
SANS Stormcast Friday, March 6th, 2026: Targeted or Not? pac4j-jwt auth bypass; freescout dangerous uploads; MSFT Authenticator vs Graphene OS
Hello and welcome to the Friday, March 6, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cloud Security. Today we got another guest diary from one of our undergraduate interns. This time it was Joseph Kroon's turn to write up some of his observations from a honeypot. Now, one of the things about honeypots is that honeypots are usually easy to identify as a honeypot, and they're not typically getting you sort of these zero-days or targeted exploits, but they're really measuring sort of the background radiation of the Internet, as I sometimes call it. Basically sort of all the background noise that you typically end up with from these ubiquitous scans. And Joseph is going over one particular actor like that. What you often have happening here is that these individual scanners are then sort of zooming in on a particular type of exploit, type of artifact they're looking for. Now, where this becomes kind of valuable then is also when you're looking at our honeypot network and the data we publish on the Internet Storm Center website. If you're getting attacked by an IP address and you wonder, hey, is this someone that's only attacking me, or is this someone that is basically scanning the entire Internet for this particular issue? Well, just search for the IP address on the Internet Storm Center website and see what our sensors picked up about that IP address and whether the activity that you are seeing is different in some ways. And then sadly, we do have another one of those open source library vulnerabilities to talk about that may send you scrambling to figure out which particular systems in your network are using this particular library.
The library in question here is the pac4j-jwt library, and CodeAnt, which is a company that sort of delivers AI tools for code review, did find this particular vulnerability. JWT, or "jot" as it's sometimes called, or JSON Web Tokens if you want to spell it out, is a commonly used format to deliver authentication information. It's basically JSON data that's digitally signed, so it can be used for all kinds of authentication purposes, maybe with OAuth, but also sort of in other contexts. The problem has been with JWT, like many of these standards, it's a fairly flexible standard. There were issues where the signature was optional in some cases, or a problem. And this one is a little bit like it, but not quite, called algorithm confusion, where I can replace the asymmetric algorithm with a symmetric algorithm and then I can just use the public key to sign the statement instead of the secret key. That's a little bit like this here. So what happens here is that we do have a JWT, a JSON Web Token, that's actually not signed. We wrap it in a signature created by using the public key, and then the signature works out. It's basically a valid signature. And because the token itself doesn't really say that it needs to be signed, there is some bad logic in the code flow here that will then basically just consider the entire content of that token valid. So it's easy to exploit. And yes, CodeAnt has released basically all the steps you need in order to make a good and valid token using this vulnerability. There's also this issue a little bit with making the public keys public, and well, they're called public keys, so it shouldn't really be an issue. But some implementations are hesitating to do this, in part because of some of these algorithm confusion issues. But on the other hand, there are many standards around JWT, like OpenID and such, that require the public keys to be actually public, as the name implies. So for now, patch this vulnerability. Keeping the public keys secret is probably not the right solution here.
The next vulnerability we have to talk about is another favorite of mine, and that's in FreeScout. It's an open source help desk and shared mailbox solution. Well, it has the ability to deal with file uploads, and that's what help desks and email systems have to deal with, so not that they can easily get around it. But they make sort of a classic mistake here, and that's relying on filtering for malicious content by extension. That usually fails, and if you then allow unrestricted file uploads as a result, you end up with remote code execution. The problem here is white spaces again that can get sort of inserted that really don't change how the extension works and, well, are then bypassing the .htaccess filters used. If you are allowing people to upload files to your server, really the only option is to save them outside the document root and then pipe them back via some kind of loader script that does not execute any code, no matter what the file type is that you're displaying.
Well, a few episodes ago I talked about how Microsoft is going to tighten up how it's going to run its Microsoft Authenticator on iOS and on Android by basically not allowing it to run on rooted devices. There's one case where this is causing issues, and that's GrapheneOS. GrapheneOS is a well respected, sort of more secure Android version, but well, it's not Android, so it's not being recognized as non-rooted, and as a result right now Authenticator will not run on GrapheneOS. So you pretty much have to run an Android version, not a GrapheneOS version, on your phone. Well, and this is it for today. Thanks for listening, thanks for liking, thanks for commenting on your favorite podcast platform, and talk to you again on Monday. Bye.
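The episode's pac4j-jwt description boils down to one verifier mistake: the token itself gets to say whether it needs a signature. The following is an added example, not pac4j's code and not CodeAnt's published steps. It is a toy JWT verifier built on the standard library only, configured for HS256 with a constructed secret, showing the "trust the header" pattern beside a verifier that fixes the algorithm itself and refuses anything unsigned. All tokens, names and the secret are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; in this toy the verifier is configured for HS256.
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact JWT. alg 'none' yields an unsigned token (empty third part)."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = header + "." + b64url(json.dumps(payload).encode())
    if alg == "none":
        return signing_input + "."
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)
    raise ValueError("unsupported alg")


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable pattern: the token's own header decides whether a signature
    is required, so an unsigned token ('alg': 'none') is accepted unchecked."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))  # no signature, no check, claims trusted
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("bad signature")


def verify_strict(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened pattern: the verifier fixes the algorithm and requires a signature;
    a token whose header disagrees is rejected before any claim is read."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("token must be signed")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != expected_alg:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def accepts(verifier, token: str, key: bytes) -> bool:
    """True if the verifier returns claims for the token, False if it rejects it."""
    try:
        verifier(token, key)
        return True
    except ValueError:  # covers JSON and base64 decode errors as well
        return False


# Constructed tokens: a legitimate one, a forged unsigned one claiming admin,
# and a signed one whose payload was edited after signing.
LEGIT = encode({"sub": "alice", "role": "user"}, "HS256", SECRET)
FORGED = encode({"sub": "alice", "role": "admin"}, "none")
_h, _p, _s = LEGIT.split(".")
TAMPERED = _h + "." + b64url(json.dumps({"sub": "alice", "role": "admin"}).encode()) + "." + _s

if __name__ == "__main__":
    for name, tok in [("legit", LEGIT), ("forged", FORGED), ("tampered", TAMPERED)]:
        print(name, "trusting-header:", accepts(verify_trusting_header, tok, SECRET),
              "strict:", accepts(verify_strict, tok, SECRET))
```

The same rule covers the asymmetric-to-symmetric confusion the episode mentions: the verifier, not the token header, chooses the algorithm, and each key is bound to exactly one algorithm, so a public key can never be handed to an HMAC routine. Under that rule publishing the public key costs nothing, which is why keeping it secret is the wrong fix.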
Main Theme:
In the March 6th, 2026 episode of the SANS Internet Storm Center Stormcast, host Johannes B. Ullrich delivers a compact yet information-rich summary of current cybersecurity events. Today's focus is on the insights gleaned from honeypot data, a newly-discovered authentication bypass vulnerability in the pac4j-jwt library, a dangerous file upload vulnerability in FreeScout, and emerging compatibility issues between Microsoft Authenticator and GrapheneOS.
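The FreeScout segment contrasts an extension blocklist that whitespace slips past with the approach the host recommends: store uploads outside the document root and hand them back through a loader that never executes them. The following is an added example, not FreeScout's code, written in Python so the two patterns can be run side by side. The storage directory, extension lists and file contents are constructed for the demo; whether a given server actually executes a name like "shell.php " depends on the server and filesystem, and the point is that the check and the execution decision are made by different components on different views of the name.

```python
import os
import re
import secrets
import tempfile
from typing import Dict, Optional, Tuple

# Constructed storage location for the demo, deliberately not under any web
# document root, so nothing the web server serves directly is an uploaded file.
STORAGE = os.path.join(tempfile.gettempdir(), "demo-upload-storage")
EXEC_BLOCKLIST = {"php", "phtml", "phar"}   # what a typical blocklist names
ALLOWLIST = {"png", "jpg", "pdf", "txt"}    # what the hardened handler permits


def blocklist_check(filename: str) -> bool:
    """Vulnerable pattern: blocklist on the raw last dot-segment of the name.
    'shell.php ' (trailing space) yields 'php ', which is not in the blocklist,
    so the upload is allowed. An .htaccess rule or the filesystem may later see
    the same file under its own normalisation of the name and treat it as PHP."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in EXEC_BLOCKLIST


def normalised_extension(filename: str) -> str:
    """Strip whitespace and control characters before looking at the extension,
    then keep only [a-z0-9]: 'shell.php ' -> 'php', 'shell.php.' -> ''."""
    base = os.path.basename(filename)
    cleaned = "".join(ch for ch in base if ch.isprintable() and not ch.isspace())
    if "." not in cleaned:
        return ""
    return re.sub(r"[^a-z0-9]", "", cleaned.rsplit(".", 1)[-1].lower())


def store_upload(filename: str, data: bytes) -> Optional[str]:
    """Hardened pattern: allowlist on the normalised extension and store outside
    the document root under a random name with no extension. The user-supplied
    name is never used to build a path. Returns an opaque id, or None if rejected."""
    if normalised_extension(filename) not in ALLOWLIST:
        return None
    os.makedirs(STORAGE, exist_ok=True)
    file_id = secrets.token_hex(16)
    with open(os.path.join(STORAGE, file_id), "wb") as fh:
        fh.write(data)
    return file_id


def serve(file_id: str, download_name: str) -> Tuple[int, Dict[str, str], bytes]:
    """The loader script: returns (status, headers, body). It validates the id
    against the random-name format (so no path traversal), reads the bytes back
    and returns them as an attachment with a fixed content type and nosniff, so
    neither the server nor the browser executes or sniffs the content."""
    if not re.fullmatch(r"[0-9a-f]{32}", file_id):
        return 404, {}, b""
    path = os.path.join(STORAGE, file_id)
    if not os.path.isfile(path):
        return 404, {}, b""
    with open(path, "rb") as fh:
        body = fh.read()
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(download_name)) or "download"
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


if __name__ == "__main__":
    for name in ("shell.php", "shell.php ", "report.pdf"):
        print(repr(name), "blocklist allows:", blocklist_check(name),
              "allowlist ext:", repr(normalised_extension(name)))
    fid = store_upload("report.pdf", b"%PDF-1.4 constructed sample")
    print("stored as", fid, "->", serve(fid, "report.pdf")[0])
```

Even if a crafted name does get through the allowlist, the stored file has no extension, lives where the web server never looks, and is only ever returned as inert bytes by the loader, which is what makes the storage decision, not the extension check, the real control.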
[00:04–02:00] Honeypot observations from the intern guest diary, and using the Internet Storm Center website to tell a targeted attacker from an Internet-wide scanner.
[02:00–04:10] The pac4j-jwt authentication bypass and why keeping public keys secret is not the fix.
[04:10–05:10] FreeScout dangerous file uploads: whitespace in the extension slipping past the .htaccess filters and enabling execution on the server.
[05:10–06:10] Microsoft Authenticator refusing to run on GrapheneOS.
“They’re really measuring sort of the background radiation of the Internet, as I sometimes call it.”
— Johannes B. Ullrich ([01:00])
“There's some bad logic in the code flow here that will then just consider the entire content of that token valid. So it's easy to exploit.”
— Johannes B. Ullrich ([03:40])
“If you are allowing people to upload files to your server, really the only option is save them outside the document root and then pipe them back via some kind of loader script that does not execute any code, no matter what the file type is that you're displaying.”
— Johannes B. Ullrich ([05:00])
“Authenticator will not run on GrapheneOS, so you pretty much have to run an Android version, not GrapheneOS version, on your phone.”
— Johannes B. Ullrich ([06:00])
A quick but impactful update, this episode equips listeners with actionable insights and critical vulnerability updates.