
SANS Stormcast Tuesday, April 21st, 2026: CVE and EPSS; Windows Server 2025 OOB; QEMU Abuse;
Hello and welcome to the Tuesday, April 21, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Well, I already mentioned that we do have this flood of new vulnerabilities that's currently sort of hitting the CVE database, which has caused issues like, for example, NVD no longer being able to really provide enrichment for many of the newly discovered vulnerabilities. So what are some of the alternatives? And we do have an option here by Xavier: EPSS. EPSS stands for the Exploit Probability Scoring System. And what it attempts to accomplish is to essentially assign a probability to a vulnerability to figure out how likely it is to actually be exploited, which of course then assists you in properly prioritizing this vulnerability. What also makes this interesting is that this is a newer system that was just introduced a few years ago and updated again three years ago. Well, this system developed by FIRST is based on an automatic generation of these EPSS scores. So that makes it sort of more inherently scalable than some of the work that NIST has been doing. So, pretty interesting number that you can add to your vulnerability management process. And to help you out with this, Xavier also demonstrated how to automatically use it to enrich your data. And as an example, Xavier implemented this enrichment in Wazuh. So take a look at the diary and see if this is something that may be useful for your vulnerability management program.

And talking about all the things that can go wrong when you are rolling out patches. Well, Microsoft this weekend did release an out-of-band patch for Server 2025 to address issues that were introduced with the security updates released last Tuesday. Apparently some subset of Server 2025 installs did enter a reboot loop after this patch was installed. And for others, well, the patch just didn't apply at all. So in this case, well, take a look at last weekend's update, and you probably want to apply that if you're falling into either group. The uninstalled patch is, of course, particularly tricky because that may easily go unnoticed. So any Windows 2025 user probably should take a look at this particular message from Microsoft to figure out what group you fall into. Or, well, maybe you're one of the lucky ones where the patch just applied fine.

And we got an interesting blog post by Sophos pointing to some late developments with the Payout King ransomware. This is not new ransomware, but they sort of have some new tricks up their sleeve. And one interesting trick I find is the use of QEMU. QEMU is an open source virtualization and emulation package. So essentially it allows you to run a virtual machine by itself. It's not malicious software. It's actually quite often used for a lot of good purposes. And as such, of course, antimalware will not necessarily flag it. But by running this virtualization environment, the attacker is then able to actually run a little virtual machine. They're using Alpine, the stripped-down Linux distribution, on your system, and hide additional malicious activity inside the virtual machine. Just from using virtual machines all day long in class, well, that often then evades detection because anti-malware, well, endpoint protection does not cover any processes typically happening in a virtual machine, whether it's QEMU, VMware or any other virtualization technology. Within this virtual machine, the attacker then establishes a reverse SSH channel in order to then remotely connect to the virtual machine. And the virtual machine comes preloaded with various attack tools that then can be further used to compromise the system or the rest of your network. So, pretty interesting technique.

Definitely watch out for QEMU or any virtualization technology that may be deployed unapproved within your network and, well, flag it as possibly malicious. But again, this is something that's often used legitimately, so inventory and knowing where it's needed, where it's legitimately used, is certainly an important task here. Well, and that's it for today, so thanks for listening, thanks for liking and subscribing to this podcast, and talk to you again tomorrow. Bye.
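The EPSS enrichment described in the episode, as an added example that is not code from the episode or from Xavier's diary: scanner findings are joined against an EPSS lookup and re-ranked by exploit probability rather than CVSS alone. The response body is a constructed sample in the shape of the FIRST EPSS API (`https://api.first.org/data/v1/epss`); the CVE ids, scores, hosts and the 0.1 "urgent" threshold are all made up for illustration.

```python
import json
from typing import Dict, List, Optional

# Constructed sample in the shape of a FIRST EPSS API response.
# The CVE ids and scores are invented; a real client would fetch this over HTTPS.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 3, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.912340000", "percentile": "0.998100000", "date": "2026-04-20"},
        {"cve": "CVE-0000-0002", "epss": "0.000430000", "percentile": "0.102000000", "date": "2026-04-20"},
        {"cve": "CVE-0000-0003", "epss": "0.043000000", "percentile": "0.891000000", "date": "2026-04-20"},
    ],
})

# Constructed local findings, as a scanner or SIEM might report them (hypothetical hosts).
# Note the highest-CVSS finding has a very low EPSS score, and one CVE has no EPSS record.
SAMPLE_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 9.8},
    {"host": "db-01", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"host": "app-01", "cve": "CVE-0000-0003", "cvss": 6.1},
    {"host": "app-02", "cve": "CVE-0000-0004", "cvss": 5.0},
]


def parse_epss(response_text: str) -> Dict[str, dict]:
    """Index an EPSS API response by CVE id, converting the string scores to floats."""
    body = json.loads(response_text)
    if body.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {body.get('status')!r}")
    return {
        row["cve"]: {"epss": float(row["epss"]), "percentile": float(row["percentile"]), "date": row["date"]}
        for row in body.get("data", [])
    }


def enrich_findings(findings: List[dict], epss_index: Dict[str, dict], urgent_threshold: float = 0.1) -> List[dict]:
    """Attach EPSS data to each finding and rank by exploit probability, then CVSS.

    Findings without an EPSS record are kept (tier "no-epss") but sort after scored ones,
    so a missing score is visible rather than silently dropped.
    """
    enriched = []
    for finding in findings:
        record: Optional[dict] = epss_index.get(finding["cve"])
        item = dict(finding)
        item["epss"] = record["epss"] if record else None
        item["percentile"] = record["percentile"] if record else None
        if record is None:
            item["tier"] = "no-epss"
        else:
            item["tier"] = "urgent" if record["epss"] >= urgent_threshold else "routine"
        enriched.append(item)
    # Unknown EPSS maps to -1.0 so it lands below every real probability in [0, 1].
    return sorted(enriched, key=lambda x: (x["epss"] if x["epss"] is not None else -1.0, x["cvss"]), reverse=True)
```

With the sample data the CVSS 9.8 finding drops to third place because its EPSS probability is near zero, which is exactly the reordering the score is meant to provide.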
In this episode, Johannes B. Ullrich provides a concise briefing on critical current issues in cybersecurity. The focus centers on vulnerability management alternatives to CVE/NVD enrichment, urgent updates for Windows Server 2025, and an evolving technique wherein threat actors leverage QEMU virtualization to evade detection.
On EPSS versus traditional CVE enrichment:
"This system developed by FIRST is based on an automatic generation of these EPSS scores. So that makes it sort of more inherently scalable than some of the work that NIST has been doing." (Johannes, 01:32)
On Windows Server 2025 hotfix complications:
"Apparently some subset of Server 2025 installs did enter a reboot loop after this patch was installed. And for others, well, the patch just didn't apply at all." (Johannes, 02:36)
On the risks of virtualization abuse:
"Endpoint protection does not cover any processes typically happening in a virtual machine, whether it's Qemu, VMware or any other virtualization technology within this virtual machine." (Johannes, 04:02)
For more technical details and implementation advice, refer to the mentioned SANS diary and related Microsoft and Sophos advisories.