Stormcast Week of Oct 24, 2025: WSUS RCE, Magento "SessionReaper" exploitation, DNS cache-poisoning fixes, and an Android/Termux infostealer

SANS Internet Storm Center’s Oct 24, 2025 Stormcast flags four items that should immediately shape triage and detection content across enterprise environments: an Android infostealer abusing Termux, active exploitation of Adobe Commerce/Magento “SessionReaper,” new cache-poisoning fixes for BIND and Unbound resolvers, and a released exploit for a critical WSUS deserialization RCE. Reference the minimal Stormcast entry and the full podcast summary for context (ISC diary 32418, podcast detail).

Below is a forensics-first breakdown: what to collect, where to hunt, and how to contain.

1) Android infostealer abusing Termux

SANS ISC documented a Python-based infostealer that relies on the Termux environment on Android to enumerate contacts, SMS, call logs, and location, exfiltrating via Telegram APIs (ISC diary). The sample (SHA-256: 7576cdb835cd81ceb030f89fe5266649ed4a6201547c84da67144f407684a182) was initially 0/64 on VirusTotal (VT record). Termux provides command wrappers like termux-contact-list, termux-sms-list, termux-call-log, and termux-location that the stealer invokes, with storage access granted via termux-setup-storage to map shared storage under /storage/emulated/0/… (Termux wiki, Termux filesystem docs).

Actionable artefacts and hunts:

• On-device file system (rooted acquisition or EMM/DFIR-capable MTD):
  • Termux app data and home: /data/data/com.termux/files/usr (prefix) and /data/data/com.termux/files/home (home). Look specifically for backdoor.py and references to termux-*-list commands as noted by ISC (ISC diary, Termux FS layout).
  • Mapped shared storage if termux-setup-storage was granted: symbolic links under ~/storage to /storage/emulated/0/… (Termux storage doc).
• Network indicators:
  • Outbound to Telegram Bot API domains/paths (e.g., api.telegram.org/bot<token>/sendMessage) as described in the malware’s exfil routine (ISC diary).
• Quick ADB triage (if you have custody and consent):

  # Is Termux installed?
  adb shell pm list packages | grep com.termux
  
  # Inspect Termux home (root or full-disk acquisition preferred)
  adb shell ls -la /data/data/com.termux/files/home
  adb shell grep -R "termux-contact-list\|termux-sms-list\|termux-call-log\|termux-location" \
      /data/data/com.termux/files/home 2>/dev/null || true
  

• MDM policy: if your fleet does not require developer shells on mobile, consider prohibiting Termux installation and enforce play-store allowlists/managed app catalogs (Termux app behavior).

Response guidance:

• Revoke Termux storage permission, review app inventory, and quarantine affected devices. If Telegram Bot tokens are recovered from the script, revoke them server-side.
• Treat exfiltrated device data (contacts/SMS/WhatsApp media paths referenced by malware) as compromised scope (ISC diary).

2) Adobe Commerce/Magento “SessionReaper” (CVE-2025-54236) actively exploited

Sansec reports active exploitation roughly six weeks after Adobe’s emergency patch, with only ~38% of stores patched, and observed payloads including PHP webshell drops and phpinfo probes (Sansec exploitation note, Oct 22). The root issue is a nested deserialization path in Magento’s Web API that can enable unauthenticated RCE under certain session storage configurations; Assetnote published a detailed patch-diff and exploitation analysis (Assetnote/Searchlight write-up). Adobe confirmed the bug and issued APSB25-88 with CVSS 9.1, noting in-wild exploitation and hotfix availability (Adobe APSB25-88, NVD entry). Sansec also highlighted active probes via /customer/address_file/upload and provided example attacking IPs, reinforcing mass-scan behavior (Sansec exploitation note).

Forensic artefacts and scoping (Magento hosts):

• Web logs:
  • Look for unauthenticated POSTs to Commerce REST API and to /customer/address_file/upload around Oct 22–present, spikes in phpinfo probes, and uploads to media/temp directories (Sansec exploitation note).
• Magento logs and paths:
  • Application logs: <magento-root>/var/log/system.log, debug.log, exception.log (Adobe Commerce logging, log locations).
  • Common webshell drop zones observed in past Magento compromises: under pub/media/, var/tmp/, var/, and other web-writable dirs; cross-check any new .php files created since the suspected intrusion window (Sansec exploitation note).

