All news with #active exploitation tag

Mon, December 8, 2025

CISA Adds Two Vulnerabilities to Known Exploited Catalog

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2022-37055, a buffer overflow affecting D-Link routers, and CVE-2025-66644, an OS command injection in Array Networks ArrayOS AG. Both were included based on evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV entries by their due dates, and CISA urges all organizations to prioritize timely remediation and risk-reduction measures.

Mon, December 8, 2025

React2Shell RCE Actively Exploited by Multiple Threat Actors

🔴 The newly disclosed React2Shell vulnerability (CVE-2025-55182) is being actively exploited in the wild and carries a CVSS v3.1 score of 10. AWS has attributed exploitation attempts to state-linked groups including Earth Lamia and Jackpot Panda, while multiple proof-of-concept exploits have rapidly appeared. Broad scans from Shadowserver and Censys show tens of thousands to over two million potentially affected instances, and defenders are urged to apply the published React security updates immediately.

Mon, December 8, 2025

Critical Sneeit WordPress RCE Exploited in the Wild

🔴 A critical remote code execution flaw in the Sneeit Framework WordPress plugin (CVE-2025-6389) is being actively exploited, according to Wordfence. The issue, patched in version 8.4 on August 5, 2025, affects all releases up to and including 8.3 and lets unauthenticated attackers invoke arbitrary PHP functions via sneeit_articles_pagination_callback() and call_user_func(). Wordfence reported more than 131,000 blocked attempts since disclosure, including tens of thousands in a single day, and observed uploads of PHP shells and creation of malicious admin accounts on vulnerable sites.

Sat, December 6, 2025

React2Shell RCE Exploited, 77K+ IPs and 30+ Breaches

🔴 React2Shell (CVE-2025-55182) is an unauthenticated remote code execution flaw in React Server Components and frameworks like Next.js, disclosed on December 3, 2025. A public proof-of-concept on December 4 accelerated automated scanning and exploitation; Shadowserver found 77,664 vulnerable IPs (≈23,700 in the US), and Palo Alto reports more than 30 breached organizations. Observed attacks use PowerShell stages, AMSI bypass and Cobalt Strike; mitigation requires updating React, rebuilding and redeploying apps, and reviewing logs for post-exploitation indicators.

Sat, December 6, 2025

CISA Adds Critical React2Shell RCE to KEV Catalog Now

⚠️ CISA has added a critical remote code execution flaw affecting React Server Components (tracked as CVE-2025-55182 / React2Shell) to its Known Exploited Vulnerabilities catalog. The vulnerability, rated CVSS 10.0, stems from insecure deserialization in React’s Flight protocol and enables unauthenticated attackers to run arbitrary commands via crafted HTTP requests. Fixes are available in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0.1, 19.1.2, 19.2.1) and should be applied immediately.

Fri, December 5, 2025

React2Shell RCE Exploits Observed in the Wild at Scale

⚠️ Patches for the React2Shell vulnerability should be prioritized: researchers report active, largely automated exploitation attempts targeting React Server Components and Next.js. Public proof-of-concept code has been reused by attackers, with initial payloads consisting of lightweight proof-of-execution checks and PowerShell download-and-execute stagers. Vendors including JFrog, Wiz and GreyNoise warn of fake PoCs on GitHub, cryptojacking, credential theft attempts, and Mirai-style kit integration, while AWS reports state-linked groups targeting exposed apps, making immediate remediation and verification essential.

Fri, December 5, 2025

Chinese Threat Actors Backdoor VMware vSphere Servers

🔒 Chinese state-sponsored actors are implanting a Go-based backdoor called BRICKSTORM on VMware vCenter and ESXi servers to maintain long-term persistence in targeted networks. CISA, NSA and the Canadian Cyber Centre analyzed multiple samples and found the malware often remained undetected for extended periods, enabling lateral movement, credential theft and exfiltration via VSOCK and SOCKS5 proxy functionality. The joint advisory includes IOCs, YARA and Sigma rules and recommends patching, hardening vSphere, restricting service account privileges, segmenting networks and blocking unauthorized DoH.

