
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, November 11th, 2025: 3CX Related Scans; WatchGuard Default Password
Nov 11, 2025
Honeypots are revealing username scans related to 3CX business phone systems, highlighting the risk of predictable usernames and passwords. A controversy unfolds around a default password issue in WatchGuard products, which has garnered CVE attention following a firmware update. Additionally, a code execution vulnerability in the JavaScript expr-eval library raises security concerns, with recommendations for developers to patch and audit their code using npm. Tune in for critical insights into the evolving landscape of cybersecurity!
Product Names Reveal Account Targets
- Attackers probe for product-related usernames because documentation and common practice reveal them.
- Johannes Ullrich observed that ftp_3cx attempts likely stem from documented FTP backup setups rather than vendor defaults.
Documentation Leads To Predictable Users
- Johannes recounts how documentation uses predictable usernames like '3CX FTP user', making them common choices.
- He suggests attackers may harvest such credentials from prior breaches and reuse them against other targets.
Randomize Backup Account Credentials
- Use random, unique usernames and strong passwords for service accounts instead of product-related names.
- Restrict backup FTP accounts so they cannot log in via SSH or Telnet to limit lateral access if credentials leak.
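
One way to check a host against both recommendations above, as an added example that is not from the episode: the script flags accounts in passwd-format text that have a product-related name or an interactive shell, and generates a random replacement username and password. The sample passwd text, the hint list and the function names are assumptions made for illustration.

```python
import secrets
import string

# Constructed sample in /etc/passwd format (not data from the episode).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp_3cx:x:1001:1001:3CX backup:/srv/backup:/bin/bash
bk_7f3a9c1e:x:1002:1002:backup:/srv/backup2:/usr/sbin/nologin
"""

# Assumed name fragments that give away the product or purpose; extend per site.
PRODUCT_HINTS = ("3cx", "backup", "ftp")
# Shells that refuse an interactive session.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def audit_accounts(passwd_text, min_uid=1000):
    """Return [(username, [issues])] for non-system accounts worth fixing."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed or comment lines
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid < min_uid:
            continue  # system accounts are out of scope here
        issues = []
        if any(hint in name.lower() for hint in PRODUCT_HINTS):
            issues.append("predictable-name")
        if shell not in NOLOGIN_SHELLS:
            issues.append("interactive-shell")
        if issues:
            findings.append((name, issues))
    return findings


def new_service_credentials(prefix="u", name_bytes=6, password_len=24):
    """Generate a random username and password from the OS CSPRNG."""
    username = prefix + secrets.token_hex(name_bytes)
    alphabet = string.ascii_letters + string.digits
    password = "".join(secrets.choice(alphabet) for _ in range(password_len))
    return username, password


if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE_PASSWD):
        print(f"{name}: {', '.join(issues)}")
    print("replacement:", new_service_credentials()[0])
```

Some FTP servers reject accounts whose shell is not listed in /etc/shells; where that applies, an sshd_config DenyUsers entry for the backup account restricts SSH without changing the shell.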
