
SANS Internet Storm Center's Stormcast Highlights Critical Cybersecurity Issues
In the April 14, 2025 edition of the SANS Internet Storm Center's Stormcast, Johannes Ullrich, recording from Orlando, Florida, addresses several crucial cybersecurity topics.

The first key point concerns a vulnerability in Langflow, a tool used to orchestrate various artificial intelligence tools and execute workflows based on AI outputs. This vulnerability, initially discovered by Horizon 3, allows remote code execution via an unauthenticated API, enabling the injection of arbitrary Python code. Although Langflow patched this flaw at the end of March, they never officially acknowledged the vulnerability. Horizon 3 not only discovered the flaw but also submitted a fix after Langflow ignored it. This situation underscores the importance of transparency and communication in managing vulnerabilities.

Another point discussed is an alert from Fortinet regarding an old vulnerability in their devices, exploited by a malicious actor to deploy a symbolic link (symlink). This symlink allows read-only access to the device, providing persistence for the attacker. Fortinet responded by publishing an update that detects and removes this symlink, while implementing countermeasures to prevent similar future incidents. This update is crucial for systems already compromised by the old vulnerability, as simply applying the previous patch is not enough to eliminate the symlink.

The episode also covers a Microsoft Patch Tuesday update from the previous week. This update created an empty "inetpub" directory, the directory used by IIS (Internet Information Services). Microsoft confirmed that this creation was intentional, aimed at adding a layer of protection against certain vulnerabilities. It is important to note that this directory should not be deleted, even if it contains older files, as these files may include installation logs, configuration backups, or even custom web files added by the user.
Finally, Johannes Ullrich mentions that he will be present at the SANS Spring event in Orlando and invites viewers to meet him to get stickers and discuss cybersecurity. He also encourages viewers to scan a QR code for more information about the SANS Fire event in July. This video provides valuable insights into current vulnerabilities and the measures needed to secure systems. It highlights the importance of vigilance and responsiveness in cybersecurity, emphasizing that even patches may require additional actions to ensure complete protection.