
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Monday, September 22nd, 2025: Odd HTTP Request; GoAnywhere MFT Bug; EDR Freeze
Sep 22, 2025
Unusual HTTP requests are causing a stir in honeypots, raising questions among cybersecurity experts. A critical deserialization vulnerability has been discovered in Fortra's GoAnywhere MFT, posing serious risks. Meanwhile, a new tool called EDR Freeze is enabling users to suspend endpoint detection and response processes, allowing for unique security strategies. Stay informed with insights on these pressing topics in the ever-evolving world of cybersecurity!
AI Snips
Public Call To Investigate Odd Requests
- Johannes Ullrich said he posted an observation asking readers to help identify odd HTTP requests seen by honeypots.
- He noted the requests resembled proxy-auth bypass attempts and included mobile-like headers and QR URLs.
Unusual X-Forwarded-App Requests
- Honeypots see unusual requests using an X-Forwarded-App header that mimic proxy headers and mobile device fields.
- The requests include app.<random> strings and QR-like URLs, suggesting reconnaissance or auth-bypass attempts.
Patch And Limit GoAnywhere Exposure
- Apply the GoAnywhere MFT patch immediately because the license servlet deserialization allows unauthenticated RCE with CVSS 10.0.
- Also avoid exposing the product's admin interface to the public internet to reduce attack surface.
