Handler on Duty: Johannes Ullrich
Threat Level: green
Podcast Detail
SANS Stormcast Tuesday, February 24th, 2026: Malicious JPEG Analysis; Calibre Vuln; jsPDF object injection; Roundcube Exploited
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9822.mp3
My Next Class
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
Another day, another malicious JPEG
https://isc.sans.edu/diary/Another%20day%2C%20another%20malicious%20JPEG/32738
Calibre Path Traversal Leading to Arbitrary File Write and Potentially Code Execution CVE-2026-26064 CVE-2026-26065
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-72ch-3hqc-pgmp
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w
CVE-2026-25755: PDF Object Injection in jsPDF (addJS Method)
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
Roundcube Webmail Exploited CVE-2025-49113 https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
https://www.openwall.com/lists/oss-security/2025/06/02/3
| Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
| Network Monitoring and Threat Detection In-Depth | Online | Arabian Standard Time | Jun 20th - Jun 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 26th 2026 |
Podcast Transcript
Hello and welcome to the Tuesday, February 24, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

Well, in diaries today, we have a malware analysis diary from Jan. Jan looked at, well, as he calls it, yet another malicious JPEG file. An image in this case, but what actually arrived initially, and Jan focused a little bit more on the downloader here, it was, well, a good old compressed, zip-compressed JavaScript file. Once decompressed, there was over a megabyte of data. However, most of the data was garbage. So first obfuscation technique here, where the attacker is just adding some random garbage to the file in order to extend its size, make it a little bit more difficult to sort of analyze it. Sometimes also, you know, fool then anti-malware engines into not actually looking at the file. Well, once all of that was removed, there were only a couple kilobytes left. Actually, in the end, only about a dozen or so lines that Jan actually had to de-obfuscate further. And, well, that's where he ended up with your standard downloader that would then download an image with attached scripts that would then, in the end, end up installing the Remcos RAT, well, remote access tool. So overall, fairly standard malware. A couple lessons here from this one. The From was actually faked and would not make it past properly configured DMARC, DKIM, SPF. So those techniques are definitely very useful. Often, even simple stuff like this gets missed by some anti-malware engines. So having that extra layer of basically fairly straightforward and simple defenses like DMARC certainly can make a difference here.

And if you're using Calibre in order to read e-books, well, pay attention.
There are two critical vulnerabilities that were patched a couple days ago that allow for arbitrary path traversal and with that also for code execution. The way this would be exploited is by someone tricking you into opening a crafted malicious e-book and that would then save files in arbitrary directories as you're opening it. And with that, of course, you easily then have arbitrary code execution if these files are then being saved in the right directories. This is a very common issue we've talked about a lot with sort of various compressed formats. Of course, e-books are often distributed in these compressed formats that then extract into multiple files. And that's exactly sort of what's happening here, where Calibre isn't careful enough as to where it actually extracts those files. And then you have sort of a standard path traversal. Again, there are two distinct vulnerabilities, but they're very similar and both have the same CVSS score of 9.3.

And then we have, a little bit e-book related, a vulnerability in jsPDF. jsPDF is a JavaScript library to create, read, parse PDFs. Of course, the problem with PDFs is that they may include JavaScript, and that's sort of, you know, where you have that good old problem, data and code being mixed, not properly sort of separated from each other. And yes, if a particular JavaScript segment is opened but not properly closed, you may have this execution of the JavaScript happening. This vulnerability is a little bit tricky in the sense that yes, there's a patch available, an exploit is available as well for it. But whether or not there's a problem for you depends a little bit on how you're using jsPDF, like what kind of PDFs you're rendering, what PDFs you're creating with it, where the data is coming from. So lots of dependencies here. So how risky this is in your particular use case, of course, all depends then on what untrusted data is really being fed here to jsPDF. I would still plead with you to just get it updated.
The next vulnerability is one that I was a little bit contemplating whether I should cover. And the reason I do cover it is that, well, it's in a webmail system. And I have the utmost respect for people who dare to create webmail systems. I think it's a very difficult thing to do securely given the complexities and of course the attack surface of email. But most people don't really use webmail systems that much that they created themselves or that are open source. So many people are going cloud these days for email and with that also for their webmail. The problem is that these systems are often used by people, well, that deal with more sensitive data that they don't just want to put in possibly an adversary's cloud. So that's why I think these kind of vulnerabilities are probably more important than one would sort of think offhand. Latest example here is Roundcube. There was a PHP deserialization vulnerability that was patched last June. It's now actively being exploited. We also had a couple of weeks ago, I didn't cover it back then, probably should have, in SmarterMail, another sort of open source and commercial webmail system that also is actively being exploited. Actually a more recent vulnerability that got hit there. So if you're running your own webmail system on-prem, make sure it's up to date. These vulnerabilities are often exploited fairly soon after they have been made public.

Well, and this is it for today. So thanks for listening. Thanks for liking and thanks for subscribing to this podcast. And just a reminder, if you're interested in any classes, the next class I'll be teaching is in April in Orlando and then end of April in Amsterdam. So take a look on the Internet Storm Center's website just below the show notes for the podcast. Thanks and talk to you again tomorrow. Bye.
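The Calibre segment above describes the general class of bug: an archive-based format (EPUB files are ordinary zip archives) whose member names are used to choose the output path, so an entry named `../../something` lands outside the extraction directory. The following is an added example, written for this page and not code from the podcast, from Calibre, or from the advisories; it does not reproduce the Calibre bug itself. It shows the check an extractor should make before writing any member: resolve the destination, resolve the candidate path, and refuse anything that does not stay below the destination. The archive contents are constructed inline for the demonstration.

```python
"""Added example: path-traversal ("zip slip") check for archive extraction.

Constructed demonstration, not Calibre's code. EPUBs are zip archives, so the
same check applies to any format that extracts members by their stored names.
"""
import io
import os
import tempfile
import zipfile


class UnsafeEntry(ValueError):
    """Raised for an archive member whose name would escape the destination."""


def safe_member_path(dest_dir, name):
    """Return the absolute path a member may be written to, or raise UnsafeEntry.

    Both the destination and the candidate are passed through realpath so that
    '..' segments, duplicated separators and symlinked parents are all resolved
    before the containment check. commonpath() then has to come back as the
    destination itself, otherwise the member points outside it.
    """
    # Absolute names and Windows drive letters are never legitimate in an e-book.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        raise UnsafeEntry(name)
    dest_abs = os.path.realpath(dest_dir)
    candidate = os.path.join(dest_abs, name.replace("\\", "/"))
    target = os.path.realpath(candidate)
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        raise UnsafeEntry(name)
    return target


def extract_archive(zip_bytes, dest_dir):
    """Extract an in-memory zip below dest_dir, refusing any escaping member.

    The check runs before the first byte is written, so a malicious archive
    leaves nothing behind. Returns the member names that were written.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every name first; one bad entry rejects the whole archive.
        for info in zf.infolist():
            safe_member_path(dest_dir, info.filename)
        for info in zf.infolist():
            target = safe_member_path(dest_dir, info.filename)
            if info.filename.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_zip(entries):
    """Build a zip in memory from {name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: a minimal well-formed EPUB layout and one that
# carries a traversal member. Neither is a real e-book.
BENIGN_EPUB = build_zip({
    "mimetype": b"application/epub+zip",
    "OEBPS/content.opf": b"<package/>",
})
MALICIOUS_EPUB = build_zip({
    "mimetype": b"application/epub+zip",
    "../../outside.txt": b"this must never be written",
})


def demo():
    """Extract both archives into fresh temp directories; report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["benign"] = extract_archive(BENIGN_EPUB, os.path.join(tmp, "book1"))
        try:
            extract_archive(MALICIOUS_EPUB, os.path.join(tmp, "book2"))
            results["malicious"] = "extracted"
        except UnsafeEntry as exc:
            results["malicious"] = "rejected: " + str(exc)
        # Confirm nothing was written above the destination.
        results["escaped_file_exists"] = os.path.exists(os.path.join(tmp, "..", "outside.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that `zipfile.ZipFile.extract()` in recent Python versions already strips leading `..` components, but code that computes its own output paths from member names, as many format converters do, has to perform this containment check itself; relying on the archive library's behaviour for one format gives no protection when the same code later handles another.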