SANS Stormcast Friday, December 12th, 2025: Local AI Models; Mystery Chrome 0-Day; SOAPwn Attack

SANS Internet StormCast

December 12, 2025 • 6 min

Key Takeaways

  • Running local AI models on Horizon chips reveals Proxmox pitfalls.
  • Chrome mystery 0‑day lacks CVE, coordination with vendors pending.
  • SOAP request handling flaw enables arbitrary file writes in .NET.
  • Hacktivist attacks target small manufacturers’ OT sensors and infrastructure.
  • Microsoft blames developers for SOAP vulnerability, not fixing core issue.

Pulse Analysis

The episode opens with a practical guide to deploying local AI models, specifically Gemma 3, on a modest home lab using a Horizon chip and Proxmox virtualization. Running models locally gives organizations greater data sovereignty and reduces reliance on cloud APIs, but the host notes several configuration hurdles (device passthrough, memory allocation, and networking quirks) that can trip up even seasoned engineers. By documenting these pitfalls, the discussion highlights the growing accessibility of edge AI while reminding practitioners that hardware compatibility and container orchestration remain critical success factors for secure, performant deployments.

The hosts then shift to a newly disclosed Chrome vulnerability described only as a “mystery 0‑day.” No CVE identifier has been assigned, and Google’s advisory offers a single line—“under coordination”—suggesting that the flaw may affect multiple browsers or shared libraries. This lack of detail underscores the challenges of coordinated vulnerability disclosure when multiple vendors are involved. Listeners are urged to keep Chrome up‑to‑date, as the patch is already rolling out, and to monitor vendor bulletins for related browsers that might share the same underlying component.

Finally, the show examines a critical SOAP handling weakness in .NET that can turn crafted file‑scheme URLs into arbitrary file writes or remote code execution. watchTowr Labs demonstrated a proof‑of‑concept exploit against Barracuda appliances, proving the issue is exploitable in real‑world products. Microsoft’s response places responsibility on developers rather than the framework, a stance that raises concerns for enterprises building .NET services. Coupled with a CISA report on hacktivist campaigns targeting small manufacturers’ OT sensors, the episode stresses the need for secure coding practices, timely patching, and robust monitoring across both IT and operational environments.

Episode Description

Using AI Gemma 3 Locally with a Single CPU

https://isc.sans.edu/diary/Using%20AI%20Gemma%203%20Locally%20with%20a%20Single%20CPU%20/32556

https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html

https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
