šŸŽ“ļø Vulnerable U | #100

CISA's Advisory board disbanded, Zero click Outlook 0day, Fortinet saga continues, PowerSchool breach has data back to 1985, Sam Curry hacked a Subaru, and more!

Read Time: 8 minutes

Howdy friends!

100! Wild. I don't know how we can celebrate. But thanks for being here for 100 weeks straight. And I'm just getting started. Lots of big things coming in 2025 for Vuln U.

ICYMI

šŸ–Šļø Something I wrote: When rest feels like a risk. - I know a lot of us are burning out early with the news cycle as crazy as it is right now. I know its cliche, but take care of yourself. Your own oxygen mask before othersā€¦

šŸŽ§ļø Something I heard: I keep playing this song by Childish Gambino loudly while driving. The chorus scientifically hits harder while played at max volume.

🎤 Something I said: Revisited Cambridge Analytica with a 2025 lens. I think this is an important topic of how we've all gotten used to the new way of things.

🔖 Something I read: Miessler's piece on AI can't solve everything. "We can't take the weights out of the gym" in there hit me. Great quick read.

Vulnerable News

Well this is messy - Trump's DHS just cleared house on all their advisory committees, including the Cyber Safety Review Board that's currently investigating those Chinese telecom hacks. Acting Secretary Huffman says it's about "eliminating misuse of resources," but the timing is interesting given they're mid-investigation into the Salt Typhoon campaign. Members can reapply for their spots, but several, including Chris Krebs (who Trump previously fired from CISA), had already jumped ship.

"You can't stop what you don't understand and the CSRB was arming us with understanding"

The move is getting predictably partisan reactions - House Republicans are defending it as giving Trump's team a chance to reshape things. At the same time, Dems are worried it'll delay the Salt Typhoon investigation. Mark Montgomery from the Foundation for Defense of Democracies raises a good point though - losing private sector expertise from folks like Google's security chief and Mandiant's founder could have real operational impact. This isn't just about shuffling deck chairs. (read more)

Vulnerabilities are gateways in your attack surface that can be exploited to deploy ransomware, infostealers & more. Learn how to build a strong vulnerability management program (VMP) and reduce your attack surface with this guide, featuring:

→ Roadmaps, battle-tested lessons learned, and strategies implemented by Flashpoint customers
→ Measuring your VMP's effectiveness with metrics like Mean Time to Detect (MTTD) and Mean Time to Remediation (MTTR)
→ How to manage risk exposure by combining vulnerability intelligence with industry-leading threat intelligence

Download now to learn more.

*Sponsored

Microsoft just patched a nasty zero-click RCE in OLE that's particularly scary for Outlook users. The bug (CVE-2025-21298) lets attackers trigger code execution just by having someone preview an RTF email - no clicks needed. It's a double-free vulnerability in ole32.dll where a pointer gets released twice during stream conversion, leading to heap corruption.

The good news is there's already a patch out in the January updates. The bad news is this affects pretty much every Windows version from Server 2008 through 2025, plus Windows 10/11. If you're running Outlook in your environment, you'll want to prioritize this update. For the extra paranoid, you might want to disable RTF previews until you're patched up. There's already a PoC floating around on GitHub, so this one's likely to get some attention from the bad guys. (read more)

Sam Curry is the GOAT - he and Shubham Shah found a vulnerability in Subaru's STARLINK system that gave them complete access to every connected Subaru in North America and Japan. The bug was simple: an admin portal with a broken password reset and 2FA bypass that let them take over employee accounts with just an email address.

Once in, they could track any car's location history (down to 5m accuracy), unlock vehicles remotely, and access customer PII - all they needed was a last name and ZIP code or license plate.

The good news is Subaru patched it within 24 hours of the report. The concerning part? The whole system was designed with incredibly broad access by default - any employee could query sensitive data for any vehicle across multiple countries. Sam demonstrated this by tracking his mom's car for a year and remotely unlocking a friend's Subaru.

Everyone in the comments is bragging about driving an old beater at this point. (read more)

PowerSchool is looking worse. Sensitive data for potentially 62.4 million students and 9.5 million teachers across 16,000 schools got swiped. This isn't just names and emails - full SSNs, medical records, and discipline notes. Some of this data goes back to 1985, which is insane. If you graduated school in the 80s, there was absolutely no way for you to consent to this software having your info.

PowerSchool's playing the "trust us, the attackers promised to delete it" card, even claiming they've got a video showing the deletion. Anyone who's been in security more than five minutes knows what that's worth.