Quick hunts:

# Grep for suspicious admin-less uploads and phpinfo/webshell probes in access logs
zgrep -HnE "(POST|PUT) .*(/customer/address_file/upload|\.php\?a=phpinfo|phpinfo\.php)" \
  /var/log/httpd/*access* /var/log/nginx/*access* 2>/dev/null

# New PHP files in writable paths since Oct 21 UTC
find <magento-root>/pub/media <magento-root>/var -type f -name "*.php" -newermt "2025-10-21" -ls

Network/WAF tip:

# Suricata (very coarse) – flag uploads to the known probed path
alert http any any -> $HOME_NET any (msg:"Magento SessionReaper path probe"; \
  http.method; content:"POST"; http.uri; content:"/customer/address_file/upload"; \
  classtype:web-application-attack; sid:252554236; rev:1;)

Response and hardening:

• Patch immediately using Adobe’s hotfix or upgrade channels; APSB25-88 is the authoritative guidance (Adobe APSB25-88).
• If patching lags, place Commerce behind a capable WAF and scrutinize unauthenticated API endpoints; Sansec cautions mass exploitation is underway (Sansec exploitation note).
• Validate session storage configuration per the technical analysis and minimize attack preconditions (Assetnote/Searchlight).

3) DNS resolvers: BIND and Unbound cache-poisoning fixes

BIND 9 fixed CVE-2025-40780, a cache-poisoning risk due to weaknesses in the PRNG used for source-port and query-ID selection (CVSS 8.6; upgrade paths 9.18.41/9.20.15/9.21.14) (ISC advisory). Unbound released 1.24.1 for CVE-2025-11411, mitigating cache-poisoning via promiscuous NS RRSets in authority sections; the patch scrubs unsolicited NS/A records from replies (Unbound 1.24.1 release, Ubuntu CVE note). ISC noted no known active exploits for the BIND issue at publication (ISC advisory).

Resolver validation and logging (for scoping/anomaly review):

• Confirm versions on resolvers and upgrade per vendor guidance (ISC advisory, Unbound 1.24.1 release).
• Ensure DNSSEC validation is enabled (dnssec-validation auto;) on BIND, which is the recommended default in modern builds (BIND docs).
• Enable resolver query logging during scoping:
  • BIND named.conf logging example with category queries to file or syslog (NXLog BIND logging guide).
  • Unbound: logfile: "/var/log/unbound/unbound.log", log-queries: yes per manpage (Unbound manpage).
• Optional Unbound hardening knobs to reduce poisoning risk in general operations: harden-referral-path: yes, harden-below-nxdomain: yes, qname-minimisation: yes (use judiciously; some options have performance/compatibility notes) (Unbound manpages).

4) WSUS RCE (CVE-2025-59287): exploit released and out-of-band patches

The Stormcast notes a released exploit for a critical WSUS RCE from October Patch Tuesday; research shows an unsafe deserialization path in WSUS where the AuthorizationCookie provided to the GetCookie SOAP method is decrypted and passed to a legacy .NET BinaryFormatter without proper type validation, enabling unauthenticated RCE as SYSTEM (HawkTrace technical blog). Microsoft shipped an out-of-band update (e.g., KB5070892) and temporarily removed certain WSUS sync error details as a mitigation side effect (Microsoft support KB5070892, Microsoft WSUS monthly rollup note). Multiple advisories indicate active exploitation and urge immediate patching (Canadian Centre for Cyber Security, ACSC Australia, media coverage).

Key protocol references to align detections:

• WSUS SOAP methods and cookies: GetCookie on Client Web Service and GetAuthorizationCookie on DssAuth/SimpleAuth services (MS-WUSP GetCookie, MS-WSUSSS GetAuthorizationCookie, MS-WUSP GetAuthorizationCookie). HawkTrace shows the vulnerable flow and a PoC POST to /ClientWebService/Client.asmx with SOAPAction .../ClientWebService/GetCookie (HawkTrace).

