Episodes

  • InfoSec.Watch Podcast — Episode 120: Control planes are attack planes
    Jan 13 2026

    Welcome back to the InfoSec.Watch Podcast, your weekly briefing on the security threats that matter.

    In Episode 120, we break down a clear and recurring theme across this week’s incidents: control planes have become prime attack planes.

    We start with active exploitation of a critical flaw in HPE OneView, underscoring why management-plane software must be treated as Tier Zero infrastructure. From there, we examine unpatchable risk posed by actively exploited, end-of-life D-Link DSL gateways, and a critical unauthenticated RCE (CVSS 9.8) in Trend Micro Apex Central, where compromise could allow attackers to disable security controls at scale.

    In the Vulnerability Spotlight, we cover:

    • A jsPDF path traversal flaw highlighting real-world software supply chain risk
    • Multiple Veeam Backup & Replication fixes, reinforcing why backup platforms remain high-value ransomware targets

    Our Trend to Watch looks at a growing enterprise data-loss vector: prompt-poaching via malicious browser extensions, where entire GenAI conversations — including sensitive code and data — are being exfiltrated from tools like ChatGPT.
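As an added example (not code from InfoSec.Watch), here is a manifest audit a defender could run over browser-extension manifests collected from endpoints to spot extensions positioned to read GenAI conversations. The extension manifests, the GENAI_HOSTS list and the risk thresholds are constructed assumptions; the match-pattern handling follows the Chrome host_permissions / content_scripts.matches syntax, host part only.

```python
"""Audit browser-extension manifests for access to GenAI chat origins.

Added example, not InfoSec.Watch code. Assumes you have gathered manifest.json
files from endpoints (Chrome/Edge keep them under the profile's Extensions
directory). Everything below is constructed sample data.
"""
import json

# Origins where a content script could read prompts and responses out of the DOM.
# Assumption: extend with the other assistants and internal GenAI portals you use.
GENAI_HOSTS = ("chatgpt.com", "chat.openai.com")

SAMPLE_MANIFESTS = {  # constructed manifests, not real extensions
    "prompt-saver": {
        "manifest_version": 3,
        "permissions": ["storage", "scripting"],
        "host_permissions": ["https://chatgpt.com/*", "https://*.openai.com/*"],
        "content_scripts": [{"matches": ["https://chatgpt.com/*"], "js": ["inject.js"]}],
    },
    "dark-mode-everywhere": {
        "manifest_version": 3,
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["dark.js"]}],
    },
    "weather-widget": {
        "manifest_version": 3,
        "host_permissions": ["https://api.weather.example/*"],
    },
    "legacy-mv2": {
        "manifest_version": 2,
        "permissions": ["tabs", "*://*.openai.com/*"],  # MV2 mixed URL patterns into permissions
    },
}


def pattern_covers(pattern, host):
    """True if a Chrome match pattern (host_permissions / content_scripts.matches) covers host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:          # plain API permission such as "tabs", not a URL pattern
        return False
    phost = pattern.split("://", 1)[1].split("/", 1)[0]
    if phost == "*":
        return True
    if phost.startswith("*."):        # "*.openai.com" matches openai.com and every subdomain
        base = phost[2:]
        return host == base or host.endswith("." + base)
    return host == phost


def audit(manifests, genai_hosts=GENAI_HOSTS):
    """Return {extension: {"risk": ..., "hosts": [...]}} for extensions reaching GenAI origins."""
    findings = {}
    for name, m in manifests.items():
        granted = list(m.get("host_permissions", [])) + list(m.get("permissions", []))
        injected = [p for cs in m.get("content_scripts", []) for p in cs.get("matches", [])]
        reachable = sorted(h for h in genai_hosts
                           if any(pattern_covers(p, h) for p in granted + injected))
        if not reachable:
            continue
        # A content script on the chat origin reads the conversation DOM directly (high);
        # a host permission alone still allows injected scripts or cookie-bearing requests (medium).
        reads_dom = any(pattern_covers(p, h) for p in injected for h in reachable)
        findings[name] = {"risk": "high" if reads_dom else "medium", "hosts": reachable}
    return findings


def load_manifests(paths):
    """Read manifest.json files from disk into the {name: manifest} shape audit() expects."""
    out = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            m = json.load(fh)
        out[m.get("name", path)] = m
    return out


if __name__ == "__main__":
    for ext, info in audit(SAMPLE_MANIFESTS).items():
        print(f"{info['risk'].upper():6} {ext}: {', '.join(info['hosts'])}")
```

Run it over manifests pulled by your endpoint agent and review every "high" hit by hand: a legitimate grammar or theme extension with a content script on the chat origin has exactly the same access as a prompt-poaching one, so the manifest tells you who can read the conversation, not who does.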

    We also discuss:

    • CISA’s move to formally retire early Emergency Directives in favor of a mature KEV-driven vulnerability process
    • Why organizations should adopt their own “KEV-style” prioritization model
    • Chainsaw, a high-performance open-source tool for rapid Windows EVTX triage

    In this week’s Actionable Defense Move, we walk through a 30-minute management-plane exposure sweep — a fast, high-impact exercise to identify publicly exposed admin interfaces before attackers do.
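One way to carry out the sweep described above, as an added example that is not the podcast's own script: run nmap against your public ranges with management ports selected, then triage the grepable output for management-plane services answering on non-internal addresses. The port map, the internal-network list and the scan text are constructed assumptions; documentation ranges stand in for real public addresses.

```python
"""Triage an nmap grepable (-oG) scan for management-plane services on public addresses.

Added example; not InfoSec.Watch's own tooling. Assumes a prior run such as
  nmap -sS -sU -p T:22,23,443,3389,5900,8443,9443,U:161,623 -oG sweep.gnmap <public ranges>
The scan text below is constructed sample data, with documentation ranges
(203.0.113.0/24, 198.51.100.0/24) standing in for real public addresses.
"""
import ipaddress
import re

# Ports that commonly front admin/control-plane services. Assumption: tune this
# map to your estate (e.g. the HTTPS port an appliance's admin UI actually listens on).
MGMT_PORTS = {
    22: "ssh", 23: "telnet", 161: "snmp", 443: "https (admin UI?)", 623: "ipmi",
    3389: "rdp", 5900: "vnc", 8443: "https-alt", 9443: "https-mgmt",
}

# Address space treated as internal; anything else counts as exposed.
# (ipaddress.is_global would also exclude the documentation ranges used below.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample, not a real scan)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 623/open/udp//asf-rmcp///\tIgnored State: closed (6)
Host: 203.0.113.11 ()\tPorts: 80/closed/tcp//http///, 8443/open/tcp//https-alt///
Host: 10.20.30.40 ()\tPorts: 22/open/tcp//ssh///
Host: 198.51.100.5 ()\tPorts: 443/filtered/tcp//https///
"""

# "Host: <ip> (<name>)\tPorts: <entries>[\tIgnored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+([^\t]*)")


def parse_gnmap(text):
    """Yield (ip, port, proto, state) for every port entry in -oG output."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports = m.groups()
        for entry in ports.split(","):
            # entry format: port/state/proto/owner/service/rpc/version
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            yield ip, int(fields[0]), fields[2], fields[1]


def is_public(ip):
    """Public here means 'not in any range we consider internal'."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposed_mgmt(text, mgmt_ports=MGMT_PORTS):
    """Return sorted (ip, port, label) for open management ports on public addresses."""
    findings = {
        (ip, port, mgmt_ports[port])
        for ip, port, _proto, state in parse_gnmap(text)
        if state == "open" and port in mgmt_ports and is_public(ip)
    }
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, label in exposed_mgmt(SAMPLE_GNMAP):
        print(f"EXPOSED {ip}:{port} ({label})")
```

Filtered ports are deliberately left out: the goal of the 30-minute pass is the list of interfaces an attacker can already reach, and each hit should be matched against an asset owner and either moved behind a VPN/bastion or justified in writing.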

    Final takeaway: attackers will always gravitate toward systems where privileges are concentrated. If a control plane must exist, it must be tightly restricted, aggressively patched, and continuously monitored.

    For a full written breakdown of these stories and more, subscribe to the InfoSec.Watch newsletter at infosec.watch, and follow us on X, Facebook, and LinkedIn for updates throughout the week.

    Thanks for listening to InfoSec.Watch! Subscribe to our newsletter for in-depth analysis at https://infosec.watch, and follow us for daily updates on X (Twitter), LinkedIn, and Facebook. Stay secure out there!


    10 min
  • InfoSec.Watch Podcast — Episode 119: WatchGuard VPN RCE, MongoDB MongoBleed, and WebRAT GitHub traps
    Jan 5 2026

    In this week’s episode of the InfoSec.Watch Podcast, hosts Grant Lawson and Sloane Parker break down the security stories that defenders can’t afford to ignore.

    The episode opens with urgent patching guidance for an actively exploited WatchGuard IKEv2 VPN remote code execution flaw, followed by analysis of “MongoBleed” (CVE-2025-14847)—a memory disclosure vulnerability in MongoDB now seeing real-world exploitation. Grant and Sloane walk through not just why these issues matter, but what defenders should be doing after patching, including log review, threat hunting, and hardening exposed services.

    The discussion then turns to a growing threat targeting security teams themselves: malicious GitHub proof-of-concept repositories that masquerade as exploit code but actually deploy WebRAT malware. The hosts explain how researchers and blue teams can safely handle PoCs without becoming the next breach.

    Other highlights include:

    • A breakdown of the Aflac breach notification affecting 22.65 million individuals and why incident response doesn’t end at containment
    • Ongoing DDoS disruptions impacting French postal and banking services, with a focus on operational resilience and customer communication
    • A Vulnerability Spotlight on a critical SmarterMail flaw enabling arbitrary file upload and likely RCE
    • Tool of the Week: Praetorian’s Gato, which maps attack paths in CI/CD environments using GitHub Actions and self-hosted runners
    • A Deep Dive into the accelerating weaponization of AI-driven phishing campaigns

    The episode wraps with an Actionable Defense Move of the Week, outlining a formal, repeatable process for safely handling exploit code, and a Final Word on why fundamentals—patching, exposure management, and disciplined workflows—still matter most, because neglecting them remains the fastest path to compromise.

    For full analysis, links, and takeaways, subscribe to the newsletter at infosec.watch and follow along on X, LinkedIn, and Facebook.



    11 min
  • InfoSec.Watch Podcast — Episode 118: Perimeter zero-days, email gateway attacks, and weaponized GitHub PoCs
    Dec 30 2025

    In this week’s InfoSec.Watch Podcast, we break down a series of critical security developments shaping the threat landscape. The episode opens with urgent guidance on two actively exploited, unauthenticated remote-code-execution vulnerabilities—one affecting WatchGuard Firebox appliances and the other impacting HPE OneView across multiple versions. The hosts outline the immediate actions every defender must take, from emergency patching to post-patch hunting and access-control validation.

    The Vulnerability Spotlight shifts to escalating attacks on email security gateways, a high-leverage target where compromise grants adversaries deep visibility and control across an organization’s communications. Grant and Sloane detail how attackers are abusing these systems for redirection, injection, and lateral movement—and why defenders must adopt a more aggressive hunt posture on these assets.

    In Trend to Watch, they examine a troubling new campaign uncovered by Kaspersky: a WebRAT distributed through GitHub repositories masquerading as Proof-of-Concept exploits. The campaign specifically targets students and early-career researchers, weaponizing curiosity to compromise analyst workstations. The hosts share essential operational security guidance for safely handling PoCs and research tooling.

    This week’s Quick Hits include new FBI IC3 warnings about rapport-building scams that shift victims to encrypted messaging apps—along with a reminder to expand phishing simulations to include voice and messaging impersonation scenarios.

    The Actionable Defense Move of the Week highlights a powerful preparedness tactic: creating a one-hour response checklist for critical edge devices and administrative interfaces. Grant and Sloane walk through what belongs on that list—from isolation steps and forensic captures to credential rotations and enhanced monitoring—emphasizing that speed, not perfection, wins the first hour of a zero-day event.

    They close with a Final Word on attacker strategy: adversaries are increasingly targeting high-leverage choke points such as email gateways, identity pathways, and management services. Real resilience now depends on reducing time-to-mitigate and protecting systems that function as force multipliers for attackers.

    Stay ahead of the threats that matter with this week’s briefing, and subscribe at infosec.watch for full coverage and daily updates.



    8 min
  • InfoSec.Watch Podcast — Episode 117: Choke Points Under Fire: Email Gateways, WebKit Zero-Days, and DPRK's $2B Crypto Heist
    Dec 22 2025

    In this week's InfoSec.Watch Podcast, we dive into the latest high-impact threats targeting enterprise security choke points.

    Key stories include:

    • A sophisticated campaign against Cisco Secure Email appliances, with essential guidance on hardening management interfaces and proactive threat hunting.
    • Chainalysis' alarming report on North Korea-linked actors stealing a record $2.02 billion in cryptocurrency in 2025 through fewer, more targeted attacks.
    • Ongoing disruption of municipal services, underscoring the urgent need for OT/IT segmentation and manual failover planning.

    The Vulnerability Spotlight focuses on two actively exploited Apple WebKit zero-days (now added to CISA's KEV catalog), emphasizing rapid patching via MDM and broader attack surface awareness.

    Also covered: FBI warnings on AI-generated voice deepfakes in impersonation scams, a new security tool called Proximity for scanning AI agent MCP servers, and practical defenses against evolving social engineering.

    The Actionable Defense Move of the Week: Build a pre-prepared one-hour containment checklist for critical edge and admin systems to enable fast, decisive incident response.

    Wrap-up theme: Attackers are zeroing in on high-leverage assets—make "time-to-mitigate" a core KPI for resilience in 2026 and beyond.

    Subscribe at infosec.watch for deeper analysis and daily updates. Stay secure!



    10 min
  • InfoSec.Watch Podcast — Episode 116: React2Shell mass exploitation, Apple & Microsoft zero-days, and the BRICKSTORM hypervisor breach
    Dec 18 2025

    This week’s episode dives into a packed slate of high-impact cybersecurity threats shaking the industry. We break down React2Shell (CVE-2025-55182) — a rapidly evolving remote code execution flaw driving mass scanning across the internet and prompting CISA to issue an urgent KEV directive. We also unpack Apple’s emergency WebKit zero-day patches and Microsoft’s latest actively exploited kernel and security-bypass vulnerabilities from December Patch Tuesday.

    The team explores BRICKSTORM, a stealthy backdoor campaign targeting VMware vSphere hypervisors through fileless techniques and persistent access to virtualization control planes — a growing focus for state-sponsored actors. They then analyze the massive Global Mart data breach, a four-month compromise stemming from a single misconfigured cloud storage bucket.

    Tool of the Week spotlights GreyNoise Threat Explorer, a powerful resource for separating malicious activity from internet background noise — especially valuable amid surging React2Shell exploitation.

    The episode closes with a look at Phantom Voice, a new wave of AI-generated voice-cloning phishing attacks capable of convincingly mimicking executives to trigger financial fraud and data exposure.

    Topics Covered:

    • React2Shell RCE and widespread exploitation
    • Apple & Microsoft zero-day patches underway
    • BRICKSTORM: hypervisor-level persistence against VMware
    • Global Mart breach impacting 50M customers
    • GreyNoise Threat Explorer
    • Phantom Voice AI-driven voice-clone phishing

    Stay ahead of emerging threats at infosec.watch and follow us on X, Facebook, and LinkedIn.



    8 min
  • InfoSec.Watch Podcast — React2Shell Supply Chain Risk, Android Zero-Days, and BRICKSTORM Hardware Sabotage
    Dec 9 2025

    In this week’s episode of InfoSec.Watch Weekly, Grant Lawson and Sloane Parker take listeners on a guided tour of the entire modern attack surface — from developer laptops to mobile devices to the physical circuit boards inside IoT hardware. Three major security stories illustrate how deeply interconnected and exposed the stack has become.

    We begin with React2Shell, a newly surfaced command-injection vulnerability in the widely used react-dev-utils package. Grant and Sloane break down how an attacker can hijack a developer’s workstation simply by manipulating the BROWSER environment variable — turning a harmless npm start command into a reverse shell. The discussion dives into real-world implications: source code theft, credential compromise, CI/CD tampering, and supply chain subversion. The hosts outline the immediate fixes, and the long-term lessons around SCA tooling, EDR visibility on developer endpoints, and securing the build environment itself.

    Next, the conversation shifts to two actively exploited Android zero-days uncovered in the latest Android Security Bulletin — one in the kernel and another in the Mali GPU driver. The hosts explain why GPU-level vulnerabilities are so dangerous, enabling screen capture, keystroke interception, and attack overlays at the hardware layer. The pair discuss BYOD risk, commercial spyware operators, and why MDM-powered patch gating and user education remain critical for corporate resilience.

    Finally, Grant and Sloane descend to the bottom of the stack with BRICKSTORM, a new piece of destructive malware designed not to steal or encrypt data but to permanently kill hardware. By abusing exposed JTAG debug ports, BRICKSTORM halts the CPU and overwrites the device’s bootloader with garbage — bypassing Secure Boot entirely and rendering the device unrecoverable. The hosts dig into what this means for critical infrastructure, operational technology, IoT fleets, and why cybersecurity strategy must now include physical security, supply chain controls, and hardware tamper protections.

    Throughout the episode, a recurring theme emerges: the corporate perimeter no longer exists. React2Shell targets the dev environment, Android zero-days compromise personal devices tied into corporate systems, and BRICKSTORM attacks the hardware itself. Defense-in-depth isn’t optional — it’s the only workable model across modern organizations.

    Tune in for practical insights, technical breakdowns, and the connective tissue between these headline stories.

    Follow us on X, Facebook, and LinkedIn — and subscribe at infosec.watch to get every briefing first.




    9 min
  • InfoSec.Watch Podcast — Episode 114: Identity zero-days, analytics leaks, and emergency-alert outages expose your weakest vendor links
    Dec 1 2025

    In this week’s InfoSec.Watch episode, hosts Grant Lawson and Sloane Parker analyze the top cybersecurity stories: an actively exploited Oracle IdM zero-day added to CISA’s Known Exploited Vulnerabilities catalog, OpenAI cutting off Mixpanel after a data breach, and ransomware disrupting the CodeRED emergency alert system. Additional coverage includes FortiWeb WAF vulnerabilities, SonicWall SSL VPN exploitation by Akira ransomware, Windows kernel privilege-escalation flaws, and the escalating risks posed by third-party vendor ecosystems.
    Stay ahead by subscribing at https://www.infosec.watch



    8 min
  • InfoSec.Watch Podcast — Episode 113: China-linked AI agents, logistics ransomware, and Germany’s NIS2 law are reshaping your 2025 risk map
    Nov 25 2025

    In this episode of the InfoSec.Watch Podcast, we unpack one of the most consequential weeks of cybersecurity developments in 2025: a rare convergence of AI-augmented state-backed espionage, logistics and retail supply-chain ransomware, and Europe’s accelerating drive toward digital sovereignty. We take you step-by-step through every story, every insight, and every actionable takeaway.

    Whether you're a CISO, a threat intelligence analyst, a red teamer, SOC lead, architect, or anyone responsible for defending modern infrastructure, this episode will help you make sense of a rapidly shifting threat landscape.

    We’ll explore how adversaries are leveraging cutting-edge technologies, why certain industries are becoming high-value systemic targets, and what new policies and vulnerabilities demand your immediate attention. From the rise of agentic AI in offensive operations, to the expanding blast radius of supply-chain–centric ransomware, to the geopolitical drivers behind Germany’s NIS2 implementation act, this episode equips you with the context you need to stay ahead.



    9 min