SANS Stormcast Wednesday, December 10th, 2025: Microsoft, Adobe, Ivanti, Fortinet, and Ruby Patches
Host: Johannes B. Ullrich
Podcast: SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Date: December 10, 2025
Episode Overview
Today's episode provides a succinct yet thorough rundown of the most important security patches released on this December's Patch Tuesday. Johannes Ullrich highlights updates from major vendors—Microsoft, Adobe, Ivanti, Fortinet, and an open-source Ruby library—focusing on those issues most likely to impact IT professionals and security teams. While this month's cycle is considered somewhat lighter, a few vulnerabilities stand out for their exploitability and severity.
Key Discussion Points and Insights
1. Microsoft Patch Tuesday Breakdown
- Summary:
- Total of 57 vulnerabilities addressed.
- Only 3 rated as "critical."
- 1 already exploited in the wild, 2 publicly disclosed.
- Privilege Escalation in Cloud Files Mini Filter ([00:51]):
- The exploited vulnerability is a privilege escalation in Microsoft's Cloud Files Mini Filter driver.
- Although it is already being exploited, it is "only" a privilege escalation, not remote code execution.
- "Some of those driver issues and yes, that's already being exploited, but again only privilege escalation vulnerability." - Johannes B. Ullrich [01:08]
- Publicly Known, Not Yet Exploited Vulnerabilities:
- Invoke-WebRequest PowerShell vulnerability ([01:18]):
- Potential for code execution if -UseBasicParsing is not specified.
- Microsoft's update now warns users to add this parameter to mitigate the risk.
- "Really just clarified how to use this particular PowerShell function." [01:41]
- AI Copilot Plugin for JetBrains ([01:49]):
- Highlights the risks of AI-powered coding tools.
- The GitHub Copilot plugin update adds new constraints to reduce malicious code execution.
- "That's sort of where they added some additional constraints. We'll see how well they work to prevent some of these malicious code executions." [02:11]
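As an added example (not from the podcast or from Microsoft), the following PowerShell audit script uses the built-in PowerShell parser to list Invoke-WebRequest calls in a directory of scripts that omit the -UseBasicParsing parameter the advisory recommends; the function name, alias list and directory parameter are assumptions of this example.

```powershell
# Added audit script: report Invoke-WebRequest calls that lack -UseBasicParsing.
# Uses the PowerShell AST rather than a regex, so text inside comments and
# strings is not flagged. Note: PowerShell 6+ always uses basic parsing; the
# exposure is Windows PowerShell 5.1, where IE-based DOM parsing is the default.
param(
    [Parameter(Mandatory)][string]$Path   # directory tree to audit (assumed)
)

# Names that resolve to Invoke-WebRequest; curl/wget are aliases only in 5.1.
$aliases = @('invoke-webrequest', 'iwr', 'curl', 'wget')

function Find-UnsafeInvokeWebRequest {
    param([string]$ScriptPath)
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        $ScriptPath, [ref]$tokens, [ref]$errors)
    # Every command invocation anywhere in the file (recursive search).
    $calls = $ast.FindAll({ param($node)
        $node -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($call in $calls) {
        $name = $call.GetCommandName()            # $null if name is an expression
        if (-not $name -or $aliases -notcontains $name.ToLower()) { continue }
        # Accept abbreviated switches too (-UseBasic), as PowerShell does.
        # Limitation: parameters passed via splatting (@params) are not inspected.
        $hasFlag = $call.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            Where-Object { 'usebasicparsing'.StartsWith($_.ParameterName.ToLower()) }
        if (-not $hasFlag) {
            [pscustomobject]@{
                File = $ScriptPath
                Line = $call.Extent.StartLineNumber
                Call = $call.Extent.Text
            }
        }
    }
}

Get-ChildItem -Path $Path -Filter *.ps1 -Recurse | ForEach-Object {
    Find-UnsafeInvokeWebRequest -ScriptPath $_.FullName
} | Format-Table -AutoSize
```

Each reported line is a candidate for adding -UseBasicParsing before the script is run under Windows PowerShell 5.1.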
- Critical Vulnerabilities:
- All vulnerabilities rated "critical" are in Microsoft Office and Outlook.
- Described as the "good old Outlook/Office vulnerabilities we have every month." [02:22]
- No major surprises or threats beyond the usual.
Memorable moment:
"I don't really think that this is a terribly exciting patch Tuesday. Even like these three known and already exploited vulnerabilities aren't really that terribly big of a deal." - Johannes B. Ullrich [02:29]
2. Adobe Patch Tuesday Highlights ([02:37])
- Five Products Updated:
- Considered “on the lighter side” for Adobe.
- Products of Note:
- ColdFusion:
- Arbitrary code execution via unconstrained file upload.
- Attackers could upload a webshell; high likelihood of exploitation.
- Acrobat Reader:
- Code execution vulnerabilities; commonly exploited through malicious PDFs.
"Two of these products are sort of on my watch list of likely to be exploited products. One, ColdFusion, and we do have a big vulnerability here, an arbitrary code execution due to an unconstrained file upload..." [02:48]
3. Ivanti Endpoint Manager ([03:20])
- Stored Cross-Site Scripting in Admin Sessions:
- High risk, with a CVSS score of 9.6.
- Allows remote control of an administrator's browser during admin sessions.
- Can lead to significant damage if exploited.
"Certainly something where an attacker could do quite a bit of damage if they can essentially remote control an administrator's browser as part of an admin session." [03:36]
4. Fortinet Authentication Bypass ([03:47])
- Vulnerability Details:
- Affects FortiCloud single sign-on (SSO) logins.
- Any product that uses FortiCloud SSO is exposed to the authentication bypass.
- Recommended mitigation: turn off FortiCloud SSO until devices are updated.
- Likely Cause:
- Cryptographic issue, possibly algorithm confusion.
"Looks like some kind of cryptographic issue, maybe algorithm confusion or something like that... that often leads to these type of vulnerabilities." [04:01]
5. Ruby SAML Library Patch ([04:22])
- Nature of Vulnerability:
- XML parser discrepancy leading to inconsistent parsing of authentication data.
- Previous similar vulnerability was only partially fixed; this patch aims to completely address it.
- Potential impact: organizational authentication systems that rely on SAML.
"Apparently this is sort of one of those parser discrepancy issues where different XML parsers interpret data slightly differently and that often leads then to vulnerabilities..." [04:32]
Notable Quotes and Memorable Moments
- "Only 57 vulnerabilities being addressed here. Only three of these vulnerabilities were rated as critical." – Johannes B. Ullrich [00:18]
- "Really just clarified how to use this particular PowerShell function." [01:41]
- "Two of these products are sort of on my watch list of likely to be exploited products." [02:41]
- "Certainly something where an attacker could do quite a bit of damage if they can essentially remote control an administrator's browser as part of an admin session." [03:36]
- "Looks like some kind of cryptographic issue, maybe algorithm confusion or something like that and that's very common like in these single sign on systems..." [04:01]
Timestamps for Key Segments
- 00:05 – Introduction and episode theme
- 00:18 – Microsoft Patch Tuesday summary
- 00:51 – Exploited privilege escalation vulnerability
- 01:18 – PowerShell Invoke-WebRequest update
- 01:49 – AI Copilot plugin and IDE risks
- 02:22 – Critical Office/Outlook vulnerabilities
- 02:37 – Adobe patches, focus on ColdFusion and Acrobat Reader
- 03:20 – Ivanti Endpoint Manager, XSS vulnerability
- 03:47 – Fortinet SSO authentication bypass
- 04:22 – Ruby SAML library discrepancy patch
Conclusion
December’s Patch Tuesday is considered lighter but not without important issues, particularly for Adobe ColdFusion, Ivanti Endpoint Manager, and Fortinet SSO implementations. While Microsoft’s critical vulnerabilities tend toward the routine, security teams should pay special attention to the evolving patch for the Ruby SAML library and the potential for exploitation in products with high-value administrative access.
For further details and the latest analysis, listeners are encouraged to visit the SANS Internet Stormcenter website.
