
SANS Stormcast Wednesday, October 8th, 2025: FreePBX Exploits; Disrupting Teams Threats; Kibana and QT SVG Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9646.mp3


FreePBX Exploit Attempts (CVE-2025-57819)
A FreePBX SQL injection vulnerability disclosed in August is being used to execute code on affected systems.
https://isc.sans.edu/diary/Exploit%20Against%20FreePBX%20%28CVE-2025-57819%29%20with%20code%20execution./32350
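As an added example (not code from ISC, SANS or the FreePBX project), the script below triages the mechanism the transcript describes: the SQL injection inserts a row into the FreePBX cron-job table so that an every-minute cron command drops a PHP file into the web document root, and that file echoes the output of `uname -a` and deletes itself. The table and column names, the document-root paths, the PHP markers and every sample row are assumptions and constructed data, not details taken from the diary.

```python
"""
Added example (not code from ISC, SANS or the FreePBX project): triage the
FreePBX cron-job table for the abuse pattern described in the Stormcast,
where SQL injection inserts a row whose every-minute cron command writes a
PHP file into the web document root.  Table/column names, document-root
paths and all sample rows are assumptions or constructed data.
"""
import re
from dataclasses import dataclass, field

# Assumed FreePBX document roots; adjust to the deployment being checked.
WEB_ROOTS = ("/var/www/html", "/var/www/freepbx")
_ROOT_RX = "|".join(re.escape(r) for r in WEB_ROOTS)

# Indicators in a cron command worth a second look.  None of these is proof of
# compromise on its own; the combination matters (see score()).
INDICATORS = {
    "webroot_write":  re.compile(rf"(?:>>?|\btee\b)\s*['\"]?(?:{_ROOT_RX})/\S*"),
    "php_in_webroot": re.compile(rf"(?:{_ROOT_RX})/\S*\.php\b"),
    "uname":          re.compile(r"\buname\s+-a\b"),
    "downloader":     re.compile(r"\b(?:curl|wget)\b"),
    "base64_decode":  re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
    "self_delete":    re.compile(r"unlink\s*\(\s*__FILE__|\brm\s+(?:-f\s+)?\S*\.php\b"),
}

@dataclass
class Finding:
    name: str
    schedule: str
    reasons: list = field(default_factory=list)
    severity: str = "low"

def every_minute(schedule: str) -> bool:
    """True for a five-field cron spec that fires every minute."""
    return schedule.split() == ["*"] * 5

def score(reasons) -> str:
    """A write into the web root on an every-minute schedule is the diary's pattern."""
    webdrop = {"webroot_write", "php_in_webroot"} & set(reasons)
    if webdrop and "every_minute" in reasons:
        return "high"
    if webdrop or "downloader" in reasons or "base64_decode" in reasons:
        return "medium"
    return "low"

def triage_cron_rows(rows):
    """rows: iterable of dicts with 'name', 'schedule', 'command' (exported from the
    FreePBX cron table with whatever column names the deployment actually uses)."""
    findings = []
    for row in rows:
        reasons = [k for k, rx in INDICATORS.items() if rx.search(row["command"])]
        if reasons and every_minute(row["schedule"]):
            reasons.append("every_minute")
        if reasons:
            findings.append(Finding(row["name"], row["schedule"], reasons, score(reasons)))
    return findings

# PHP-side markers for files found in the document root.  The transcript says the
# dropped file echoes `uname -a` output and deletes itself; the exact PHP is not on
# the page, so these are generic web-shell style markers (an assumption).
PHP_MARKERS = {
    "exec_call":   re.compile(r"\b(?:shell_exec|system|passthru|exec|popen)\s*\("),
    "uname":       re.compile(r"uname\s+-a"),
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
}

def scan_php_source(src: str):
    """Return the marker names present in a PHP file's source."""
    return [k for k, rx in PHP_MARKERS.items() if rx.search(src)]

# Constructed sample rows (not real FreePBX data).
SAMPLE_ROWS = [
    {"name": "nightly_backup", "schedule": "0 2 * * *",
     "command": "/usr/sbin/fwconsole backup --id=1"},
    {"name": "cdr_rotate", "schedule": "* * * * *",
     "command": "/usr/local/bin/cdr-rotate.sh"},
    {"name": "update", "schedule": "* * * * *",
     "command": "echo '<?php echo shell_exec(\"uname -a\"); unlink(__FILE__); ?>' > /var/www/html/check.php"},
]

if __name__ == "__main__":
    for f in triage_cron_rows(SAMPLE_ROWS):
        print(f"[{f.severity}] {f.name} ({f.schedule}): {', '.join(f.reasons)}")
    print("php markers:", scan_php_source("<?php echo shell_exec('uname -a'); unlink(__FILE__); ?>"))
```

Export the cron table from the FreePBX database into rows with those three keys, run `triage_cron_rows` over them, and run `scan_php_source` over any recently modified `.php` files under the document root. A `high` finding is the cron-plus-webroot pattern from the diary; pull the row and the dropped file for analysis before deleting either, since removing the file alone achieves nothing while the cron row keeps recreating it.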

Disrupting Threats Targeting Microsoft Teams
Microsoft published a blog post outlining how to better secure Teams.
https://www.microsoft.com/en-us/security/blog/2025/10/07/disrupting-threats-targeting-microsoft-teams/

Kibana XSS Patch CVE-2025-25009
Elastic patched a stored XSS vulnerability in Kibana.
https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-and-9-1-5-security-update-esa-2025-20/382449

QT SVG Vulnerabilities CVE-2025-10728, CVE-2025-10729
The QT group fixed two vulnerabilities in the QT SVG module. One of the vulnerabilities may be used for code execution.
https://www.qt.io/blog/security-advisory-uncontrolled-recursion-and-use-after-free-vulnerabilities-in-qt-svg-module-impact-qt

Podcast Transcript

Hello and welcome to the Wednesday, October 8, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Denver, Colorado. And this episode is brought to you by the SANS.edu graduate certificate program in Incident Response.

In diaries today I wrote about exploit attempts that we have been seeing against FreePBX. FreePBX is the popular voice over IP system and it had a critical vulnerability disclosed about two months ago. This vulnerability had already been exploited at the time it was disclosed and, yes, of course many of these FreePBX systems hadn't been patched at the time. What we are seeing here is an interesting way to leverage SQL injection to actually achieve remote code execution. FreePBX maintains a database table called cronjobs. That table can be used to essentially add system cron jobs via the SQL injection vulnerability. So the SQL injection vulnerability is just used to insert an additional row into this table, which will then launch a cron job every minute. That cron job will create a file in the web document root directory that just echoes back, well, that the system is essentially vulnerable. It does also echo back the output of uname -a and then deletes the file, deletes itself, which I don't think actually makes a big difference because the cron job keeps running and will continuously recreate the file. But the file, it's a PHP file, so it's only executed if it's actually loaded in a browser. At this point we haven't really seen any attempts to access this file, but our honeypots aren't really sort of claiming to be vulnerable, so it's possible that the attacker figures out after trying to deploy this particular file using the vulnerability that the exploit actually didn't work.
Microsoft published a very extensive blog post about disrupting threats targeting Microsoft Teams. In the first part of this blog post they are discussing various threats that Teams is exposed to. They analyze the entire attack chain that some of the attackers have taken in the past: how they did reconnaissance, how they gained initial access, how they then gained persistent access to a particular Teams environment. We have talked about some of the methods before, like for example the abuse of device codes with Teams. Microsoft is also explaining how to protect yourself from these different attacks at every stage of the attack chain. So multi-factor authentication, that should be a given at this point, but the advice goes way beyond that. For example, just-in-time access for privileged accounts like your Teams administrators, but also how to secure some of the endpoints that you're using to connect to Teams. Very good blog post. I think anybody managing a Teams environment should probably take a look, and of course pen testers, red teamers also take a look because there are a lot of tools mentioned that these attackers are using in order to successfully breach Teams environments.

And we got a couple of updates to talk about. The first patch is a patch released by Elasticsearch for Kibana. The problem here is that if you allow an attacker to upload files, which is a scenario that can happen when you have untrusted users essentially uploading files to Kibana, well, you may have a stored cross-site scripting vulnerability that of course in the context of Kibana could allow for additional access to the system by the attacker. Patches have been made available. CVSS score of 8.7, meaning it's a high vulnerability, not a critical one.

Second vulnerability I want to mention is actually
two vulnerabilities. Both apply to the QT-SVG module. The main reason I really cover this is, first of all, SVG has been in the news a couple of times in recent weeks, months, and the first vulnerability here is a stack-based overflow. The QT group mentions this as a denial of service and it's very likely that this is not exploitable on modern systems as a remote code execution. The second one is labeled as a use-after-free vulnerability. It doesn't state what kind of access an attacker could gain here, but it does have a CVSS score of 9.4, suggesting that code execution is certainly possible here. As with everything, they state, well, if you use trusted input nothing bad can happen, but on the other hand SVG is used in so many contexts and the QT-SVG library is certainly one of the main sources used to deal with SVG, which is why you probably should take a look whether any of your systems need patching.

Well, that's it for today. So thanks again for listening and thanks for liking and thanks for subscribing to this podcast, and talk to you again tomorrow. Bye.