IIS artefacts and quick hunts:

• Default IIS access logs: %SystemDrive%\inetpub\logs\LogFiles\W3SVC# (W3C format; confirm fields) (Microsoft IIS logging, Huntress IIS log paths).
• Hunt for anomalous, unauthenticated POSTs to WSUS SOAP endpoints, especially POST /ClientWebService/Client.asmx with high cs-bytes and subsequent worker crashes (500s) during the window between Oct 14–24.

PowerShell using LogParser to surface suspicious GetCookie calls:

$logRoot = "$env:SystemDrive\inetpub\logs\LogFiles"
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' \
  "SELECT to_timestamp(date,time) AS ts, c-ip, cs-method, cs-uri-stem, sc-status, sc-substatus, cs-bytes, sc-bytes, time-taken \
   FROM '$logRoot\W3SVC*\u_ex*.log' \
   WHERE cs-method='POST' AND (cs-uri-stem LIKE '%/ClientWebService/Client.asmx%' OR cs-uri-stem LIKE '%/SimpleAuthWebService/%' OR cs-uri-stem LIKE '%/DSSAuthWebService/%') \
   ORDER BY ts DESC" -i:W3C -resolveSIDs:ON

Microsoft Defender for Endpoint hunting (servers with network telemetry):

DeviceNetworkEvents
| where RemotePort in (8530, 8531) and InitiatingProcessFileName =~ "w3wp.exe"
| where Protocol =~ "Tcp" and ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessCommandLine
| order by Timestamp desc

Immediate response:

• Apply the out-of-band WSUS update (e.g., KB5070892 for Windows Server 2022; see Microsoft’s guidance and OS-specific KBs) and plan for a reboot on WSUS servers (Microsoft KB5070892).
• If patching is delayed, temporarily disable the WSUS role or block inbound 8530/8531 at the host firewall to render WSUS non-operational, per government advisories (Canadian Centre for Cyber Security, ACSC).
• Retrospective scoping with IIS logs and EDR for suspicious w3wp.exe child processes (RCE -> arbitrary process start), and review Windows Application logs for ASP.NET event 1309 spikes around exploit attempts (HawkTrace technical flow).

Priorities to update in your detection content this week

• WSUS servers:
  • Surface unauthenticated POSTs to /ClientWebService/Client.asmx and related SOAP endpoints; flag large cs-bytes requests and 500 errors clustering by source IPs (IIS W3C logging) (Microsoft IIS logging).
  • Alert on w3wp.exe spawning unexpected binaries or command shells post-request.
• Magento/Adobe Commerce:
  • Detect unauthenticated hits to /customer/address_file/upload and sudden new .php files in web-writable directories (Sansec exploitation note).
  • Monitor outbound connections from web servers to unfamiliar IPs immediately after suspicious API calls.
• DNS resolvers:
  • Inventory and patch BIND/Unbound versions; verify dnssec-validation on BIND and enable query logging during scoping (ISC advisory, BIND DNSSEC guide).
• Android fleet:
  • Alert on installation of Termux in corporate-managed environments unless explicitly required; watch for mobile egress to Telegram Bot APIs as an exfil channel (ISC diary).

Takeaways

• Patch now: WSUS (CVE-2025-59287) and Adobe Commerce/Magento (CVE-2025-54236) show active exploitation; apply Microsoft’s OOB updates and Adobe’s APSB25-88 hotfixes without delay (Microsoft KB5070892, Adobe APSB25-88, Sansec).
• DNS resolvers: upgrade BIND/Unbound and confirm DNSSEC validation; enable query logging temporarily to observe anomalies (ISC advisory, Unbound 1.24.1 release, BIND DNSSEC guide).
• Magento scoping: sweep logs and web-writable dirs for webshells and suspicious uploads; review var/log/*.log and audit recent file creates (Sansec, Adobe logging docs).
• WSUS detection: mine IIS W3C logs for SOAP POSTs to GetCookie endpoints and pivot to w3wp.exe child processes; if you can’t patch immediately, disable or isolate WSUS at 8530/8531 (HawkTrace, Canadian advisory).
• Mobile DFIR: for the Termux-based infostealer, pull app data under /data/data/com.termux/files/… and check for Telegram-based exfil; consider blocking Termux in managed fleets (ISC diary, Termux docs).