SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, December 11th, 2025: Possible CVE-2024-9042 variant; react2shell exploits; notepad++ update hijacking; macOS priv escalation

SANS ISC Handlers

Tech News, News, Technology

🗓️ 11 December 2025

⏱️ 7 minutes

Summary

Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection)
We observed HTTP requests with our honeypot that may be indicative of a new version of an exploit against an older vulnerability. Help us figure out what is going on.
https://isc.sans.edu/diary/Possible%20exploit%20variant%20for%20CVE-2024-9042%20%28Kubernetes%20OS%20Command%20Injection%29/32554
React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182
Wiz has a writeup with more background on the React2Shell vulnerability and current attacks
https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
Notepad++ Update Hijacking
Notepad++'s vulnerable update process was exploited
https://notepad-plus-plus.org/news/v889-released/
New macOS PackageKit Privilege Escalation
A PoC was released for a new privilege escalation vulnerability in macOS. Currently, there is no patch.
https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html

Transcript

0:00.0

Hello and welcome to the Thursday, December 11th,

0:07.9

2025 edition of the SANS Internet Storm Center's Stormcast.

0:12.9

My name is Johannes Ullrich, recording today from Jacksonville, Florida.

0:18.0

And this episode is brought to you by the sans.edu master's degree program in

0:22.8

information security engineering. Well, in diaries today, we do have a detect that I associate

0:31.2

with a Kubernetes vulnerability that was patched last year, an OS command injection vulnerability.

0:39.3

This vulnerability was a fairly straightforward OS command injection in the node log query feature.

0:45.3

Wasn't widely exploited, in part because, at least at the time, this feature was still in beta and wasn't enabled by default.

1:02.0

Also, the user, in order to attack this feature, must have the privileges to actually query logs. Now, the way the exploit works was, you just sent essentially data to the logs endpoint,

1:08.0

and the pattern parameter was injectable.

1:12.0

Now, the OS command injection, there are a couple different ways how to often do that, with

1:16.0

like backticks or pipes or ampersand.

1:19.2

In this case, the attack worked by enclosing the operating system commands in parentheses,

1:25.7

leading with a dollar symbol.

1:28.0

So that very common shell extrapolation that is often used for these types of attacks.

1:35.3

Well, today I was actually looking for some React exploits.

1:40.8

And while sort of going to my logs, I found this other request that, well,

1:47.8

reminded me a little bit of this particular Kubernetes vulnerability.

1:52.5

So I wonder if it's related.

1:54.9

However, in this case, the OS command injection is not a command line parameter.

1:59.9

Instead, it's part of the URL.

2:03.1

But it still uses that same dollar parentheses pattern.

...
