SANS Stormcast Tuesday, November 4th, 2025: XWiki SolrSearch Exploits and Rapper Feud; AMD Zen 5 RDSEED Bug; More Malicious Open VSX Extensions - SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

Summary4 min read

SANS Stormcast – Tuesday, November 4, 2025

Host: Johannes B. Ullrich
Main Theme:
A concise briefing covers significant current cybersecurity threats, exploits, and issues, including active exploits for the XWiki SolrSearch vulnerability (with an unusual twist involving a rapper feud), a critical AMD Zen 5 processor random number generator bug, and the continued rise of malicious Open VSX extensions targeting crypto developers.

Key Discussion Points & Insights

1. XWiki SolrSearch Exploit Attempts and Rapper Feud Reference

[00:26 - 03:05]

Background: Over the weekend, numerous exploit attempts targeting the XWiki SolrSearch vulnerability were observed.
- Vulnerability Status: Added to the Known Exploited Vulnerability catalog on the preceding Friday, with widespread awareness and proof-of-concept exploit code available openly.
- Peculiarities Noted:
  - “What took them so long?”: Despite early public availability and straightforward exploitation, attack activity lagged behind initial disclosure.
  - Strange User-Agent: The attacker’s user-agent string is an email address at atomicmail.io, an encrypted and somewhat anonymous provider.
    
    “So yes, certainly something that an attacker may use, but not really sure why they're sort of advertising themselves here...”
    —Johannes Ullrich [01:14]
- Unusual Payload Behavior:
  - The exploit downloads a script from a site, but visiting that site redirects to a rapper’s promotional page.
  - The exploit script and website carry names referencing a famous Chicago rapper and a rival, both known for gang affiliations and currently incarcerated—suggesting a fan or unknown entity rather than direct involvement.
    
    “The name of the exploit script happens to be an posing wrapper. They're both like in Chicago, so with different gangs, both are doing time these days. So unlike they're directly involved with this, but could be some kind of fan or whatever who came up with this exploit...”
    —Johannes Ullrich [02:08]
- Defensive Recommendation:
  - Immediate patching of XWiki instances is urged; always assume compromise if unpatched.

2. AMD Zen 5 RDSEED Random Number Generator Bug

[03:05 - 04:15]

Discovery: A flaw in the AMD Zen 5 processor’s RDSEED instruction—designed for cryptographically secure random number generation.
- Bug details: Occasionally, RDSEED returns zero (instead of a random number), falsely signaling success.
  
  “Does occasionally return zero, even though, well, that would be not the next random number it's supposed to return. And it also indicates that the result is good.”
  —Johannes Ullrich [03:24]
- Risks:
  - Could undermine security by making random number generation—and thus, things like cryptographic keys—less secure and easier to brute-force.
    
    “Of course from a security point of view, random numbers are being used for many like cryptographic keys and such. So certainly important to fix that.”
    —Johannes Ullrich [04:03]
- Workarounds:
  - AMD offers mitigations and a pending patch.
  - Practical fix: Add a Linux boot kernel option to disable the RDSEED output.
  - Bug is specific to Zen 5 and not present when using the 64-bit base instruction (RDC).
- Refer to the official AMD advisory for a full list of affected CPUs.

3. Ongoing Issue: Malicious Open VSX Extensions

[04:15 - 05:23]

Background:
- Malicious extensions in the OpenVSX marketplace persist, with enhancements to security underway but not fully resolving the issue.
- New case from security researcher John Tuckner and Secure Annex:
  - A malicious extension posing as a Solidity helper (Solidity = smart contract/crypto language).
  - The extension secretly steals crypto credentials.
    
    “It’s targeting people who are working with cryptocurrencies in order to steal credentials…”
    —Johannes Ullrich [04:49]
- Broader Pattern:
  - Majority of malicious OpenVSX extensions specifically target crypto developers—smart contract authors and coin software coders.
    
    “So if you are in the business of developing software that deal with cryptocurrency, be very, very careful. That's pretty much the exclusive target of these kind of malicious extensions.”
    —Johannes Ullrich [05:00]
  - Secondary targets: Cloud credentials and other sensitive information, but with much lower frequency.
- Defensive Recommendation:
  - Crypto and smart contract developers should exercise extreme caution before installing OpenVSX extensions.

Notable Quotes & Memorable Moments

On attacker oddities:

“Not really sure why they're sort of advertising themselves here and I haven't really seen this email address being used before, so this seems to be unique to this particular exploit...”
– Johannes Ullrich [01:22]
On possible source of naming in exploits:

“...some kind of fan or whatever who came up with this exploit and is just using these names. Really kind of a lot of stuff here with that and not sure what to make of it.”
– Johannes Ullrich [02:21]
On patching stance:

“...as always assume compromise.”
– Johannes Ullrich [02:51]
On RDSEED’s security implication:

“It will at least make it a lot easier to brute-force cryptographic keys. Even though if it may not still be trivial.”
– Johannes Ullrich [04:11]
On Open VSX risks for crypto developers:

