Handler on Duty: Didier Stevens
Threat Level: green
Podcast Detail
SANS Stormcast Monday, July 13th, 2026: Progress Sharefile Shutdown; U-Boot Vuln; More Nightmare Eclipse; Cisco AI Response
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10004.mp3
My Next Class
Click HERE to learn more about classes Johannes is teaching for SANS
Progress Sharefile Emergency Shutdown Notice
https://status.sharefile.com
https://www.reddit.com/r/sysadmin/comments/1usohco/psa_shutdown_your_sharefile_storage_zone/
https://www.bleepingcomputer.com/news/security/progress-urges-sharefile-customers-to-shut-down-servers-over-credible-threat/
U-Boot Vulnerabilities
https://www.binarly.io/blog/unfit-to-boot-breaking-u-boots-fit-signature-verification
Nightmare Eclipse Releases Next Microsoft Defender Exploit
https://blog.projectnightcrawler.dev/posts/2026-07-09-some-interesting-findings-in-windows-defender/
Cisco Increases Patch Cadence
https://blogs.cisco.com/security/strengthening-the-foundation-a-predictable-customer-focused-response-to-ai-accelerated-vulnerability-discovery
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Monday July 13th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Washington DC. This episode is brought to you by the SANS.edu Master's Degree Program in Information Security Engineering. If you are a user of the Progres Sharefile Server made by Progres Software, you probably received an email in the last couple days stating, and I quote here from the email, you must manually shut down the server hosting your storage zone controllers. This is a critical additional step to ensure the safety of your data. End quote. Essentially what they are saying is that if your Sharefile Storage Zone controller is exposed to the internet, there is a credible external security threat, as they are calling it, that targets these kind of systems. And yes, your best bet is to shut things down. And it also then states that you can expect to hear from us in the next 24 hours. Well, this email was sent more than 24 hours ago. So I'm not sure if anybody has received the email since then. At least I haven't seen anything publicly posted. There is nothing really on the Progres website. There is on the status website for Sharefile a note that there is an unresolved issue. But again, it's still marked as unresolved. So nothing really seems to be released here in terms of like a patch, a fix or a configuration update or anything like that. Remember that Progres software has been at the center of a number of significant ransomware incidents in the past. So certainly they have been targeted. And I would highly recommend that you follow their advice. And Biterly published a blog post with details regarding several vulnerabilities in the U-Boot bootloader. Now, U-Boot is a very popular bootloader. I see it a lot in networking equipment, IoT and the like. It's not necessarily as popular as some or as well known, I should say, as some of the less popular bootloaders that you sort of see in Linux and such like Krupp and the like. But still very important, very frequently used, but often used sort of more behind the scenes. Binerly found a number of vulnerabilities here. And the problem with a vulnerability in a bootloader is that essentially someone could then use invalid, corrupt, malicious operating system images and as a result sort of lead to a further permanent compromise of the system. I have to point out that Binerly here went the extra mile. They didn't just publish a blog post complaining about the vulnerabilities. They worked with the U-Boot maintainers. It's an open source project and even provided some patches for these vulnerabilities. So patches are available. Applying them will be a little bit tricky because usually you get it sort of as part of the device firmware. So you may have to wait here for the vendor to sort of step up and incorporate these patches into respective updates. Well, then we have the next chapter in the Nightmare Eclipse saga. Last week, Microsoft published a fix for the rogue planet vulnerabilities. This was a privilege escalation in Microsoft Defender. According to Nightmare Eclipse, there is a bug in that fix that allows the attacker to essentially just lock the entire disk. Basically, all the free space is being locked so that to any other process it appears that the data disk is full. Interesting vulnerability. Don't think it's all that terrible secure. Also, exploitation, while outlined in the post by Nightmare Eclipse, isn't terribly straightforward. Certainly something I think that one can live with in a fix that actually prevents approach escalation vulnerability. And I guess now it's up to Microsoft to provide the next round here in form of a fix for this vulnerability. Well, then Cisco is the latest vendor to join others in releasing patches more frequently. Reason of course is AI and the faster development lifecycle for exploits. So Cisco will now release patches twice a month on the second and fourth Wednesday of each month and still provide a seven day advance notice to customers. Well and that's it for today. Thanks for listening. Thanks for liking. Thanks for recommending and subscribing. And today I'll also be speaking here at Science Fire in DC at 7pm about some of the future ideas we are having with the Internet Storm Center, how to improve our honeypots with the use of AI. And I hope to see some of you there and thanks and talk to you again tomorrow. Bye.





