All news with #rce tag
Wed, December 10, 2025
React2Shell Exploitation Delivers Miners and Backdoors
⚠ Huntress reports widespread exploitation of the maximum-severity React Server Components flaw CVE-2025-55182, with attackers leveraging vulnerable Next.js instances to deploy cryptocurrency miners and multiple novel Linux malware families. Observed payloads include the PeerBlight backdoor, CowTunnel reverse proxy and ZinFoq post-exploitation implant, alongside droppers that fetch XMRig, Sliver C2 and Kaiji variants. Activity since early December 2025 has targeted many sectors — notably construction and entertainment — and shows signs of automated scanning and exploitation tools that sometimes deploy Linux payloads to Windows hosts. Organizations should update react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack immediately and hunt for indicators of compromise.
Wed, December 10, 2025
Critical Ivanti EPM Flaw Patched; Immediate Updates Urged
🔒 Ivanti released EPM 2024 SU4 SR1 to address a critical stored XSS vulnerability (CVE-2025-10573) that lets unauthenticated attackers hijack administrator sessions by submitting malicious device scan data to the incoming API. The update also fixes three high-severity flaws that can enable code execution with user interaction and an issue that permits unauthorized file writes. Ivanti said reports came through its responsible disclosure program and it was not aware of active exploitation at disclosure. Organizations with internet-facing or high-privilege EPM instances should apply the patch immediately and isolate management interfaces until updated.
Wed, December 10, 2025
Microsoft Patches Three Zero-Days Including Kernel EoP
⚠️ Microsoft has released patches for three zero-day vulnerabilities in its December update, including an actively exploited kernel elevation-of-privilege in the Windows Cloud Files Mini Filter Driver (CVE-2025-62221). Two additional zero-days—an RCE in PowerShell (CVE-2025-54100) and an RCE in GitHub Copilot for JetBrains (CVE-2025-64671)—were publicly disclosed but not observed in the wild. Security experts warn attackers could chain the kernel flaw with other exploits to achieve full system or domain compromise.
Wed, December 10, 2025
Microsoft Patches 56 Flaws Including Active Zero-Days
🛡️ Microsoft released December 2025 patches addressing 56 Windows vulnerabilities, three rated Critical and 53 Important. The update fixes 29 privilege-escalation flaws, 18 remote code execution bugs and other defects, and includes two zero-days and one actively exploited use-after-free (CVE-2025-62221) in the Cloud Files Mini Filter Driver. Administrators are urged to prioritize the KEV-listed fix and follow vendor guidance for mitigation and monitoring.
Wed, December 10, 2025
December Patch Tuesday: Active Windows Cloud Files Zero Day
🚨 Microsoft’s December Patch Tuesday delivers 57 fixes, but an actively exploited zero-day in Windows Cloud Files Mini Filter Driver (CVE-2025-62221) requires immediate remediation. The flaw is a low-complexity use-after-free escalation-of-privilege that can enable a local foothold to become full system compromise. Security teams should prioritize this patch, enforce least-privilege controls, and enhance monitoring where rapid patching isn't possible.
Tue, December 9, 2025
Microsoft Patch Tuesday December 2025: 57 Vulnerabilities
🛡️ Microsoft released its December 2025 Patch Tuesday addressing 57 vulnerabilities, two labeled as critical and the remainder as important. Cisco Talos notes Microsoft assessed exploitation of the two critical issues as less likely, while several important flaws are considered more likely to be attacked. Talos published Snort and Snort 3 rules to detect exploitation attempts and recommends updating firewall SRUs and applying vendor patches promptly.
Tue, December 9, 2025
Microsoft Patch Tuesday — December 2025 Security Fixes
🛡️ Microsoft released its final Patch Tuesday of 2025, addressing 56 vulnerabilities including one actively exploited zero-day, CVE-2025-62221, and two publicly disclosed bugs. The zero-day is a privilege escalation in the Windows Cloud Files Mini Filter Driver, a core component used by cloud sync services such as OneDrive. Three flaws received Microsoft’s Critical rating, including two Office bugs exploitable via Outlook’s Preview Pane. Administrators should prioritize updates for the flagged privilege escalation issues and apply patches promptly.