Fri, December 5, 2025

Critical React2Shell RCE in React.js and Next.js Servers

⚠️ React.js and Next.js servers are vulnerable to a critical remote code execution flaw dubbed React2Shell (CVE-2025-55182), disclosed to Meta on 29 November 2025. The bug targets server-side React Server Function endpoints and default Next.js App Router setups, enabling unauthenticated attackers to execute arbitrary code with a single HTTP request. Researchers report near-100% exploitability in default configurations and published proof-of-concepts; security teams should upgrade affected packages to the fixed versions immediately and verify PoC sources before testing.

Fri, December 5, 2025

China-Linked Warp Panda Espionage Targets North America

🛡️ CrowdStrike has attributed a sophisticated cyber‑espionage campaign to a China-linked group dubbed Warp Panda, which has targeted North American legal, technology and manufacturing firms to support PRC intelligence priorities. The actor employed BRICKSTORM implants and Golang-based tools to persist on VMware vSphere infrastructures, including vCenter and ESXi hosts. CISA’s advisory corroborates long-term access and vCenter exploitation.

Fri, December 5, 2025

Chinese Threat Actors Rapidly Exploit React2Shell Flaw

⚠️ Within hours of public disclosure, two China-linked groups began exploiting the newly disclosed CVE-2025-55182 (React2Shell) remote code execution flaw in React Server Components. AWS telemetry from MadPot honeypots attributes activity to Earth Lamia and Jackpot Panda, showing attempts to run discovery commands such as "whoami", write files like "/tmp/pwned.txt", and read sensitive files such as "/etc/passwd". Vendors addressed the bug in React 19.0.1, 19.1.2, and 19.2.1, but attackers are concurrently scanning for other N-day flaws.

Fri, December 5, 2025

Cloudflare Outage Caused by Emergency React2Shell Patch

🔧 Cloudflare says an emergency patch to mitigate the critical React2Shell vulnerability (CVE-2025-55182) introduced a change to its Web Application Firewall request parsing that briefly rendered the network unavailable and caused global "500 Internal Server Error" responses. The update targeted active remote code execution attempts against React Server Components and dependent frameworks. Cloudflare emphasized the incident was not an attack and that the change was deployed to protect customers while the industry addresses the flaw.

Fri, December 5, 2025

Largest U.S. Telecommunications Hack: What Happened

🔐 On December 4, 2024, U.S. officials confirmed a widespread cyber-espionage campaign that targeted some 80 global telecommunications providers across dozens of countries. The intrusion has been attributed to a sophisticated nation-state actor tracked by Microsoft as Salt Typhoon (aka Ghost Emperor / FamousSparrow), with earlier links to LightBasin. A joint task force—Operation Enduring Security Framework—led by the NSA, Pentagon and CISA was created to contain and investigate the offensive.

Fri, December 5, 2025

React2Shell critical flaw exploited by China-linked groups

⚠️ React2Shell is a max-severity insecure deserialization vulnerability in the React Server Components 'Flight' protocol that allows unauthenticated remote execution of JavaScript on affected servers. Within hours of disclosure, AWS telemetry observed exploitation attempts by China-linked groups including Earth Lamia and Jackpot Panda, and multiple proof-of-concept exploits have been published. React and Next.js have released patches; administrators should apply updates, scan for vulnerable deployments, and monitor for known exploitation indicators.

Fri, December 5, 2025

Intellexa's Predator Spyware Continues Despite Sanctions

📣 Leaked documents and coordinated technical reports indicate the Intellexa surveillance consortium continues to develop, sell and operate its Predator spyware despite multiple sanctions. Analyses from Google Threat Intelligence Group, Recorded Future and Amnesty’s Security Lab attribute numerous mobile browser zero-day exploits and new infection methods to the vendor. Amnesty disclosed a novel Aladdin zero-click vector that abuses the mobile advertising ecosystem to deliver malicious ads which infect devices on view, while Recorded Future and Google documented Intellexa’s outsized share of exploited zero-days. The combined findings point to active customers, new nexus entities and ongoing global operations.

