Hello and welcome to the Monday, October 13th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu graduate certificate program in cloud
security.

Oracle E-Business Suite users, be aware:
there is yet another update for you to apply. This update
was released on Sunday, and Oracle's notice doesn't state
whether or not this particular vulnerability is
already being exploited. It's only an information leakage
vulnerability, so an unauthenticated user may have
access to information that they're not supposed to have
access to. However, given that there's really no statement
on whether or not it's being exploited, it's released on a
Sunday, it's released just a week after we had that major
already-exploited vulnerability, and it's about
a week before the normal Oracle Critical Patch Update,
the quarterly update they're releasing for all of their
products, I would assume that this vulnerability is already
being exploited. Maybe it's a follow-on to the initial
attack whose vulnerability was patched last weekend, or maybe
it's just part of that attack that wasn't really patched in
last weekend's update. Not much here from Oracle to go by other
than conjecture, and I would err on the side of caution in
the sense that you probably want to apply this patch as
soon as possible, before the Critical Patch Update for the
quarter comes out in a week, just so you get it off your
plate and then can focus on whatever that Critical Patch
Update fixes. But yeah, really not a lot to go by here from
Oracle's side, so I'm really just making some assumptions here.
And Huntress Labs is reporting in a blog post that they're
seeing widespread exploitation of SonicWall VPN
devices. What they're noting here is that the attacker is
rapidly logging in to a number of different accounts. This, of
course, comes a couple of days after SonicWall let it be
known that all configurations uploaded to its MySonicWall
cloud storage had been compromised. The best guess is
that whatever actor got hold of these configurations is now
as quickly as possible attempting to compromise those
instances in order to take advantage of these credentials
before the user may actually change them. So if you had
your configuration uploaded to MySonicWall: number one,
assume it was compromised. Yes, passwords were hashed,
but hashes can be brute-forced. And the end result is
that if you had your configuration in MySonicWall,
at this point assume the device is compromised. Don't
just go in and change credentials and such, but take
a close look. Make sure there are no backdoors or any other
compromise, no new accounts, nothing like that
installed. Take a look at the Huntress blog; you also have
IP addresses and other things that they have observed on
compromised devices. So this is pretty much a must-do at
this point: you must assume a compromise of these
devices.

Hunter's lab and it affects the secure clad in it center
stack and Triofox storage solutions like all these very
secure remote storage solutions. Well, they are not
very, very, very secure and as a result, they suffer from a
software unpatched local file inclusion vulnerability local
file inclusion vulnerability allows even on a secure file
storage and sharing system to read arbitrary files in
particular in this case, the web dot config file, which
then releases the machine key. And well, we all learned about
a machine key from the share point vulnerability. Another
secure file sharing technology, of course, that it
can be used to further compromise the affected
system. No patch available. So see what you can do with
respect to any configuration changes and as usual, assume
And then we do have two distinct but similar
vulnerabilities in 7-Zip that have been addressed. These
vulnerabilities are your typical symbolic link
vulnerabilities that essentially allow for
directory traversal and, with that, under some circumstances
even arbitrary code execution. Update as patches become
available. There is no indication at this point that
these vulnerabilities are being exploited. On the other
hand, similar vulnerabilities have often been exploited in
the past, so it's probably no stretch to assume that
exploits are already somewhat available for these issues.

Well, and this is it for today. So thanks for listening
and thanks for liking and subscribing to this podcast.
And as always, talk to you again tomorrow. Bye-bye.
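The SonicWall pattern described in this episode, one source address rapidly logging in to many different accounts with stolen credentials, is something you can hunt for in your own VPN authentication logs. The script below is an added example written for this page; it is not code from the podcast or from the blog post it cites, and the log format, field names and sample lines are constructed for illustration rather than taken from any SonicWall product. It flags any source IP that authenticates (successfully or not) to at least three distinct accounts within a five-minute sliding window.

```python
"""Added example: detect one source IP touching many distinct VPN accounts
in a short window. Log format and sample lines are constructed for this
illustration and do not represent any vendor's actual log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <user> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.5 walks through five accounts in twelve seconds; the other two
# sources show ordinary behaviour (one user, repeated or retried logins).
SAMPLE_LOG = """\
2025-10-10T08:00:01Z 203.0.113.5 alice LOGIN_OK
2025-10-10T08:00:04Z 203.0.113.5 bob LOGIN_OK
2025-10-10T08:00:07Z 203.0.113.5 carol LOGIN_FAIL
2025-10-10T08:00:09Z 203.0.113.5 dave LOGIN_OK
2025-10-10T08:00:12Z 203.0.113.5 erin LOGIN_OK
2025-10-10T08:15:00Z 198.51.100.7 alice LOGIN_OK
2025-10-10T08:45:00Z 198.51.100.7 alice LOGIN_OK
2025-10-10T09:00:00Z 192.0.2.9 bob LOGIN_FAIL
2025-10-10T09:00:30Z 192.0.2.9 bob LOGIN_OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def find_account_spraying(log_text, window=timedelta(minutes=5), min_accounts=3):
    """Return {src_ip: sorted distinct users} for every source IP that
    authenticated to at least `min_accounts` different accounts within any
    sliding window of length `window`. Both successes and failures count:
    with stolen, valid credentials most attempts succeed, so a detection
    keyed only on failures would miss this activity."""
    events = defaultdict(list)  # src_ip -> [(timestamp, user), ...]
    for line in log_text.strip().splitlines():
        ts, ip, user, _result = parse_line(line)
        events[ip].append((ts, user))

    hits = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order per source
        for i, (start, _) in enumerate(evs):
            # Every event from `start` forward that still falls inside the window.
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break  # one hit per source IP is enough to raise an alert
    return hits


if __name__ == "__main__":
    for ip, users in find_account_spraying(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(users)} distinct accounts -> {', '.join(users)}")
```

Tune `window` and `min_accounts` to your environment (a NAT gateway shared by many legitimate users needs a higher threshold), and cross-check any flagged source against the indicators published in the blog post the episode refers to.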