“That's pretty much the exclusive target of these kind of malicious extensions.”
– Johannes Ullrich [05:00]

Timestamps for Important Segments

[00:26] – XWiki SolrSearch exploit discussion and the rapper feud twist
[03:05] – AMD Zen 5 RDSEED bug: explanation, impact, and mitigations
[04:15] – Malicious OpenVSX extension landscape, with focus on crypto developer targeting

Summary

In this episode, Johannes Ullrich delivers quick insight on several major cyber threats of the day: a wave of XWiki SolrSearch exploits with intriguing attacker behavior referencing rapper rivalries, a critical flaw in AMD Zen 5’s hardware random number generation posing cryptographic risk, and the relentless issue of malicious OpenVSX extensions aimed squarely at crypto developers. Listeners are advised to patch promptly, follow vendor guidance for mitigation, and remain wary of third-party code—especially in crypto-related development environments.

Loading summary

Transcript1 lines

[00:05]
A
Hello and welcome to the Tuesday, November 4, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ulrich, recording today from Jacksonville, Florida and this episode is brought to you by the SANS Edu Master's Degree program in Information Security Engineering. This weekend we did see a large number of exploit attempts for the Ex Wiki Solar Surge vulnerability. This vulnerability was added to the known exploited vulnerability catalog on Friday, so no real surprise that we see some exploits for it. In particular, since this vulnerability has gotten quite a bit of coverage over the weekend. There are a couple odd things about these exploit attempts. First of all, what took them so long? The original advisory that was published by Xwiki to alert users of this vulnerability actually pretty much had exploit code attached to it. It had a proof of concept exploit that showed you how to take advantage of this vulnerability and it was pretty straightforward how to do so. The other odd thing here was the user agent being used by the actor who according to our data is pretty much responsible for all of the exploits. But, well, this was actually an email address. The email address is with atomicmail IO which is an encrypted and somewhat anonymous email provider. So yes, certainly something that an attacker may use, but not really sure why they're sort of advertising themselves here and I haven't really seen this email address being used before, so this seems to be unique to this particular exploit, but let me know if you have seen it before. The other thing is that, well, pretty much as expected, the exploit is used to download an additional script from a website and then execute it. But if you go to this website you actually end up on a rapper's sort of promotional page and the name of the exploit script happens to be an posing wrapper. They're both like in Chicago, so with different gangs, both are doing time these days. So unlike they're directly involved with this, but could be some kind of fan or whatever who came up with this exploit and is just using these names. Really kind of a lot of stuff here with that and not sure what to make of it. If anybody has any more details, let me know. I reached out to the email address and user agent but haven't gotten any reply yet so far. Either way, patch your X wikis if you are using them and at this point as always assume compromise. And then we have an interesting and a little bit tricky vulnerability that affects AMD's Zen 5 processors. And for a change it's not one of those speculative execution vulnerabilities or anything like this, but instead a weak Random number Generator the rdseed function which is meant to create good random numbers is intel has similar functions in their CPUs. Does occasionally return zero, even though, well, that would be not the next random number it's supposed to return. And it also indicates that the result is good. There's a flag that is being set whenever it returns. A random number basically tells you if it's a good random number or not. Well, in this case the signaling shows success, but the random number is just zero and that happens more often than zero should show up just randomly. There is a patch in the works from AMD for this, but they also offered a couple of workarounds. One probably that's the easiest in my opinion to deploy is where you just to the boot options of your Linux kernel add an option in order to basically turn off that behavior. Also, if you're using the 64 bit version of RDC, then you're not affected by this particular bug. And then again it's just the Zen 5 processors, even though other processors of course have that RDC command, but they're not affected by it. For a complete list of all the processes that fall into that Zen5 category, well refer to AMD's advisory for this. A little bit hard to tell how exploitable this is. Depends on how often that zero result is coming back. But of course from a security point of view, random numbers are being used for many like cryptographic keys and such. So certainly important to fix that. Eventually it will at least make it a lot easier to brute force cryptographic keys. Even though if it may not still be trivial. And well, malicious extensions via OpenVSX appear to not be going away. I mentioned yesterday how they're trying to improve the security of their ecosystem somewhat. The latest example here comes from John Tuckner with Secure Annex. And interestingly here that they basically found this extension that's supposed to help with solidity, which is a language or configuration language used for smart contracts. And yes, it's supposed to like, you know, properly mark them up. But of course it's targeting people who are working with cryptocurrencies in order to steal credentials. And this is something that really sort of, I think I noted with all of these malicious extensions that they pretty much exclusively target crypto developers. So if you are in the business of developing software that deal with cryptocurrency, be very, very careful. That's pretty much the exclusive target of these kind of malicious extensions. Yes. Doesn't mean that other developers should be careful because we also have seen a little bit stuff like cloud credentials and such being stolen, but the number one target here is really developers of smart contracts and crypto coin software. Well, and this is it for today. So thanks for listening and thanks for recommending and liking and whatever you do to make this podcast more popular. And as always, if there is a story I missed, if there's a story I should not have covered, well, please let me know. Thanks and talk to you again tomorrow. Bye.