
SANS Internet StormCast
The latest Stormcast shows a promising decline in publicly exposed industrial control system (ICS) devices. Jan’s Shodan analysis reveals fewer vulnerable PLCs and SCADA endpoints than a year ago, with seasonal peaks still visible but overall numbers trending downward. At the same time, support for the legacy SSLv2 and SSLv3 protocols has been cut roughly in half, indicating that many operators are retiring outdated SSL/TLS stacks. Shrinking this attack surface leaves automated scans less to find and gives ransomware operators fewer footholds, reinforcing the broader industry push toward hardened network perimeters.
A more urgent alert centers on HPE OneView, where a newly disclosed vulnerability earned a perfect CVSS 10.0 rating. The flaw permits unauthenticated attackers to execute arbitrary code with full administrative privileges, effectively compromising any remotely managed server. Vendors recommend deploying the emergency patch immediately, especially before the holiday shutdown when IT staff may be scarce. Administrators should also verify that OneView interfaces are not exposed to the internet, as remote management portals are frequent targets for lateral movement.
TruffleHog, the open‑source secret scanner, has expanded its capabilities to locate JSON Web Tokens (JWTs) and validate their signatures against known public keys. This addition helps differentiate harmless test tokens from active credentials that could grant access to APIs or services. By confirming token authenticity, security teams can prioritize removal of truly exploitable secrets from code repositories and configuration files. Incorporating JWT verification into regular scanning pipelines strengthens secret‑management hygiene and reduces the risk of credential leakage in the era of cloud‑native development.
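The find-then-verify idea described above, as an added Go example that is not TruffleHog's code: it pulls JWT-shaped strings out of text and checks each signature against trusted public keys. It assumes EdDSA (Ed25519) tokens to stay short and a local key map indexed by `kid`; the names `scan` and `demo` and all sample tokens are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
)

var b64 = base64.RawURLEncoding
// jwtRe captures header, payload, signature; a base64url JSON object starts with "eyJ".
var jwtRe = regexp.MustCompile(`(eyJ[A-Za-z0-9_-]+)\.(eyJ[A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)`)

// scan gives one verdict per JWT-shaped string, using trusted keys indexed by "kid".
func scan(text string, keys map[string]ed25519.PublicKey) (out []string) {
	for _, m := range jwtRe.FindAllStringSubmatch(text, -1) {
		var hdr struct{ Alg, Kid string } // JSON keys match case-insensitively
		raw, _ := b64.DecodeString(m[1])
		json.Unmarshal(raw, &hdr) // a malformed header leaves Alg empty: "unsupported"
		sig, _ := b64.DecodeString(m[3])
		pub, known := keys[hdr.Kid]
		switch {
		case hdr.Alg != "EdDSA": // pin the algorithm; "none" and HMAC never verify here
			out = append(out, "unsupported")
		case !known:
			out = append(out, "unknown-key")
		case !ed25519.Verify(pub, []byte(m[1]+"."+m[2]), sig):
			out = append(out, "bad-signature")
		default:
			out = append(out, "verified")
		}
	}
	return
}

// demo scans constructed text: a signed token, an edited copy, an unlisted kid, an HS256 stub.
func demo() []string {
	enc := func(s string) string { return b64.EncodeToString([]byte(s)) }
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	h, p := enc(`{"alg":"EdDSA","kid":"k1"}`), enc(`{"sub":"sample"}`)
	s := "." + b64.EncodeToString(ed25519.Sign(priv, []byte(h+"."+p)))
	text := "live=" + h + "." + p + s + "\nedited=" + h + "." + enc(`{"sub":"edited"}`) + s +
		"\nother=" + enc(`{"alg":"EdDSA","kid":"k9"}`) + "." + p + s +
		"\nstub=" + enc(`{"alg":"HS256"}`) + "." + p + s
	return scan(text, map[string]ed25519.PublicKey{"k1": pub})
}

func main() { fmt.Println(demo()) }
```

Only the "verified" verdict marks a token whose signature matches a trusted key; the other three are candidates that could not be confirmed.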
Positive trends related to public IP ranges from the year 2025
https://isc.sans.edu/diary/Positive%20trends%20related%20to%20public%20IP%20ranges%20from%20the%20year%202025/32584
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
https://trufflesecurity.com/blog/trufflehog-now-detects-jwts-with-public-key-signatures-and-verifies-them-for-liveness