Hello and welcome to the Monday December 8th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Undergraduate Certificate Program in
Cybersecurity Fundamentals. Xavier lately found a wave of
different malicious files that all took a similar route in
order to obfuscate some of the code in AutoIT3. AutoIT3 is an
automation system. It's quite old going back to the early
2000s, but it's still being maintained, it's still being
updated, and it's still frequently being used to
manage Windows systems and essentially create small
scripts to automate some tasks on Windows systems. Now,
AutoIT3 has an interesting function called FileInstall.
FileInstall sounds a little bit like an include function.
If the script is parsed, then it's just read from the file
system. Now, what gets interesting is once you're
running a compiled AutoIT script, and that's kind of one
of the advantages of AutoIT. It's very easy to create the
binary executables, so you don't, as a malware author,
have to first install all of AutoIT on the system, but you
just run the executable or have the victim run the
executable. So when it's compiled, the file is
included in the binary at compile time. But what Xavier
also saw is that a temporary file is then being
created at runtime of the script, which of course
makes it easy to extract that file and analyze it. Xavier
goes a little bit over the different obfuscation
techniques being used in this particular example. Let me
have a quick update here on the React vulnerability, or
React2Shell as it has been known for the last
couple of days. There's a wide range of numbers being
quoted out there as to how many systems are vulnerable. Of
course, not every system running React or every system
running Next.js is vulnerable to this particular issue.
There was a quote there from Palo Alto that they observed
30 organizations actually being compromised. Of
course, we do see in honeypots, and others have seen in
honeypots, also many, many exploit attempts, and as a
result, if you are vulnerable, you probably have been
exploited, as I mentioned already on Friday. There was
also a little sort of side effect of this particular
React vulnerability and that was a brief Cloudflare outage
on Friday morning. What apparently happened here is
that Cloudflare tried to push out a configuration change in
order to better detect this vulnerability. There is also a
little bit of race going on there trying to find versions
of the exploit that bypass web application firewall
signatures. In response to that, Cloudflare made changes
to their systems that then in the end led to this outage
which I believe lasted about 20 minutes. So keep patching
and keep assuming a compromise. Web application
firewalls will help, but, like I said, there are active efforts
to find the exploit versions that will bypass web
application firewalls. So definitely don't solely rely
on your web application firewall. It may buy you time
but it will ultimately probably not prevent
exploitation.
I'm not sure how many are familiar with the Apache Tika
project, but it is an important project in that it is often
used to parse, and possibly test, file uploads and essentially
look at whether or not files are potentially
malicious. Now the main reason for the Apache Tika library is
to extract metadata and it can do so for an extremely large
set of file types, including PDFs. But the vulnerability
addressed now in Apache Tika core and the Apache Tika
parsers, in particular the PDF module, would allow an attacker
to submit a malicious PDF that will then lead to an XML
external entity attack. So something that you probably
want to address in particular if you are using this library
to look at malicious PDFs or use them to screen PDFs to
possibly detect any malicious content.
Well and this is it for today. So thanks for listening,
thanks for liking, thanks for subscribing and as always
special thanks for anybody leaving a comment in your
favorite podcast platform. That's it and talk to you
again tomorrow. Bye.
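Added illustration of the XML external entity (XXE) bug class that the Apache Tika segment above refers to. This is constructed example code for this page, not Apache Tika code and not anything from the podcast; it makes no claim about how Tika's PDF module or its metadata handling is written. It uses Python's standard-library SAX parser, whose external-entity resolution is a switchable feature, to show the vulnerable parser setting beside the hardened one on the same constructed payload. The file name, secret value and XML shape are all assumptions made up for the demo.

```python
"""XXE illustration (constructed for this page; not Apache Tika code).

A metadata XML blob declares an external entity that points at a local
file and references it in element content. A parser that resolves
external general entities copies the file's contents into the extracted
text; a parser with that feature disabled expands the entity to nothing.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Gathers all character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_metadata(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse metadata XML and return its concatenated text content, stripped.

    resolve_external=True stands in for a parser that honours
    <!ENTITY name SYSTEM "..."> declarations (the XXE-prone setting);
    False is the hardened setting, where such entities expand to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


def build_malicious_metadata(target_path: str) -> bytes:
    """Constructed sample payload: the DOCTYPE declares an external entity
    pointing at a local file, and the body references it so the file's
    contents land in the extracted 'title' field."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE metadata [\n'
        f'  <!ENTITY leak SYSTEM "{target_path}">\n'
        ']>\n'
        '<metadata><title>&leak;</title></metadata>\n'
    ).encode("utf-8")


def demo() -> dict:
    """Run the same payload through both parser settings and return what
    each yields, so the leak is visible as data rather than printed text."""
    secret = "local-secret-value"  # assumed stand-in for a file an attacker wants
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")  # assumed temp location
    try:
        with os.fdopen(fd, "w") as f:
            f.write(secret)
        payload = build_malicious_metadata(path)
        vulnerable = parse_metadata(payload, resolve_external=True)
        hardened = parse_metadata(payload, resolve_external=False)
    finally:
        os.unlink(path)
    return {
        "vulnerable": vulnerable,   # the secret file's contents
        "hardened": hardened,       # empty: entity expanded to nothing
        "leaked": vulnerable == secret,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point for anyone screening uploads with a metadata extractor is that the extractor itself is an XML consumer: a document's embedded metadata can carry a DOCTYPE, and the parser's external-entity setting decides whether the extraction step becomes a local file read. For Tika itself the fix is the patched release the advisory covers, not a configuration switch in this example.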