
SANS Internet StormCast
The latest Stormcast highlights a noticeable shift in the React2Shell attack chain. Early variants targeted generic index pages, but today's scanners probe deeper, requesting paths such as "/api" and sending React Server Components request headers such as "RSC-Action". This evolution suggests attackers have exhausted the low-hanging fruit and are now fine-tuning payload delivery to reach the vulnerable endpoint and bypass basic defenses. Organizations running React Server Components should treat any unpatched, internet-exposed instance as compromised even if the original exploit pattern never appears in their logs, because the attackers now appear to understand the underlying flaw better than before.
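The shift described above is something a defender can look for in web logs. The following detector is an added example written for this page (it is not from the ISC diary or the Stormcast); the JSON-per-request log format, the sample entries and the field names are constructed for illustration. The indicators it checks are the ones the summary names, "/api" paths and the "RSC-Action" header; the additional "Next-Action" header is an assumption based on how Next.js marks server-action requests, not something the page states.

```python
"""Flag HTTP requests that look like React2Shell-style RSC probes.

Added example for this page (not code from the ISC diary or the Stormcast).
The log format and sample entries are constructed; the "Next-Action"
header is an assumption (Next.js server-action marker), while "/api"
paths and "RSC-Action" come from the episode summary.
"""
import json

# Constructed sample log: one JSON object per request, with headers captured.
SAMPLE_LOG = """
{"src": "203.0.113.10", "method": "GET",  "path": "/",            "headers": {"User-Agent": "Mozilla/5.0"}}
{"src": "203.0.113.11", "method": "POST", "path": "/",            "headers": {"RSC-Action": "x", "Content-Type": "text/plain"}}
{"src": "203.0.113.12", "method": "POST", "path": "/api/login",   "headers": {"rsc-action": "1", "Next-Action": "abc"}}
{"src": "198.51.100.5", "method": "GET",  "path": "/api/health",  "headers": {"Accept": "application/json"}}
{"src": "203.0.113.13", "method": "POST", "path": "/_next/data",  "headers": {"Next-Action": "deadbeef"}}
"""

# Header names that mark a React Server Components action request.
# Compared case-insensitively: HTTP header names are not case sensitive,
# and the scanners in the diary vary the casing.
RSC_HEADERS = ("rsc-action", "next-action")


def indicators(record: dict) -> list[str]:
    """Return the indicator names matching one request record."""
    hits = []
    if record.get("path", "").startswith("/api"):
        hits.append("api_path")
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    for name in RSC_HEADERS:
        if name in headers:
            hits.append(f"rsc_header:{name}")
    return hits


def is_probe(hits: list[str]) -> bool:
    """An "/api" path alone is normal traffic; an RSC action header is
    what distinguishes a probe, whatever path it targets."""
    return any(h.startswith("rsc_header:") for h in hits)


def find_probes(log_text: str) -> list[dict]:
    """Parse the JSON-lines log and return the requests classified as probes."""
    probes = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        hits = indicators(record)
        if is_probe(hits):
            probes.append({"src": record["src"], "path": record["path"],
                           "indicators": hits})
    return probes


def probing_sources(log_text: str) -> dict[str, int]:
    """Count probe requests per source address, for blocking or enrichment."""
    counts: dict[str, int] = {}
    for probe in find_probes(log_text):
        counts[probe["src"]] = counts.get(probe["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for probe in find_probes(SAMPLE_LOG):
        print(probe)
    print(probing_sources(SAMPLE_LOG))
```

Note that a POST to "/" with an RSC header is flagged while a plain GET to "/api/health" is not: the page's point is that the request shape, not the path alone, is what changed, so the header is the primary indicator and the path is only supporting context.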
Cisco's Secure Email Gateway and Secure Email and Web Manager face a new exposure tied to the optional spam-quarantine feature. When that service is reachable from the internet, attackers have been able to plant backdoors and exfiltrate data, a risk amplified by the lack of a formal patch at the time of the episode. Cisco's advisory and the Talos research report provide configuration hardening steps, emphasizing that the feature should be reachable only from internal networks. In parallel, SonicWall's SMA 1000 appliances received a privilege-escalation patch that closes an exploit chain building on an earlier SSL-VPN flaw. The vendor advises restricting both SSL-VPN administrative access and SSH access to trusted networks or VPN tunnels, a best practice that remains vital regardless of patch status.
Google's recent Chrome advisory finally identified the previously unnamed WebGPU vulnerability as CVE-2025-14765 and confirmed that it is being exploited in the wild. Enterprises must verify that Chrome deployments are up to date to close this attack vector; the broken links in the advisory hint at how quickly the release was pushed out. The episode also mentions the upcoming SANS SEC503 intrusion-detection training in Amsterdam, underscoring the continuous need for skilled analysts to interpret evolving threats. Staying current on patches, configurations, and threat intelligence remains the cornerstone of effective cyber defense.
Maybe a Little Bit More Interesting React2Shell Exploit
https://isc.sans.edu/diary/Maybe%20a%20Little%20Bit%20More%20Interesting%20React2Shell%20Exploit/32578
https://blog.talosintelligence.com/uat-9686/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html