SANS Stormcast Thursday, December 18th, 2025: More React2Shell; SonicWall and Cisco Patch; Updated Chrome Advisory

SANS Internet StormCast, Dec 18, 2025

AI Summary

The episode highlights evolving React2Shell attacks that now probe less common endpoints (paths such as /api and /app rather than just the index page) and add the RSC action header, reaching React Server Components deployments that never exposed Next.js; operators with unpatched systems should assume compromise. It also covers in-the-wild exploitation of Cisco Secure Email Gateway and Secure Email and Web Manager by the actor Talos tracks as UAT-9686, which requires an internet-exposed spam quarantine, and a SonicWall SMA1000 local privilege escalation that is chained with an earlier bug, with the advice to keep the appliance's admin interface off the public internet regardless of patch status. Finally, Google's updated Chrome advisory names the exploited "mystery" vulnerability as a WebGPU issue, CVE-2025-14765, with no new build; keep browsers current. Host Johannes Ullrich also mentions his upcoming SEC503 intrusion detection class.

Episode Description

Maybe a Little Bit More Interesting React2Shell Exploit

https://isc.sans.edu/diary/Maybe%20a%20Little%20Bit%20More%20Interesting%20React2Shell%20Exploit/32578

https://blog.talosintelligence.com/uat-9686/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019

https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html

Show Notes

SANS Stormcast – Thursday, December 18 2025

Handler on Duty: Jan Kopriva


More React2Shell; SonicWall and Cisco Patch; Updated Chrome Advisory

Maybe a Little Bit More Interesting React2Shell Exploit

Attackers are branching out to applications that the initial exploits may have missed. The latest wave goes after less common endpoints (paths such as /api and /app and variations of them, rather than only the index page) and sends the RSC action header, so it also reaches React Server Components deployments that do not expose Next.js. If you still run an unpatched system, assume compromise even if the first wave did not show it as vulnerable.

https://isc.sans.edu/diary/Maybe%20a%20Little%20Bit%20More%20Interesting%20React2Shell%20Exploit/32578
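A small hunt over reverse-proxy logs for this newer pattern, written here as an added example (it is not code from the diary or from the ISC). It assumes the proxy logs each request as one JSON line with the method, path, status and a lowercase header map; the sample lines are constructed. The header name `next-action` is the one Next.js uses for server actions and is an assumption, so change `RSC_ACTION_HEADER` to whatever your RSC framework uses. The point the diary makes, that probes now hit /api and /app style paths rather than just "/", is what `classify` separates out, and a 200 on such a probe is the record you triage first.

```python
"""Hunt for React2Shell-style probes that vary the target path.

Constructed example: the log lines below are made up. A real feed would be
reverse-proxy (e.g. nginx) access logs configured to record the request
method, path, status and the RSC action header as JSON.
"""
import json
from collections import defaultdict

# Assumption: the framework carries the server-action id in this header
# (Next.js uses "Next-Action"); adjust to what fronts your application.
RSC_ACTION_HEADER = "next-action"

# Path prefixes the later wave was seen probing, per the diary: /api and /app
# plus variations. Matched exactly or as a leading directory after normalising.
SUSPECT_PREFIXES = ("/api", "/app")

# Constructed sample: one source walking several paths with the action header,
# one legitimate API client, and one single probe against the index page.
SAMPLE_LOG = """\
{"src":"203.0.113.7","method":"POST","path":"/","headers":{"next-action":"a1b2c3","content-type":"multipart/form-data"},"status":200}
{"src":"203.0.113.7","method":"POST","path":"/api","headers":{"next-action":"a1b2c3"},"status":404}
{"src":"203.0.113.7","method":"POST","path":"/app/","headers":{"next-action":"a1b2c3"},"status":404}
{"src":"203.0.113.7","method":"POST","path":"/api/v1/login","headers":{"next-action":"a1b2c3"},"status":200}
{"src":"198.51.100.9","method":"GET","path":"/api/health","headers":{"user-agent":"curl/8.0"},"status":200}
{"src":"198.51.100.9","method":"POST","path":"/api/orders","headers":{"content-type":"application/json"},"status":201}
{"src":"192.0.2.44","method":"POST","path":"/","headers":{"next-action":"deadbeef"},"status":500}
"""


def normalise_path(path):
    """Drop the query string, lowercase, collapse '//' and trailing slashes."""
    path = path.split("?", 1)[0].lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/") or "/"


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def classify(record):
    """Return a reason string if the record looks like an RSC action probe, else None."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if RSC_ACTION_HEADER not in headers:
        return None
    if record.get("method", "").upper() != "POST":
        return None  # server actions are POSTed; anything else is noise here
    path = normalise_path(record.get("path", "/"))
    if path == "/":
        return "rsc-action-to-index"  # the first wave's pattern
    if any(_under(path, p) for p in SUSPECT_PREFIXES):
        return "rsc-action-to-api-or-app-path"  # the newer variant
    return "rsc-action-to-other-path"


def hunt(log_text, scan_threshold=3):
    """Return (findings, scanners): flagged records and sources that walk many paths."""
    findings = []
    paths_per_src = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reason = classify(record)
        if reason is None:
            continue
        paths_per_src[record["src"]].add(normalise_path(record["path"]))
        findings.append({"src": record["src"], "path": record["path"],
                         "status": record["status"], "reason": reason})
    # A source posting actions to several distinct paths is enumerating, not using the app.
    scanners = sorted(src for src, paths in paths_per_src.items()
                      if len(paths) >= scan_threshold)
    return findings, scanners


def successful_probes(findings):
    """Action POSTs that the app answered with 200: triage these as possible compromise."""
    return [f for f in findings if f["status"] == 200]


if __name__ == "__main__":
    found, scanning_sources = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f['src']:<14} {f['status']} {f['reason']:<32} {f['path']}")
    print("scanning sources:", scanning_sources)
    print("answered 200:", [f["path"] for f in successful_probes(found)])
```

Run it against a day of proxy logs and sort by `successful_probes` first: a 404 on /app is a miss, but a 200 to an action POST on a path your application does not serve actions from is exactly the case the diary describes, where the first-wave scan would not have flagged the host.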

UAT‑9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager

Cisco has published an advisory for an already-exploited vulnerability in Secure Email Gateway and Secure Email and Web Manager; Talos attributes the activity to UAT-9686 and describes the backdoors left on compromised appliances.

https://blog.talosintelligence.com/uat-9686/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4

SONICWALL SMA1000 Appliance Local Privilege Escalation Vulnerability

A local privilege escalation vulnerability, which SonicWall patched today, is already being exploited.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019

Google releases vulnerability details

Google updated last week’s advisory by adding a CVE to the “mystery vulnerability” and adding a statement that it affects WebGPU. No new patch was released.

https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html


Podcast Transcript


Hello and welcome to the Thursday, December 18th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

The React2Shell vulnerability is the gift that keeps on giving, in the sense that, well, we keep seeing new variations of the exploit. What's happening now is that attackers probably have realized that the original exploits, well, have been run against all available systems. So there are really diminishing returns in scanning the internet yet again with the same exploit. And we do see attackers vary a little bit. So, for example, they are changing the URL that they're targeting. We had this one that now looks, for example, for /api and /app and various variations of that, while the initial wave really just looked for the index page, which usually works, sort of, in these simple, not customized kind of applications. We also see them add the RSC action header, which shows that they're going a little bit away from just looking for Next.js, which of course, again, was the initial target of a lot of the exploits, but also looking for other reasons why the React Server Components may be installed and may be reachable. So, as before, well, if you still have an unpatched vulnerable system, assume compromise, even if the initial exploits may not have necessarily shown your system as vulnerable. We now definitely see attackers customizing and maybe also understanding the vulnerability a little bit better and how to get.

And then we do have a couple of vulnerabilities to talk about that are already being exploited. The first one affects the Cisco Secure Email Gateway and the Cisco Secure Email and Web Manager. For this particular vulnerability, actually, I don't think there's a patch available yet, but some configuration guidance. Also, Cisco has observed that there are specific backdoors being planted on exploited systems. So, Cisco actually released two articles here. One is sort of their standard security advisory. The second one is a report by their Talos research team that also includes additional indicators of compromise and talks more about the backdoors and their particular capabilities. This particular vulnerability is only exposed if you enable the spam quarantine feature on these appliances and if you're exposing this feature to the internet, which according to Cisco is not required. And neither of these is a default configuration, even though in an email gateway, I would imagine that a lot of people are enabling some kind of spam quarantine feature. Not sure how enticing it is to expose that to the internet. So, definitely check this article, or both of these articles, if you are using one of these devices. And this is sort of still a developing story. So, there may be updates to the advisory by the time you're actually listening to this.

And the second already exploited vulnerability that we now have a patch for is for SonicWall's SMA 1000 appliances. This is only a privilege escalation vulnerability. Apparently, it's being used in conjunction with a vulnerability that was patched early this year in order to take over affected devices. One interesting note in the recommendations here is that you should not only limit access to the SSL VPN admin interface for these devices, but also you should limit access to the SSL VPN admin interface. So, don't allow access to SSL via the public internet, but instead put some kind of VPN or other restricted access rules in between the user and the SSL interface on these appliances. That should be implemented regardless of whether you have the patch applied or not. So, it is not just sort of a workaround for this particular vulnerability.

And remember, last week Google released that sort of mystery update for Google Chrome where they stated that there is a vulnerability that's already being exploited, but they didn't really have a ton, or really any, details about it, including no CVE number. Well, today Google did re-release and update this particular advisory and now states that it's a vulnerability in WebGPU. And they assigned it a CVE number, CVE-2025-14765. So, we now have a little bit more detail here. Still, the links are broken and, well, there's also a little bit of a numbering change here. I'm not really sure what to make of it. Maybe I'm just a little bit too tired to find the right link here, but either way, it doesn't look like it's any specific new update. But before you shut down your system, just double-check that Google Chrome is up to date, just in case.

Well, and that's it for today. So, thanks for listening. And just a reminder, I'm teaching this week, actually, an online class, but it's sort of time zone-wise located in Europe. In April, I'll actually be teaching the same class, our Intrusion Detection class, SEC503, in Amsterdam. So, if you're interested, take a look at it, and hope to see some of you there. And that's it for today. Thanks for listening. Talk to you again tomorrow. Bye.
