Risky Business #818 — React2Shell is a Fun One
Podcast: Risky Business
Host: Patrick Gray
Co-host: Adam Boileau
Date: December 10, 2025
Episode Overview
This week, Risky Business dives deep into the recent “React2Shell” vulnerability shaking up the web app world, discusses ongoing Chinese APT activities, touches on new hardware security features in Linux, and rounds off with insights into board-level cybersecurity engagement (with sponsor Kroll’s Simon Onions). The tone is brisk, technical, and at times wryly humorous—a classic “Risky Biz” blend.
Main Theme: React2Shell and the Fast-Moving Modern Attack Surface
The episode’s heart is an in-depth breakdown of the “React2Shell” bug—a critical, remotely exploitable vulnerability in React server components, impacting modern JavaScript backend/frontend architectures. Adam and Patrick also discuss broader themes: the speed of software development versus security, lessons from recent incidents, and industry trends in risk management, especially at executive and board levels.
Key Discussion Points & Insights
1. React2Shell: What Is It and Why Does It Matter?
What Are React Server Components?
- [02:09] Adam Boileau:
“React is a framework that many people have heard of in the context of web development… Originally for client-side JS, but now kind of both client and server.”
Adam explains the shift from single-page applications to tightly-coupled frontend/backend JavaScript, highlighting the new communication protocols (where the bug is).
Anatomy of the Bug
- [03:01] Adam Boileau:
“It’s a deserialization flaw… in JSON encoding on the wire inside HTTP... The bug is quite clever. It leverages asynchronous execution properties of modern JavaScript to lead to code injection… CVSS 10… unauthed… that’s a good time bug.”
Patrick and Adam note the cleverness—and the risk—of bugs in fast-evolving frameworks.
Reflections on Containers, Microservices, and Mitigations
- [07:20] Patrick Gray:
“Is there any way you could just containerize this part of your web app and lock it down pretty hard…?”
- [08:25] Adam Boileau:
“We over-containerized things… 1000 HTTP requests on the backend to render one page… we need a middle ground.”
Madness of the Modern Software Cycle
- “Distributed programming is very, very hard. And we end up with flaws like this…” (Adam, [05:26])
Timelines & Exploit Hype
- [10:10] Patrick Gray:
“Proof of concepts gradually got smaller and smaller as people whittled down this bug… and then all hell breaks loose… Cloudflare dosing itself… 25 minute outage… APT crews out of China just going nuts with this thing… It’s a free-for-all.”
- [11:24] Adam Boileau:
“Shell everything right now while you can and deal with the mess later…”
Notable Quote (on the exploit race):
“When a bug like this drops that you don’t have foreknowledge of, it’s a race—who gets to shell it first and shore up their access…”
(Adam Boileau, [11:24])
Discussion of Impact Scope
- [11:50] Patrick Gray:
“Kevin Beaumont… was sort of downplaying this one… only affects 2% of orgs or something, but… go look at Shopify’s latest thing, which is called Hydrogen…”
- [13:01] Adam Boileau:
“Anyone deploying anything serious out of this is used to rolling it all the time… when it’s time to patch, they’re used to this…”
Will this be another “log4j”?
- [14:15] Patrick Gray:
“This sort of thing is going to make people go back and look at this code, right?... If there’s that bad mistake, maybe there’s other stuff that’s not so obvious… But it looks like we’re getting a happy ending here… not like log4j.”
2. Chinese APT Activity: Trends and Tactics
"Warp Panda" and VMware
- [15:43] Adam Boileau:
“CrowdStrike wrote up this particular actor… They use a tool called BrickStorm… pretty cool… written in Go… compromised ESX hypervisors… drop a SOCKS proxy on the guest VMs and then plumbing for C2… You can pivot through virtual desktops… blend in with all the network traffic…”
Advanced tooling lets Chinese APTs move laterally through enterprise environments, often by abusing old, unmaintained infrastructure.
3. N-Day Vulnerability Exploitation Patterns
Piling onto Bugs Before They Are Patched
- [18:18] Patrick Gray:
(Referring to an article by Alexander Martin in The Record): “Absolute mess of overlapping actors targeting n-day vulnerabilities… especially from China… when a bug’s about to be patched, other groups pile in…”
- Noted the difficulty in separating state actors, contractors, and cybercriminals.
