SANS Stormcast Tuesday, February 10th, 2026: Extracting URLs; Singal Phishing; Ivanti PoC; BeyondTrust RCE; FortiClient SQL Injection

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9802.mp3


Podcast Transcript

Hello and welcome to the Tuesday, February 10th, 2026 edition of the SANS and Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking. And today, 17 years ago, was, well, the first episode of this podcast. Since then, according to my counting, but it's probably not accurate with re-recordings and stuff like this, we published 4,160 individual episodes, a few days' worth of audio material. And just, well, to celebrate this a little bit, if you were born after February 9th, 2009, well, drop me an email and I'll have some stickers for you. It's just interesting to hear how many listeners are actually younger than the podcast itself.

And Didier has a diary today about an update and, well, a way to better use his famous document analysis tools to extract URLs from RTF documents. And as an example, Didier here has a malicious document that's based out of a basic phishing email that came with an RTF attachment. Extracting URLs is always super useful because, well, that's often the next step that an attacker is trying to pursue. And of course, we had last week this story about, well, malformed URLs. And that certainly fits in here too, that you're also then able to extract some of these malformed URLs that may not necessarily quite match standard patterns, but are still effective.

And we got, well, a new blog post by watchTowr with details regarding the latest vulnerability in Ivanti's Endpoint Manager Mobile. That product, always good for easy-to-exploit vulnerabilities. And this is not so different here. Now, it took watchTowr a little bit of time here to actually walk through all the code. But in the end, it turns out to be a fairly straightforward OS command injection vulnerability. Essentially, as part of the URL, you can supply OS commands and they're then being executed by the system. So definitely something that you must patch, in particular, since this vulnerability is already being exploited. And with all these details being made public by watchTowr now, of course, the exploits are now very easily going to be delivered and expanded.

And talking about OS command injection vulnerabilities in software that's supposed to make us more secure, we do have more of these. And this time it's BeyondTrust, a name that usually doesn't come up with these simple vulnerabilities, and it affects their remote support and privileged remote access solution. This is yet another vulnerability that was found via AI. Hacktron AI is the company that's been credited with finding this vulnerability. So certainly AI is making an impact here. And as I said yesterday, used correctly, it can actually lead to some good and useful security vulnerability discoveries.

And good old Fortinet. Not even sure if I haven't already mentioned that there were so many Fortinet vulnerabilities recently. This one is a SQL injection vulnerability in FortiClient EMS. They gave it a CVSS score of 9.1. So it does allow the execution of unauthorized code and it does not require authentication. So definitely that's something that you need to patch and probably better patch quickly. And well, with all the Fortinet stuff out in the last couple of weeks, definitely if you have any of their devices, double check that they're up to date and that you didn't miss one of the vulnerabilities.

Well, and that's it for today. So thanks again for listening. Thanks for liking. Thanks for subscribing to this podcast. And as always, talk to you again tomorrow. Bye.