Talos Highlights Surge in React2Shell Exploits and Legacy Component Vulnerabilities in 2025
What Happened — Cisco Talos’ 2025 Year‑in‑Review shows a dramatic rise in attacks leveraging the React2Shell exploit chain, which accounted for the highest share of observed attacks in the final three weeks of the year. Simultaneously, old, widely‑deployed components such as Log4j, PHPUnit, and ColdFusion continued to generate high‑impact RCE vulnerabilities, exposing organizations that lag in patching legacy code.
Why It Matters for TPRM —
- Legacy third‑party libraries embedded in SaaS or on‑prem applications create hidden attack surfaces that vendors may not disclose.
- Exploit kits like React2Shell shorten the time‑to‑exploit, reducing the window for vendors to apply patches and increasing supply‑chain risk.
- Identity‑centric components (auth services, MFA brokers) are being targeted, threatening the security guarantees of downstream customers.
Who Is Affected — Technology & SaaS providers, cloud hosting platforms, MSPs, and any organization that integrates open‑source components or legacy middleware.
Recommended Actions —
- Conduct an inventory of all third‑party libraries and firmware versions used by critical vendors.
- Prioritize patching of known high‑risk components (Log4j, PHPUnit, ColdFusion) and enforce strict version control.
- Validate that vendors have rapid vulnerability disclosure and remediation processes, especially for identity‑related services.
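The inventory and version-control actions above can be automated against a vendor's SBOM. The script below is an added example, not code from Talos or from this briefing: it reads a CycloneDX-style component list, matches component names against the watch list named above (Log4j, PHPUnit, ColdFusion), and ranks each hit by whether its version sits below a baseline. The SBOM fragment, the baseline versions and the `EXAMPLE_BASELINE`/`audit_sbom` names are constructed placeholders, not values from the report.

```python
"""Flag watch-listed third-party components in a CycloneDX SBOM.
Added example, not from the Talos report or the briefing. Watch-list names come
from the briefing; the SBOM and the baseline versions are constructed placeholders."""
import re

# PLACEHOLDER baseline: lowest acceptable version per watch-listed name. The numbers
# are made up; substitute your own patch baseline. None = flag for manual review.
EXAMPLE_BASELINE = {"log4j": "3.0.0", "phpunit": "10.0.0", "coldfusion": None}

# Constructed CycloneDX-style SBOM fragment (not a real vendor inventory).
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "components": [
    {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "phpunit", "purl": "pkg:composer/phpunit/phpunit@4.8.0"},
    {"name": "requests", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "coldfusion", "type": "application"},  # no version recorded at all
]}
STATUS_RANK = {"below-baseline": 0, "unknown-version": 1, "review": 2, "ok": 3}

def parse_purl(purl):
    """Return (ecosystem, name, version) from a package URL, or None if malformed."""
    m = re.match(r"pkg:([^/]+)/(.+?)(?:@([^?#]+))?(?:[?#].*)?$", purl)
    if not m:
        return None
    ecosystem, path, version = m.groups()
    return ecosystem, path.rsplit("/", 1)[-1], version

def version_key(v):
    """Numeric tuple for ordering; non-numeric parts (rc, beta) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v))

def audit_sbom(sbom, baseline):
    """Return watch-listed components as dicts, worst status first."""
    findings = []
    for comp in sbom.get("components", []):
        parsed = parse_purl(comp["purl"]) if comp.get("purl") else None
        ecosystem, name, version = parsed or ("unknown", comp.get("name", ""), comp.get("version"))
        hit = next((k for k in baseline if k in name.lower()), None)
        if hit is None:
            continue  # not on the watch list
        minimum = baseline[hit]
        if version is None:
            status = "unknown-version"  # cannot assess; ask the vendor for the version
        elif minimum is None:
            status = "review"
        else:
            status = "below-baseline" if version_key(version) < version_key(minimum) else "ok"
        findings.append({"name": name, "ecosystem": ecosystem, "version": version,
                         "watchlist": hit, "status": status})
    return sorted(findings, key=lambda f: STATUS_RANK[f["status"]])
```

Calling `audit_sbom(SAMPLE_SBOM, EXAMPLE_BASELINE)` lists the two outdated libraries first and the version-less ColdFusion entry as unassessable, which is the gap to raise with the vendor.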
Technical Notes — The trend is driven by remote code execution (RCE) flaws in outdated libraries and the React2Shell exploit chain, which automates payload delivery without user interaction. No specific CVE is cited, but the underlying issue is the exploitation of publicly disclosed vulnerabilities before patch cycles complete.
Source: Cisco Talos Year‑in‑Review 2025