Published Jul 23, 2025 · Updated May 18, 2026 · 1 source

Risky Business #799: SharePoint Zero-Day, Fortinet SQLi, Citrix Exploitation, and More

The Risky Business #799 podcast covers a wave of critical vulnerabilities and incidents, including a Microsoft SharePoint zero-day exploited in attacks, a Fortinet pre-auth SQL injection leading to RCE, and active exploitation of a Citrix NetScaler flaw.

The Risky Business #799 podcast, hosted by Patrick Gray and Adam Boileau, returns after a two-week break to cover a flurry of cybersecurity news. The episode highlights several critical vulnerabilities and incidents that demand immediate attention from security teams.

Microsoft patched a SharePoint zero-day that has been actively exploited in attacks. The vulnerability, which allows remote code execution, was reportedly used by threat actors to compromise SharePoint servers. Microsoft's advisory urges administrators to apply the update promptly. The podcast also notes that the Pentagon's cloud maintenance outsourcing to China has raised concerns, with a review ordered by Defense Secretary Hegseth.

Fortinet disclosed CVE-2025-25257, a pre-authentication SQL injection vulnerability in the FortiWeb Fabric Connector that can lead to remote code execution. This flaw allows attackers to execute arbitrary SQL commands without authentication, potentially compromising the entire appliance. Fortinet has released patches, and administrators are advised to update immediately.

Citrix confirmed active exploitation of a critical memory leak vulnerability in NetScaler appliances. The flaw, which allows information disclosure, has been weaponized by attackers. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing the need for urgent patching.

HP warned of hardcoded credentials in Aruba access points, which could allow attackers to gain administrative access. The company has released firmware updates to address the issue. Additionally, Google reported custom backdoors being installed on SonicWall devices via user-mode rootkits, indicating sophisticated post-exploitation activity.

The episode also covers a $100 million theft from a Brazilian payment system, where hackers purchased credentials for $2,700. Brazilian police arrested an IT worker in connection with the heist. In the UK, four alleged members of the Scattered Spider ransomware group were arrested and bailed.

Other stories include a CrushFTP zero-day exploit seen in the wild, a surveillance vendor exploiting a new SS7 attack to track phone locations, and Ukrainian hackers wiping databases at Russia's Gazprom. The podcast also discusses the arrest of a suspected contractor for China's Hafnium group in Italy, and Singapore accusing Chinese state-backed hackers of attacking critical infrastructure.

This week's episode is sponsored by Airlock Digital, with CEO David Cottingham discussing building a mature management platform for security-critical systems. The show notes provide links to detailed articles on each topic, available on the Risky Business website and YouTube.

Synthesized by Vypr AI