
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, December 16th, 2025: Current React2Shell Example; SAML woes; MSMQ issues after patch
Dec 16, 2025
Explore the surge of React2Shell exploits detected in honeypots, highlighting variations in malware delivery. Delve into the complexities of SAML authentication, where disagreements between XML parsers can lead to security vulnerabilities. Discover how attackers can abuse signed SAML error messages to forge assertions. Lastly, uncover Microsoft Message Queuing failures linked to a recent update, shedding light on the cascading effects of software patches. This discussion is packed with insights for anyone interested in cybersecurity.
Honeypots Show Repeated React2Shell Patterns
- Johannes Ullrich describes honeypot sightings of React2Shell variants that mostly repeat existing malware distribution patterns.
- One exploit attempted to download and mark a file executable but apparently failed to launch it, suggesting a partial or flawed payload.
Broad Scanning Indicates Exploit Maturity
- Johannes notes that Iranian actors scanning for React2Shell means the exploit wave is mature and widely known.
- When nation-state actors beyond initial exploiters show up, unpatched vulnerable systems are likely already exploited or scarce.
SAML Fragility From XML Parser Inconsistencies
- PortSwigger's analysis shows SAML is fragile because XML parsers and normalization disagree across libraries.
- Signed messages like error responses can be abused to craft assertions when signature verification and parsing are inconsistent.
