INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Apple Patches Exploited Vulnerability
Published: 2025-04-16
Last Updated: 2025-04-16 18:44:59 UTC
by Johannes Ullrich (Version: 1)
Today, Apple patched two vulnerabilities that had already been exploited. The vulnerabilities were exploited against iOS but also exist in macOS, tvOS, and visionOS. Apple released updates for all affected operating systems ...
Read the full entry: https://isc.sans.edu/diary/Apple+Patches+Exploited+Vulnerability/31866/
Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248)
Published: 2025-04-12
Last Updated: 2025-04-13 00:21:28 UTC
by Johannes Ullrich (Version: 1)
Two weeks ago, version 1.3.0 of Langflow was released. The release notes list many fixes but do not mention that one of the "Bug Fixes" addresses a major vulnerability. Instead, the release notes state, "auth current user on code validation."
Its website states, "Langflow is a low-code tool for developers that makes it easier to build powerful AI agents and workflows that can use any API, model, or database." It can be installed as a Python package, a standalone desktop application, or as a cloud-hosted service. DataStax provides a ready-built cloud-hosted environment for Langflow.
The vulnerability went somewhat unnoticed, at least by me, until Horizon3 created a detailed writeup showing how easy it is to exploit and provided a proof-of-concept exploit. Horizon3 published its blog on April 9th. We saw a first hit to the vulnerable URL [...] on April 10th. Today (April 12th), we saw a significant increase in hits for this URL ...
Read the full entry: https://isc.sans.edu/diary/Exploit+Attempts+for+Recent+Langflow+AI+Vulnerability+CVE20253248/31850/
Network Infraxploit [Guest Diary]
Published: 2025-04-09
Last Updated: 2025-04-10 00:38:56 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Matthew Gorman, an ISC intern as part of the SANS.edu BACS program]
Background
I recently had the opportunity to get hands-on with some Cisco networking devices. Because I was a network engineer before my current job as a network forensics analyst, I have a relatively solid understanding of these infrastructure devices and how they work. I wanted to write this blog detailing some of the critical oversights I see in my current job that are common for these devices, and how they are abused by attackers who are also familiar with how they work. To demonstrate this, I will walk through a vulnerability first disclosed in 2018 for these network infrastructure devices, CVE-2018-0171, a remote code execution vulnerability in Cisco's Smart Install feature.
CVE-2018-0171
Cisco's Smart Install feature is a 'plug and play' configuration feature that allows new networking devices to be deployed remotely: when plugged in, they configure themselves automatically without the support of a network administrator. This greatly eases the burden on network administrators, who would otherwise need to go on site to make the basic initial configuration changes that make the device remotely accessible.
The problem with Smart Install is three-pronged. First, this feature is enabled by default on Cisco devices. Second, by design, the Smart Install protocol does not require authentication prior to use. Third, because these devices sit where traffic flows in and out of organizations, the Smart Install port (TCP 4786) is often publicly accessible. In fact, a cursory search on Censys for this port and the service name associated with Cisco Smart Install (SMI) pulled up 1,239 devices with this service publicly accessible ...
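The three prongs above combine into a simple check a defender can run against their own address space: connect to TCP 4786, send the unauthenticated Smart Install "director" hello, and see whether the switch answers as an SMI client. The script below is an added example written for this digest, not code from the guest diary or from Cisco. The probe and expected-reply bytes are reproduced from memory of Cisco's public smi_check tool and should be treated as an assumption; the `check_host` and `is_smi_response` names are this example's own. Run it only against devices you are authorised to test.

```python
"""Probe for an exposed Cisco Smart Install (SMI) client on TCP/4786.

Added example (not from the ISC diary). The 24-byte probe and the reply it
expects are recalled from Cisco's public smi_check tool; treat both byte
strings as an assumption and confirm against that tool before relying on it.
"""
import socket

SMI_PORT = 4786  # Smart Install client listens here on the switch

# Director -> client hello: four big-endian 32-bit header words followed by
# an 8-byte payload (bytes assumed from smi_check).
SMI_PROBE = (
    b"\x00\x00\x00\x01"
    b"\x00\x00\x00\x01"
    b"\x00\x00\x00\x04"
    b"\x00\x00\x00\x08"
    b"\x00\x00\x00\x01\x00\x00\x00\x00"
)

# Reply an SMI client returns to that hello (bytes assumed from smi_check).
SMI_EXPECTED = (
    b"\x00\x00\x00\x04"
    b"\x00\x00\x00\x00"
    b"\x00\x00\x00\x03"
    b"\x00\x00\x00\x08"
    b"\x00\x00\x00\x01\x00\x00\x00\x00"
)


def is_smi_response(data: bytes) -> bool:
    """True if the data begins with the reply a Smart Install client sends.

    Prefix match rather than equality, so trailing bytes some IOS releases
    append do not cause a miss.
    """
    return data.startswith(SMI_EXPECTED)


def check_host(host: str, port: int = SMI_PORT, timeout: float = 3.0):
    """Classify one host as 'exposed', 'no-smi' or 'closed'.

    Returns (status, detail); detail is the hex of whatever came back, or
    the socket error text when no connection could be made.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(SMI_PROBE)
            data = b""
            # Read until we have at least a full expected reply or the peer closes.
            while len(data) < len(SMI_EXPECTED):
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:  # refused, timed out, unreachable, or no socket permission
        return "closed", str(exc)
    if is_smi_response(data):
        return "exposed", data.hex()
    return "no-smi", data.hex()


def scan(hosts, port: int = SMI_PORT, timeout: float = 3.0):
    """Probe each host and return {host: status} for a quick exposure report."""
    return {h: check_host(h, port, timeout)[0] for h in hosts}


if __name__ == "__main__":
    import sys
    # Usage: python smi_probe.py 192.0.2.10 192.0.2.11 ...
    for host, status in scan(sys.argv[1:]).items():
        print(f"{host}\t{status}")
```

A host reported as `exposed` has the Smart Install client reachable without any credentials, which is exactly the condition CVE-2018-0171 needs. On the device itself, `show vstack config` shows whether the client is enabled, and `no vstack` in global configuration turns it off on switches that do not need zero-touch provisioning; where it is needed, restrict TCP 4786 to the director's address with an ACL on the management interface.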
Read the full entry: https://isc.sans.edu/diary/Network+Infraxploit+Guest+Diary/31844/