Hello and welcome to the Thursday, September 25th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from Las
Vegas, Nevada. And this episode is brought to you by
the SANS.edu Graduate Certificate Program in
Cybersecurity Engineering. Today I wrote up a diary about
some recent attacks that we have seen against Hikvision
camera systems. These usually target DVRs, network-connected
video recorders that various analog cameras connect to. We
have written, well, as early as back in 2014 about
vulnerabilities in these systems. This latest rash of
exploit attempts that I've seen I would probably qualify
more as a brute-force attempt. They're using the
username admin and the password 11. So not even
123456, which tends to be the default password for many of
these Hikvision systems, at least the older ones. One of
the problems with these systems is that they often
don't come with a full keyboard, but you basically
use a mouse and an on-screen keyboard that usually defaults
to a numeric keypad in order to change your password.
I haven't looked at more recent devices and what changes have
been made. It's usually easier to change the password via the
web application, but in order to get to that point, you
first have to set a password using that on-screen keyboard.
Anyway, if you have a Hikvision system still around,
make sure you secure and patch it properly. There is a
possibility that this also attempts to exploit some older
specific vulnerabilities, but at this point, I really think
it's just essentially brute forcing, which also is a
little bit simpler here because the username and
password are just encoded in base64 and appended to the
URL. And then another blast from the past, and that's a
stack-based buffer overflow in SNMP. This was fixed by Cisco
as part of its September set of patches that were released
today. And this vulnerability is noteworthy because it
already has been exploited in the wild. I say blast from the
past because, well, I remember back in 2000, 2001, we had a
lot of issues with SNMP because of the ASN.1 encoding
that is used in SNMP, which is a little bit difficult to parse.
No idea if this is also related to this vulnerability,
but the stack-based buffer overflow kind of would be a
typical vulnerability here. In order to exploit the
vulnerability, an attacker must have admin access to the
device and is then able to execute code on the device as
root. So this essentially is then usable as a persistent
mechanism to further compromise the device. And
again, noteworthy because it's already exploited in the wild.
And SonicWall released an advisory and firmware update
that for a change doesn't actually fix a specific
security vulnerability. Instead, the point of this
firmware update is to remove a rootkit that has often been
deployed as part of attacks on vulnerable SMA-100 devices.
These rootkits are typically, of course, not removed by
patches. Actually, patches typically don't make any
changes to the system other than fixing the security
vulnerability. And as pointed out before, well, whenever you
apply a patch, you should make sure that the system is not
already compromised. But this turns out to be quite tricky
with this particular rootkit. So SonicWall, in order to help
its users, has released this special firmware update. Even
if you don't believe that your device has been compromised, I
would still recommend applying this update because that's
exactly the problem here. It's really easy to miss this
rootkit and have a compromised device that, of course, then
later can be accessed again by the threat actor responsible
for the rootkit. Well, the end is, or better was, near for
Windows 10 users. It turns out that Microsoft has given in
and will extend the Windows 10 end of support deadline that
was originally supposed to happen in October. Due to
public outcry, they initially relented in Europe and offered
free additional one-year essential support for Windows
10 in Europe. Apparently in the US they now have done so
as well. I couldn't find the original release from
Microsoft, so I'm linking in the show notes to a news
report about this. But initially it was supposed to
cost $30 to get, basically, continued basic
security updates for a year. But this will now happen for
free. Well, and that's it for today. So thanks for
listening. Thanks for liking, recommending and for
subscribing to this podcast. That's it for today. And talk
to you again tomorrow. Bye.