
SANS Stormcast Thursday, March 19th, 2026: Adminer Scans; Apple WebKit Patch; another telnetd vuln; screenconnect vuln
Hello and welcome to the Thursday, March 19, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.

In diaries today, I wrote up scans that we are seeing against our honeypots against Adminer. Adminer is a PHP script that allows you to administer your database. It works for MySQL and Postgres, I believe, and it's similar in its approach kind of to phpMyAdmin. If you're familiar with phpMyAdmin, it's one of the big targets out there. It had a very rich history of vulnerabilities, and it's sort of the first and original web-based database admin tool. Adminer takes a different approach insofar as it's just one PHP file; it's very feature-rich and has actually a pretty good security history. There have been a couple of vulnerabilities, but far fewer and far lower in severity than what we have with phpMyAdmin. So why are attackers scanning for it? Well, the weakness that we still have is passwords. Now, Adminer does not really have the user set up passwords for the tool itself, usually. Instead it just uses the database's access control system. And that actually makes quite a bit of sense. It even offers an optional module that allows you to have some two-factor authentication, and that's something you should definitely consider, even though it deviates somewhat from the original goal of just having everything in one file. One reason that these scans sort of really attract my attention is not just the number of scans, but really the number of different URLs that are being scanned here. When you're downloading and installing Adminer, what you usually download is like this one big PHP file, and it comes in different versions, different languages and such, and also for different databases. And that's all part of the file name.
So if you just download the file and install it, well, there's about a dozen different file names that are possible for each release, and it's an actively maintained tool, so you have releases coming out every so often. And this attacker apparently enumerated all of these file names and is now attempting to find them on your system. As I said, you probably want to install the two-factor authentication plugin, but also maybe just throw some basic digest authentication in front of the tool in order to have an additional layer, to make it less easy to find this particular tool, or that you even have it installed.

Then we got something new from Apple, and that's background security improvements. This feature was added to the latest version of their operating systems and allows them to basically push out smaller security updates. They just yesterday used this feature for the first time, and they pushed out an update for WebKit. It fixes a single vulnerability, not a super critical vulnerability. It's a same-origin issue; it's not yet exploited. I suspect that maybe they wanted to try it out with sort of not a very severe vulnerability. If you want to apply the update manually, you have to go into Security and Privacy. That's where you find the background security improvements. You can also disable them if you don't want them to be applied automatically. But it's a different spot in the operating system than the normal security updates that you sort of get via Software Update. And you can also undo these updates if you want to. They're then typically rolled into the next operating system update, so they will still basically include all of these background security improvements that were moved live before. Interesting concept; makes things faster. The download was very small and quick. It will still reboot your device after it's done applying the update.

I'd imagine that we got another vulnerability in the inetutils telnetd. Indeed.
Remember, we just had a vulnerability a couple of weeks ago with the embarrassing -f option in telnetd that basically bypassed login. This is a new, distinct vulnerability. It's a buffer overflow in LINEMODE SLC, Set Local Characters. Essentially, during the sort of initial handshake, the telnet client and the server can negotiate a couple of parameters, and this is one of these parameters. So this is pre-authentication, and it's a straightforward buffer overflow. Definitely get it patched, but of course you really shouldn't run telnet. And if you're using ConnectWise ScreenConnect, be aware there is a patch available for you for version 26.1. This patch does encrypt certain machine keys that were accessible without authentication before the patch was applied. So they assess this with a CVSS score of 9.0. So it's definitely critical, something that you want to address and patch quickly. Well, and that's it for today. So thanks for listening, thanks for liking, thanks for subscribing, and thanks for sharing this podcast in your favorite social network, and talk to you again tomorrow. Bye.
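The Adminer segment above describes the scanning behaviour from the defender's side: one source requesting many of the possible Adminer file names (version, database driver and language are all encoded in the name), and a 2xx response telling you the tool is actually exposed. The following script, added here as an example and not code from the podcast or the ISC diary, runs that logic over constructed web server access log lines. It assumes the Apache/nginx combined log format and an assumed file-name convention of `adminer`/`editor`, optional version, optional driver and optional two-letter language suffix; the IP addresses, timestamps and paths in the sample are constructed.

```python
"""Flag Adminer file-name probing in web server access logs (constructed sample data)."""
import re
from collections import defaultdict

# Apache/nginx combined log format (assumed); only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed Adminer download naming convention (an assumption of this example):
# adminer or editor, optional version, optional driver (mysql, pgsql, ...),
# optional two-letter language code, ".php". Query strings are allowed after it.
ADMINER_RE = re.compile(
    r'/(?P<name>(?:adminer|editor)'
    r'(?:-\d+\.\d+\.\d+)?(?:-[a-z]+)?(?:-[a-z]{2})?\.php)(?:\?|$)',
    re.IGNORECASE,
)

# Constructed sample log: one source enumerating several Adminer file names,
# one source reaching a real install, one unrelated static asset.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Mar/2026:08:01:02 +0000] "GET /adminer.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Mar/2026:08:01:03 +0000] "GET /adminer-4.8.1.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Mar/2026:08:01:03 +0000] "GET /adminer-4.8.1-mysql.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Mar/2026:08:01:04 +0000] "GET /adminer-4.8.1-mysql-en.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Mar/2026:08:01:04 +0000] "GET /editor-4.8.1.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2026:08:05:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2026:08:05:01 +0000] "GET /admin/adminer.php?username=root HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.5 - - [19/Mar/2026:08:06:00 +0000] "GET /static/adminer.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the captured fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def adminer_probe(path):
    """Return the Adminer-style file name requested in `path`, or None if the path is unrelated."""
    m = ADMINER_RE.search(path)
    return m.group("name") if m else None


def analyze(lines, min_distinct=3):
    """Summarise Adminer probing in a log.

    Returns every matching request, the sources that asked for at least `min_distinct`
    different Adminer file names (the enumeration pattern described in the diary), and
    the requests that were actually served (2xx), which means an install is reachable.
    """
    hits, names_by_ip, reachable = [], defaultdict(set), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = adminer_probe(rec["path"])
        if name is None:
            continue
        hits.append((rec["ip"], name, rec["status"]))
        names_by_ip[rec["ip"]].add(name.lower())
        if rec["status"].startswith("2"):
            reachable.append((rec["ip"], name))
    enumerators = {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= min_distinct}
    return {"hits": hits, "enumerators": enumerators, "reachable": reachable}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print(f"{len(report['hits'])} Adminer-related requests")
    for ip, names in report["enumerators"].items():
        print(f"enumeration from {ip}: {len(names)} distinct file names")
    for ip, name in report["reachable"]:
        print(f"EXPOSED: {name} served with 2xx to {ip}")
```

The `reachable` list is the one worth alerting on: a 404 only tells you someone is looking, while a 2xx for an Adminer file name tells you the tool is installed and answering without any extra authentication layer in front of it. In production the file-name regex should be tightened to the exact versions you actually deploy, and the `min_distinct` threshold tuned to your traffic.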
SANS Stormcast – March 19, 2026: Adminer Scans, Apple WebKit Patch, Telnetd Vulnerability, ScreenConnect Patch
Host: Johannes B. Ullrich
In this concise briefing, Johannes B. Ullrich summarizes the day's most pressing cybersecurity topics for security professionals. The episode covers:
“It even offers an optional module that allows you to have some two factor authentication and that’s something you should definitely consider...” [01:20]
“This attacker apparently enumerated all of these file names and is now attempting to find them on your system.” [01:45]
Settings > Security and Privacy > Background Security Improvements.
“Interesting concept, makes things faster. The download was very small and quick. It will still reboot your device after it’s done applying the update.” [03:08]
“It’s definitely critical, something that you want to address and patch quickly.” [04:10]
Johannes Ullrich offers a brisk yet detailed overview of evolving security threats and hotfixes. Standouts include the prevalence of sophisticated Adminer scans (recommendation: harden and add 2FA), the debut of Apple’s rapid “background security improvements” feature, and the critical need to patch both telnetd’s new issue and the ConnectWise ScreenConnect vulnerability addressed in 26.1. Listeners are urged to take prompt action, maintain layered defenses, and expect increasingly agile security update mechanisms from major vendors.