EPISODE · Dec 10, 2025 · 8 MIN
RadioCSIRT – Your Cybersecurity News for Wednesday, December 10th, 2025 (Ep.46)
from RadioCSIRT - English Edition · host Marc Frédéric GOMEZ
Welcome to your daily cybersecurity podcast.Microsoft refuses to fix a critical RCE vulnerability in the .NET framework affecting the SoapHttpClientProtocol class. Revealed at Black Hat Europe by researcher Piotr Bazydło from WatchTowr, the flaw enables arbitrary file writes through SOAP URL manipulation. Exploitation relies on unexpected support for FILE and FTP protocols by a class designed to handle HTTP only. Confirmed vulnerable products include Ivanti Endpoint Manager, Umbraco 8 CMS, and Barracuda Service Center, but the actual number of affected applications is likely massive.CERT-FR publishes advisory CERTFR-2025-AVI-1088 concerning four critical vulnerabilities in Ivanti Endpoint Manager 2024. CVE-2025-10573, CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662 enable remote arbitrary code execution, security policy bypass, and XSS injection. Only versions prior to 2024 SU4 SR1 are affected. The patch has been available since December 9th, 2025.CERT-FR also issues advisory CERTFR-2025-AVI-1084 concerning 17 Fortinet security bulletins covering 18 CVEs. The entire Fortinet portfolio is affected: FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiWeb, FortiSandbox, FortiExtender, FortiAuthenticator, FortiVoice, FortiSOAR, FortiPAM, FortiSRA, FortiSASE, FortiSwitchManager, and FortiPortal. Critical vulnerabilities include remote code execution, privilege escalation, and SQL injection.Finally, Spanish National Police arrests a 19-year-old individual in Igualada for theft and sale of 64 million personal data records from nine companies. Exfiltrated data includes DNI numbers, addresses, phone numbers, emails, and IBAN codes. The suspect used six online accounts and five pseudonyms to sell databases on underground forums. Authorities seized electronic equipment and froze a crypto wallet.We don't think, we patch!Sources:The Register: https://www.theregister.com/2025/12/10/microsoft_wont_fix_net_rce/CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1088/CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1084/The Record: https://therecord.media/spain-arrests-teen-suspect-data-theft-and-saleYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com
NOW PLAYING
RadioCSIRT – Your Cybersecurity News for Wednesday, December 10th, 2025 (Ep.46)
No transcript for this episode yet
Similar Episodes
No similar episodes found.
Similar Podcasts
No similar podcasts found.