diff --git a/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml b/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
new file mode 100644
index 0000000000..cb3c1c7c5c
--- /dev/null
+++ b/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
@@ -0,0 +1,87 @@
+name: Cisco Secure Firewall - React Server Components RCE Attempt
+id: d36459b1-7901-401a-a67e-44426c15b168
+version: 1
+date: '2025-12-08'
+author: Nasreddine Bencherchali, Splunk, Talos NTDR
+status: production
+type: TTP
+description: |
+ This analytic detects exploitation activity of CVE-2025-55182 using Cisco Secure Firewall Intrusion Events.
+ It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65554 (React Server Components remote code execution attempt) is triggered
+ If confirmed malicious, this behavior could be indicative of a potential exploitation of CVE-2025-55182.
+data_source:
+ - Cisco Secure Firewall Threat Defense Intrusion Event
+search: |
+ `cisco_secure_firewall`
+ EventType=IntrusionEvent
+ signature_id = 65554
+ | fillnull
+ | stats min(_time) as firstTime
+ max(_time) as lastTime
+ values(signature_id) as signature_id
+ values(signature) as signature
+ values(class_desc) as class_desc
+ values(MitreAttackGroups) as MitreAttackGroups
+ values(InlineResult) as InlineResult
+ values(InlineResultReason) as InlineResultReason
+ values(src_ip) as src_ip
+ values(dest_port) as dest_port
+ values(rule) as rule
+ values(transport) as transport
+ values(app) as app
+ by dest_ip
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_secure_firewall___react_server_components_rce_attempt_filter`
+how_to_implement: |
+ This search requires Cisco Secure Firewall Threat Defense Logs, which
+ includes the FileEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
+ We strongly recommend that you specify your environment-specific configurations
+ (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
+ with configurations for your Splunk environment. The search also uses a post-filter
+ macro designed to filter out known false positives.
+ The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
+ The malware & file access policy must also enable logging.
+known_false_positives: |
+ Security testing or vulnerability scanners might trigger this. Investigate any potential
+ matches to determine if they're legitimate.
+references:
+ - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
+ - https://nextjs.org/blog/CVE-2025-66478
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-55182
+ - https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3
+ - https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
+drilldown_searches:
+ - name: View the detection results for - "$src_ip$" and "$dest_ip$"
+ search: '%original_detection_search% | search src_ip="$src_ip$" dest_ip="$dest_ip$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$src_ip$" and "$dest_ip$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: Potential exploitation of CVE-2025-65554 from $src_ip$
+ risk_objects:
+ - field: dest_ip
+ type: system
+ score: 85
+ threat_objects:
+ - field: src_ip
+ type: system
+tags:
+ analytic_story:
+ - React2Shell
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1190
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ security_domain: endpoint
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/react2shell/react2shell.log
+ source: not_applicable
+ sourcetype: cisco:sfw:estreamer
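Review bot: The risk message under `rba` names `CVE-2025-65554`, which is not the CVE this analytic targets — `description` and `references` identify the vulnerability as CVE-2025-55182 (the Next.js advisory tracks it as CVE-2025-66478), and 65554 is the Snort signature id the search filters on — so every risk event emitted would carry a wrong identifier; use `message: Potential exploitation of CVE-2025-55182 (Snort SID 65554) from $src_ip$`. The `how_to_implement` text also appears copied from a file-event detection: it states the logs must include the `FileEvent` EventType and that the "malware & file access policy" must enable logging, while the search keys on `EventType=IntrusionEvent`, so an implementer following it would enable logging on the wrong policy; I would change those two sentences to `includes the IntrusionEvent EventType.` and `The intrusion policy must also have logging enabled for this rule.` Because the detection is built on firewall intrusion events rather than host telemetry, `asset_type: Endpoint` and `security_domain: endpoint` under `tags` likely should read `Network` and `network`, which is worth confirming against the other analytics in `detections/network/`. Finally, since `InlineResult` is only collected via `values()`, the score of 85 is applied equally to attempts the firewall dropped and to those it let through; consider adding to `description` a sentence such as `Check InlineResult to determine whether the attempt was blocked inline before escalating.`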