SANS Stormcast Friday, December 19th, 2025: Less Vulnerable Devices; Critical OneView Vulnerability; Trufflehog Finds JWTs
SANS Internet StormCast

SANS Internet StormCast, Dec 19, 2025

AI Summary

The episode highlights a positive trend of fewer publicly exposed industrial control system devices and a roughly 50% drop in SSL 2.0/3.0 exposure, indicating improved server hygiene. It warns about a critical, unauthenticated remote‑code‑execution flaw in Hewlett‑Packard Enterprise OneView (CVSS 10.0) that should be patched before the holiday shutdown. Finally, it notes that Trufflehog now detects and validates JWTs using public‑key verification, helping teams identify truly exploitable tokens in code repositories.

Episode Description

Positive trends related to public IP ranges from the year 2025

https://isc.sans.edu/diary/Positive%20trends%20related%20to%20public%20IP%20ranges%20from%20the%20year%202025/32584

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1

https://trufflesecurity.com/blog/trufflehog-now-detects-jwts-with-public-key-signatures-and-verifies-them-for-liveness

Show Notes

SANS Stormcast – Friday, December 19, 2025

Handler on Duty: Guy Bruneau

Title: Less Vulnerable Devices; Critical OneView Vulnerability; Trufflehog finds JWTs


Highlights

  • Positive trends related to public IP ranges (2025) – Fewer industrial‑control‑system (ICS) devices and fewer systems with outdated SSL versions are exposed to the Internet. SSL 2.0 and SSL 3.0 systems have been cut down by about half.

    Source: https://isc.sans.edu/diary/Positive%20trends%20related%20to%20public%20IP%20ranges%20from%20the%20year%202025/32584

  • Hewlett‑Packard Enterprise OneView – Remote Code Execution – HP OneView Software contains an unauthenticated remote‑code‑execution vulnerability (CVSS 10.0). An attacker can gain full admin access to affected systems.

    Source: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1

  • Trufflehog now detects JWTs with public‑key verification – Trufflehog can locate JSON Web Tokens and validate them using public keys, confirming that the tokens are usable before reporting.

    Source: https://trufflesecurity.com/blog/trufflehog-now-detects-jwts-with-public-key-signatures-and-verifies-them-for-liveness
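The check the Trufflehog item describes, reduced to its core, as an added example that is not code from the podcast or the Trufflehog project: find JWT-shaped strings in a blob of text, then re-verify each one against the issuer's public key so that only tokens whose signatures actually hold are reported as live. The candidate regex, the choice of Ed25519 (JOSE alg "EdDSA") and the sample claims are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"regexp"
	"strings"
)

// Illustrative candidate pattern (not Trufflehog's detector): three base64url segments.
var jwtRe = regexp.MustCompile(`eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`)
var enc = base64.RawURLEncoding

// SignEdDSA mints a JWT with alg "EdDSA" (RFC 8037) so the scanner has a sample token to check.
func SignEdDSA(priv ed25519.PrivateKey, claims map[string]any) string {
	pl, _ := json.Marshal(claims) // claims are constructed for the example, so this cannot fail
	input := enc.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + enc.EncodeToString(pl)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// VerifyEdDSA re-checks the signature over header.payload with the public key; only a token
// whose signature verifies is worth reporting as a live credential.
func VerifyEdDSA(token string, pub ed25519.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("not a three-part JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	rawHdr, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "EdDSA" {
		return errors.New("malformed header or unexpected alg") // also rejects alg "none"
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// ScanText finds JWT-looking strings in text and records whether each one verifies (is live).
func ScanText(text string, pub ed25519.PublicKey) map[string]bool {
	live := map[string]bool{}
	for _, t := range jwtRe.FindAllString(text, -1) {
		live[t] = VerifyEdDSA(t, pub) == nil
	}
	return live
}
```

A token that fails verification (tampered payload, different issuer key, or a cut-off copy) is still worth a look, but the ones that verify are the ones to rotate and purge from the repository first.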


Podcast Transcript


Hello and welcome to the Friday, December 19th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

So a big note about the next couple of weeks, because we do have holidays sort of midweek both weeks. I'm planning on having at least a podcast on the Monday of each week. But aside from that, I'll play it by ear and see if there's any significant news to make a podcast worthwhile. Other than that, it'll probably just be the one podcast either Monday or Tuesday of each week.

And talking about holidays, something to celebrate is certainly that we do appear to have fewer exposed industrial control system devices and other simply exploitable devices than we had about a year ago. Jan took a look at some of the statistics in Shodan, and he has sort of been tracking them continuously over a couple of years now. And when it comes to just industrial control system devices there, I don't think it's a done deal yet in the sense that they're going to soon be dying out here. There seem to be some odd sort of peaks during the summer months when we have more industrial control devices exposed than we had during the winter. But overall, there seems to be a downward tendency, even though we are at about the same level as we had a year ago.

Where it looks much better is support for SSL version 3 and in particular SSL version 2. Both dropped approximately by half over the last year. So that's pretty good. Now, I was saying that it's unlikely that a server will be exploited because it's running SSL version 3, or SSL version 2 for that matter. But it's often an indicator that there are a lot of other things wrong with this particular server: that, you know, there's just no support for more modern ciphers based on outdated operating systems or outdated TLS libraries. So it's overall a good thing that these numbers are going down. We don't know why they're going down, if this is people actually cleaning them up or them basically just dying of old age.

HP Enterprise released an update for its OneView software fixing a single vulnerability with a CVSS score of 10.0. This vulnerability allows an unauthenticated hacker to basically gain full remote code execution as admin access to affected systems. So definitely that's a patch you probably want to roll out before you close down for the holidays, if possible. But what you really should check is that these systems are not remotely accessible. HP OneView is used essentially to remotely manage servers.

And then we got an early Christmas gift from the folks at Trufflehog. Trufflehog, the secret scanner that's extremely popular, has now added support for JWTs, or JSON web tokens. JWTs are a little bit tricky in the sense that, yes, you know, they're digitally signed credentials. But one thing that Trufflehog is kind of famous for is actually checking if these credentials are actually valid so that they can actually be used. And that's a little bit tricky with these JWTs unless you have the public key to verify that these credentials are actually properly signed. That's the support they now added to Trufflehog. So not only will it find JWTs, it'll also try to make sure that they work. And with that, that they're worthwhile to act on and probably remove from whatever repository Trufflehog found them in.

Well, and this is it for today. So thanks for listening. Thanks for liking and subscribing, and talk to you again on Monday, maybe Tuesday next week. Bye. Bye. Bye.


End of transcript.