- Discussion of China-based SharePoint teams and policy implications.
Nuance & Policy
- [20:17] Adam Boileau:
“Most of the SharePoint maintenance or dev teams are also in China… kinda requirements for software developers to cooperate with their government…”
4. Hardware—Linux Adds PCIe Encryption
Confidential Computing in the Cloud
- [22:38] Adam Boileau:
“The idea is, between CPU and PCIe peripherals—GPUs, mainly—you want to prevent a bus snooper from seeing traffic… Hardware vendors cooperated to enable a VM to trust it has a clear path out to the GPU…”
- [25:02] Patrick Gray:
“I feel like the reason this is happening is, as you say, for GPUs, probably a compliance thing… so people can tick the box…”
5. U.S. Policy and CISA Leadership Delays
Political Gridlock Over Shipbuilding
- [25:49] Patrick Gray:
“Sean Plankey’s nomination to lead CISA… not happening because of shipbuilding in Florida.”
Insight into how cyber leadership can be derailed by seemingly unrelated political issues.
CISA: Staffing and Future
- [27:54] Patrick Gray:
“CISA’s been pretty much gutted at this point… people are gone… taken a machine gun to the place and it ain’t what it used to be…”
6. Fun & Surreal: GrapheneOS and the Murder Suspect
Is It a Troll?
- [28:49] Patrick Gray:
“There’s a guy all over X complaining about GrapheneOS… the duress pin didn’t work… being investigated for murder… I think it’s hilarious… could be a troll…”
Adam’s Take
- [29:99] Adam Boileau:
“It’s such comedy reading… he comes back and defends himself, says, straight up stock GrapheneOS… and then people in the thread are like, so you’re telling us the evidence of the murders you did are on the phone? And he’s like, yes, yes, they are…”
A laugh-out-loud moment for the hosts, and a bit of meta-commentary on infosec subcultures.
7. Predator Spyware & Amnesty Report
- [31:01] Patrick Gray:
“Amnesty got ahold of internal training material… demoing remote access in what may be a live customer portal… Some experts say it looks more like a demo setup.”
- [34:57] Adam Boileau:
“Apparently, in the training, someone asks, ‘Is this a test system or live?’ The guy says, ‘No, this is the live thing.’ Honestly, the idea they would just TeamViewer into this—rings true to me.”
Sophistication Spectrum Among Customers
- [35:45] Adam Boileau:
“Pro shops don’t do operations… but for less sophisticated clients, they want the vendor to provide the whole package… There is a market.”
8. Ransomware: Downward Trend?
- [36:47] Patrick Gray:
“US Treasury data: ransomware payments fell by a third to $734 million last year, but the number of victims may remain the same.”
Wait on the Numbers
- [37:29] Adam Boileau:
“Graphs not honestly super compelling… ransomware’s had dips before… 2025 is the year when we find out if disruptions made a difference…”
9. Large Language Models & Inescapable Prompt Injection
- [37:57] Patrick Gray:
“NCSC says LLMs will always be vulnerable to prompt injection… Nice to see a prestigious agency say the same thing.”
- [38:30] Adam Boileau (on LLMs):
“The very nature of an LLM—context, predict next token. There is no instruction/data separation… Fundamentally, it cannot be solved.”
- [40:02] Patrick Gray:
“Whatever you think, this is your job now… Get on board. We’re going to this party.”
10. Cybercrime Comedy: The Actor Brothers
(Tweedledum & Tweedledummer)
- [40:40] Patrick Gray:
“Two guys, arrested for the second time, doing cybercrime stuff to the US government… using AI to cover their tracks.”
- [41:28] Adam Boileau:
“Apparently, they were asking [AI] how to delete logs from Windows Server 2012… What year is it? Which government agency is still running that?”
Sponsor Interview: Simon Onions, Managing Director, Cyber & Data Resilience, Kroll
[46:13–57:45] — Key Timestamps Across This Sponsor Segment
Where Are Boards at With Cyber?
- [46:13] Simon Onions:
“We’re typically not dealing with a generation of digital natives here. This is witchcraft to them, a dark magic they don’t understand… They’re just trusting someone else is fixing the problem. From a business governance perspective, you can’t do that anymore. This is an existential risk.”
