Security briefing: December 2025

December 2025 closed with multiple high-impact disclosures and incidents: the unauthenticated React2Shell RCE (CVE-2025-55182), the resurfacing of the BRICKSTORM backdoor, widespread MongoBleed data exposure (CVE-2025-14847), and a novel EtherRAT campaign that uses Ethereum smart contracts for C2. Organizations were urged to patch affected software, audit and segment MongoDB deployments, apply the IOCs and detections published by NSA/CISA and Sysdig, and strengthen visibility and resilience heading into 2026.

Keypoints

  • React2Shell (CVE-2025-55182) is an unauthenticated RCE in React Server Components; a public proof-of-concept appeared quickly, prompting urgent patching and monitoring guidance from Sysdig TRT.
  • BRICKSTORM, attributed to China state-sponsored actors, targets Linux cloud environments, mounts remote servers to victim VMs, extracts credentials, abuses cloud tooling/APIs, and enables lateral movement; NSA, CISA, and Canada’s CCS published a detailed report with IOCs and detections.
  • MongoBleed (CVE-2025-14847) is a long-standing zlib compression path flaw in MongoDB that allows unauthenticated memory probing and data leakage; tens of thousands of instances were reported at risk, requiring audits, patches, authentication, and segmentation.
  • Sysdig TRT discovered EtherRAT, a multi-stage campaign exploiting React2Shell that uses Ethereum blockchain smart contracts for command-and-control and deployed five distinct payloads; Sysdig published technical analyses and accompanying IOCs.
  • The European Space Agency confirmed a breach in which Bitbucket and JIRA access was compromised and roughly 200 GB of source code, tokens, and credentials were stolen; network segmentation limited the impact on core internal systems.
  • Operational events in December — Kubernetes 1.35 release and DDoS disruptions to La Poste/La Banque Postale — reinforced lessons to prioritize visibility, design for resilience, and share threat intelligence.
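The MongoBleed item above comes down to a short configuration audit: an instance is probeable only if an unauthenticated client can reach the wire protocol and negotiate the flawed zlib path. The script below is an added example, not Sysdig's or MongoDB's code. It parses the key/value subset of mongod.conf and flags the three weak settings (no authorization, listener bound to every interface, zlib among the negotiable compressors), then runs against a weak and a hardened constructed config. Option names are the documented mongod ones; the assumed defaults (loopback bind, zlib in the default compressor list) and removing zlib as a stop-gap are assumptions to confirm against the vendor advisory for the release you run. Patching remains the fix.

```python
"""Audit mongod.conf for the exposure that lets MongoBleed-style probing in.

Added example, not Sysdig's or MongoDB's code. Option names are the documented
mongod ones; the defaults below and the zlib stop-gap are assumptions to confirm
against the vendor advisory for your release. Patching is the fix; this is triage.
"""

DEFAULT_BIND_IP = "127.0.0.1"            # assumed mongod default (loopback only)
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"  # assumed mongod default compressor list


def parse_simple_yaml(text):
    """Parse the nested 'key: value' subset of YAML that mongod.conf uses.

    Supports indentation-nested mappings, scalar values and '#' comments.
    Lists, anchors and multi-line scalars are out of scope.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # a dedent closes deeper mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key.strip()] = value
        else:
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


def audit_mongod(cfg):
    """Return (check_id, message) findings; an empty list means no weak setting."""
    findings = []
    security = cfg.get("security", {})
    net = cfg.get("net", {})

    # 1. No authentication: anyone who reaches the port can speak the wire
    #    protocol, which is the precondition for unauthenticated probing.
    if security.get("authorization", "disabled") != "enabled":
        findings.append(("no-auth", "security.authorization is not 'enabled'"))

    # 2. Exposed listener: bound to every interface instead of a segmented one.
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    bind_ips = [ip.strip() for ip in str(net.get("bindIp", DEFAULT_BIND_IP)).split(",")]
    if bind_all or "0.0.0.0" in bind_ips or "::" in bind_ips:
        findings.append(("exposed-bind", "mongod listens on all interfaces; "
                         "bind to an internal address and firewall 27017"))

    # 3. zlib negotiable: a client can select the flawed compression path.
    compressors = str(net.get("compression", {}).get("compressors", DEFAULT_COMPRESSORS))
    if "zlib" in [c.strip() for c in compressors.split(",")]:
        findings.append(("zlib-enabled", "zlib is in net.compression.compressors; "
                         "drop it until the patched release is deployed"))
    return findings


# Constructed sample configs (not from any real deployment).
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from anywhere that can route to the host
security:
  authorization: disabled  # no credentials required
"""

HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5   # loopback plus the segmented app subnet
  compression:
    compressors: snappy,zstd    # zlib removed pending the patched release
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_mongod(parse_simple_yaml(conf))
        print(f"[{name}] {len(findings)} finding(s)")
        for check_id, message in findings:
            print(f"  {check_id}: {message}")
```

Run it against a real mongod.conf by reading the file into `parse_simple_yaml`; the weak sample yields all three findings and the hardened one yields none. The zlib check is deliberately conservative: it fires on the assumed default compressor list when the option is absent, because an omitted option still negotiates zlib.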

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – React2Shell allowed unauthenticated remote code execution against React Server Components, enabling arbitrary code injection and RCE. (‘React2Shell is a maximum severity, unauthenticated RCE vulnerability affecting applications built with React Server Components.’)
  • [T1003] OS Credential Dumping – BRICKSTORM extracts credentials from compromised systems to support persistence and lateral movement. (‘The malware enables persistent remote system control by mounting a remote server to the victim’s local VM, extracts credentials, and enables lateral movement.’)
  • [T1021] Remote Services – BRICKSTORM mounts a remote server to a victim VM and uses remote access mechanisms to move laterally within cloud environments. (‘The malware enables persistent remote system control by mounting a remote server to the victim’s local VM… and enables lateral movement.’)
  • [T1102] Web Service – EtherRAT uses the Ethereum blockchain and smart contracts as a command-and-control channel to receive commands. (‘…uses Ethereum blockchain smart contracts for command and control.’)
  • [T1498] Network Denial of Service – Threat actors launched a DDoS that disrupted La Poste and La Banque Postale services, taking websites and apps offline for hours. (‘On December 22, La Poste and La Banque Postale were impacted by a DDoS attack…’)
  • [T1078] Valid Accounts – BRICKSTORM drives legitimate cloud tooling and APIs with the credentials it harvests, so its activity looks like authorized administration and it persists in cloud environments. (‘It also abuses legitimate cloud tooling and APIs to evade detection and uses multiple layers of encryption to hide C2 communications.’)
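T1102 as EtherRAT uses it leaves a distinctive wire artifact: an implant that takes tasking from a smart contract has to read contract state, and over HTTP that means JSON-RPC read methods against an Ethereum node, sent from workloads that have no business talking to a blockchain. The hunt below is an added example, not Sysdig's detection or its published IOCs. It assumes the implant fetches commands with eth_call, eth_getStorageAt or eth_getLogs (the ordinary way contract state is queried) and that an egress proxy records each request as one JSON object per line with src, host and body fields, a constructed log format. Every hostname, contract address and function selector in it is constructed, not an indicator.

```python
"""Hunt egress logs for the JSON-RPC contract reads a blockchain-C2 implant needs.

Added example, not Sysdig's EtherRAT detection or its published IOCs. Assumes
the implant fetches tasking by querying a contract over JSON-RPC (eth_call,
eth_getStorageAt, eth_getLogs) and that the egress proxy logs each request as
one JSON object per line with "src", "host" and "body" (constructed format).
Every hostname, address and selector here is constructed, not an indicator.
"""
import json

# JSON-RPC methods that hand contract state or events back to the caller;
# an implant polling a contract for commands has to use one of these.
READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}

# Workloads with a legitimate reason to query Ethereum nodes (assumed empty).
ALLOWED_SOURCES = set()


def rpc_calls(body):
    """Yield JSON-RPC 2.0 request objects from a body; batches arrive as arrays."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return
    for item in doc if isinstance(doc, list) else [doc]:
        if isinstance(item, dict) and item.get("jsonrpc") == "2.0" and "method" in item:
            yield item


def describe_call(call):
    """Return (contract address, 4-byte selector) from a read call's params."""
    params = call.get("params") or []
    first = params[0] if params else None
    if isinstance(first, dict):   # eth_call / eth_getLogs: [{to|address, data, ...}, ...]
        data = str(first.get("data", ""))
        selector = data[:10] if data.startswith("0x") and len(data) >= 10 else None
        return first.get("to") or first.get("address"), selector
    if isinstance(first, str):    # eth_getStorageAt: [address, slot, block]
        return first, None
    return None, None


def hunt(log_lines):
    """Return one alert per contract read issued by a non-allowlisted source."""
    alerts = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue                      # malformed line: skip, don't crash the hunt
        if not isinstance(rec, dict) or rec.get("src") in ALLOWED_SOURCES:
            continue
        for call in rpc_calls(rec.get("body", "")):
            if call["method"] not in READ_METHODS:
                continue
            contract, selector = describe_call(call)
            alerts.append({"src": rec.get("src"), "host": rec.get("host"),
                           "method": call["method"], "contract": contract,
                           "selector": selector})
    return alerts


C2_CONTRACT = "0x" + "ab" * 20    # constructed address
SLOT_CONTRACT = "0x" + "cd" * 20  # constructed address

# Constructed proxy log: a benign API call, a single eth_call, a batched request
# mixing a harmless eth_blockNumber with a storage read, and a garbage line.
SAMPLE_LOG = [
    json.dumps({"src": "web-7f3", "host": "api.internal.example",
                "body": '{"q": "status"}'}),
    json.dumps({"src": "web-7f3", "host": "rpc.eth-node.example",
                "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                    "params": [{"to": C2_CONTRACT,
                                                "data": "0xdeadbeef" + "00" * 32},
                                               "latest"]})}),
    json.dumps({"src": "worker-2", "host": "rpc.eth-node.example",
                "body": json.dumps([
                    {"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []},
                    {"jsonrpc": "2.0", "id": 2, "method": "eth_getStorageAt",
                     "params": [SLOT_CONTRACT, "0x0", "latest"]}])}),
    "not json at all",
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

The alert carries the contract address and selector so an analyst can pivot from the first hit to every other host reading the same contract, which is the useful part of a blockchain C2 hunt: the node endpoint is shared infrastructure and blocking it alone proves little, but the contract address is the attacker's. Batches are unpacked because a single POST can hide the contract read among harmless calls.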

Read more: https://www.sysdig.com/blog/security-briefing-december-2025