Skip to content
.ca
sign in
4 minhigh

Intelligence Center

The Talos 2025 Year in Review highlights a dual threat landscape where attackers rapidly exploit newly discovered vulnerabilities like React2Shell while continuing to heavily target legacy flaws in embedded components such as Log4j and PHPUnit. Threat actors are increasingly focusing on identity-adjacent systems and network infrastructure to bypass authentication and segmentation, aided by Agentic AI accelerating exploit development.

Conf:highAnalyzed:2026-04-07reports

Authors: Kri Dontje

React2ShellToolShellIdentity SystemsVulnerability TrendsLog4Shell

Source:Cisco Talos

Key Takeaways

  • React2Shell (CVE-2025-55182) became the most targeted vulnerability in 2025 within just three weeks of disclosure.
  • Attackers continue to heavily exploit legacy vulnerabilities in embedded components like PHPUnit, ColdFusion, and Log4j.
  • Agentic AI is significantly reducing the time-to-exploit by rapidly building new proofs-of-concept and exploit kits.
  • Threat actors are prioritizing identity-centric systems, network management platforms, and perimeter devices to bypass MFA and segmentation.

Affected Systems

  • React Server Components
  • PHPUnit
  • Microsoft SharePoint
  • Adobe ColdFusion
  • Apache Log4j
  • Network management platforms
  • Firewalls and NGFWs
  • ADCs and load balancers
  • VPNs
  • Routers

Vulnerabilities (CVEs)

  • CVE-2025-55182
  • CVE-2017-9841
  • CVE-2025-49704
  • CVE-2025-49706
  • CVE-2025-53770
  • CVE-2025-53771
  • CVE-2013-0632
  • CVE-2021-44228
  • CVE-2021-44832
  • CVE-2021-45046

Attack Chain

Attackers leverage both newly disclosed vulnerabilities (like React2Shell) and legacy flaws (like Log4Shell) to gain initial access, specifically targeting remote code execution (RCE) flaws. They prioritize network appliances, identity-adjacent systems, and perimeter devices lacking EDR coverage. By compromising these identity and access brokers, attackers successfully bypass multi-factor authentication (MFA) and network segmentation to establish deeper control over the environment.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: Medium — EDR is highly effective on standard endpoints, but the article explicitly notes attackers target perimeter devices and network appliances specifically because they often lack EDR coverage. Network Visibility: High — Exploitation of network management platforms, firewalls, and load balancers relies heavily on network traffic, making network-based detection and WAF logs crucial. Detection Difficulty: Moderate — While legacy vulnerabilities have known signatures, the rapid weaponization of new CVEs via AI and the targeting of unmonitored perimeter devices makes consistent detection challenging.

Required Log Sources

  • Network IDS/IPS logs
  • Authentication logs
  • Web application firewall (WAF) logs
  • VPN and remote access logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Search for anomalous inbound network connections targeting known vulnerable endpoints associated with React Server Components, SharePoint, or legacy Log4j/PHPUnit deployments.WAF logs, Network flow dataInitial AccessMedium
Monitor for unexpected authentication bypasses or unusual access patterns originating from perimeter network devices (e.g., VPNs, load balancers) indicating identity system compromise.Authentication logs, Identity Provider (IdP) logsCredential AccessLow

Control Gaps

  • Lack of EDR on perimeter devices
  • Unpatched legacy embedded dependencies
  • Slow patch cycles for newly disclosed vulnerabilities

Key Behavioral Indicators

  • Exploitation of RCE flaws on perimeter devices
  • MFA bypass anomalies

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and patch systems vulnerable to the top 10 targeted CVEs of 2025, particularly React2Shell, ToolShell, and Log4Shell.
  • Audit internet-facing perimeter devices for exposure and apply available vendor updates.

Infrastructure Hardening

  • Evaluate identity-centric network components and management platforms for security gaps.
  • Implement strict network segmentation to limit lateral movement from perimeter devices.
  • Deploy EDR solutions to all compatible network appliances and servers.

User Protection

  • Enforce robust MFA policies and monitor for anomalous authentication events that might indicate MFA bypass.

Security Awareness

  • Educate IT and security teams on the accelerated exploit timelines driven by Agentic AI and the importance of rapid patching.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1078 - Valid Accounts
  • T1556 - Modify Authentication Process

Related