Bridging the Understanding Gap
- [48:15] Simon Onions:
“I think some of that is a problem of our own making… Let me fix this for you. You don’t need to worry about the detail… We can’t do that anymore. We need to speak business language... impact to the business in terms of revenue, reputation, broader harm…”
Recent Incidents Raising the Temperature
- [49:29] Patrick Gray:
“Has [the JLR incident] really lit a fire under them?”
- [50:02] Simon Onions:
“History is littered with victims… peaks and troughs… but JLR not critical national infrastructure by law, though real economic impact…”
Tactical Advice for Engaging Boards
- [53:25] Simon Onions:
“Explain it in a way they understand—‘Why are we spending this much money? Why do you say it’s not enough?’... Beautiful thing: that lack of knowledge is real power, if you exercise it in the right way… If you as a CISO can’t explain it so others get it, you don’t understand it yourself.”
Risk Quantification & Adaptive Approaches
- [55:50] Simon Onions:
“Risk management in cyber is typically, ‘What controls do we have to mitigate this threat?’ What it should be is, ‘If those controls fail, where’s the impact on the business?’… How much money will I lose if this manifests, how likely is it to manifest?”
Memorable Quotes
- On Modern Coding:
  “We thought React was a client-side technology—how can it have a CVSS 10 remote code exec in it?”
  (A. Boileau, [06:29])
- On Chinese APTs’ Approach:
  “Shell everything right now while you can and deal with the mess later…”
  (A. Boileau, [11:24])
- On Board Engagement:
  “We can’t be selling this as black magic anymore… We have to migrate this into something that is a proper business consideration.”
  (Simon Onions, [48:27])
- On LLM Security:
  “There is no concept of separation between those things. It’s just give next token...”
  (A. Boileau, [38:30])
- On Changing Security Job Roles:
  “Whatever you think of this stuff, as a security professional, this is your job now.”
  (P. Gray, [40:02])
- On Tweedledum & Tweedledummer:
  “Nice to do things with your siblings—that’s always good.”
  (A. Boileau, [43:06])
Timestamped Highlights
| Timestamp | Segment | Summary |
|------------|----------------------------------------------|--------------------------------------------|
| 01:35 | React2Shell overview | Recap and technical setup |
| 10:10 | PoC release/incident timeline | How the exploit progressed, Cloudflare impact |
| 15:43 | Chinese APT "Warp Panda" & VMware | New tools, old targets |
| 18:18 | Chinese n-day bug exploitation | Analysis of overlapping threat actors |
| 22:38 | Linux PCIe encryption | Hardware confidentiality, cloud trust |
| 25:49 | CISA leadership drama | Political interference and consequences |
| 28:49 | GrapheneOS murder-suspect troll | InfoSec meets internet theater |
| 31:01 | Amnesty vs Predator spyware | Live access demo, TeamViewer, implications |
| 36:47 | Ransomware payments trending down | Treasury’s data; uncertain causality |
| 37:57 | LLMs & prompt injection | Unfixable class of bug, NCSC agrees |
| 40:40 | “Tweedledum & Tweedledummer” | Recidivist cybercrime meets dumb luck |
| 46:13–57:45 | Kroll: Boards & Cyber Risk (Simon Onions) | Deep-dive: board engagement, risk language |
Tone and Takeaways
- Language: Candid, irreverent, technical, with humor and healthy skepticism.
- Takeaways:
  - React2Shell: Yet another flashpoint in the modern “fast, break, patch” web app world, but the ecosystem may respond quickly due to its youth and pace.
  - Threat Landscape: Chinese APTs remain fast, aggressive, and highly capable—especially against neglected infrastructure.
  - Policy & Boards: Boardrooms are waking up, but progress is patchy—risk quantification and plain language are the next frontiers.
  - LLMs: Inherent flaws are now your problem as a security professional—get used to it.
  - Hilarity: Sometimes InfoSec’s weirdest stories are the most telling.
For more: Listen to the full sponsor segment for all of Simon Onions' practical recommendations for board-level cyber engagement—crucial for practitioners trying to move the needle at the executive level.
