Caitlin Condon

@catc0n@infosec.exchange
1.3K Followers
711 Following
905 Posts
Adventurer. Takes a lot of photos, calls many places home. VP of research @vulncheck. Previously vulnerability research director @ Rapid7 + @metasploit. Opinions mine, etc. She/her.
Website: caitlincondon.com

Yooo @yeslikethefood wrote a neat bunch of words about developing an exploit for Gladinet Triofox CVE-2025-12480 that closely followed the real-world attack pattern Mandiant wrote about last month and attributed to UNC6485.

20+ requests, an AV config trigger, and an embedded PostgreSQL server later:

https://www.vulncheck.com/blog/triofox-exploit-cve-2025-12480

Tales from the Exploit Mines: Gladinet Triofox CVE-2025-12480 RCE | Blog | VulnCheck

Triofox CVE-2025-12480 exploitation from beginning to end, all sharp edges included.

VulnCheck

RE: https://infosec.exchange/@catc0n/115652530269125057

I'm still hiring 'em! Forever! Well probably not forever. But for the foreseeable future!

We wrote a little bit on FortiCloud SSO login bypass CVE-2025-59718 (and 59719). Both the known PoCs for the former are fake / invalid. There does appear to be real exploitation evidence, but detections based on fake PoCs ain't it (and it seems like that's where a lot of chatter is coming from)

https://www.vulncheck.com/blog/forticloud-sso-login-bypass

FortiCloud SSO Login Bypass Vulnerabilities Exploited in the Wild | Blog | VulnCheck

Fortinet disclosed two critical vulnerabilities on December 9 that arise from improper cryptographic signature verification and enable remote attackers to bypass SSO login on vulnerable devices. The vulnerabilities are being exploited in the wild.

VulnCheck

I suspect that current unemployment numbers are missing something. The numbers don't seem to reflect the reality I'm seeing on here or on LinkedIn. The number of people looking is higher than I've seen in my career, but the official numbers aren't that bad (4.6% in the US). So let's run a little unscientific experiment.

If you work in tech, or something broadly tech-adjacent, please vote and boost for reach.

Unemployed
Underemployed
Employed

React2Shell beyond Next.js: Our team tested exploitability and analyzed exploit patterns for *other* frameworks vulnerable to CVE-2025-55182. Notes on the four other frameworks we exploited successfully are in this blog, but it's important to note that none of these is anywhere close to the viable attack surface area that Next.js apps presented.

In other words, in an alternate universe where Next.js apps weren't vulnerable by default, this probably would've been a nothing-burger after all. Unfortunately (gestures at everything).

https://www.vulncheck.com/blog/react2shell-beyond-nextjs

What's Next: React2Shell Beyond Next.js | Blog | VulnCheck

VulnCheck's Initial Access Intelligence team analyzes React2Shell CVE-2025-55182 exploitability in frameworks that utilize the vulnerable components outside of Next.js alone, with emphasis on exploitation steps and potential fingerprinting paths.

VulnCheck

VulnCheck analyzed several hundred #React2Shell CVE-2025-55182 exploits so you don't have to!

Amid all the slop (and there's so, so much slop) were some interesting finds that understandably escaped attention, including an early in-memory webshell variant, a PoC with logic that loads the Godzilla webshell, and a repo that deploys a lightweight WAF to block React2Shell payloads entirely (!)

@albinolobster wrote about exploit characteristics in aggregate and broke out the cooler examples here:

https://www.vulncheck.com/blog/react2shell-github

React2Shell Exploits on GitHub | Blog | VulnCheck

VulnCheck reviewed the full wave of React2Shell exploits published on GitHub, discarding about half as broken or misleading and surfacing several genuinely interesting techniques from the rest. We curated the usable set, highlighted the notable variants, and made the entire approved dataset freely available in VulnCheck's Exploit Database (XDB).

VulnCheck

New analysis of #React2Shell CVE-2025-55182 probes and payloads hitting our canaries via @albinolobster. Upshot is that attackers don't seem to be doing all they *could* do with this vulnerability yet, have mostly been sticking to familiar patterns for now.

https://www.vulncheck.com/blog/react2shell-canaries

react2shell and What Our Canaries See | Blog | VulnCheck

We're already seeing active react2shell exploitation, and defenders need to know what it looks like. VulnCheck Canary Intelligence has captured real attacker probes and payloads, offering early insight into how operators are weaponizing the vulnerability. The post includes detailed examples and a list of observed IPs to support immediate defensive action.

VulnCheck

I've lost count of how many #React2Shell exploits our initial access intel group has reviewed, but it's a lot. Canary detections also going brr, unsurprisingly.

@yeslikethefood has a new blog out with:

• Common exploit variants and potential payload modifications
• The current PoC ecosystem
• VulnCheck canary detections (exploit attempts ongoing)
• Attack path observations
• Challenges for defenders, namely around detection

We've also released our in-memory webshell.

https://www.vulncheck.com/blog/reacting-to-shells-react2shell-variants-ecosystem

Reacting to Shells: React2Shell Variants & the CVE-2025-55182 Exploit Ecosystem | Blog | VulnCheck

An analysis of React2Shell variants, public exploits, paths to RCE, and implications for detection and response

VulnCheck

ChatGPT just called a version of a script I've had it modifying all day "final" and ooh buddy I like your confidence

Inside of you there are two wolves, one is screaming "you haven't collected novel empirical data at scale in a while!!" and the other is screaming, "science translation and communication is undervalued and should be done 10x more than just generating new projects!!"