
SANS Stormcast Monday, December 8th, 2025: AutoIT3 FileInstall; React2Shell Update; Tika Vuln
Hello and welcome to the Monday, December 8, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals.

Xavier lately found a wave of different malicious files that all took a similar route in order to obfuscate some of the code in AutoIt3. AutoIt3 is an automation system. It's quite old, going back to the early 2000s, but it's still being maintained, it's still being updated, and it's still frequently being used to manage Windows systems and essentially create small scripts to automate some tasks on Windows systems. Now, AutoIt3 has an interesting function called FileInstall. FileInstall sounds a little bit like an include function. If the script is parsed, then it's just read from the file system. Now, where it gets interesting is once you're running a compiled AutoIt script. And that's kind of one of the advantages of AutoIt: it's very easy to create binary executables. So, as a malware author, you don't have to first install all of AutoIt on the system; you just run the executable or have the victim run the executable. So when it's compiled, then the file is included in the binary at compile time. But what Xavier also saw is that a temporary file is then being created at runtime of the script, which of course makes it easy to extract that file and analyze it. And Xavier is going a little bit over the different obfuscation techniques being used in this particular example.

Let me have a quick update here on the React vulnerability, or React2Shell as it has been known for the last couple of days. There's a wide range of numbers being quoted out there for how many systems are vulnerable. Of course, not every system running React or every system running Next.js is vulnerable to this particular issue.
There was a quote there from Palo Alto that they observed 30 organizations being actually compromised. Of course, we do see in honeypots, and others have seen in honeypots also, many, many exploit attempts, and as a result, if you are vulnerable, you probably have been exploited. As I mentioned already on Friday, there was also a little sort of side effect of this particular React vulnerability, and that was a brief Cloudflare outage Friday morning. What apparently happened here is that Cloudflare tried to push out a configuration change in order to better detect this vulnerability. There is also a little bit of a race going on there, trying to find versions of the exploit that bypass web application firewall signatures, and partly in response to that, Cloudflare made changes to their systems that then in the end led to this outage, which I believe lasted about 20 minutes. So keep patching and keep assuming a compromise. Web application firewalls will help, but like I said, there are active efforts to find exploit versions that will bypass web application firewalls. So definitely don't solely rely on your web application firewall. It may buy you time, but it will ultimately probably not prevent exploitation.
I'm not sure how many are familiar with the Apache Tika project, but it is an important project in that it's often used to parse, possibly test, file uploads and essentially look at files, whether or not they're potentially malicious. Now, the main reason for the Apache Tika library is to extract metadata, and it can do so for an extremely large set of file types, including PDFs. But the vulnerability addressed now in the Apache Tika core and Apache Tika parsers, in particular the PDF module, would allow an attacker to submit a malicious PDF that will then lead to an XML external entity attack. So, something that you probably want to address, in particular if you are using this library to look at malicious PDFs or use it to screen PDFs to possibly detect any malicious content.
Well, and this is it for today. So thanks for listening, thanks for liking, thanks for subscribing, and as always, special thanks for anybody leaving a comment in your favorite podcast platform. That's it, and talk to you again tomorrow. Bye.
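The Tika issue in the episode is an XML external entity (XXE) problem reached through PDF parsing; Tika itself is Java and the episode does not describe its fix. The following is an added Python illustration, not code from the podcast or from the Apache Tika project, of the general mitigation: screen the XML a file carries (here, XMP-style metadata packets, which PDFs embed) for DTD and entity declarations before any parser sees it, and reject packets that carry them. The function names, the rejection policy, and the sample packets are this example's own constructed assumptions.

```python
"""Screen XML metadata for XXE-enabling constructs before parsing it.

Added example; the sample packets below are constructed, and the function
names and policy are assumptions of this example, not Tika's API or fix.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The constructs an XXE (or entity-expansion) payload relies on. They are
# matched on the raw text so that no parser ever gets to resolve an entity.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_DECL_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


@dataclass
class ScreenResult:
    has_doctype: bool = False
    entity_declarations: int = 0
    external_entity_declarations: int = 0

    @property
    def risky(self) -> bool:
        # A metadata packet has no legitimate need for a DTD at all, so any
        # DOCTYPE or entity declaration is enough to reject it; external
        # declarations are reported separately because they are the XXE case.
        return self.has_doctype or self.entity_declarations > 0


def _normalize(data: bytes) -> bytes:
    """Fold UTF-16 input to UTF-8 so a byte-level regex cannot be evaded by encoding."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16").encode("utf-8")
    return data


def screen_xml(data: bytes) -> ScreenResult:
    """Inspect raw XML bytes for DTD/entity constructs without parsing them."""
    text = _normalize(data)
    return ScreenResult(
        has_doctype=DOCTYPE_RE.search(text) is not None,
        entity_declarations=len(ENTITY_DECL_RE.findall(text)),
        external_entity_declarations=len(EXTERNAL_ENTITY_RE.findall(text)),
    )


def parse_metadata_safely(data: bytes) -> dict:
    """Return {local tag: text} for the packet's leaf elements, or raise ValueError.

    The screen runs first, so the parser is only reached by packets with no DTD;
    the outcome therefore does not depend on the parser's own entity settings.
    """
    result = screen_xml(data)
    if result.risky:
        raise ValueError(
            f"rejected XML: doctype={result.has_doctype}, "
            f"entities={result.entity_declarations}, "
            f"external={result.external_entity_declarations}"
        )
    root = ET.fromstring(data)
    leaves = {}
    for el in root.iter():
        if len(el) == 0 and el.text and el.text.strip():
            leaves[el.tag.rsplit("}", 1)[-1]] = el.text.strip()  # drop '{ns}' prefix
    return leaves


def rejected(data: bytes) -> bool:
    """True if the screen rejects the packet (convenience for callers and tests)."""
    try:
        parse_metadata_safely(data)
        return False
    except ValueError:
        return True


# Constructed sample: an ordinary XMP packet as a PDF might embed it.
BENIGN_XMP = b"""<x:xmpmeta xmlns:x="adobe:ns:meta/">
  <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
           xmlns:dc="http://purl.org/dc/elements/1.1/">
    <rdf:Description rdf:about="">
      <dc:title>Quarterly report</dc:title>
      <dc:creator>constructed sample</dc:creator>
    </rdf:Description>
  </rdf:RDF>
</x:xmpmeta>"""

# Constructed sample: the same packet carrying an external entity declaration
# (the placeholder path stands in for whatever a payload would point at).
XXE_XMP = b"""<?xml version="1.0"?>
<!DOCTYPE x:xmpmeta [
  <!ENTITY ext SYSTEM "file:///placeholder/path/on/the/scanning/host">
]>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
  <dc:title xmlns:dc="http://purl.org/dc/elements/1.1/">&ext;</dc:title>
</x:xmpmeta>"""

# Constructed sample: internal entities only (entity-expansion style), still rejected.
INTERNAL_ENTITY_XMP = b"""<!DOCTYPE x [ <!ENTITY a "aaaa"> ]>
<x><title>&a;</title></x>"""

if __name__ == "__main__":
    for label, packet in (("benign", BENIGN_XMP), ("xxe", XXE_XMP),
                          ("internal", INTERNAL_ENTITY_XMP)):
        print(label, screen_xml(packet), "rejected" if rejected(packet) else "parsed")
```

The policy here is deliberately blunt: any DTD in a metadata packet is rejected rather than trying to judge which entities are harmless, because the screen runs before parsing and so cannot be bypassed by parser-specific entity handling. The UTF-16 fold is the caveat a practitioner should not skip; a byte-level pattern only protects the encodings it actually inspects.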
Host: Johannes B. Ullrich
Episode Theme:
A concise overview of emerging cybersecurity threats and vulnerabilities, including malware using AutoIT3 FileInstall, an update on the React2Shell vulnerability, and a newly disclosed issue in Apache Tika’s PDF parsing.
“If you are vulnerable, you probably have been exploited.”
— Johannes B. Ullrich [03:10]
“Web application firewalls will help, but like I said, there are active efforts to find exploit versions that will bypass web application firewalls.”
— Johannes B. Ullrich [03:53]
“The vulnerability address(ed) now in the Apache Tika core and Apache Tika parsers, in particular the PDF module, would allow an attacker to submit a malicious PDF that will then lead to an XML external entity attack.”
— Johannes B. Ullrich [04:25]
In this brisk and information-rich episode, Johannes B. Ullrich delivers actionable intelligence on emerging malware and vulnerabilities, emphasizing proactive patching and layered defenses. His tone is clear, urgent, and focused on equipping listeners for real-world threats happening right now.