Handler on Duty: Didier Stevens
Threat Level: green
Podcast Detail
SANS Stormcast Wednesday, December 17th, 2025: Beyond RC4; Forticloud SSO Vuln Exploited; FortiGate SSO Exploited;
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9742.mp3
My Next Class
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
Beyond RC4 for Windows authentication
Microsoft outlined its transition plan to move away from RC4 for authentication and published guidance and tools to facilitate this change.
https://www.microsoft.com/en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication
FortiCloud SSO Login Vuln Exploited
Arctic Wolf observed exploit attempts against vulnerable FortiGate appliances.
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
FrePBX Vulnerability
Horizon3.ai identified three distinct vulnerabilities in FreePBX. In particular, the authentication by-pass issue should be of concern, but default FreePBX installs do not use the vulnerable web authentication feature.
https://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/
iTunes
MP3 Download
RSS Feed
Google
Podbean
Amazon Echo
YouTube
Spreaker
Spotify
Discussion
Login here to join the discussion.
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
| Network Monitoring and Threat Detection In-Depth | Online | Arabian Standard Time | Jun 20th - Jun 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 26th 2026 |
Podcast Transcript
Hello and welcome to the Wednesday, December 17th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership. I want to start today's podcast not sort of with breaking news, but with an issue that has come up beginning of the month and is something that you probably should address early next year. So now is the time kind of to get ready and get organized to get this worked out. And that's Microsoft discontinuing RC4 for all the occasion. Hopefully for your organization, this will be really a non-event. And the last version of Windows that did require RC4 was Windows Server 2003, if I remember correctly. So hopefully you don't have 20 plus year old systems around. But we all know it's easier said than done. And yes, sometimes these legacy systems are hanging around. So what Microsoft did in order to support this transition is that they came up with an extensive blog or website here beyond RC4 for Windows authentication that goes over some of the steps that you can take in order to make sure that you won't be affected once RC4 will at least by default be disabled for authentication with Active Directory. Now that turnover will be mid next year. So again, you still have some time. And what they did now to get ready for it was to enable additional logging in the security events that basically log what authentication mechanisms are used and what are available. If you do have one of the newers like AS and such available and you still use RC4, well, in this case, it may just be as easy as changing the particular user's password, which again, may not necessarily be easy. They also do provide PowerShell scripts to search your logs for any accounts that may need to be updated and set up an email address that you can use in case you're running into any devices or such that just won't work with RC4. If you do run into this situation, you can't really get this resolved by mid next year. There is an option to still manually enable RC4. So it's not that you're sort of left out in the cold here, but it's definitely something that you should address. And it's probably going to point you to a bunch of devices that you probably should have retired a long time ago. And well, this may be sort of the last push it takes to actually make that happen. So like I said, not breaking news, but something that you definitely should tackle. And beginning next year is probably when you sort of should have a plan ready and figure out how much this affects you. And last week I mentioned that Fortinet did publish a single sign-on authentication bypass vulnerability in its FortiGate devices. This affects any device that is using the FortiCloud single sign-on in order to authenticate. Arctic Wolf now says that they have seen active exploit attempts against this vulnerability. So you must get your systems up to date. Now, if you can't get them up to date, again, there is a workaround. You basically just disable the cloud-based single sign-on feature and use local authentication. And then you should be good here. They also point out that as part of these exploit attempts, attackers were then reading configuration files. As always, and we have seen this many times before, if a compromise like this happens, you must change all local credentials stored on the device. This may include any seats for multi-factor authentication. Not sure if that applies here in this particular case, but that's something that has sort of caused problems for people where then later they were compromised even though they had multi-factor authentication enabled. But the seats were not changed and as a result, the attacker was able to replicate the two -factor authentication tokens. And Horizon 3 published a blog post with details regarding three different newly discovered vulnerability in FreePBX. A couple months ago, we sort of had this fire trail where we hadn't already exploited vulnerability being patched in FreePBX. This research sort of evolved out of looking into this earlier vulnerability. So three vulnerabilities. Two of them are SQL injection vulnerabilities that could lead in the worst case to arbitrary code execution vulnerability. Similar to the prior exploit, the way this is exploited to actually achieve remote code execution is by actually using the SQL injection to add data to a ground job table that's being maintained in SQL and then is being used to periodically via cron launch various scripts. And if the attacker can add a script to that table, they have arbitrary code execution. Now, the newer version of the SQL injection vulnerabilities does require authentication. However, that's where the third and in some ways most critical vulnerability comes in. There is an authentication bypass vulnerability that can then be leveraged with these other vulnerabilities to gain unauthenticated full code execution. Well, the only good thing about this vulnerability is it's not exploitable in the default configuration. You need to send your authentication type to web server, which is not the way it's usually configured, but at that point, if you are vulnerable, it's exploitable by just sending a specific header. And with that, you essentially bypass authentication. So definitely get this patched. And even the authenticated vulnerabilities could be an issue depending on who you have authenticating to your free PBX server. Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye. Bye.
Follow the Internet Storm Center on Twitter
© 2025 SANS™ Internet Storm Center
Developers: We have an API for you! 