SANS Stormcast – Tuesday, November 4, 2025
Host: Johannes B. Ullrich
Main Theme:
A concise briefing covers significant current cybersecurity threats, exploits, and issues, including active exploits for the XWiki SolrSearch vulnerability (with an unusual twist involving a rapper feud), a critical AMD Zen 5 processor random number generator bug, and the continued rise of malicious Open VSX extensions targeting crypto developers.
Key Discussion Points & Insights
1. XWiki SolrSearch Exploit Attempts and Rapper Feud Reference
[00:26 - 03:05]
- Background: Over the weekend, numerous exploit attempts targeting the XWiki SolrSearch vulnerability were observed.
- Vulnerability Status: Added to CISA's Known Exploited Vulnerabilities (KEV) catalog on the preceding Friday, with widespread awareness and proof-of-concept exploit code openly available.
- Peculiarities Noted:
- “What took them so long?”: Despite early public availability and straightforward exploitation, attack activity lagged behind initial disclosure.
- Strange User-Agent: The attacker’s user-agent string is an email address at atomicmail.io, an encrypted and somewhat anonymous provider.
“So yes, certainly something that an attacker may use, but not really sure why they're sort of advertising themselves here...”
—Johannes Ullrich [01:14]
- Unusual Payload Behavior:
- The exploit downloads a script from a site, but visiting that site redirects to a rapper’s promotional page.
- The exploit script and website carry names referencing a famous Chicago rapper and a rival, both known for gang affiliations and currently incarcerated—suggesting a fan or unknown entity rather than direct involvement.
“The name of the exploit script happens to be an opposing rapper. They're both like in Chicago, so with different gangs, both are doing time these days. So unlikely they're directly involved with this, but could be some kind of fan or whatever who came up with this exploit...”
—Johannes Ullrich [02:08]
- Defensive Recommendation:
- Immediate patching of XWiki instances is urged; always assume compromise if unpatched.
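The episode singles out two observable traits of these exploit attempts: they hit the SolrSearch endpoint, and the User-Agent is a bare email address rather than a browser string. The following C program is an added example (not code from the podcast or from XWiki) showing how a defender might flag that combination in web-server access logs. The log lines are constructed samples; the `/xwiki/bin/get/Main/SolrSearch` path form is assumed from XWiki's usual URL layout, the email address is a placeholder, and the function names (`looks_like_email`, `is_suspicious_solrsearch`, `count_suspicious`) are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the last double-quoted field of a combined-log-format line (the
 * User-Agent) into out. Returns 1 on success, 0 if no quoted field exists. */
static int last_quoted_field(const char *line, char *out, size_t out_len) {
    const char *close = strrchr(line, '"');
    if (close == NULL || close == line) return 0;
    const char *open = close - 1;
    while (open > line && *open != '"') open--;
    if (*open != '"') return 0;
    size_t len = (size_t)(close - open - 1);
    if (len >= out_len) len = out_len - 1;
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return 1;
}

/* Heuristic: a bare address of the form local@domain.tld with no spaces,
 * slashes or parentheses (browser UA strings contain those, addresses do not). */
int looks_like_email(const char *s) {
    const char *at = strchr(s, '@');
    if (at == NULL || at == s || strchr(at + 1, '@') != NULL) return 0;
    const char *dot = strrchr(at + 1, '.');
    if (dot == NULL || dot == at + 1 || dot[1] == '\0') return 0;
    for (const char *p = s; *p; p++) {
        if (isspace((unsigned char)*p) || *p == '/' || *p == '(' || *p == ')') return 0;
    }
    return 1;
}

/* Flag a request to the SolrSearch endpoint whose User-Agent is an email address. */
int is_suspicious_solrsearch(const char *line) {
    if (strstr(line, "SolrSearch") == NULL) return 0;
    char ua[512];
    if (!last_quoted_field(line, ua, sizeof ua)) return 0;
    return looks_like_email(ua);
}

/* Constructed sample log lines (not real traffic); addresses are documentation ranges. */
static const char *const SAMPLE_LOG[] = {
    "203.0.113.7 - - [03/Nov/2025:10:11:12 +0000] \"GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=hello HTTP/1.1\" 200 512 \"-\" \"someone@atomicmail.io\"",
    "198.51.100.3 - - [03/Nov/2025:10:12:01 +0000] \"GET /xwiki/bin/view/Main/ HTTP/1.1\" 200 8120 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0\"",
    "203.0.113.9 - - [03/Nov/2025:10:13:44 +0000] \"GET /xwiki/bin/get/Main/SolrSearch?text=test HTTP/1.1\" 200 300 \"-\" \"Mozilla/5.0 (Windows NT 10.0) Chrome/129.0\"",
    "192.0.2.5 - - [03/Nov/2025:10:14:09 +0000] \"GET /robots.txt HTTP/1.1\" 404 0 \"-\" \"bot-owner@example.net\"",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Count flagged lines; print each one when verbose is non-zero. */
size_t count_suspicious(const char *const *lines, size_t n, int verbose) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_suspicious_solrsearch(lines[i])) {
            hits++;
            if (verbose) printf("ALERT: %s\n", lines[i]);
        }
    }
    return hits;
}

int main(void) {
    size_t hits = count_suspicious(SAMPLE_LOG, SAMPLE_LOG_LEN, 1);
    printf("%zu suspicious SolrSearch request(s)\n", hits);
    return 0;
}
```

Only the first sample line fires: the third is a SolrSearch request with a normal browser UA, and the fourth has an email-style UA but does not touch SolrSearch. Matching on the endpoint alone would be noisy on a busy wiki, and matching on the UA alone would miss the many attackers who use an ordinary browser string, so the two conditions are combined; a real deployment would feed the flagged lines to a SIEM rather than stdout.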
2. AMD Zen 5 RDSEED Random Number Generator Bug
[03:05 - 04:15]
- Discovery: A flaw in the AMD Zen 5 processor’s RDSEED instruction—designed for cryptographically secure random number generation.
- Bug details: Occasionally, RDSEED returns zero (instead of a random number), falsely signaling success.
“Does occasionally return zero, even though, well, that would be not the next random number it's supposed to return. And it also indicates that the result is good.”
—Johannes Ullrich [03:24]
- Risks:
- Could undermine security by making random number generation—and thus, things like cryptographic keys—less secure and easier to brute-force.
“Of course from a security point of view, random numbers are being used for many like cryptographic keys and such. So certainly important to fix that.”
—Johannes Ullrich [04:03]
- Workarounds:
- AMD offers mitigations and a pending patch.
- Practical fix: Add a Linux kernel boot option that disables RDSEED.
- The bug is specific to Zen 5 and does not occur when the 64-bit form of the instruction is used.
- Refer to the official AMD advisory for a full list of affected CPUs.
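The defensive point of this segment is that RDSEED's success flag can no longer be taken at face value on the affected parts: a zero returned with the carry flag set must be treated as a failure. The C program below is an added example (not AMD's mitigation, not kernel code, and not from the episode) of a wrapper that enforces that rule, plus a self-check that counts how often the real instruction does it. It assumes the 32-bit form of RDSEED; the names `checked_rdseed32`, `faulty_rdseed32`, `always_zero_rdseed32` and `hw_rdseed32` are this example's own, and the two simulated sources are constructed so the logic can be exercised without affected hardware.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <immintrin.h>
#endif

/* A raw seed source: stores a 32-bit value in *out and returns 1 when the
 * hardware reported success (carry flag set), 0 when no entropy was ready. */
typedef int (*seed_step_fn)(uint32_t *out);

/* Hardened wrapper: a zero result is rejected even when the source reports
 * success, which is exactly the Zen 5 symptom described above. Retries up to
 * max_tries times; returns 1 with a non-zero value in *out, 0 on exhaustion.
 * *rejected_zeros counts how many "successful" zeros were discarded. */
int checked_rdseed32(seed_step_fn step, uint32_t *out, int max_tries, int *rejected_zeros) {
    for (int i = 0; i < max_tries; i++) {
        uint32_t v = 0;
        if (!step(&v)) continue;          /* CF=0: transient, try again */
        if (v == 0) {                     /* CF=1 but value is zero: distrust it */
            (*rejected_zeros)++;
            continue;
        }
        *out = v;
        return 1;
    }
    return 0;
}

/* --- Simulated sources (constructed for this demo; not real hardware) --- */
static int sim_calls;
void reset_sim(void) { sim_calls = 0; }

/* Reports success every time but yields zero for the first three calls. */
int faulty_rdseed32(uint32_t *out) {
    sim_calls++;
    *out = (sim_calls <= 3) ? 0u : 0x9E3779B9u;   /* arbitrary non-zero constant */
    return 1;
}

/* Reports success but never yields anything except zero. */
int always_zero_rdseed32(uint32_t *out) { *out = 0; return 1; }

#if defined(__x86_64__) || defined(__i386__)
/* CPUID.(EAX=7,ECX=0):EBX bit 18 advertises RDSEED support. */
static int cpu_has_rdseed(void) {
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)) return 0;
    return (ebx >> 18) & 1u;
}

/* Real hardware source; only call this after cpu_has_rdseed() returned 1. */
__attribute__((target("rdseed")))
static int hw_rdseed32(uint32_t *out) {
    unsigned int v = 0;
    int ok = _rdseed32_step(&v);
    *out = (uint32_t)v;
    return ok;
}
#endif

int main(void) {
    uint32_t v = 0;
    int rejected = 0;
    reset_sim();
    if (checked_rdseed32(faulty_rdseed32, &v, 10, &rejected))
        printf("simulated source: accepted 0x%08x after rejecting %d zero(s)\n", v, rejected);
#if defined(__x86_64__) || defined(__i386__)
    if (cpu_has_rdseed()) {
        int zeros = 0, not_ready = 0;
        for (int i = 0; i < 100000; i++) {
            uint32_t r;
            if (!hw_rdseed32(&r)) { not_ready++; continue; }
            if (r == 0) zeros++;
        }
        printf("hardware RDSEED32: %d zero(s) reported as success, %d CF=0 results in 100000 calls\n",
               zeros, not_ready);
    } else {
        puts("hardware RDSEED not available on this CPU");
    }
#else
    puts("not an x86 build; hardware probe skipped");
#endif
    return 0;
}
```

A healthy 32-bit RDSEED returns zero with probability 2^-32 per call, so seeing even one successful zero in the hardware self-check is a strong sign of the flaw rather than chance. Rejecting zeros costs nothing on an unaffected part and does not make the output of an affected part trustworthy on its own; it is a guard that stops a known-bad value from being fed into key generation, which is why the kernel-level workaround and AMD's patch remain the real fix.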
3. Ongoing Issue: Malicious Open VSX Extensions
[04:15 - 05:23]
- Background:
- Malicious extensions in the OpenVSX marketplace persist, with enhancements to security underway but not fully resolving the issue.
- New case from security researcher John Tuckner and Secure Annex:
- A malicious extension posing as a Solidity helper (Solidity = smart contract/crypto language).
- The extension secretly steals crypto credentials.
“It’s targeting people who are working with cryptocurrencies in order to steal credentials…”
—Johannes Ullrich [04:49]
- Broader Pattern:
- Majority of malicious OpenVSX extensions specifically target crypto developers—smart contract authors and coin software coders.
“So if you are in the business of developing software that deal with cryptocurrency, be very, very careful. That's pretty much the exclusive target of these kind of malicious extensions.”
—Johannes Ullrich [05:00]
- Secondary targets: Cloud credentials and other sensitive information, but with much lower frequency.
- Defensive Recommendation:
- Crypto and smart contract developers should exercise extreme caution before installing OpenVSX extensions.
Notable Quotes & Memorable Moments
- On attacker oddities:
“Not really sure why they're sort of advertising themselves here and I haven't really seen this email address being used before, so this seems to be unique to this particular exploit...”
– Johannes Ullrich [01:22]
- On possible source of naming in exploits:
“...some kind of fan or whatever who came up with this exploit and is just using these names. Really kind of a lot of stuff here with that and not sure what to make of it.”
– Johannes Ullrich [02:21]
- On patching stance:
“...as always assume compromise.”
– Johannes Ullrich [02:51]
- On RDSEED’s security implication:
“It will at least make it a lot easier to brute-force cryptographic keys. Even though if it may not still be trivial.”
– Johannes Ullrich [04:11]
- On Open VSX risks for crypto developers:
“That's pretty much the exclusive target of these kind of malicious extensions.”
– Johannes Ullrich [05:00]
Timestamps for Important Segments
- [00:26] – XWiki SolrSearch exploit discussion and the rapper feud twist
- [03:05] – AMD Zen 5 RDSEED bug: explanation, impact, and mitigations
- [04:15] – Malicious OpenVSX extension landscape, with focus on crypto developer targeting
Summary
In this episode, Johannes Ullrich delivers quick insight on several major cyber threats of the day: a wave of XWiki SolrSearch exploits with intriguing attacker behavior referencing rapper rivalries, a critical flaw in AMD Zen 5’s hardware random number generation posing cryptographic risk, and the relentless issue of malicious OpenVSX extensions aimed squarely at crypto developers. Listeners are advised to patch promptly, follow vendor guidance for mitigation, and remain wary of third-party code—especially in crypto-related development environments.
