
SANS Internet StormCast
The episode opens with a deep dive into a Kubernetes log‑query vulnerability that was patched last year but still resurfaces in a new form. The original flaw allowed OS command injection through the pattern parameter, and the latest variant moves the payload into the URL, using the classic $(…) shell expansion. The host then points out a parallel attack chain targeting React Server Components. Although many signatures flag the abuse as a Next.js issue, the underlying weakness resides in the server‑side component architecture, meaning any framework exposing RSCs can be weaponized. Administrators are urged to add header‑based filters, but these are stop‑gap measures.
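The request pattern described above (a `$(…)` expansion smuggled into the `pattern` parameter, or elsewhere in the URL in the newer variant) is simple to hunt for in access logs once the URL has been decoded. The following Python is an added example written for this summary, not code from the diary or from Kubernetes; the log lines are constructed, and the `/logs/query` path is used only as the endpoint name the diary describes. It decodes each request target, then checks the path and every query parameter, not just `pattern`, so the variant that moves the payload out of `pattern` is caught by the same rule.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic). Lines 2-5 carry
# shell-expansion syntax in different places; line 4 is URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - "GET /logs/query?query=kubelet&pattern=error HTTP/1.1" 200
10.0.0.9 - - "GET /logs/query?query=kubelet&pattern=$(id) HTTP/1.1" 200
10.0.0.9 - - "GET /logs/query?query=$(whoami)&pattern=x HTTP/1.1" 200
10.0.0.7 - - "GET /logs/query?query=kubelet&pattern=%24%28uname%20-a%29 HTTP/1.1" 200
10.0.0.7 - - "GET /logs/query?query=kubelet&pattern=`ls` HTTP/1.1" 200
10.0.0.3 - - "GET /healthz HTTP/1.1" 200
"""

# $( ... ), backticks and ${ ... } are the shell constructs that turn a
# string into a command once it reaches a shell.
SHELL_EXPANSION = re.compile(r"\$\(|`|\$\{")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def find_shell_expansion(target):
    """Return a list of (location, value) pairs where shell expansion
    syntax appears in the decoded request target. Location is "path" or
    the name of the query parameter carrying the payload."""
    hits = []
    decoded = unquote(target)  # collapse one layer of percent-encoding
    parts = urlsplit(decoded)
    if SHELL_EXPANSION.search(parts.path):
        hits.append(("path", parts.path))
    # parse_qs decodes a second time, so double-encoded payloads are
    # caught as well.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SHELL_EXPANSION.search(value):
                hits.append((key, value))
    return hits


def scan_log(text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = match.group("target")
        hits = find_shell_expansion(target)
        if hits:
            findings.append({"line": lineno, "target": target, "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['hits']}")
```

Because the check runs over every parameter and the path, it also fires on the `query` parameter and on backtick expansion, which a signature keyed only to `pattern=$(` would miss. The rule is intentionally broad; a `$(` in a legitimate log search string would need to be allow-listed.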
Switching gears, Ullrich highlights a real‑world hijack of Notepad++’s automatic updater. The editor failed to verify digital signatures on downloaded binaries, allowing attackers to intercept traffic and deliver malicious executables. This incident underscores the critical need for end‑to‑end integrity checks: validate TLS certificates, enforce code‑signing verification, and consider using trusted package managers. For enterprises, the lesson extends beyond a single text editor: any software that auto‑updates without signature validation becomes a foothold for supply‑chain compromise.
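The two updater designs contrasted above, one that installs whatever the network returns and one that refuses anything it cannot authenticate, can be shown side by side without touching the network. The Python below is an added example for this summary, not Notepad++'s updater code. It stands in for code-signature verification with a pinned SHA-256 digest that, in a real updater, would come from a signed manifest (on Windows the binary itself would carry an Authenticode signature to check); the installer bytes and the substituted bytes are constructed, and the `fetch` callables simulate the download.

```python
import hashlib
import hmac
import ssl


class UpdateRejected(Exception):
    """Raised when a downloaded update fails integrity verification."""


# Constructed: the bytes the vendor actually published. Its digest is what a
# signed manifest (or a code signature) would vouch for.
GENUINE_UPDATE = b"MZ genuine-installer-bytes (constructed)"
GENUINE_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()

# Constructed: what an on-path attacker substitutes for the real download.
TAMPERED_UPDATE = b"MZ attacker-substituted-bytes (constructed)"


def make_https_context():
    """TLS context with certificate and hostname verification left on.
    Updaters that relax these settings are the ones interception defeats."""
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification must not be disabled")
    return ctx


def unsafe_install(fetch):
    """Vulnerable pattern: the bytes returned by the transport are handed
    straight to the installer with no integrity check."""
    return fetch()


def verified_install(fetch, expected_sha256):
    """Hardened pattern: the download is only accepted when its digest
    matches the pinned value; constant-time compare avoids leaking
    how many leading characters matched."""
    data = fetch()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise UpdateRejected(f"digest mismatch: expected {expected_sha256}, got {actual}")
    return data


def run_scenario():
    """Simulate an interception: both updaters receive the tampered bytes.
    Returns (unsafe_installed_tampered, verified_rejected, verified_accepts_genuine)."""
    intercepted = lambda: TAMPERED_UPDATE
    genuine = lambda: GENUINE_UPDATE

    unsafe_result = unsafe_install(intercepted)
    try:
        verified_install(intercepted, GENUINE_SHA256)
        rejected = False
    except UpdateRejected:
        rejected = True
    accepted = verified_install(genuine, GENUINE_SHA256) == GENUINE_UPDATE
    return unsafe_result == TAMPERED_UPDATE, rejected, accepted


if __name__ == "__main__":
    make_https_context()
    print(run_scenario())  # expected: (True, True, True)
```

The digest pin only helps if the pinned value reaches the client over a channel the attacker does not control, which is why the page pairs integrity checks with TLS certificate validation: a manifest fetched over unverified TLS can be swapped just as easily as the binary.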
The final segment covers an unpatched macOS privilege‑escalation bug that mirrors a previous vulnerability. When a package installer runs as root, it invokes the system C‑shell, which reads a user‑controlled .cshrc file. By planting malicious commands in that profile, an attacker can execute arbitrary code with root privileges. Although Apple is expected to release a fix soon, the discussion stresses that web‑application firewalls and request filters are only temporary shields. The only reliable defense remains timely patching, strict code‑signing policies, and monitoring for anomalous installer behavior.
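Until the installer fix ships, the user-controlled `.cshrc` files the bug reads are the thing worth auditing. The Python below is an added example for this summary, not code from the linked write-up: it walks a directory of home directories, reports `.cshrc` files that are writable by group or others, and flags any line that is not ordinary csh configuration (a comment, `setenv`, `set`, `alias`, `unset`, `umask`, `source`), since anything else runs as a command whenever a shell starts, including one started by a root installer. The home directories and their `.cshrc` contents are constructed in a temporary directory; the `build_fixture` helper exists only to make the audit runnable offline.

```python
import re
import stat
import tempfile
from pathlib import Path

# Lines that merely configure the shell. Anything outside this allow-list
# executes at shell start-up, which is the behaviour a root-run installer
# invoking csh exposes. Extend the list (if/endif, echo, ...) to taste.
CONFIG_LINE = re.compile(
    r"^\s*(#.*|setenv\s.*|set\s.*|alias\s.*|unalias\s.*|unset\s.*|umask\s.*|source\s.*)?$"
)


def audit_cshrc(home):
    """Audit one home directory. Returns a list of finding strings;
    an empty list means no .cshrc, or one containing only configuration."""
    rc = Path(home) / ".cshrc"
    findings = []
    if not rc.is_file():
        return findings
    mode = rc.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    for lineno, line in enumerate(rc.read_text(errors="replace").splitlines(), 1):
        if not CONFIG_LINE.match(line):
            findings.append(f"line {lineno} runs a command at shell start: {line.strip()}")
    return findings


def audit_all(homes_root):
    """Audit every subdirectory of homes_root (e.g. /Users) and return
    {username: findings}."""
    return {p.name: audit_cshrc(p) for p in sorted(Path(homes_root).iterdir()) if p.is_dir()}


def build_fixture():
    """Constructed test data: one benign profile and one that both runs a
    command at start-up and is world-writable."""
    root = Path(tempfile.mkdtemp(prefix="cshrc-audit-"))
    alice = root / "alice"
    alice.mkdir()
    (alice / ".cshrc").write_text("# benign profile\nsetenv EDITOR vim\nalias ll 'ls -l'\n")
    bob = root / "bob"
    bob.mkdir()
    rc = bob / ".cshrc"
    rc.write_text("setenv PATH /usr/bin\n/usr/bin/touch /tmp/marker-from-cshrc\n")
    rc.chmod(0o666)
    return root


if __name__ == "__main__":
    for user, findings in audit_all(build_fixture()).items():
        print(user, findings or "clean")
```

On the installer side, the corresponding hardening is to start the shell with `csh -f`, which skips `.cshrc` entirely, or to avoid handing a root context to an interactive-style shell at all; the audit above is the monitoring complement the page calls for while the vendor fix is pending.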
Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection)
https://isc.sans.edu/diary/Possible%20exploit%20variant%20for%20CVE-2024-9042%20%28Kubernetes%20OS%20Command%20Injection%29/32554
https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
https://notepad-plus-plus.org/news/v889-released/
https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html