They're offering the usual "we're sorry" package of two years credit monitoring, but haven't confirmed if they paid a ransom. (read more)

The Treasury just sanctioned some Chinese actors linked to those massive breaches from last year. They're going after a Shanghai-based individual who apparently helped hack Janet Yellen's computer (got about 50 unclassified files) and a Sichuan company tied to the Salt Typhoon crew that's been having a field day with U.S. telecom networks.

The FCC's finally had enough of this telecom mess and is making companies actually prove they're securing their networks (wild that this wasn't already required). Meanwhile, the State Department's dangling a $10M reward for intel on these actors. The really spicy detail here is that the Treasury's saying these "security companies" have direct ties to Chinese intelligence - not exactly shocking, but notable they're saying it out loud now. (read more)

Unauthenticated RCE in Aviatrix Controller is in the wild and it's already being exploited. The bug (CVE-2024-50603) affects all versions before 7.2.4996/7.1.4191, and Wiz has spotted multiple actors successfully hitting exposed instances. The PoC dropped literally a day after disclosure, because of course it did.

Here's the fun part - even if you patch, it might not stick. The fix isn't persistent in certain scenarios, like if you're running an older version or don't have CoPilot 4.16.1+. CISA just added this to their KEV catalog, while they still exist. (read more)

Cloudflare just reported the biggest DDoS attack ever recorded - a massive 5.6 Tbps hit against an ISP in East Asia. The previous record was 3.8 Tbps, so this is a significant jump. The attack came from a Mirai variant botnet controlling 13,000 IoT devices, mostly compromised smart TVs and set-top boxes (because who patches those, right?).

The attack only lasted 80 seconds but shows how Mirai continues to be a pain years after its source code leaked in 2016. DDoS attacks in general were up 53% in 2024, with Cloudflare blocking an average of 4,870 attacks per hour. Indonesia topped the charts for attack sources in Q4, followed by Hong Kong and Singapore. Ransom DDoS attacks also spiked during the holiday shopping season because... of course they did. (read more)

CISA and FBI just published the details on those Ivanti CSA zero-days from last fall, and it's certainly something. Attackers are chaining together multiple vulns (two RCEs, path traversal, and SQLi) to pop these boxes. They found two different exploit chains - one using CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380, the other using CVE-2024-8963 with CVE-2024-9379. Once they're in, it's the usual webshell and credential theft party.

The good news is that the three orgs CISA mentioned caught the attacks before the bad guys could do much damage. In one case, the attackers tried to pivot to a Jenkins server and then to VPN but got shut down. Still, CISA's telling everyone to assume any credentials stored on these boxes are toast and to start hunting through their logs. Ivanti CSAs are everywhere in enterprise networks, so this one's going to be keeping IR teams busy for a while. (read more)

SonicWall 0-day time. A critical alert went out about their SMA1000 series that you might want to pay attention to. There's a pre-auth deserialization bug (CVE-2025-23006) scoring a 9.8 CVSS that lets unauthenticated attackers execute arbitrary OS commands. They're saying it's already being exploited in the wild, according to Microsoft's Threat Intel team who found it.

If you're running SMA1000 versions 12.4.3-02804 or earlier, time to patch up to 12.4.3-02854 or higher. At least the SMA 100 series and firewalls aren't affected this time. But given it's pre-auth RCE and already being targeted, probably don't wait for the weekend to fix this one. (read more)

We've talked a fair bit about these North Korean spies getting hired as IT employees here via laptop farms in residential areas.

This time the feds nabbed two Americans and a Mexican national, and indicted two North Koreans for helping NK IT workers pose as U.S.-based employees at 64 different companies. The scheme was pretty lucrative - they pulled in about $866K before getting caught, though NK's government apparently keeps up to 90% of what their workers earn.

The FBI says these NK workers aren't just collecting paychecks anymore. When companies start catching on, they're switching to straight-up extortion, threatening to leak stolen code and data unless they get paid. The feds are seeing them copy entire GitHub repos and snag company credentials. (read more)

Remember that FortiGate config dump from last week? Well, now we've got a clearer picture of who got hit. Security researchers Kevin Beaumont and Florian Roth have published a list of about 5,000 email addresses from the leaked configs, helping defenders identify which orgs might need to check their systems. The leak stems from that 2022 zero-day (CVE-2022-40684) that The Belsen Group exploited.

Among the leaked data were 12,000 site-to-site IPsec VPN tunnel configurations. As Beaumont points out, this means attackers could potentially pop up on victims' networks even if they weren't initially compromised. Roth's not mincing words either - he's telling affected organizations to treat this like the serious security incident it is and run full compromise assessments. Just patching isn't enough when attackers might have been camping in your network for years. (read more)

Miscellaneous mattjay

If you missed it, the Silk Road founder was pardoned.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay