Hello and welcome to the Monday, December 1, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from Dallas,
Texas. This episode is brought to you by the SANS.edu
Graduate Certificate Program in Cybersecurity Leadership.
Well, first of all, it looks like this long weekend, at
least here in the U.S., was pretty eventless and no
emergencies here to report about. Nothing that you need
to do right now in order to sort of catch up for whatever
threat you may have missed this long weekend. But we do
have a couple sort of smaller things that are certainly
worth covering. First one is a new development when it comes
to ClickFix attacks. ClickFix attacks do trick victims
into copy-pasting commands into a command prompt to then
execute malicious code. The latest version was here
identified by Acronis. And what they observed is
attackers using fake blue screens of death. And with
that, again, tricking users into copy-pasting commands
into a command prompt. The ultimate idea is exactly the
same as ClickFix, but just the lure is a little bit
different with the blue screen of death. Maybe a little bit
more plausible at this point, given that we hopefully have
taught users about ClickFix or they have experienced it
firsthand, while they may not have seen this with a blue
screen. Apparently the websites displaying the
blue screens are being advertised via Google Ads and
the blue screen doesn't show up right away, but only after
the user interacts a little bit with the website. Maybe
also making this a little bit more plausible, but also
making it more difficult to detect and eliminate these
malicious websites. The blog by Ontinue does outline an
interesting trick that attackers are apparently
playing with Microsoft Teams. Microsoft Teams, if you're
enabling it in an enterprise context, you have a rich set
of protection features that you are able to enable if you
are trying to filter content. Now, the problem here that
attackers are taking advantage of is that the users who are
used to this kind of enterprise setup are
expecting this protection even if they're joining someone
else's Teams space. Teams allows guests to join another
team space and what's happening here is that the
attacker is essentially setting up their own Teams
environment without any of these protections and then
inviting the victim to join their Teams environment and
then exposing them to these malicious links and similar
threats. Again, social engineering, a little bit like
what we just covered with ClickFix where users really
don't quite understand the environment that they are
connecting to. And then there's one vulnerability that
I want to talk about today and that's an external XML entity
vulnerability in GeoServer. Two reasons why I want to
cover this. First of all, GeoServer is one of those
tools we do see scans for, and have seen scans for, for a
couple of years now. So it's definitely targeted by
attackers and shouldn't really be exposed in the first place.
It's one of those complex systems to deal with
geographic information systems, coordinates and the
like. And yes, it has had multiple vulnerabilities in
the past, and is often not configured correctly either.
That's not our issue with that. So please don't expose
it if you can help it. And then the second reason I want
to cover it is that external XML entities are an often
overlooked issue that keeps popping up in particular in
these sort of complex data processing systems that often
deal with XML. What it really refers to is that an attacker
may include essentially commands in an XML document
that redefine entities as content of files or remote
URLs. So essentially your parser is now going out and
hitting that URL, which can then also lead to server side
request forgery, or they can read an internal file, which
is basically sort of an internal file inclusion vulnerability.
So definitely don't overlook these XML vulnerabilities. A
lot of them can be controlled by adjusting your parser
correctly. And hopefully, in this particular case, well,
GeoServer released a patch for it. Well, and this is it
for today. So thanks for listening. If you are here in
Dallas, I'll be giving a talk, I think on Wednesday, about the
Internet Storm Center. And I also have one more class
actually this year that I'll be teaching. It'll be online
only, but on the European time zone. And it's our intrusion
detection in depth, SEC503 class. That's it for today.
Thanks for listening and talk to you again tomorrow. Bye.
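The parser-configuration point made above, as an added example that is not from the podcast or from GeoServer: Python's stdlib xml.sax parser with the weak setting (external general entities enabled, so a SYSTEM entity pulls in a file or URL) beside the hardened one (external entities off and any DOCTYPE refused outright). The entity name, the temp file standing in for server-side data and the request document are all constructed for the demo.

```python
import io
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler

class DoctypeRejected(xml.sax.SAXException): """Raised when input carries a DOCTYPE."""

class TextCollector(ContentHandler):
    # Gathers the character data the parser delivers, expanded entities included
    def __init__(self):
        super().__init__()
        self.parts = []
    def characters(self, content):
        self.parts.append(content)

class RejectDoctype:
    """Lexical handler: entity declarations live in the DOCTYPE, so refusing it
    closes off file/URL entities (XXE, SSRF) and entity-expansion bombs alike."""
    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE not accepted in untrusted XML")
    # expatreader also wires these lexical callbacks; nothing to do for them
    endDTD = comment = startCDATA = endCDATA = lambda self, *args: None

def parse_text(xml_bytes, external_entities=False, reject_doctype=True):
    """Return the document's text. external_entities=True is the weak setting:
    SYSTEM entities are then fetched from disk or over the network."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)

def rejects(xml_bytes):
    # True if the hardened (default) settings refuse the document
    try:
        parse_text(xml_bytes)
        return False
    except DoctypeRejected:
        return True

def build_demo():
    # Constructed sample: a temp file standing in for server-side data, plus a
    # document whose entity points at it (hypothetical names, not GeoServer's)
    secret = "constructed-secret-token"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
    doc = (f'<?xml version="1.0"?><!DOCTYPE request [<!ENTITY ext SYSTEM "{fh.name}">]>'
           '<request>&ext;</request>')
    return doc.encode(), secret
```

With external entities merely disabled but the DOCTYPE still accepted, the entity is silently dropped and the application carries on with an empty value; refusing the DOCTYPE makes the attempt visible as a parse failure you can log.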