
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Friday, October 3rd, 2025: More .well-known Scans; RedHat Openshift Patch; TOTOLINK Vuln;
Oct 3, 2025
Attackers are exploiting .well-known directories to gather sensitive API documentation for reconnaissance. A critical vulnerability in Red Hat's OpenShift AI Service allows low-privileged users to escalate their access to cluster administrator. The podcast highlights serious flaws in the TOTOLINK X6000R routers, particularly a dangerous unauthenticated command injection. Lastly, a memory corruption flaw in DrayTek's Vigor series routers could let unauthorized users execute arbitrary code, making swift patching essential.
AI Snips
Public .well-known Files Aid Reconnaissance
- Attackers are scanning the .well-known directory to harvest API and configuration metadata for reconnaissance.
- Those files can leak sensitive details like API secrets if misconfigured, increasing attack surface.
Verify And Monitor .well-known Endpoints
- Check .well-known endpoints regularly to confirm only intended data is published and no secrets are leaked.
- Monitor those locations and remove or fix any responses that expose confidential keys or configuration.
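One way to run the check described above over responses you have already fetched from your own hosts. This is an added example, not code from the podcast or from SANS; the file paths, key-name heuristics and sample bodies are constructed assumptions.

```python
import json
import re

# Assumed heuristics (not from the episode): member names and value shapes that
# should never appear in a publicly served .well-known document.
SECRET_KEY_RE = re.compile(r"(secret|passw(or)?d|api[_-]?key|private[_-]?key|token$)", re.I)
PEM_PRIVATE_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
JWK_PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}  # RFC 7518 private/symmetric


def dict_nodes(node, path="$"):
    """Yield (json_path, dict) for every JSON object in a parsed tree."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from dict_nodes(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from dict_nodes(item, f"{path}[{i}]")


def audit_body(body):
    """Return sorted findings for one .well-known response body (str)."""
    findings = set()
    if PEM_PRIVATE_RE.search(body):
        findings.add("pem-private-key")
    try:
        doc = json.loads(body)
    except ValueError:
        return sorted(findings)  # not JSON: only the raw-text check applies
    for path, obj in dict_nodes(doc):
        leaked = JWK_PRIVATE_MEMBERS.intersection(obj) if "kty" in obj else ()
        if leaked:  # a published JWK must carry public parameters only
            findings.add(f"jwk-private-member:{path}:{','.join(sorted(leaked))}")
        for key, value in obj.items():
            if SECRET_KEY_RE.search(key) and isinstance(value, str) and value:
                findings.add(f"secret-like-key:{path}.{key}")
    return sorted(findings)


# Constructed sample responses, keyed by the path they would be served from.
SAMPLES = {
    "/.well-known/openid-configuration": '{"issuer": "https://idp.example.test", "token_endpoint": "https://idp.example.test/token"}',
    "/.well-known/jwks.json": '{"keys": [{"kty": "RSA", "kid": "k1", "n": "AAAA", "e": "AQAB", "d": "BBBB"}]}',
    "/.well-known/app-config.json": '{"api": {"base": "/v1", "client_secret": "constructed-value"}}',
}


def audit_all(samples):
    """Map each path to its findings, omitting paths with nothing to report."""
    return {path: found for path, body in samples.items() if (found := audit_body(body))}
```

Findings report only the JSON path and member name, never the value, so the audit output itself does not become a second copy of the secret.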
Patch OpenShift AI Service And Restrict Notebooks
- Patch Red Hat OpenShift AI Service promptly if you allow Jupyter notebook users, since a low-privileged user can escalate to cluster admin.
- Treat access to Jupyter notebooks cautiously and apply least-privilege controls.
