
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, January 27th, 2026: PWD scanning; MSFT Office OOB Patch; Exposed Clawdbot
Jan 27, 2026
Scanners are appending pwd output to web URLs to hunt for exposed OS paths and config files. A new out-of-band Microsoft Office patch fixes an actively exploited COM/OLE bypass. Many Clawdbot instances are left exposed without access control, risking full remote takeover. Brief notes on Apple updates and recommended mitigations round out the discussion.
pwd In Web Scans Reveals Path-Guessing Trend
- Attackers are appending the literal output of pwd to web scan URLs to try to reveal filesystem paths mapped to web roots.
- This technique may succeed against certain misconfigurations or reveal data leakage in exposed files.
Apply Microsoft Office OOB Patch Now
- Install Microsoft's out-of-band Office patch or run the provided fix-it script to block unsafe COM control execution.
- For older Office versions, apply the specified registry change manually to mitigate active exploitation of CVE-2026-21509.
Lock Down Clawdbot Instances
- Do not expose Clawdbot instances to the Internet without access controls; add passwords or stop publishing proxies.
- Prefer connecting via VPN and restrict Clawdbot to loopback to avoid giving attackers full system access.