Fri, December 5, 2025

CISA: PRC-linked BRICKSTORM Backdoor Targets vSphere

🔒 CISA on Thursday released details of a Golang backdoor named BRICKSTORM used by PRC-linked actors to maintain long-term stealthy access to VMware vSphere and Windows systems. The implant provides interactive shell access, file management, SOCKS proxying, and multiple C2 channels including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS to conceal communications and blend with normal traffic. CISA and private-sector researchers tied deployments to clusters tracked as UNC5221 and to CrowdStrike’s Warp Panda, noting self-reinstating persistence, VSOCK support for inter-VM operations, and use in attacks against government, IT, legal, and technology targets.

Fri, December 5, 2025

JPCERT Confirms Active Command-Injection in ArrayOS

⚠️ JPCERT/CC warns that a command injection flaw in Array Networks AG Series secure access gateways' DesktopDirect feature has been actively exploited since August 2025, enabling attackers to execute arbitrary commands. The vendor patched the issue in ArrayOS 9.4.5.9 on May 11, 2025; affected versions include 9.4.5.8 and earlier. JPCERT/CC confirms web shells were dropped on devices in Japan and notes attacks from IP 194.233.100[.]138. Administrators should apply the update or disable DesktopDirect and block URLs containing a semicolon as a temporary mitigation.

Fri, December 5, 2025

China-nexus Rapid Exploitation of React2Shell CVE-2025-55182

🛡️ Amazon observed multiple China state-nexus groups rapidly exploiting CVE-2025-55182 (React2Shell), a critical unsafe deserialization flaw in React Server Components with a CVSS score of 10.0 that affects React 19.x and Next.js 15.x/16.x when using App Router. AWS deployed Sonaris active defense, AWS WAF managed rules (AWSManagedRulesKnownBadInputsRuleSet v1.24+) and MadPot honeypots to detect and block attempts, but these protections are not substitutes for patching. Customers running self-managed React/Next.js applications must update immediately, deploy interim WAF rules, and review logs for indicators such as POST requests with next-action or rsc-action-id headers.

Thu, December 4, 2025

Attackers Exploit ArrayOS AG VPN Bug to Deploy Webshells

🔒 Threat actors are exploiting a command injection vulnerability in Array Networks ArrayOS AG VPN appliances to plant PHP webshells and create rogue user accounts. The flaw affects ArrayOS AG 9.4.5.8 and earlier when the DesktopDirect feature is enabled; Array issued a May update (9.4.5.9) to address the issue. Japan's CERT (JPCERT/CC) reports attacks since at least August originating from IP 194.233.100[.]138. If immediate patching is not possible, disable DesktopDirect or block URLs containing a semicolon as a temporary mitigation.

Thu, December 4, 2025

Predator Spyware Uses Ad-Based Zero-Click Infection

📢 Researchers report that the Predator spyware operator Intellexa developed a zero-click delivery mechanism called Aladdin that can infect targets simply by serving a weaponized advertisement. The technique abuses commercial mobile advertising systems and Demand Side Platforms to force malicious ads to specific IPs and devices, with viewing alone triggering redirections to exploit servers. First deployed in 2024 and routed through shell companies across multiple countries, the campaign is corroborated by leaked Intellexa documents and technical analysis from Amnesty, Google, and Recorded Future. Analysts recommend blocking ads, hiding public IPs, and using platform protections, though leaked materials suggest operators can obtain subscriber IP/location data from local mobile operators.

Thu, December 4, 2025

CISA Alerts on BrickStorm Backdoors in VMware vSphere

🔒 CISA warns that Chinese threat actors have used Brickstorm malware to backdoor VMware vSphere servers, creating hidden rogue virtual machines and exfiltrating cloned VM snapshots to harvest credentials. A joint analysis with the NSA and Canada's Cyber Security Centre examined eight samples and documents layered evasion including nested TLS, WebSockets, SOCKS proxying and DNS-over-HTTPS. CISA provides YARA and Sigma rules, advises blocking unauthorized DoH providers, inventorying edge devices, segmenting DMZ-to-internal traffic, and reporting detections as required.
