
SANS Stormcast Monday, August 18th, 2025: 5G Attack Framework; Plex Vulnerability; Fortiweb Exploit; Flowise Vuln

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9574.mp3


SNI5GECT: Sniffing and Injecting 5G Traffic Without Rogue Base Stations
Researchers from the Singapore University of Technology and Design released a new framework, SNI5GECT, to passively sniff and inject traffic into 5G data streams, leading to DoS, downgrade and other attacks.
https://isc.sans.edu/diary/SNI5GECT%3A%20Sniffing%20and%20Injecting%205G%20Traffic%20Without%20Rogue%20Base%20Stations/32202

Plex Vulnerability
Plex patched a vulnerability in the Plex Media Server. Make sure you have updated to at least 1.42.1.
https://forums.plex.tv/t/plex-media-server-security-update/928341

FortiWeb Exploit Public
A security researcher published details about the recent FortiWeb vulnerability, including demonstrating a PoC exploit.
https://www.bleepingcomputer.com/news/security/researcher-to-release-exploit-for-full-auth-bypass-on-fortiweb/

Flowise OS vulnerability
https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/

Podcast Transcript

Hello and welcome to the Monday, August 18th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

On Friday we had a diary by Yee Ching. Yee Ching is associated with the Singapore University of Technology and Design, and a group at the university did introduce at a recent USENIX conference a new tool to passively sniff but then also inject data into 5G connections. That's something that has been sort of quite common in attacks against Wi-Fi and such. Not so much for 5G or other cell phone protocols. They have really relied more on rogue base stations and the like. But of course, yes, you know, once you understand a protocol, once you're able to sniff data from the air, you're also typically enabled then to inject data just passively. And that's what they looked at here with this framework they created. Now the pronunciation guideline here is Sni-f-Gect, if I get it correctly. SNI5GECT is how the tool is being spelled, and it's derived from sniff, 5G and inject. So it's just a compression of those three terms. But yeah, their full paper is also available via USENIX, and you do, for example, have a quick overview of how it works. The tool here is basically just listening in passively on the traffic and then able to, and that's really more of a timing attack in this case, inject carefully timed frames into the data traffic. The simplest task here is of course a denial of service attack. But the one tricky attack here also allows for downgrades by essentially sort of making authentication fail here. And then you can force a client to downgrade to 4G, which of course has its own security issues, and that can then be attacked more easily.

And in vulnerabilities, it's Plex's turn again. The famous video and media player has a severe vulnerability that has been addressed last week. Usually Plex doesn't really point that much attention to vulnerabilities. I would definitely take this one seriously, even though there is sadly no CVE number and absolutely no details about what the vulnerability exactly entails. Remember LastPass, that's sort of the big warning here: when they were breached, the original entry point was a vulnerability in a Plex Media Server on a developer's machine. Well, don't be that developer. Be quicker in updating Plex, and that's your chance now.

And then for any FortiWeb users out there, we now have a proof of concept, additional detail regarding the FortiWeb vulnerability that was patched about a week ago. This vulnerability had already been exploited, but now some of the details are public. It's one of those standard web application issues where you do have a parameter that's security relevant being supplied by the user. The parameter in question here is referred to as ERA, E-R-A. It's a part of the cookie parameter, and it essentially points to memory that's being used as a key in order to then validate the payload that's also part of the cookie. Well, it turns out that by supplying an out of bound Era parameter, it's possible to essentially have a zero or all null encryption key, which then bypasses that security feature and, well, allows an attacker to essentially impersonate arbitrary users. Pretty interesting vulnerability. Don't remember having seen something quite like that, but you know, it's really sort of that very basic web application security issue. Don't trust the user; users are always evil.

And to talk about more traditional web application vulnerabilities, we have to look at the latest AI tools. Flowise suffers from an OS command remote command injection. This vulnerability was discovered by JFrog, and JFrog also delivered a very trivial and easy to reproduce proof of concept exploit to basically show you how to potentially execute this. The problem here is again, as so often, MCP. That's of course the protocol that, well, as I mentioned I think last week or the week before, often leads to these vulnerabilities because it sees itself just as a proxy forwarding data, and exploitability happens if you accept data from untrusted endpoints.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye.
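The FortiWeb cookie issue described in the transcript, modelled as an added example (not code from the podcast, from Fortinet or from the researcher who published the details): a cookie MAC key selected by a user-supplied index, shown with an unchecked lookup beside a bounds-checked one. The cookie layout, field names, key table, HMAC-SHA256 construction and the zero-filled memory past the table are all assumptions made for the illustration.

```python
import hashlib
import hmac
from typing import Callable, Optional

KEY_LEN = 32
# Constructed key table: four real keys, followed by zero-filled memory that
# stands in for whatever lies past the table in the process image (assumption).
KEY_TABLE = [bytes([0x11 * (i + 1)]) * KEY_LEN for i in range(4)]
MEMORY = b"".join(KEY_TABLE) + bytes(KEY_LEN * 4)


def key_for_era_vulnerable(era: int) -> bytes:
    """Hypothetical unchecked lookup: any index that lands inside MEMORY is
    accepted, so an era past the table selects all-null bytes as the key."""
    start = era * KEY_LEN
    return MEMORY[start:start + KEY_LEN]


def key_for_era_fixed(era: int) -> bytes:
    """Hardened lookup: reject indices outside the table and degenerate keys."""
    if not 0 <= era < len(KEY_TABLE):
        raise ValueError("era out of range")
    key = KEY_TABLE[era]
    if not any(key):
        raise ValueError("refusing all-zero key")
    return key


def make_cookie(era: int, payload: str, key: bytes) -> str:
    """Assumed cookie layout: era=<int>;payload=<hex>;mac=<hex HMAC-SHA256>."""
    data = payload.encode()
    mac = hmac.new(key, data, hashlib.sha256).hexdigest()
    return f"era={era};payload={data.hex()};mac={mac}"


def verify_cookie(cookie: str, lookup: Callable[[int], bytes]) -> Optional[str]:
    """Return the authenticated payload, or None if the cookie is rejected."""
    try:
        fields = dict(part.split("=", 1) for part in cookie.split(";"))
        key = lookup(int(fields["era"]))
        payload = bytes.fromhex(fields["payload"])
        mac = bytes.fromhex(fields["mac"])
    except (KeyError, ValueError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    return payload.decode()
```

A cookie built with an era of 6 and an all-zero key is accepted by `key_for_era_vulnerable` and rejected by `key_for_era_fixed`, which makes it a useful regression vector for the bounds check.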