Hello and welcome to the Tuesday, January 27th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

In Diaries today, we do have a new scanning pattern that apparently is being used by a couple of IP addresses to scan our web honeypots. The trick here is that they're adding pwd, the output of the command, actually the way it is being written here, so not just the environment variable. And the goal here is likely that they're trying to make, sort of dynamically, the path the web server is running in part of the URL. I'm not sure how well this will actually work, because that's usually the absolute path in the operating system, while of course the path that you're using as part of the URL is then mapped to specific, like, web root directories inside the operating system's directory structure. So, not sure if it will work, but well, attackers always try new tricks, and maybe there are some configurations where this will help the attacker find various vulnerabilities or data leakage in files. They're using this with a large number of different URLs, but a lot of them are sort of the standard environment files and configuration files that we have seen a lot over the last few years.

Well, and this month certainly appears to be the month of Microsoft out-of-band updates. The latest one, and this one is actually a security update. So, yesterday I talked about one that was really more preventing some sort of undesirable side effects with January's patches. This is a new vulnerability and an update to help you protect yourself from the exploitation of this vulnerability. The vulnerability itself is, well, Microsoft Office, and it's one of those unsafe COM control issues. The good old OLE format allows you to load COM controls. The fix is for newer versions of Office, which is 2124. You get a little fix-it script that you can run that will basically apply, probably, the necessary registry changes for you to block execution here. For older versions of Office, you must then do this change manually, which isn't quite trivial. It's a fairly complex registry change, kind of, that you have to make here. But, yeah, go ahead and make that change. Again, this vulnerability is already being exploited, and also details have been made public about how to take advantage of this vulnerability.

Well, and then we have more insecure AI deployments. This time it's Clawdbot. Clawdbot is software that allows you to automate workflows, in particular by interacting with instant messengers. There are various sort of ways how you can configure it. And by default, it only listens on the loopback interface on port 18789. So it shouldn't really be available and accessible from outside the network. But apparently people are setting up proxies to allow access from anywhere on the internet to their Clawdbot instance. This could easily be protected with passwords. If you're already setting up a proxy, adding a password is probably not really that much more difficult. But there are many, many instances out there without. If you are exposing Clawdbot without a password to the internet, then of course you're giving essentially full system access to anybody who is finding your instance. And Shodan, as Jamieson O'Reilly, who sort of broke this story, found out, already has numerous instances listed that are ready for exploitation. So if you're running it, double check that you're not exposing it. And even with a password, I probably would rather not expose it to the internet at all and only expose it via VPN or something like this, where you can then connect directly to the machine it's running on.

And then just a quick note that Apple today released updates for iOS and watchOS and iPadOS. However, these updates do not contain any security fixes. Apparently the main purpose of the update is to support the new AirTags being released today. There's also no update for macOS. So what I expect is that maybe this week or early next week or something like that, I'm just guessing here with Apple, of course, we may receive sort of a security update that then patches macOS and also security vulnerabilities in iOS and other operating systems released by Apple.

Well, and this is it for today. So thanks for listening. Thanks for subscribing. And yes, of course, I'm not emailing stickers. There was one mistake that I made yesterday. But if you find any mistakes, please let me know and you'll get them in the postal mail. I'll just need your postal mail address so I can get the stickers to you. And that's it for today. Thanks and talk to you again tomorrow. Bye. Bye. Bye. Have a great day.
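The scanning pattern described in the Diaries segment above can be picked out of ordinary web server logs. The following is an added example, not code from the ISC or from this episode: it assumes the probes carry shell command substitution syntax in the request path (the `$(pwd)` or backtick form, which is an assumption, since the episode only says "the output of the command"), URL-decodes each path, and separates command substitution from plain variable expansion such as `${HOME}`, since the episode makes exactly that distinction. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in combined log format. The source IPs (from the
# RFC 5737 documentation ranges), paths and timestamps are made up for this
# example and are not taken from the ISC honeypots.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jan/2026:10:01:02 +0000] "GET /$(pwd)/.env HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.10 - - [27/Jan/2026:10:01:03 +0000] "GET /%24%28pwd%29/config/database.yml HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.11 - - [27/Jan/2026:10:02:00 +0000] "GET /`pwd`/wp-config.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [27/Jan/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.8 - - [27/Jan/2026:10:04:00 +0000] "GET /search?q=%24%7BHOME%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell command substitution as it appears after URL-decoding: $(...) or `...`.
# This is the form assumed for the honeypot probes, e.g. $(pwd).
CMD_SUBST_RE = re.compile(r'\$\([^)]*\)|`[^`]*`')

# Plain variable expansion: ${NAME} or $NAME. Checked only after command
# substitution, because $(pwd) also starts with a dollar sign.
VAR_EXPANSION_RE = re.compile(r'\$\{[^}]*\}|\$[A-Za-z_][A-Za-z0-9_]*')


def classify_path(raw_path):
    """Return 'command_substitution', 'variable_expansion' or None for one request path."""
    decoded = unquote(raw_path)
    if CMD_SUBST_RE.search(decoded):
        return "command_substitution"
    if VAR_EXPANSION_RE.search(decoded):
        return "variable_expansion"
    return None


def scan_log(text):
    """Parse each log line and collect requests whose path carries shell syntax."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        kind = classify_path(m.group("path"))
        if kind:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": unquote(m.group("path")),
                "kind": kind,
            })
    return findings


def suspicious_sources(findings):
    """Count command-substitution probes per source IP, the input for an alert or blocklist."""
    counts = {}
    for f in findings:
        if f["kind"] == "command_substitution":
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["ts"]} {h["kind"]}: {h["path"]}')
    print("sources sending command substitution:", suspicious_sources(SAMPLE_LOG and hits))
```

The decoding step matters: the second sample line carries the same `$(pwd)` token percent-encoded, which a regex over the raw log would miss. On real logs, the `suspicious_sources` counts are what you would feed to an alerting rule or a temporary block, while `variable_expansion` hits are worth a lower-severity tag, since `${HOME}`-style strings turn up in ordinary traffic far more often.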