
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Friday, September 26th, 2025: Webshells in .well-known; Critical Cisco Vulns Exploited; XCSSET Update; GoAnywhere MFT Exploit Details
Sep 26, 2025
Explore the alarming rise in scans targeting the .well-known directory for webshells. Cisco's critical vulnerabilities are currently being exploited, making immediate patching urgent to prevent unauthorized access. Delve into a new XCSSET variant that preys on Xcode projects, stealing sensitive crypto data from developers' clipboards. Additionally, learn about the serious exploits affecting the GoAnywhere MFT platform, highlighting the importance of vigilance in cybersecurity.
Webshells Targeting .well-known
- Honeypots saw increased scans targeting the .well-known directory for probable webshells.
- Monitor .well-known for suspicious files like webshells or unexpected ownership verification files.
Watch .well-known Closely
- Keep an eye on the .well-known directory for unknown files such as webshells.
- Send any interesting webshells to the ISC for quick analysis.
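One way to act on the monitoring advice in the two .well-known notes above, as an added example that is not from the podcast or the ISC: a Python audit that flags files under .well-known with a script extension, with server-side code markers at the start, or missing from an expected list. The expected list, extension set, markers and sample tree are assumptions to adapt per site.

```python
import os
from pathlib import Path

# Assumption: names this site legitimately serves under /.well-known/.
EXPECTED_TOP_LEVEL = {"acme-challenge", "security.txt", "mta-sts.txt"}
# Assumption: extensions the web server may hand to an interpreter.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".cgi"}
# Heuristic: markers of server-side code near the start of a file.
CODE_MARKERS = (b"<?php", b"<?=", b"<%")


def audit_well_known(web_root):
    """Return sorted (relative_path, reason) pairs for files to review."""
    base = Path(web_root) / ".well-known"
    findings = []
    for dirpath, _dirs, files in os.walk(base):  # yields nothing if absent
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(base)
            if path.is_symlink():  # report links, never read through them
                findings.append((rel.as_posix(), "symlink"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(512).lower()
            if path.suffix.lower() in SCRIPT_EXTENSIONS:
                reason = "script extension"
            elif any(marker in head for marker in CODE_MARKERS):
                reason = "server-side code marker"
            elif rel.parts[0] not in EXPECTED_TOP_LEVEL:
                reason = "not on expected list"
            else:
                continue
            findings.append((rel.as_posix(), reason))
    return sorted(findings)


def build_sample(root):
    """Write a constructed sample tree: one expected file, three to review."""
    samples = {
        "security.txt": b"Contact: mailto:security@example.com\n",
        "acme-challenge/index.php": b"constructed placeholder\n",
        "acme-challenge/notes.txt": b"<?php /* constructed placeholder */ ?>\n",
        "verify-owner-1234.html": b"constructed verification token\n",
    }
    for rel, data in samples.items():
        target = Path(root) / ".well-known" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
```

Calling `build_sample` on a scratch directory and then `audit_well_known` on it returns the three files to review; on a real server, pass the document root and alert on any non-empty result.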
Critical Cisco VPN Server Exploits
- Cisco disclosed multiple already-exploited ASA and FTD vulnerabilities, including one allowing root code execution via VPN credentials.
- One exploit needs only normal VPN user credentials and another allows unauthenticated access to restricted endpoints.
