Thursday, January 29th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in cybersecurity fundamentals.

Last week, Oracle published its quarterly Critical Patch Update. And with that, we also got a patch for WebLogic. That patch, I think I pointed out when it was released, was insofar noteworthy that, first of all, WebLogic has been exploited many times in the past. And secondly, it got a CVSS score of 10. So a perfect score here for possible exploit attractiveness, I guess I should say, because compromising WebLogic using this particular vulnerability could lead to a complete system compromise. So with an exploit like this, I'm usually periodically kind of trying to find any exploit attempts in our honeypot logs, and did see one in our logs. But this particular exploit attempt didn't really make much sense. It had sort of all the parts that you may expect in an exploit like this, but it was highly unlikely that, well, the vulnerability was as trivial as suggested by this exploit. So doing a little bit further digging, apparently, at the time when the vulnerability was disclosed by Oracle, someone published a GitHub repository with what looks like an AI-generated exploit that apparently doesn't work at all. And we are now seeing this exploit being used against basically arbitrary hosts. It's not just being sent against WebLogic, but really just random hosts. And well, I guess to some extent, nice if attackers are wasting their time with AI slop like this. But on the other hand, what's really happening here is that both defenders and attackers are using AI trying to speed up their development process, either of signatures or of attack scripts like what we saw here. And the result is, well, that sometimes either side wastes time. Now, in this case, the attacker sort of has the advantage that all they do is waste time. If you're relying on AI-generated signatures with the same quality, then, of course, you're potentially opening yourself up to real exploits. And reading some of the write-ups that were sort of published back when the exploit was released as a fake exploit, it looks like a number of security companies actually used that sort of as a potential template for their defensive actions and signatures. So definitely be a bit careful with this.

And Fortinet updated its advisory for the single sign-on vulnerability. They start rolling out patches now. Looks like right now they're rolling them out only for the 7.4 version of FortiAnalyzer, FortiManager, and FortiOS. Other patches are supposed to be available shortly. Also, nothing yet for FortiWeb. But keep watching it. And I would expect sort of by the end of the week we probably will have most of the patches for these different vulnerable versions. I'll leave it up to you if you want to then be brave and turn single sign-on on again, or if you just want to try to do without it. Remember, this is the second time that we sort of had this fire drill with the single sign-on feature.

And yes, it's time to patch your SolarWinds Web Help Desk again. This time three different security vulnerabilities. One is sort of a variation of stuff that has been patched before. But the end effect is that a non-authenticated hacker will be able to gain full remote code execution on your Web Help Desk instance. At the core of it, it's a deserialization vulnerability that allows for the code execution. Now, to be able to exploit this vulnerability, you can take advantage of static, sort of guest or example, credentials that are being set up as you are creating your Web Help Desk instance. And then there's also a security protection bypass that will essentially allow you to bypass some of the filters that have been added in the past to prevent exploitation of these types of deserialization vulnerabilities. So definitely something that you must patch. Horizon3 has published a blog post, and a link to it is in the show notes, that has quite a bit of detail short of a proof of concept for this particular vulnerability. But they did release, for example, a scanner that you can use to check if you're vulnerable, and also indicators of compromise that you may see in your logs to show that exploit attempts have happened.

Well, in addition to this, there are a couple other things that we don't really have time to cover: n8n vulnerabilities. We also do have another vulnerability in Google Chrome that has been patched, and a critical sandbox escape vulnerability in VM2, so for the Node.js coders here. That's it for today. Thanks for listening. Thanks for subscribing, and talk to you again tomorrow. Bye.