EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Cisco Secure Firewall - React Server Components RCE Attempt

This analytic detects exploitation activity of CVE-2025-55182 using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65554 (React Server Components remote code execution attempt) is triggered If confirmed malicious, this behavior could be indicative of a potential exploitation of CVE-2025-55182.

MITRE ATT&CK

T1190
initial-access

Detection Query

`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id = 65554
| fillnull
| stats min(_time) as firstTime
        max(_time) as lastTime
        values(signature_id) as signature_id
        values(signature) as signature
        values(class_desc) as class_desc
        values(MitreAttackGroups) as MitreAttackGroups
        values(InlineResult) as InlineResult
        values(InlineResultReason) as InlineResultReason
        values(src) as src
        values(dest_port) as dest_port
        values(rule) as rule
        values(transport) as transport
        values(app) as app
        by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___react_server_components_rce_attempt_filter`

Author

Nasreddine Bencherchali, Splunk, Talos NTDR

Created

2026-03-10

Data Sources

Cisco Secure Firewall Threat Defense Intrusion Event

References

Tags

React2Shell
Raw Content
name: Cisco Secure Firewall - React Server Components RCE Attempt
id: d36459b1-7901-401a-a67e-44426c15b168
version: 5
date: '2026-03-10'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
description: |
    This analytic detects exploitation activity of CVE-2025-55182 using Cisco Secure Firewall Intrusion Events.
    It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65554 (React Server Components remote code execution attempt) is triggered
    If confirmed malicious, this behavior could be indicative of a potential exploitation of CVE-2025-55182.
data_source:
    - Cisco Secure Firewall Threat Defense Intrusion Event
search: |
    `cisco_secure_firewall`
    EventType=IntrusionEvent
    signature_id = 65554
    | fillnull
    | stats min(_time) as firstTime
            max(_time) as lastTime
            values(signature_id) as signature_id
            values(signature) as signature
            values(class_desc) as class_desc
            values(MitreAttackGroups) as MitreAttackGroups
            values(InlineResult) as InlineResult
            values(InlineResultReason) as InlineResultReason
            values(src) as src
            values(dest_port) as dest_port
            values(rule) as rule
            values(transport) as transport
            values(app) as app
            by dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `cisco_secure_firewall___react_server_components_rce_attempt_filter`
how_to_implement: |
    This search requires Cisco Secure Firewall Threat Defense Logs, which
    includes the FileEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
    with configurations for your Splunk environment. The search also uses a post-filter
    macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
    The malware & file access policy must also enable logging.
known_false_positives: |
    Security testing or vulnerability scanners might trigger this. Investigate any potential
    matches to determine if they're legitimate.
references:
    - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
    - https://nextjs.org/blog/CVE-2025-66478
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55182
    - https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3
    - https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
drilldown_searches:
    - name: View the detection results for - "$src$" and "$dest$"
      search: '%original_detection_search% | search src="$src$" dest="$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Potential exploitation of CVE-2025-65554 from $src$
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: src
          type: system
tags:
    analytic_story:
        - React2Shell
    asset_type: Endpoint
    mitre_attack_id:
        - T1190
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/react2shell/react2shell.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer