
Active Exploits, Edge-Device Intrusions, and Cloud Platform Moves
Coverage: 16 Dec 2025 (UTC)
Active exploitation of a Next.js/React Server Components flaw, detailed by The Hacker News, is driving Linux backdoors and large-scale credential theft, while a critical RADIUS weakness in Hitachi Energy industrial switches was outlined by CISA. These developments sit alongside state-backed targeting of misconfigured edge devices and fresh cloud abuse for cryptomining, underscoring the need to patch, lock down management planes, and watch for credential replay across environments.
Exploitation waves and urgent fixes
Reports describe broad, coordinated abuse of CVE-2025-55182 in Next.js/React Server Components that is delivering stealthy Linux implants (including KSwapDoor and ZnDoor), establishing proxies and reverse shells, and harvesting cloud and identity tokens at scale. According to the coverage, attackers are scraping keys and credentials across Azure, AWS, GCP, and Tencent Cloud, probing for Kubernetes service accounts and .env files, and abusing Cloudflare Tunnel endpoints for command-and-control. The same reporting attributes portions of the activity to multiple China-nexus clusters and tracks more than 100,000 vulnerable IPs globally. Defenders are urged to inventory exposed instances, rotate secrets, and purge dropped backdoors. (See The Hacker News.)
Authentication-bypass flaws in Fortinet’s FortiCloud SSO are under active attack days after disclosure. The issues (CVE-2025-59718 and CVE-2025-59719) stem from improper signature validation of SAML messages and allow unauthenticated access when FortiCloud SSO is enabled. Observed intrusions targeted admin accounts and exported configuration files—exposing network layouts and hashed passwords that could be cracked—prompting guidance to upgrade immediately, temporarily disable FortiCloud SSO, restrict management interfaces, and rotate credentials where compromise is suspected. (Source: BleepingComputer.)
In operational technology, CISA posted details on CVE-2024-3596 impacting Hitachi Energy AFS/AFR/AFF series devices’ RADIUS implementation. The MD5-based response authenticator can be subverted via a chosen-prefix collision to alter access decisions. While CISA notes high attack complexity and no public exploitation, the advisory carries a critical CVSS (9.0) and urges enabling the RADIUS server message authenticator option and applying product-specific mitigations. The guidance reiterates segmentation of control-system networks, isolation of admin interfaces, and careful impact analysis before changes. (See CISA.)
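As an added illustration (not code from the CISA advisory or from Hitachi Energy), the following Python shows what that mitigation changes on the verifying side: a client that accepts a reply on the RFC 2865 MD5 Response Authenticator alone, versus one that also requires the RFC 2869 Message-Authenticator, a keyed HMAC-MD5 that a collision on the unkeyed field does not help forge. The shared secret, Request Authenticator and attributes are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def build_reply(code, ident, req_auth, attrs, secret, with_msg_auth):
    """Build a RADIUS reply to the Access-Request whose Request Authenticator is req_auth."""
    if with_msg_auth:
        attrs += bytes([MSG_AUTH, 18]) + b"\x00" * 16  # placeholder, filled in below
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_msg_auth:
        # RFC 2869: HMAC-MD5 keyed with the secret over Code|ID|Length|RequestAuth|Attributes
        mac = hmac.new(secret, header + req_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac
    # RFC 2865 Response Authenticator: unkeyed MD5 with the secret merely appended
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_reply(pkt, req_auth, secret, require_msg_auth):
    """Return True only if the reply passes every check this client enforces."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    # Check 1: the MD5 Response Authenticator, the field CVE-2024-3596 targets
    if hashlib.md5(header + req_auth + attrs + secret).digest() != resp_auth:
        return False
    # Check 2: the Message-Authenticator HMAC, which an MD5 collision does not help forge
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False  # malformed attribute list
        if atype == MSG_AUTH and alen == 18:
            zeroed = attrs[:pos + 2] + b"\x00" * 16 + attrs[pos + 18:]
            want = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(want, attrs[pos + 2:pos + 18])
        pos += alen
    return not require_msg_auth  # no Message-Authenticator: acceptable only in legacy mode

# Constructed sample values, not taken from any real deployment
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))            # Request Authenticator the client sent
ATTRS = bytes([11, 7]) + b"admin"      # Filter-Id (type 11) = "admin"
```

With `require_msg_auth=True` a reply that carries only the MD5 field is refused, which is the behavioural change the advisory's "message authenticator" option enables.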
An aviation software failure investigation highlights the stakes of regression controls in safety‑critical systems. A reported nose‑down event on an Airbus A320 led to vendor guidance to roll ELAC software from L104 to L103 for some aircraft, with discussion of single‑event upsets as a trigger and scrutiny of test engineering, CI/CD controls, and supplier coordination. The analysis argues the episode is a cautionary case for rigorous SDLC assurance and observability across complex supply chains. (Analysis: CSO Online.)
State activity at the edge and abuse of cloud resources
Amazon’s threat team attributed a multi‑year campaign to a GRU‑linked cluster (APT44/Sandworm), with a marked 2025 shift toward misconfigured network edge devices—enterprise routers, VPN concentrators, and remote access gateways—often hosted on cloud instances. The reporting describes persistent, interactive connections from actor-controlled IPs to compromised appliances, use of native packet capture for credential interception, and subsequent credential replay attempts. Guidance includes auditing for unauthorized capture tools, isolating management interfaces, and monitoring for anomalous authentications and long‑lived connections. (Coverage: The Hacker News.)
Separately, an AWS investigation documented a cryptomining campaign beginning November 2 that abused compromised IAM credentials to rapidly spin up EC2 and ECS resources—including GPU and ML instances—within minutes of initial access. The actor validated privileges with DryRun calls, deployed miners via a malicious Docker Hub image, and attempted to hinder remediation by disabling API termination and creating publicly invocable Lambda URLs. Recommended mitigations include enforcing least privilege and MFA, favoring temporary credentials, enabling GuardDuty (with runtime and extended detection), integrating findings for automated response, scanning container images, and blocking public Lambda URLs via Service Control Policies. (Details: AWS Security Blog.)
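As an added example (not AWS's own tooling or any content from its investigation), the following Python tags constructed CloudTrail-style events with the steps described above (DryRun privilege checks, GPU/ML launches, termination protection, public Lambda URLs) and flags an access key that probes and then acts within a short window. Field names follow CloudTrail's request-parameter layout for these APIs; the key IDs, timestamps and function name are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GPU_ML_FAMILIES = ("p", "g", "inf", "trn")  # EC2 accelerated-compute instance families

def classify(ev):
    """Tag one CloudTrail event with a step of the campaign's chain, or None."""
    name, p = ev["eventName"], ev.get("requestParameters") or {}
    if ev.get("errorCode") == "Client.DryRunOperation":
        return "dryrun_probe"  # privilege validation that changes nothing
    if name == "RunInstances":
        items = p.get("instancesSet", {}).get("items", [])
        if any(i.get("instanceType", "").startswith(GPU_ML_FAMILIES) for i in items):
            return "gpu_ml_launch"
    if name == "ModifyInstanceAttribute" and p.get("disableApiTermination", {}).get("value"):
        return "termination_protection"  # blocks TerminateInstances during clean-up
    if name == "CreateFunctionUrlConfig" and p.get("authType") == "NONE":
        return "public_lambda_url"
    return None

def analyze(events, window=timedelta(minutes=30)):
    """Return {accessKeyId: sorted tags} for keys that probe then act within the
    window, or that take either anti-remediation step at all."""
    by_key = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key[ev["userIdentity"]["accessKeyId"]].append((ts, tag))
    findings = {}
    for key, seq in by_key.items():
        tags = {t for _, t in seq}
        probes = [ts for ts, t in seq if t == "dryrun_probe"]
        actions = [ts for ts, t in seq if t != "dryrun_probe"]
        if (probes and actions and min(actions) - min(probes) <= window) \
                or tags & {"termination_protection", "public_lambda_url"}:
            findings[key] = sorted(tags)
    return findings

def _ev(time, name, key, params=None, error=None):  # constructed CloudTrail-shaped record
    return {"eventTime": time, "eventName": name, "errorCode": error,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

ATTACKER, ADMIN = "AKIACONSTRUCTED00BAD", "AKIACONSTRUCTED00OKY"  # placeholder key IDs
SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    _ev("2025-11-02T10:00:05Z", "RunInstances", ATTACKER, error="Client.DryRunOperation"),
    _ev("2025-11-02T10:03:10Z", "RunInstances", ATTACKER, {"instancesSet": {"items": [{"instanceType": "p3.16xlarge"}]}}),
    _ev("2025-11-02T10:04:00Z", "ModifyInstanceAttribute", ATTACKER, {"disableApiTermination": {"value": True}}),
    _ev("2025-11-02T10:05:30Z", "CreateFunctionUrlConfig", ATTACKER, {"functionName": "constructed-fn", "authType": "NONE"}),
    _ev("2025-11-02T10:07:00Z", "RunInstances", ADMIN, {"instancesSet": {"items": [{"instanceType": "t3.micro"}]}}),
]
```

In a real deployment the same logic would run over CloudTrail delivered through EventBridge or a SIEM rather than an inline list.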
Privacy risks and exposed data
Research into the widely installed Urban VPN browser extension found persistent scripts capturing entire generative‑AI chats—prompts, responses, and metadata—across major services (ChatGPT, Claude, Gemini, Perplexity, Grok), and exfiltrating them regardless of whether the VPN or the extension’s “AI protection” was active. The analysis links the publisher to a data‑brokering firm and estimates hundreds of millions of AI conversations collected across multiple extensions. The findings argue that unmanaged browser extensions can bypass enterprise controls and create direct data‑exfiltration channels, reinforcing the case for strict extension policies and DLP. (Report: CSO Online.)
In a separate disclosure, fintech 700Credit reported a breach affecting approximately 5.8 million consumers tied to U.S. auto dealerships. Investigators believe a misconfigured API allowed exfiltration of PII—including names, addresses, and Social Security numbers—between May and October, limited to the 700Dealer.com application layer. The company is offering 12 months of credit monitoring via TransUnion and advising vigilance for fraud; the incident underscores persistent risk from application-layer misconfigurations. (Disclosure: Infosecurity.)
Cloud platform moves and incident tooling
AWS expanded its Intel-based compute portfolio’s reach: M8i instances are now available in five additional Regions (Seoul, Tokyo, Sydney, Singapore, Canada Central), and M8i‑flex launched in Sydney. AWS cites up to 15% better price‑performance and 2.5x memory bandwidth over prior Intel generations, with workload‑specific gains up to 60% for NGINX and 40% for deep learning recommendation models. (Announcements: AWS and AWS.)
For managed AI and productivity agents, AWS made Amazon SageMaker AI available in the Asia Pacific (New Zealand) Region—addressing latency and data residency—while Amazon Quick Suite added persistent memory for chat agents so they can retain user preferences with review and deletion controls and a Private Mode. Security teams should assess retention behaviors and compliance implications when enabling agent memory. (Updates: AWS and AWS.)
On incident workflows, AWS released an integration that maps Security Incident Response cases to dedicated Slack channels, synchronizing updates and enabling bidirectional case actions. The open‑source connector uses EventBridge and a modular design so teams can tailor automations and keep existing tooling, with guidance for secure deployment and access controls. (Docs: AWS.)
Google Cloud announced a redesigned Partner Network set to roll out in Q1 2026, shifting to outcome‑based recognition with a three‑tier model and a competency framework that separates capacity from capability. In the public sector, Google showcased how Workspace with Gemini can transform dense disaster declarations into interactive safety‑check tools, underpinned by controls such as FedRAMP High authorization, context‑aware access, DLP, and client‑side encryption. (Announcements: Google Cloud and Google Cloud.)