
SANS Stormcast Friday, April 17th, 2026: DVRs Again; Cisco Again; Windows Defender Again; Sonatype
Hello and welcome to the Friday, April 17, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Stockheim, Germany, and this episode is brought to you by the SANS.edu credit certificate program in Purple Team Operations. Before starting this podcast, I did a quick look to see when we first talked about DVRs, digital video recorders, getting compromised at scale. And this was about 12 years ago, in 2014. One of the sad things about doing this kind of work for so long is that often the problem isn't the flashy new stuff, but what I often call the mosquitoes of the Internet. They're around everywhere, they're really annoying, but sometimes deadly. And that's these IoT devices and these video devices that are still being attacked. We do have a diary by one of our interns, Alec Yaffe, just dissecting one of these attacks yet again. And yes, there are still thousands of these devices exposed, and the same number pretty much being attached to Alex Botnet here that he found. Well, take a look at his work. It is evolving. There are ever so often some little tweaks they're making to their software, but ultimately the old thing still applies. If you're connecting a system to the Internet with a well known password, well, it's going to get compromised within probably less than a minute. So let's talk about something new and exciting. Well, imagine that we do have still Cisco vulnerabilities. First one, WebEx. WebEx apparently doesn't care what certificate was used to sign your single sign-on assertion. So anybody is let in, and you're easily able to impersonate arbitrary users. But it's not just WebEx where you have problems. It's also the Cisco Identity Services Engine that is suffering from, in this case, remote code execution vulnerabilities. This has a CVSS score of 9.9. But I believe the attacker at least needs read access here.
But well, that is then easily elevated to root privileges if this particular vulnerability isn't patched. So yeah, still kind of old style vulnerabilities, and still happening today. And when Microsoft released its patches last Tuesday, it also patched the Blue Hammer vulnerability. This was the vulnerability that was already disclosed before the patch came out. It was a privilege escalation vulnerability in Microsoft Windows Defender. Well, the author of Blue Hammer, who originally released the proof of concept because this particular author wasn't happy with how Microsoft's responsible notification program worked, has now released a second vulnerability in Microsoft Windows Defender, this time called Red Sun, and it's sort of one of those file override vulnerabilities. Pretty interesting and, as this write-up also says, funny. So yes, we still have privilege escalation vulnerabilities in Windows Defender, and sadly privilege escalation vulnerabilities are kind of common in anti-malware all the time. What I started this podcast with, what I refer to as the mosquitoes of the Internet, which is these cheap IoT devices like DVRs with default passwords, could possibly not apply to the leader of secure development, Sonatype. Sonatype just patched a hard-coded credentials in internal database component vulnerability. This vulnerability applies to its OrientDB database, which usually is not enabled by default unless you are running it in legacy HA-C mode, which then has this very obvious setting, nexus.clustered=true, in its configuration. So in this case OrientDB will be enabled and listening. Definitely something to watch out for. So if you are running the Sonatype components here, double check that, first of all, they're not reachable from the network. Just like your cheap DVRs, don't expose your security orchestration software here directly to the Internet. And yes, please keep it patched. Well, that's it for today. So thanks again for listening.
Thanks for liking and subscribing to this podcast. I'm on my way to Amsterdam next week. Tuesday evening I'll be giving a talk at the SANS event in Amsterdam. If you're interested in attending, please don't just show up, but let me know if you're not already registered for the event. I'll also be teaching in May in San Diego, end of June in Riyadh, and then in July again. We have SANSFIRE coming up in Washington, D.C., and I am already starting to plan a lot of Internet Storm Center related events as usual for SANSFIRE. Thanks everybody, and talk to you again on Monday. Bye.
In this edition of the SANS Internet Storm Center's Stormcast, host Johannes B. Ullrich delivers a succinct yet comprehensive update on recurring cybersecurity threats and recent vulnerabilities. The episode focuses on longstanding security issues with DVRs and IoT devices, new vulnerabilities in Cisco products and Microsoft Windows Defender, and a noteworthy patch from Sonatype, all emphasizing persistent security hygiene gaps.
[00:30] Johannes reflects on the repeated discovery of compromised digital video recorders (DVRs) and other IoT devices over the years. Despite years of advisories, the same fundamental issues persist.
Reference to a new ISC diary by intern Alec Yaffe, detailing a fresh analysis of an attack campaign targeting DVRs.
Attackers are still able to compromise devices with default credentials almost instantly after exposure.
"If you're connecting a system to the Internet with a well known password, well, it's going to get compromised within probably less than a minute."
— Johannes B. Ullrich, [01:07]
The changes attackers make are minor; core attack methods remain largely the same.
[01:25] A recent vulnerability in Cisco’s WebEx introduces a critical risk: WebEx doesn’t check which certificate signed a single sign-on (SSO) assertion, so an assertion signed by any key is accepted, allowing user impersonation.
Additional flaw in Cisco Identity Services Engine: a remote code execution vulnerability (CVSS 9.9). Exploitation requires read access, but privilege escalation to root is trivial if left unpatched.
"It's not just WebEx where you have problems. It's also the Cisco Identity Services engine that is suffering from...remote code execution vulnerabilities."
— Johannes B. Ullrich, [01:54]
The recurrence of such “old style” vulnerabilities underlines the need for consistent patching and monitoring.
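The WebEx issue above is the classic assertion-verification mistake: trusting whichever key the assertion brings with it instead of the identity provider's key configured at setup time. The Go model below is an added example, not Cisco's code or anything from the advisory; it substitutes Ed25519 for SAML's XML signatures and assumes an IdP public key pinned in configuration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assertion is a minimal stand-in for a signed SSO assertion: the claim, the signature,
// and the key the issuer embedded alongside it (SAML carries the signing cert in KeyInfo).
type Assertion struct {
	Subject     string
	Signature   []byte
	EmbeddedKey ed25519.PublicKey
}

func payload(a Assertion) []byte { return []byte("subject=" + a.Subject) }
// Sign issues an assertion for subject under priv and embeds the matching public key.
func Sign(subject string, priv ed25519.PrivateKey) Assertion {
	a := Assertion{Subject: subject, EmbeddedKey: priv.Public().(ed25519.PublicKey)}
	a.Signature = ed25519.Sign(priv, payload(a))
	return a
}

// VerifyWeak is the flawed check: it trusts whichever key travels with the assertion,
// so an assertion from any issuer passes as long as it is internally consistent.
func VerifyWeak(a Assertion) bool {
	return ed25519.Verify(a.EmbeddedKey, payload(a), a.Signature)
}

// VerifyPinned is the correct check: the signature must verify under the IdP key
// configured at setup time; the embedded key is compared against it, never trusted.
func VerifyPinned(a Assertion, idpKey ed25519.PublicKey) error {
	if subtle.ConstantTimeCompare(a.EmbeddedKey, idpKey) != 1 {
		return errors.New("assertion key is not the configured IdP key")
	}
	if !ed25519.Verify(idpKey, payload(a), a.Signature) {
		return errors.New("signature does not verify under the IdP key")
	}
	return nil
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed IdP key pair
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)    // constructed unrelated issuer
	foreign := Sign("admin", otherPriv)
	fmt.Println("weak accepts foreign issuer:", VerifyWeak(foreign), "| pinned:", VerifyPinned(foreign, idpPub))
	fmt.Println("pinned accepts genuine:", VerifyPinned(Sign("alice", idpPriv), idpPub))
}
```

The defensive takeaway is that the key used for verification must come from the relying party's own configuration, and the key material inside the assertion is at most a hint to compare against it.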
[02:22] Microsoft’s latest Patch Tuesday included a fix for the “Blue Hammer” vulnerability, a privilege escalation bug in Windows Defender previously disclosed before a patch was ready.
The same security researcher has now released “Red Sun,” another privilege escalation vulnerability, described as a "file override" issue.
Critique of Microsoft’s vulnerability response process, which wasn’t satisfactory to the researcher, leading to the public disclosure of “Red Sun.”
"Yes, we still have privilege escalation vulnerabilities in Windows Defender and sadly privilege escalation vulnerabilities are kind of common in anti-malware all the time."
— Johannes B. Ullrich, [03:02]
[03:20] Despite Sonatype’s reputation for secure development, a recent patch addressed hardcoded credential vulnerabilities in its OrientDB database component.
The vulnerability is exposed when Nexus runs in “legacy HA-C mode” with nexus.clustered=true set, since that enables OrientDB and leaves it listening on the network if the deployment is not locked down.
"Don't expose your security orchestration software here directly to the Internet. And yes, please keep it patched."
— Johannes B. Ullrich, [03:57]
Recommendation: Double-check exposure and ensure prompt patching, just as with more commonly targeted IoT devices.
On IoT Threats:
"I often call [IoT devices] the mosquitoes of the Internet. They're around everywhere, they're really annoying, but sometimes deadly."
— Johannes B. Ullrich, [00:25]
On the Importance of Basic Cyber Hygiene:
"Ultimately the old thing still applies. If you're connecting a system to the Internet with a well known password, well, it's going to get compromised within probably less than a minute."
— Johannes B. Ullrich, [01:07]
On Recurring Vulnerabilities:
"Still kind of old style vulnerabilities and still happening today."
— Johannes B. Ullrich, [02:04]
On Exposed Security Tools:
"Don't expose your security orchestration software here directly to the Internet. And yes, please keep it patched."
— Johannes B. Ullrich, [03:57]
This episode underscores the frustrating persistence of foundational vulnerabilities—from DVRs consistently compromised due to default credentials, to “old style” remote code execution bugs in Cisco products, to privilege escalation flaws in Microsoft Windows Defender. Johannes B. Ullrich drives home the message that whether it’s commodity IoT or core infrastructure like Sonatype Nexus, the basics—patching, good configuration, and not exposing critical services to the Internet—remain critical to defense.
Bottom line: Old vulnerabilities don’t die, and attackers don’t stop looking for easy targets. Stay vigilant, patch promptly, and enforce strong configurations—even in “secure” products.
For further detail, check out Alec Yaffe’s attack analysis diary mentioned in the podcast.