
SANS Stormcast Friday, March 13th, 2026: IoT Device Discovery; Apple Patches; Veeam Patches
Hello and welcome to the Friday, March 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership. Well, and today we have another guest diary by one of our undergraduate interns. This time it's Adam Thorman, who's talking about, well, detections in the honeypot yet again: SSH logins with default passwords, something attackers are finding very, very useful and successful. I mentioned it earlier this week with some of the attacks against webcams and such in connection with the military action in Iran. But overall, this is something that really organizations must get control over. And I think the biggest problem, particularly for these very simple, are sort of uncontrolled deployments of often consumer IoT devices. And well, in this example here, Adam talks a bit about fingerprinting and how to discover some of these devices. And yes, Apple did it again. Apple released updates for fairly old iOS devices and iPads. This is going back to the iPhone 6s, which was released in 2015, so about 10 years ago now that this device has been out. Now the reason for the release of these two updates, one for iOS 15 and then another one for iOS 16, is that some of the vulnerabilities being patched here have been exploited in the Coruna activity, and that's essentially malware, spyware, that has been deployed by more sophisticated and government-associated actors. The iOS 15 patch fixes four different vulnerabilities, one kernel vulnerability and then three WebKit vulnerabilities. The iOS 16 update only patches one WebKit vulnerability. So if you still have one of those old devices around, please update, as what we have seen in the past is that some of these more sophisticated vulnerabilities and exploits are sort of trickling down over the years. And this is not a terribly new vulnerability.
It has been exploited as soon as September 2023. So at this point, already sort of a two-and-a-half-year-old vulnerability. And Veeam released an update for its Backup and Replication suite. This particular update fixes five vulnerabilities, three of which are rated critical and two are rated high. It affects version 12 of Veeam Backup and Replication. Among the critical vulnerabilities, there are two that do allow remote code execution on the backup server. However, they do require an authenticated domain user, but then again, only a domain user, so no specific role required here. The third critical vulnerability is also a remote code execution vulnerability. It requires the Backup Viewer role in order to take advantage of this vulnerability, and then remote code execution happens as the postgres user, which makes me believe that there is probably some form of SQL injection fault here that is exploitable. So definitely get them updated. Like I said, yes, it requires authentication, but the actual authentication you need is not really that much of a threshold here. You really need just some domain user's credentials, which usually is obtainable. And then we have one more remote code execution vulnerability that does require authentication, this time in Splunk. Now this particular vulnerability does require a higher privileged role. It does require the edit command capability. This is one of those things where you probably want to review whether or not all the users that actually have that capability assigned actually need it. And then it's roughly straightforward by using the unarchive command parameter in the preview REST endpoint in order to, well, execute operator commands. This is sort of a typical issue where you are able to basically provide some command to pre-process a file, like in this case here for the preview capability, like, for example, a decompress.
But then it's always difficult to kind of constrain what actual unarchive commands you are allowing in this particular case. Well, and this is it for today. So thanks for listening, thanks for liking, and thanks for subscribing to this podcast. And as always, thanks for listening and talk to you again on Monday. Bye.
In this succinct, daily update from SANS Internet Storm Center, host Johannes B. Ullrich focuses on essential security news for March 13, 2026. Today's episode centers on ongoing issues with IoT device security (specifically default SSH login vulnerabilities), notable Apple security updates for legacy devices, critical Veeam backup vulnerabilities, and a remote code execution flaw in Splunk. The episode includes insights from SANS intern Adam Thorman.
Featured Diary by Adam Thorman
IoT Device Risks:
Johannes highlights Adam Thorman’s diary on SSH logins with default passwords, “something attackers are finding very, very useful and successful,” particularly for webcams and other consumer IoT devices.
Device Fingerprinting:
Adam's contribution also discussed fingerprinting methods to discover insecure IoT devices on networks.
Key Quote:
“Organizations must get control over… these very simple, sort of uncontrolled deployments of often consumer IoT devices.” (Johannes B. Ullrich, [01:08])
Patch Details:
Threat Context:
Update Urgency:
Johannes warns against neglecting older devices:
“If you still have one of those old devices around, please update as what we have seen in the past is that some of these more sophisticated vulnerabilities and exploits are sort of trickling down over the years.” ([02:13])
Scope:
Impact:
Mitigation Advice:
“Definitely get them updated. Like I said, yes, it requires authentication, but the actual authentication you need is not really that much of a threshold here. You really need just some domain user credentials which usually is obtainable.” ([03:40])
Vulnerability Overview:
Remediation Guidance:
Johannes advises reviewing user assignments:
“This is one of those things where you probably want to review whether or not all the users actually have that capability assigned — actually need it.” ([04:14])
Exploit Mechanics:
Exploitation leverages file decompression in REST endpoints, with difficulty constraining which unarchive commands users may execute.
Johannes efficiently covers a range of urgent security topics:
This episode balances immediate vulnerability information with actionable advice—crucial for early-riser security professionals wanting to stay ahead of threats.