SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Friday, December 5th, 2025: Compromised Govt System; React Vuln Update; Array Networks VPN Attacks

Dec 5, 2025
A honeypot capture reveals an SSH scan from an IP linked to the Indonesian government, raising questions of whether it's a nation-state attack or a compromised system. Recent updates disclose that exploits for a serious React vulnerability exist, urging vigilance. Additionally, there's an active threat against Array Networks VPN gateways, emphasizing the importance of patching and verifying updates from VPN vendors, even smaller ones. Tune in for crucial insights into these pressing cybersecurity issues!
ANECDOTE

Government IP Used By Compromised Host

  • An intern observed an SSH scan that used a weak username and password and came from an IP tied to the Indonesian government.
  • Jackie concluded it was likely a compromised host inside a government network rather than a deliberate government operation.
INSIGHT

Treat React Vuln As Compromise

  • Working proof-of-concept exploits for the React vulnerability now exist and can be adapted to run arbitrary code on vulnerable systems.
  • Despite few honeypot hits so far, assume compromise if you find a vulnerable React instance.
ADVICE

Follow Official Guidance For React Checks

  • Check the React blog post first to determine whether your system is vulnerable, and use reputable scanning scripts or vulnerability scanner modules.
  • Be careful which scanning tools you download and run, and prefer trusted sources for detection scripts.