To exploit the React vulnerability, all a threat actor would need to do is send a specially crafted HTTP request to the server endpoint. For security reasons, Wiz researchers didn’t detail how this could be done. But, they said, in similar vulnerabilities, attackers leverage remote code execution on servers to download and execute sophisticated trojans on the server, usually a known C2 framework like sliver, but in some cases, a more custom payload. “The main point,” the researchers said, “is that with an RCE like this, an attacker can practically do anything.”
CISOs and developers need to treat these two vulnerabilities as “more than critical,” said Tanya Janca, a Canadian-based secure coding trainer. In fact, she said in an email, they should be treated in the same way that infosec pros treated the Log4j vulnerability, and scour all applications. “There could not be a more serious security flaw in a web application than this,” she said, “even if it is not known to be exploited in the wild yet.”
Advice for CSOs, developers
Janca said developers should:
