SANS Stormcast Friday, March 13, 2026: IoT Device Discovery; Apple Patches; Veeam Patches
Episode Overview
In this succinct, daily update from SANS Internet Storm Center, host Johannes B. Ullrich focuses on essential security news for March 13, 2026. Today's episode centers on ongoing issues with IoT device security (specifically default SSH login vulnerabilities), notable Apple security updates for legacy devices, critical Veeam backup vulnerabilities, and a remote code execution flaw in Splunk. The episode includes insights from SANS intern Adam Thorman.
Key Discussion Points & Insights
1. IoT Device Discovery & Default Password Risks
Featured Diary by Adam Thorman
- IoT Device Risks: Johannes highlights Adam Thorman’s diary on SSH logins with default passwords, “something attackers are finding very, very useful and successful,” particularly for webcams and other consumer IoT devices.
- Connection made to previous reports of these devices being targeted in relation to military actions in Iran.
- Emphasizes the prevalence of “uncontrolled deployments” and calls out the persistent danger of default credentials in consumer hardware.
- Device Fingerprinting: Adam's contribution also discussed fingerprinting methods to discover insecure IoT devices on networks.
- Key Quote: “Organizations must get control over… these very simple, sort of uncontrolled deployments of often consumer IoT devices.” (Johannes B. Ullrich, [01:08])
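The defender-side counterpart to the diary's observation is to find out whether any device on your own network is already being logged into with a factory account over SSH. The script below is an added example, not code from the diary or the episode: it parses OpenSSH auth log lines (constructed sample lines, syslog-style), flags accepted password logins to common default accounts or from non-RFC1918 sources, and counts failed attempts per source to surface the guessing that precedes them. The account list and the sample log are assumptions you should replace with the vendor accounts and logs from your own inventory.

```python
import re
import ipaddress
from collections import Counter

# Accounts that ship as factory defaults on many consumer IoT devices.
# Constructed illustrative list; extend it with the vendor accounts that exist
# on the hardware you actually deploy.
DEFAULT_ACCOUNTS = {"root", "admin", "user", "guest", "pi", "ubnt", "support"}

# Address ranges treated as "inside"; everything else is an external source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128",
)]

# OpenSSH auth log events, e.g.
#   "sshd[1234]: Accepted password for admin from 203.0.113.5 port 51234 ssh2"
#   "sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2"
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_line(line):
    """Return the event fields of one sshd auth line, or None if it is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def is_external(ip):
    """True if the address is outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def review_ssh_log(lines, failure_threshold=5):
    """Return (findings, noisy_sources).

    findings: accepted *password* logins to a default account, or from an
    external address; either means a device is reachable with factory
    credentials. Key-based logins are out of scope for this check.
    noisy_sources: source IPs with at least failure_threshold failed logins.
    """
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            continue
        if ev["method"] != "password":
            continue
        reasons = []
        if ev["user"] in DEFAULT_ACCOUNTS:
            reasons.append("default-account")
        if is_external(ev["ip"]):
            reasons.append("external-source")
        if reasons:
            findings.append({"user": ev["user"], "ip": ev["ip"], "reasons": reasons})
    noisy = {ip: n for ip, n in failures.items() if n >= failure_threshold}
    return findings, noisy


# Constructed sample log lines (documentation address ranges, fictitious host).
SAMPLE_LOG = [
    "Mar 13 06:01:22 cam01 sshd[1234]: Accepted password for admin from 203.0.113.5 port 51234 ssh2",
    "Mar 13 06:01:40 cam01 sshd[1240]: Failed password for root from 198.51.100.7 port 40000 ssh2",
    "Mar 13 06:01:41 cam01 sshd[1241]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Mar 13 06:01:42 cam01 sshd[1242]: Failed password for root from 198.51.100.7 port 40002 ssh2",
    "Mar 13 06:02:01 cam01 sshd[1250]: Accepted publickey for ops from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:abc",
    "Mar 13 06:03:10 cam01 sshd[1260]: Accepted password for alice from 192.168.1.20 port 51000 ssh2",
    "Mar 13 06:03:30 cam01 sshd[1270]: Accepted password for pi from 10.0.0.9 port 51001 ssh2",
]

if __name__ == "__main__":
    found, noisy = review_ssh_log(SAMPLE_LOG, failure_threshold=3)
    for f in found:
        print(f"ACCEPTED {f['user']}@{f['ip']}: {', '.join(f['reasons'])}")
    for ip, n in noisy.items():
        print(f"GUESSING {ip}: {n} failed logins")
```

Run it against your own aggregated sshd logs (e.g. from a syslog collector); any `default-account` finding is a device whose factory credentials need to be changed, and any `external-source` finding is a device that should not be exposing SSH at all.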
2. Apple Releases Security Patches for Older Devices
- Patch Details:
  - Apple released urgent updates for iOS 15 and iOS 16, extending patch coverage back to the iPhone 6s (released in 2015).
  - iOS 15 patch addresses four vulnerabilities (one kernel, three WebKit).
  - iOS 16 patch addresses one WebKit vulnerability.
- Threat Context:
  - Vulnerabilities have been actively exploited in the wild by sophisticated, “government associated” threat actors via CORONA spyware activity.
- Update Urgency: Johannes warns against neglecting older devices: “If you still have one of those old devices around, please update as what we have seen in the past is that some of these more sophisticated vulnerabilities and exploits are sort of trickling down over the years.” ([02:13])
- Notes the vulnerabilities are not new: “It has been exploited as soon as September 2023. So at this point, already sort of a two and a half year old vulnerability.” ([02:45])
3. Critical Veeam Backup and Replication Vulnerabilities
- Scope:
  - Veeam released updates for Backup and Replication Suite (v12).
  - Five vulnerabilities are fixed: 3 critical (allow remote code execution), 2 high.
- Impact:
  - Two critical bugs allow remote code execution if an attacker has any authenticated domain user credentials. “No specific role required.”
  - A third critical bug also enables remote code execution — attackers need the 'backup viewer' role, and exploitation yields execution as the Postgres user. Johannes suspects SQL injection: “Makes me believe that is probably some form of SQL injection fault here that is exploitable.” ([03:25])
- Mitigation Advice: “Definitely get them updated. Like I said, yes, it requires authentication, but the actual authentication you need is not really that much of a threshold here. You really need just some domain user credentials which usually is obtainable.” ([03:40])
4. New Remote Code Execution Flaw in Splunk
- Vulnerability Overview:
  - RCE vulnerability exists in Splunk, tied to accounts with the 'edit command' capability.
  - Can be exploited via the 'unarchive' command parameter in the preview REST endpoint.
- Remediation Guidance: Johannes advises reviewing user assignments: “This is one of those things where you probably want to review whether or not all the users actually have that capability assigned — actually need it.” ([04:14])
- Exploit Mechanics: Exploitation leverages file decompression in REST endpoints, with difficulty constraining which unarchive commands users may execute.
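The review Johannes recommends is a mapping from a capability back to the users who end up holding it, including users who inherit it through role imports rather than a direct grant. The script below is an added example, not Splunk's code or anything from the episode. It assumes the JSON shape that Splunk's `authorization/roles` and `authentication/users` REST endpoints return with `output_mode=json` (an `entry` list whose items carry `name` and `content`, with `capabilities`, `imported_roles` and `roles` inside `content`); confirm those keys against your own deployment before relying on it. The capability string is spelled as in these notes and is a placeholder; the role and user data are constructed.

```python
import json

# Capability named in the episode notes ('edit command'); placeholder spelling,
# confirm the exact string against your deployment's capability list.
CAPABILITY = "edit_command"


def _entries(doc):
    """Map entry name -> content for an (assumed) Splunk output_mode=json document."""
    return {e["name"]: e.get("content", {}) for e in doc.get("entry", [])}


def effective_capabilities(roles, role_name, _seen=None):
    """Capabilities a role holds directly or via imported_roles (assumed key).

    Recursion is cycle-safe so a mis-configured role loop cannot hang the audit.
    """
    seen = _seen if _seen is not None else set()
    if role_name in seen or role_name not in roles:
        return set()
    seen.add(role_name)
    content = roles[role_name]
    caps = set(content.get("capabilities", []))
    for parent in content.get("imported_roles", []):
        caps |= effective_capabilities(roles, parent, seen)
    return caps


def users_with_capability(roles_doc, users_doc, capability):
    """Return {user: [roles that grant the capability]} for users who hold it."""
    roles = _entries(roles_doc)
    users = _entries(users_doc)
    result = {}
    for user, content in users.items():
        granting = sorted(
            r for r in content.get("roles", [])
            if capability in effective_capabilities(roles, r)
        )
        if granting:
            result[user] = granting
    return dict(sorted(result.items()))


# Constructed sample data in the assumed response shape. "data_onboarder"
# holds no capabilities itself but imports "admin", so its members inherit
# the capability without any direct grant, which is the case a naive check misses.
SAMPLE_ROLES = json.loads("""
{"entry": [
  {"name": "admin", "content": {"capabilities": ["edit_command", "admin_all_objects"], "imported_roles": []}},
  {"name": "power", "content": {"capabilities": ["schedule_search"], "imported_roles": ["user"]}},
  {"name": "user",  "content": {"capabilities": ["search"], "imported_roles": []}},
  {"name": "data_onboarder", "content": {"capabilities": [], "imported_roles": ["admin"]}}
]}
""")

SAMPLE_USERS = json.loads("""
{"entry": [
  {"name": "alice", "content": {"roles": ["admin"]}},
  {"name": "bob",   "content": {"roles": ["power"]}},
  {"name": "carol", "content": {"roles": ["data_onboarder"]}},
  {"name": "dave",  "content": {"roles": ["user", "power"]}}
]}
""")

if __name__ == "__main__":
    for user, via in users_with_capability(SAMPLE_ROLES, SAMPLE_USERS, CAPABILITY).items():
        print(f"{user}: {CAPABILITY} via {', '.join(via)}")
```

In practice the two documents come from the REST API with an admin token; the output is the list to walk through with the question from the episode, whether each of these users actually needs the capability, and the `via` column tells you whether removing it means editing the user's role or the role it imports.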
Notable Quotes & Memorable Moments
- “Organizations must get control over… these very simple, sort of uncontrolled deployments of often consumer IoT devices.” — Johannes B. Ullrich, [01:08]
- “If you still have one of those old devices around, please update as what we have seen in the past is that some of these more sophisticated vulnerabilities and exploits are sort of trickling down over the years.” — Johannes B. Ullrich, [02:13]
- “Makes me believe that is probably some form of SQL injection fault here that is exploitable.” — Johannes B. Ullrich, [03:25]
- “You really need just some domain user credentials which usually is obtainable.” — Johannes B. Ullrich, [03:40]
- “Probably want to review whether or not all the users actually have that capability assigned — actually need it.” — Johannes B. Ullrich, [04:14]
Important Timestamps
- 00:04–01:20: Introduction, SANS Edu mention, IoT and SSH login vulnerabilities
- 01:20–02:45: Apple iOS patch discussion, threat actor context
- 02:45–03:55: Veeam vulnerabilities (scope, impact, update urgency)
- 03:55–04:35: Splunk RCE issue and recommended user capability review
Summary
Johannes efficiently covers a range of urgent security topics:
- Persistent threats to unmanaged IoT devices via default credentials.
- Apple’s commitment to patching even decade-old hardware due to ongoing exploitation.
- High-risk Veeam Backup vulnerabilities that require only minimal authentication to exploit, and the growing risk posed by SQL injection flaws.
- Awareness around privilege assignment in Splunk to mitigate a new RCE vector.
This episode balances immediate vulnerability information with actionable advice—crucial for early-riser security professionals wanting to stay ahead of threats.
