
SANS Internet StormCast
SANS Stormcast Thursday, December 11th, 2025: Possible CVE-2024-9042 Variant; React2shell Exploits; Notepad++ Update Hijacking; macOS Priv Escalation
AI Summary
The episode reviews a possible new variant of the CVE‑2024‑9042 Kubernetes OS command injection, noting its reliance on the $() shell‑expansion syntax and the requirement that the attacker already hold log‑query privileges. It then covers React2Shell attacks (CVE‑2025‑55182), emphasizing that the underlying flaw lies in React Server Components, so frameworks other than Next.js can be affected and WAF rules are only a stop‑gap. A Notepad++ update is highlighted for fixing an already exploited update‑hijacking issue caused by missing signature verification, with the reminder to validate server certificates and executable signatures when updating software. Finally, an unpatched macOS PackageKit privilege escalation, similar to the previously patched CVE‑2024‑27822, is described: the installer runs as root and loads a user‑owned shell profile file, letting user‑controlled content execute as root.
Episode Description
Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection)
https://isc.sans.edu/diary/Possible%20exploit%20variant%20for%20CVE-2024-9042%20%28Kubernetes%20OS%20Command%20Injection%29/32554
https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
https://notepad-plus-plus.org/news/v889-released/
https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html
Show Notes
SANS Stormcast – Thursday, December 11 2025
Handler on Duty: Brad Duncan
Podcast Detail
Title: Possible CVE‑2024‑9042 Variant; React2Shell Exploits; Notepad++ Update Hijacking; macOS Privilege Escalation
Audio: https://traffic.libsyn.com/securitypodcast/9734.mp3
Topics & Links
- Possible exploit variant for CVE‑2024‑9042 (Kubernetes OS Command Injection)
  https://isc.sans.edu/diary/Possible%20exploit%20variant%20for%20CVE-2024-9042%20%28Kubernetes%20OS%20Command%20Injection%29/32554
- React2Shell – Technical Deep‑Dive & In‑the‑Wild Exploitation of CVE‑2025‑55182
  https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
- Notepad++ Update Hijacking (v8.8.9 release notes)
  https://notepad-plus-plus.org/news/v889-released/
- New macOS PackageKit privilege escalation (no patch yet), similar to the previously patched CVE‑2024‑27822 (write‑up and PoC linked)
  https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html
Podcast Transcript
Hello and welcome to the Thursday, December 11th, 2025 edition of the
SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich,
recording today from Jacksonville, Florida. And this episode is
brought to you by the SANS.edu Master's Degree Program in Information
Security Engineering.
Well, in diaries today we do have a detect that I associate with a
Kubernetes vulnerability that was patched last year, an OS command
injection vulnerability. This vulnerability was a fairly straightforward
OS command injection in the node log query feature. It wasn’t widely
exploited in part because at least at the time this feature was still in
beta and wasn't enabled by default. Also, in order to attack this feature
the user must have the privileges to actually query logs.
Now, the way the exploit worked was you just sent essentially data to the
logs endpoint and the pattern parameter was injectable. The OS command
injection can be done with backticks, pipes, or ampersands. In this case,
the attack worked by enclosing the operating system commands in
parentheses leading with a dollar symbol – the common shell extrapolation
used for these types of attacks.
Today I was actually looking for some React exploits and while sorting
through my logs I found another request that reminded me a little bit of
this particular Kubernetes vulnerability, so I wonder if it’s related.
In this case the OS command injection is not a command‑line parameter;
instead it’s part of the URL, but it still uses that same $() pattern.
Also, at the end of the URL we have a static string “/logs/” just like
for the Kubernetes vulnerability. If anyone has ideas about what this
could be, let me know – it might be a slightly different variant of the
exploit or something new.
Talking about React‑to‑Shell, Wiz has a very nice blog summarizing some
of the attacks that are currently going around, which matches what we
are seeing. One point I think is important: we see most of the exploits
targeting Next.js, but the vulnerability is actually in the React Server
Components (RSCs); Next.js is just the most popular way those RSCs are
exposed. Other frameworks that expose RSCs could also be vulnerable, and
the exploit may work with some modifications, as Wiz points out, even
without Next.js. Keep that in mind when setting up your filters. Web
application firewall filters are meant to buy you time; they are not a
substitute for patching.
We also have a new update for Notepad++. Typically I don’t talk about
Notepad++ updates, but this one fixes an interesting and already
exploited security issue. Notepad++ didn’t verify signatures when it
downloaded updates, and attackers have hijacked traffic to Notepad++
servers. This is the only significant issue being fixed. Be careful when
updating software: verify server certificates and the executable’s
signatures.
Finally, there’s an interesting privilege‑escalation vulnerability in macOS
that currently has no patch and is relatively straightforward to exploit.
It’s similar to an older vulnerability patched last year (linked in the
show notes). The newer one hasn’t received a thorough write‑up yet, but
the basics are that the installer runs as root, uses the default C
shell, and can load a malicious C‑profile file owned by the user. That
allows a user‑controlled file to execute commands as root. I’m hoping
Apple will release patches soon; they’re due this week.
That’s it for today. Thanks again for any likes and recommendations.
If you leave comments on Apple Podcasts, let me know. Talk to you again
tomorrow. Bye.
End of transcript.
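The two request shapes the episode describes for CVE‑2024‑9042 and its possible variant (a $() or backtick subshell in the `pattern` query parameter of a node log query, and the same construct embedded in the URL path of a request ending in the static string "/logs/") can be hunted for in ordinary web server access logs. The script below is an example added here; it is not code from the ISC diary, the podcast, or the Kubernetes project. It assumes Common/Combined Log Format request lines, assumes that node log queries reach the kubelet through the API server node proxy path (.../nodes/<node>/proxy/logs/), and uses constructed sample log lines rather than real traffic.

```python
"""Flag OS-command-injection attempts of the $(...) / backtick style used against the
Kubernetes node log query feature (CVE-2024-9042) in web server access logs.
Added example; assumptions are marked in comments."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell constructs that have no business inside a URL path or a log-query pattern.
SUBSHELL_RE = re.compile(r"\$\([^)]*\)")   # $(cmd)
BACKTICK_RE = re.compile(r"`[^`]*`")       # `cmd`
# Pipes and separators are common in ordinary URLs, so they are only checked
# inside the `pattern` parameter of a node log query.
SEPARATOR_RE = re.compile(r"[|;]")

# Request line of a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumption: the transcript only says the URL ends in the static string "/logs/";
# the node-proxy prefix in the sample lines is an assumed deployment detail.
NODE_LOG_QUERY_RE = re.compile(r"/logs/$")


def decode_target(target, max_rounds=3):
    """URL-decode repeatedly so %2524%2528 -> %24%28 -> $( is still caught."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_node_log_query(path):
    return NODE_LOG_QUERY_RE.search(path) is not None


def inspect_target(target):
    """Return a list of (location, name, value) findings for one request target."""
    decoded = decode_target(target)
    parts = urlsplit(decoded)
    params = parse_qs(parts.query, keep_blank_values=True)
    log_query = is_node_log_query(parts.path)
    findings = []

    # 1) Injection via query parameters (the CVE-2024-9042 shape: `pattern`).
    for name, values in params.items():
        for value in values:
            if SUBSHELL_RE.search(value) or BACKTICK_RE.search(value):
                findings.append(("query", name, value))
            elif log_query and name == "pattern" and SEPARATOR_RE.search(value):
                findings.append(("query", name, value))

    # 2) Injection embedded in the path itself (the variant the diary describes).
    if SUBSHELL_RE.search(parts.path) or BACKTICK_RE.search(parts.path):
        findings.append(("path", None, parts.path))

    return findings


def scan_log(lines):
    """Return one dict per suspicious request line (1-based line numbers)."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = inspect_target(m.group("target"))
        if findings:
            decoded_path = urlsplit(decode_target(m.group("target"))).path
            hits.append({
                "line": lineno,
                "target": m.group("target"),
                "node_log_query": is_node_log_query(decoded_path),
                "findings": findings,
            })
    return hits


# Constructed sample lines (not real traffic). Lines 1-4 are attacks, 5-6 benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2025:10:01:02 +0000] "GET /api/v1/nodes/node-1/proxy/logs/?query=kubelet&pattern=%24%28id%29 HTTP/1.1" 200 512',
    '10.0.0.6 - - [11/Dec/2025:10:01:03 +0000] "GET /api/v1/nodes/node-1/proxy/logs/?query=kubelet&pattern=%60whoami%60 HTTP/1.1" 200 512',
    '10.0.0.7 - - [11/Dec/2025:10:01:04 +0000] "GET /api/v1/nodes/node-1/proxy/logs/?query=kubelet&pattern=%2524%2528id%2529 HTTP/1.1" 200 512',
    '10.0.0.8 - - [11/Dec/2025:10:01:05 +0000] "GET /%24%28id%29/logs/ HTTP/1.1" 404 0',
    '10.0.0.9 - - [11/Dec/2025:10:01:06 +0000] "GET /api/v1/nodes/node-1/proxy/logs/?query=kubelet&pattern=error HTTP/1.1" 200 512',
    '10.0.0.10 - - [11/Dec/2025:10:01:07 +0000] "GET /search?q=a|b HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because the target is URL-decoded before the query string is split, an encoded `&` inside a value becomes a separate parameter rather than part of the `pattern` value, which is why the separator check looks only for `|` and `;`; the `$()` and backtick checks run on every parameter and on the path, so they catch both the original request shape and the path-embedded variant regardless of parameter names.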