SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday, December 8th, 2025: AutoIT3 FileInstall; React2Shell Update; Tika Vuln

Dec 8, 2025
Malicious AutoIT3 scripts are using the FileInstall function to drop shellcode during execution, and the compiled samples show new obfuscation techniques. Meanwhile, the React2Shell vulnerability has set off a race to patch, with aggressive scanning and exploit attempts already under way. Finally, a recently patched XXE flaw in the Apache Tika library is a reminder to keep parsing libraries up to date, especially where they handle PDF input. This episode covers all three.
ANECDOTE

AutoIT3 Compilation Tricks Exposed

  • Johannes Ullrich describes how malicious AutoIT3 scripts use FileInstall to embed additional files (scripts or payloads) in the compiled executable at compile time and write them to a temporary location at runtime for extraction.
  • He notes that attackers layer various obfuscation techniques on top of compiled AutoIT3 to hide the shellcode delivery.
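As an added illustration of the FileInstall mechanism described above (this is example code written for these notes, not a sample from the episode and not any malware discussed in it), the script below bundles a benign file and drops it to the temp directory. The file name `bundled.txt` and the drop path are assumptions for the demo; the source argument to FileInstall must be a string literal, which is exactly why the embedding happens when Aut2Exe compiles the script rather than when it runs.

```autoit
; Added example for these notes (not from the episode): a benign demonstration
; of how FileInstall bundles a file at compile time and drops it at run time.
; "bundled.txt" is an assumed file that must sit next to this script when it is
; compiled with Aut2Exe. FileInstall's first argument has to be a literal string,
; so the file is read and stored inside the .exe by the compiler.
#include <FileConstants.au3>

Local $sDropPath = @TempDir & "\demo_payload.tmp"

; At compile time Aut2Exe stores bundled.txt inside the resulting executable.
; At run time this call writes that stored copy to $sDropPath.
; $FC_OVERWRITE (1) replaces an existing file of the same name.
If Not FileInstall("bundled.txt", $sDropPath, $FC_OVERWRITE) Then
    ; FileInstall returns 0 when the drop fails (for example, no write access).
    Exit 1
EndIf

; This is the point where the malicious variants from the episode would decode
; or execute the dropped content. The demo only reads it back and reports its size.
Local $sContent = FileRead($sDropPath)
MsgBox(0, "FileInstall demo", "Dropped " & FileGetSize($sDropPath) & " bytes to " & $sDropPath)

; Remove the dropped file. From the defender's side the remaining trace is a
; file create followed shortly by a delete under %TEMP%, both by this process.
FileDelete($sDropPath)
```

Compile with Aut2Exe (or the SciTE "Compile" command) rather than running the `.au3` directly; running the script uncompiled makes FileInstall behave like a plain file copy, which hides the point of the demo. The observable behaviour worth hunting for is the one the episode describes: a freshly started AutoIT3-compiled executable writing a file into the user's temp directory immediately after launch.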
INSIGHT

Rapid Exploitation Of React2Shell

  • Active exploitation followed the React2Shell disclosure almost immediately, and many exposed systems were likely targeted and compromised within a short window.
  • Web application firewalls may delay exploitation, but attackers rapidly craft payload variants that bypass WAF rules and signatures.
ADVICE

Patch Quickly And Assume Compromise

  • Patch vulnerable React/Next.js systems immediately, and assume compromise if a vulnerable system was reachable before the patch went in.
  • Do not rely on a web application firewall alone; combine it with layered defenses and have an incident response plan ready.