[Guest Diary] Comparing Honeypot Passwords with HIBP
Published: 2025-10-01
Last Updated: 2025-09-30 23:01:11 UTC
by Draden Barwick, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Draden Barwick, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
DShield Honeypots are constantly exposed to the internet and inundated with exploit traffic, login attempts, and other malicious activity. Analyzing the logged password attempts can help identify what attackers are targeting. To go through these passwords, I have created a tool that leverages HaveIBeenPwned’s (HIBP’s) API to flag passwords that haven’t appeared in any breaches.
Purpose
Identifying passwords that haven’t been seen in known breaches is useful because it can indicate additional planning and help identify patterns in these less common passwords. Anyone that operates a honeypot (and receives a lot of data on attempted use of passwords in plaintext) could benefit from this project as an additional starting point for investigations.
Development
HaveIBeenPwned maintains a large database of breached passwords and offers an API to tell if a given password has been compromised. This is done by making a request to “https://api[.]pwnedpasswords.com/range/#####”, where the “#####” part of the request is the first 5 characters (prefix) of the SHA1 hash of the tested password. The site returns a list of the last 35 characters (suffix) of every password hash in the database that starts with the provided prefix. Each entry includes a count of how many times the corresponding password has been seen in breaches. This prevents anyone from learning the full hash of the password we are looking for from the request alone. While this consideration is not important for our use with the DShield honeypots (as all passwords seen are publicly uploaded), it is important to understand because HIBP does not allow searching with the full hash directly ...
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Comparing+Honeypot+Passwords+with+HIBP/32310/
"user=admin". Sometimes you don't even need to log in.
Published: 2025-09-30
Last Updated: 2025-09-30 15:02:21 UTC
by Johannes Ullrich (Version: 1)
One of the common infosec jokes is that sometimes you do not need to "break" an application; you just have to log in. This is often the case with weak default passwords, which are common in IoT devices. However, an even easier method is to simply tell the application who you are. This does not even require a password! One of the sad recurring vulnerabilities is an HTTP cookie that contains the user's username or userid.
I took a quick look at our honeypot for cookies matching this pattern. Here is a selection ...
These are listed by frequency, with "uid=1" being the most commonly used value.
Let's see if we can identify some of the targeted vulnerabilities ...
Read the full entry: https://isc.sans.edu/diary/useradmin+Sometimes+you+dont+even+need+to+log+in/32334/
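A way to surface this cookie pattern in honeypot traffic, as an added example that is not the diary's own analysis: scan raw HTTP requests for cookies whose name suggests the client is asserting its own identity or role, and rank the values by frequency. The cookie-name list and the sample requests are constructed assumptions.

```python
import re
from collections import Counter

# Added example (not the diary's analysis). Flags cookies that carry a claimed
# identity, the pattern the diary describes ("uid=1", "user=admin").
IDENTITY_COOKIE_NAMES = {"user", "username", "userid", "uid", "admin", "role", "login"}
COOKIE_PAIR = re.compile(r"\s*([^=;\s]+)=([^;]*)")


def identity_cookies(cookie_header: str):
    """Yield (name, value) pairs from a Cookie header value whose name is identity-like."""
    for name, value in COOKIE_PAIR.findall(cookie_header):
        if name.lower() in IDENTITY_COOKIE_NAMES:
            yield name, value.strip()


def count_identity_cookies(requests):
    """Count identity-like cookie pairs across raw request texts, most common first."""
    counter = Counter()
    for raw in requests:
        for line in raw.split("\r\n"):
            if line.lower().startswith("cookie:"):
                counter.update(f"{n}={v}" for n, v in identity_cookies(line[len("cookie:"):]))
    return counter.most_common()


# Constructed sample requests (not honeypot data).
SAMPLE_REQUESTS = [
    "GET /admin/ HTTP/1.1\r\nHost: example.test\r\nCookie: uid=1; PHPSESSID=abc\r\n\r\n",
    "GET /login.cgi HTTP/1.1\r\nHost: example.test\r\nCookie: user=admin\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\nCookie: uid=1; theme=dark\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\nCookie: theme=dark\r\n\r\n",
]

if __name__ == "__main__":
    for pair, n in count_identity_cookies(SAMPLE_REQUESTS):
        print(n, pair)
```

On the server side, the mitigation is the same regardless of cookie name: identity must come from a server-issued, signed or opaque session token, never from a client-supplied field.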
Apple Patches Single Vulnerability CVE-2025-43400
Published: 2025-09-29
Last Updated: 2025-09-29 20:28:54 UTC
by Johannes Ullrich (Version: 1)
It is typical for Apple to release a ".0.1" update soon after releasing a major new operating system. These updates typically fix various functional issues, but this time, they also fix a security vulnerability. The security vulnerability not only affects the "26" releases of iOS and macOS, but also older versions. Apple released fixes for iOS 18 and 26, as well as for macOS back to Sonoma (14). Apple also released updates for WatchOS and tvOS, but these updates do not address any security issues. For visionOS, updates were only released for visionOS 26.
The vulnerability affects the Font Parser. A malicious font may lead to app termination or corrupt process memory. It is not clear if this is exploitable for remote code execution. The vulnerability has not been exploited so far.
For consistency, I am including our usual Apple Patch Table ...
Read the full entry: https://isc.sans.edu/diary/Apple+Patches+Single+Vulnerability+CVE202543400/32330/
Increase in Scans for Palo Alto Global Protect Vulnerability (CVE-2024-3400) (2025.09.29)
New tool: convert-ts-bash-history.py (2025.09.26)
https://isc.sans.edu/diary/New+tool+converttsbashhistorypy/32324/
Webshells Hiding in .well-known Places (2025.09.25)
https://isc.sans.edu/diary/Webshells+Hiding+in+wellknown+Places/32320/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2024-3400 - Palo Alto Networks PAN-OS Command Injection Vulnerability
Product: Palo Alto Networks PAN-OS 11.1.2
CVSS Score: 0
** KEV since 2024-04-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3400
ISC Diary: https://isc.sans.edu/diary/32328
ISC Podcast: https://isc.sans.edu/podcastdetail/9634
CVE-2025-26399 - SolarWinds Web Help Desk is vulnerable to a remote code execution flaw that allows unauthenticated attackers to run commands on the host machine through an unauthenticated AjaxProxy deserialization.
Product: SolarWinds Web Help Desk
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26399
ISC Podcast: https://isc.sans.edu/podcastdetail/9626
NVD References:
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26399
CVE-2024-28986 - SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
Product: Solarwinds Web Help Desk 12.8.3
CVSS Score: 0
** KEV since 2024-08-15 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28986
ISC Podcast: https://isc.sans.edu/podcastdetail/9626
CVE-2024-28988 - SolarWinds Web Help Desk is susceptible to a Java Deserialization Remote Code Execution vulnerability, allowing attackers to run commands on the host machine.
Product: SolarWinds Web Help Desk
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28988
ISC Podcast: https://isc.sans.edu/podcastdetail/9626
CVE-2025-10035 - Fortra's GoAnywhere MFT is susceptible to a deserialization vulnerability, which enables an actor to inject commands by deserializing an arbitrary object with a forged license response signature.
Product: Fortra GoAnywhere MFT
CVSS Score: 0
** KEV since 2025-09-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10035
ISC Podcast: https://isc.sans.edu/podcastdetail/9630
CVE-2025-20333 - Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software are vulnerable to arbitrary code execution by authenticated remote attackers due to improper validation of user-supplied input in HTTP(S) requests.
Product: Cisco Adaptive Security Appliance Software
CVSS Score: 9.9
** KEV since 2025-09-25 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20333
NVD References:
- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
CVE-2025-20352 - Cisco IOS Software and Cisco IOS XE Software are vulnerable to a DoS attack and potential code execution by an attacker with low or high privileges through the SNMP subsystem.
Product: Cisco IOS and IOS XE
CVSS Score: 7.7
** KEV since 2025-09-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20352
NVD References:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
CVE-2025-20362 - Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software are vulnerable to unauthorized access to restricted URL endpoints due to improper validation of user-supplied input in HTTP(S) requests.
Product: Cisco Adaptive Security Appliance Software
CVSS Score: 6.5
** KEV since 2025-09-25 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20362
NVD References:
- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
CVE-2025-20363 - Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software are vulnerable to remote code execution due to improper validation of user-supplied input in HTTP requests.
Product: Cisco Adaptive Security Appliance Software
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20363
NVD References:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
CVE-2025-10585 - Google Chrome is vulnerable to type confusion in V8, potentially allowing remote attackers to exploit heap corruption via a crafted HTML page.
Product: Google Chrome
CVSS Score: 8.8
** KEV since 2025-09-23 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10585
NVD References:
- https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html
- https://issues.chromium.org/issues/445380761
CVE-2025-10890 - Google Chrome's V8 allowed remote attackers to leak cross-origin data through a crafted HTML page.
Product: Google Chrome
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10890
NVD References:
- https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html
- https://issues.chromium.org/issues/430336833
CVE-2025-43400 - macOS, visionOS, iOS, and iPadOS were affected by an out-of-bounds write issue when processing maliciously crafted fonts, potentially leading to unexpected app termination or memory corruption.
Product: Multiple Apple products
CVSS Score: 6.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43400
ISC Diary: https://isc.sans.edu/diary/32330
ISC Podcast: https://isc.sans.edu/podcastdetail/9634
CVE-2025-56074 - PHPGurukul Park Ticketing Management System v2.0 is vulnerable to SQL Injection via the fromdate parameter in a POST request.
Product: PHPGurukul Park Ticketing Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56074
CVE-2025-35042 - Airship AI Acropolis has a default administrative account with the same credentials on every installation, leaving instances open to remote attacks if the password is not changed, fixed in versions 10.2.35, 11.0.21, and 11.1.9.
Product: Airship AI Acropolis
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-35042
CVE-2025-57432, CVE-2025-57437, & CVE-2025-57441 - Blackmagic Web Presenter version 3.3 and Blackmagic ATEM Mini Pro 2.7 unauthenticated Telnet service vulnerabilities
Product: Blackmagic Web Presenter, Blackmagic Web Presenter HD, & Blackmagic ATEM Mini Pro
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57432
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57437
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57441
CVE-2025-57601 & CVE-2025-57602 - AiKaan Cloud Controller and IoT management platform use hardcoded SSH private keys and username `proxyuser`.
Product: AiKaan Cloud Controller and AiKaan IoT management platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57601
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57602
CVE-2025-59434 - Flowise had an authenticated vulnerability prior to August 2025 that allowed users on the free tier to access sensitive environment variables from other tenants, resulting in cross-tenant data exposure.
Product: Cloud-Hosted Flowise
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59434
CVE-2025-59528 - Flowise version 3.0.5 is vulnerable to remote code execution due to insecure handling of user input in the CustomMCP node, allowing attackers to execute JavaScript code with full Node.js runtime privileges.
Product: Flowise 3.0.5
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59528
CVE-2025-9588 - Iron Mountain Archiving Services Inc. EnVision is vulnerable to OS Command Injection before version 250563.
Product: Iron Mountain Archiving Services Inc EnVision
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9588
CVE-2025-9846 - Inka.Net before 6.7.1 allows for unrestricted upload of files with dangerous types, leading to command injection vulnerabilities in TalentSys Consulting Information Technology Industry Inc.
Product: TalentSys Consulting Information Technology Industry Inc Inka.Net
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9846
CVE-2025-59545 - DNN (formerly DotNetNuke) allows potential script execution through the Prompt module prior to version 10.1.0.
Product: DNN software DotNetNuke
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59545
CVE-2025-41715 - Web application's database is unauthenticated and exposed to remote attackers, risking unauthorized access and compromise.
Product: WAGO Solution Builder and the WAGO Device Sphere
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41715
NVD References:
- https://certvde.com/de/advisories/VDE-2025-087
CVE-2025-21483 & CVE-2025-27034 - Memory corruption in Qualcomm products
Product: Qualcomm
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21483
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27034
NVD References:
- https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html
CVE-2025-56819 - An issue in Datart v.1.0.0-rc.3 allows a remote attacker to execute arbitrary code via the INIT connection parameter.
Product: Datart v.1.0.0-rc.3
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56819
CVE-2025-57347 - The 'dagre-d3-es' Node.js package version 7.0.9 has a vulnerability in its 'bk' module's addConflict function, allowing attackers to exploit prototype pollution vulnerabilities by injecting malicious input values, potentially leading to denial of service or arbitrary code execution.
Product: Node.js dagre-d3-es
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57347
CVE-2025-57321 - magix-combine-ex versions through 1.2.10 are vulnerable to Prototype Pollution in util-deps.addFileDepend, allowing attackers to inject properties into Object.prototype with a crafted payload and potentially leading to DoS.
Product: magix-combine-ex util-deps
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57321
CVE-2025-10894 - Nx package and related plugins were compromised, allowing malicious code to collect credentials and post them to GitHub.
Product: Nx (build system) package
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10894
CVE-2025-59834 - ADB MCP Server prior to version 0.1.0 is vulnerable to command injection attacks in some of its tool definitions, resolved in commit 041729c.
Product: ADB MCP Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59834
CVE-2025-10542 - iMonitor EAM 9.6394 has default administrative credentials visible in the connection dialog, allowing remote attackers to gain full control over monitored agents and data, potentially compromising highly sensitive telemetry.
Product: iMonitor EAM 9.6394
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10542
CVE-2025-59832 - Horilla HRMS prior to version 1.4.0 contains a stored XSS vulnerability in the ticket comment editor, allowing low-privileged authenticated users to execute arbitrary JavaScript and hijack admin sessions.
Product: Horilla
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59832
CVE-2025-59841 - Flag Forge versions 2.2.0 to before 2.3.1 allow authenticated users to access protected endpoints post-logout due to session invalidation and valid CSRF tokens.
Product: Flag Forge Capture The Flag (CTF) platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59841
CVE-2025-55187 - In DriveLock 24.1.4 before 24.1.5, 24.2.5 before 24.2.6, and 25.1.2 before 25.1.4, attackers can gain elevated privileges.
Product: DriveLock
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55187
CVE-2025-58384 - DOXENSE WATCHDOC before 6.1.1.5332 allows remote code execution via deserialization of untrusted data in the .NET Remoting library.
Product: DOXENSE WATCHDOC
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58384
NVD References:
- https://doc.doxense.com/Watchdoc/J_Securite/cve-2025-58384.htm
CVE-2025-59934 - Formbricks lacked JWT signature verification prior to version 4.0.1, allowing attackers to authenticate and reset a victim's password by crafting an arbitrary JWT with an "alg: none" header.
Product: Formbricks
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59934
CVE-2025-11126 - Apeman ID71 218.53.203.117 has a security flaw in /system/www/system.ini allowing for hard-coded credentials and remote exploitation, despite notification attempts to the vendor.
Product: Apeman ID71
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11126
CVE-2025-8868 - Chef Automate versions earlier than 4.13.295 on Linux x86 platform allow an authenticated attacker to access restricted compliance functionality via an SQL injection vulnerability.
Product: Chef Automate
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8868
CVE-2024-13150 - Fayton Software and Consulting Services' fayton.Pro ERP product is vulnerable to SQL Injection through 20250929.
Product: Fayton Software and Consulting Services fayton.Pro ERP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13150
CVE-2025-57266 - ThriveX Blogging Framework versions 2.5.9 through 3.1.3 allow unauthenticated attackers to obtain sensitive information, such as API Keys, through the /api/assistant/list endpoint in AssistantController.java.
Product: ThriveX Blogging Framework
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57266
CVE-2025-54875 - FreshRSS allows unprivileged attackers in versions 1.16.0 through 1.26.3 to create a new admin user through a hidden field, new_user_is_admin, fixed in version 1.27.0.
Product: FreshRSS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54875
CVE-2025-7937 & CVE-2025-6198 - Supermicro MBD-X12STW & MBD-X13SEM-F vulnerabilities allow attackers to update the system firmware with a specially crafted image.
Product: Supermicro MBD-X12STW
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7937
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6198
ISC Podcast: https://isc.sans.edu/podcastdetail/9626
CVE-2025-58255 - Yonisink Custom Post Type Images allows code injection through CSRF vulnerability, affecting versions up to 0.5.
Product: Yonisink Custom Post Type Images
Active Installations: Unknown
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58255
CVE-2025-9321 - The WPCasa plugin for WordPress is vulnerable to Code Injection up to version 1.4.1, allowing unauthenticated attackers to execute arbitrary functions and code.
Product: WPCasa WordPress plugin
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9321
NVD References:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c1001b2b-395a-44ee-827e-6e57f7a50218?source=cve
CVE-2025-10147 - The Podlove Podcast Publisher plugin for WordPress allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution.
Product: Podlove Podcast Publisher plugin for WordPress
Active Installations: 4,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10147
NVD References:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/093058f1-c717-424f-9bd5-4838df8d20a1?source=cve
CVE-2025-10412 - The Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code.
Product: WooCommerce Uni CPO (Premium) plugin
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10412
NVD References:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1c0c6a45-2c4a-4a23-84e6-7a9759796824?source=cve
CVE-2025-60156 - AR For WordPress is vulnerable to a CSRF issue that enables an attacker to upload a web shell to a web server.
Product: webandprint AR For WordPress
Active Installations: 500+
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60156
CVE-2025-60219 - WooCommerce Designer Pro allows malicious upload of files that can execute code on a web server.
Product: HaruTheme WooCommerce Designer Pro
Active Installations: Unknown
CVSS Score: 10.0
Securing AI Agents 101. AI agents are rapidly emerging across enterprise environments: powering automation, chaining tools, and acting across systems. Securing AI Agents 101 is a one-page resource to help teams build a clear understanding of what AI agents are, how they operate, and where key security considerations show up. Download the security flashcard and get up to speed quickly.
Virtual Event | SANS CloudSecNext Summit Solutions Track | Friday, October 3, 2025 at 10:00am MT (12:00pm ET) Join SANS Sr. Instructor Brandon Evans as he hosts this 2 hour event delving into the latest tools, techniques and procedures to help you better secure cloud, multi-cloud and hybrid environments.
Webcast | Closing the Gaps: Zero Trust Microsegmentation in Hybrid Cloud Environments | Monday, October 20, 2025 @10:30 AM ET Join Dave Shackleford as he shares results from an in-depth hands-on review of Zscaler Microsegmentation, revealing how it enables real-time asset discovery, granular policy enforcement, and unified Zero Trust controls across cloud and on-premises environments.
Virtual Event | SANS 2025 Attack Surface & Vulnerability Management Survey: Hackers Don’t Wait—Why Should We? | Wednesday, October 22, 2025 at 10:30am ET Join Chris Dale, SANS Chief Hacking Officer as he explores the results of SANS's 2025 survey and hosts a series of industry experts specializing in Exposure Management.