SANS Stormcast Thursday, December 18th, 2025: More React2Shell; SonicWall and Cisco Patch; Updated Chrome Advisory
If the player below does not work, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9744.mp3
My Next Class
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
Maybe a Little Bit More Interesting React2Shell Exploit
Attackers are branching out to applications that the initial exploit wave may have missed. The latest wave targets less common endpoints (variations of /api and /app rather than only the index page) and attempts to exploit React Server Components deployments that do not expose Next.js.
https://isc.sans.edu/diary/Maybe%20a%20Little%20Bit%20More%20Interesting%20React2Shell%20Exploit/32578
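As an added example (not code from the ISC diary or this episode), the following Python hunts web access logs for the follow-on behaviour described above: POST requests carrying the RSC action header, split between the index/api/app paths the scanners use and custom paths that would indicate a more targeted probe. It assumes the log is one JSON object per request (the sample lines are constructed), that the action header is named Next-Action (an assumption; check what your framework build actually sends), and that the path pattern is a fair generalisation of the "/api, /app and variations" comment in the episode.

```python
"""Hunt for React2Shell-style probes in JSON web access logs.

Added example, not code from the ISC diary or this podcast. Assumptions:
  * one JSON object per request with ip, method, path and headers
    (the SAMPLE_LOG below is constructed, not real traffic);
  * the RSC action header is called Next-Action (assumed name; adjust
    ACTION_HEADER to whatever your framework emits).
"""
import json
import re
from collections import Counter, defaultdict

# Assumed header name, compared case-insensitively.
ACTION_HEADER = "next-action"

# Index page plus /api and /app variants: the paths hit by the mass scans.
# The regex generalises the episode's "/api and /app and various variations".
KNOWN_PATH = re.compile(r"^/(?:api|app)(?:/|$)|^/$", re.IGNORECASE)

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
{"ip":"203.0.113.5","method":"POST","path":"/","headers":{"Next-Action":"deadbeef","Content-Type":"multipart/form-data; boundary=x"}}
{"ip":"203.0.113.5","method":"POST","path":"/api","headers":{"Next-Action":"deadbeef"}}
{"ip":"203.0.113.5","method":"POST","path":"/app/login","headers":{"Next-Action":"deadbeef"}}
{"ip":"198.51.100.9","method":"GET","path":"/api/health","headers":{}}
{"ip":"198.51.100.9","method":"POST","path":"/api/login","headers":{"Content-Type":"application/json"}}
{"ip":"192.0.2.77","method":"POST","path":"/blog/post","headers":{"Next-Action":"cafebabe"}}
"""


def parse_log(text):
    """Yield one dict per non-empty JSON line; silently skip unparsable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_rsc_probe(rec):
    """True for a POST that carries the (assumed) RSC action header."""
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    return rec.get("method", "").upper() == "POST" and ACTION_HEADER in headers


def classify(rec):
    """Return 'known-path', 'custom-path' or None for one log record.

    'custom-path' is the interesting case: an action header sent to a route
    the mass scanners do not use, which suggests a tailored probe.
    """
    if not is_rsc_probe(rec):
        return None
    return "known-path" if KNOWN_PATH.search(rec.get("path", "")) else "custom-path"


def hunt(text):
    """Aggregate probe categories per source IP: {ip: {category: count}}."""
    hits = defaultdict(Counter)
    for rec in parse_log(text):
        category = classify(rec)
        if category:
            hits[rec.get("ip", "?")][category] += 1
    return {ip: dict(c) for ip, c in hits.items()}


if __name__ == "__main__":
    for ip, counts in hunt(SAMPLE_LOG).items():
        print(ip, counts)
```

Run it against your own export by swapping SAMPLE_LOG for the file contents; any "custom-path" hit against an unpatched host is the "assume compromise" case the episode describes.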
UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
Cisco's Secure Email Gateway and Secure Email and Web Manager receive a patch for an already-exploited vulnerability. The vulnerable component is the spam quarantine feature when it is exposed to the internet, and the Talos report adds indicators of compromise for the backdoors found on exploited systems.
https://blog.talosintelligence.com/uat-9686/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
SonicWall SMA1000 Appliance Local Privilege Escalation Vulnerability
A local privilege escalation vulnerability, patched by SonicWall today, is already being exploited, apparently chained with a vulnerability patched earlier this year to take over affected devices.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
Google releases vulnerability details
Google updated last week's advisory by assigning a CVE to the "mystery vulnerability" and stating that it affects WebGPU. No new patch was released.
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html
| Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
| Network Monitoring and Threat Detection In-Depth | Online | Arabian Standard Time | Jun 20th - Jun 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 26th 2026 |
Podcast Transcript
Hello and welcome to the Thursday, December 18th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

The React2Shell vulnerability is the gift that keeps on giving, in the sense that, well, we keep seeing new variations of the exploit. What's happening now is that attackers probably have realized that the original exploits, well, have been run against all available systems. So there are really diminishing returns in scanning the internet yet again with the same exploit. And we do see attackers vary a little bit. So, for example, they are changing the URL that they're targeting. We had this one that now looks, for example, for /api and /app and various variations of that, while the initial wave really just looked for the index page, which usually works sort of in these simple, not customized kinds of applications. We also see them add the RSC action header, which shows that they're going a little bit away from just looking for Next.js, which of course, again, was the initial target of a lot of the exploits, but also looking for other reasons why the React Server Components may be installed and may be reachable. So, as before, well, if you still have an unpatched vulnerable system, assume compromise, even if the initial exploits may not have necessarily shown your system as vulnerable. We now definitely see attackers customizing and maybe also understanding the vulnerability a little bit better and how to get.

And then we do have a couple of vulnerabilities to talk about that are already being exploited. The first one affects the Cisco Secure Email Gateway and the Cisco Secure Email and Web Manager. This particular vulnerability is actually, I don't think there's a patch available yet, but some configuration guidance. Also, Cisco has observed that there are specific backdoors being planted on exploited systems. So, Cisco actually released two articles here. One is sort of their standard security advisory. The second one is a report by their Talos research team that also includes additional indicators of compromise and talks more about the backdoors and their particular capabilities. This particular vulnerability is only exposed if you enable the spam quarantine feature on these appliances and if you're exposing this feature to the internet, which according to Cisco is not required. And neither of these is a default configuration, even though in an email gateway, I would imagine that a lot of people are enabling some kind of spam quarantine feature. Not sure how enticing it is to expose that to the internet. So, definitely check this article, or both of these articles, if you are using one of these devices. And this is sort of still a developing story. So, there may be updates to the advisory by the time you're actually listening to this.

And the second already exploited vulnerability that we now have a patch for is for SonicWall's SMA 1000 appliances. This is only a privilege escalation vulnerability. Apparently, it's being used in conjunction with a vulnerability that was patched early this year in order to take over affected devices. One interesting note in the recommendations here is that you should not only limit access to the SSL VPN admin interface for these devices, but also you should limit access to the SSL VPN admin interface. So, don't allow access to SSL via the public internet, but instead put some kind of VPN or other restricted access rules in between the user and the SSL interface on these appliances. That should be implemented regardless of whether you have the patch applied or not. So, it is not just sort of a workaround for this particular vulnerability.

And remember last week Google released that sort of mystery update for Google Chrome where they stated that there is a vulnerability that's already being exploited, but they didn't really have a ton of, or really any, details about it, including no CVE number. Well, today Google did re-release and update this particular advisory and now states that it's a vulnerability in WebGPU. And they assigned it a CVE number, CVE-2025-14765. So, we now have a little bit more detail here. Still, the links are broken, and well, there's also a little bit of a numbering change here. I'm not really sure what to make of it. Maybe I'm just a little bit too tired to find the right link here, but either way, it doesn't look like it's any specific new update. But before you shut down your system, update, just double check that Google Chrome is up to date, just in case.

Well, and that's it for today. So, thanks for listening. And just a reminder, I'm teaching this week actually an online class, but it's sort of time zone-wise located in Europe. In April, I'll actually be teaching the same class, our Intrusion Detection class, SEC503, in Amsterdam. So, if you're interested, take a look at it and hope to see some of you there. And that's it for today. Thanks for listening. Talk to you again tomorrow. Bye.