Tue, December 9, 2025
Windows PowerShell Warns When Invoke-WebRequest Runs
⚠ Windows PowerShell 5.1 now displays a security confirmation when using Invoke-WebRequest to fetch web pages, warning that scripts in a downloaded page might run during parsing. The change, delivered with update KB5074204, mitigates a high-severity RCE tracked as CVE-2025-54100 and brings safer parsing behavior from PowerShell 7. Microsoft recommends rerunning commands with the -UseBasicParsing switch or updating automation to include it. Note that the 'curl' alias maps to Invoke-WebRequest and will trigger the same prompt.
Tue, December 9, 2025
North Korea-linked Actors Use React2Shell to Deploy EtherRAT
🛡️ Threat actors tied to North Korea have been observed exploiting the critical React Server Components vulnerability (React2Shell, CVE-2025-55182) to deliver a new remote access trojan named EtherRAT. The implant downloads a Node.js runtime, decrypts and spawns a JavaScript payload, and resolves command-and-control via Ethereum smart contracts using a multi-endpoint consensus method. EtherRAT persists on Linux with five distinct mechanisms and supports self-updating obfuscated payloads, enabling long-term stealthy access and making remediation difficult.
Tue, December 9, 2025
Ivanti warns of critical Endpoint Manager code flaw
⚠️ Ivanti is urging customers to patch a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) that allows unauthenticated remote actors to execute arbitrary JavaScript via low-complexity cross-site scripting that requires user interaction. Reported by Rapid7, the flaw lets attackers join fake managed endpoints to poison administrator dashboards and hijack admin sessions when viewed. Ivanti released EPM 2024 SU4 SR1 and addressed three other high-severity bugs, while Shadowserver reports hundreds of Internet-facing EPM instances.
Tue, December 9, 2025
North Korean Hackers Exploit React2Shell to Deploy EtherRAT
🔒 Researchers at Sysdig uncovered a new malware implant, EtherRAT, delivered via exploitation of the React2Shell deserialization flaw in Next.js just days after the vulnerability disclosure. The implant bundles a full Node.js runtime, uses an encrypted loader, and employs Ethereum smart contracts for resilient C2 while supporting five Linux persistence mechanisms. Operators can self-update the payload and execute arbitrary JavaScript, complicating detection and response.
Tue, December 9, 2025
U-Boot Bootloader: Improper Access to Volatile Boot Code
⚠️ U-Boot contains an improper access control vulnerability in volatile memory holding boot code (CVE-2025-24857) affecting all U-Boot versions prior to 2017.11 and several Qualcomm SoCs. Successful exploitation could allow arbitrary code execution; CISA reports a CVSS v4 base score of 8.6 with low attack complexity. Vendors advise upgrading to v2025.4, ensuring physical device security, and contacting Qualcomm support where appropriate.
Tue, December 9, 2025
December 2025 Patch Tuesday: One Zero-Day, 57 CVEs Addressed
🔔 Microsoft’s December 2025 Patch Tuesday addresses 57 CVEs, including one actively exploited Important zero-day in the Windows Cloud Files Mini Filter Driver and two publicly disclosed Important zero-days impacting GitHub Copilot for JetBrains and PowerShell. Two Critical RCE flaws in Microsoft Office increase urgency for enterprise patching and remediation. Organizations should prioritize applying Microsoft fixes, adopt layered mitigations where patches are delayed, and use CrowdStrike Falcon dashboards to track affected assets and remediation progress.
Mon, December 8, 2025
React2Shell RCE Actively Exploited by Multiple Threat Actors
🔴 The newly disclosed React2Shell vulnerability (CVE-2025-55182) is being actively exploited in the wild and carries a CVSS v3.1 score of 10. AWS has attributed exploitation attempts to state-linked groups including Earth Lamia and Jackpot Panda, while multiple proof-of-concept exploits have rapidly appeared. Broad scans from Shadowserver and Censys show tens of thousands to over two million potentially affected instances, and defenders are urged to apply the published React security updates immediately.
Sat, December 6, 2025
Researchers Find 30+ Flaws in AI IDEs, Enabling Data Theft
⚠️ Researchers disclosed more than 30 vulnerabilities in AI-integrated IDEs in a report dubbed IDEsaster by Ari Marzouk (MaccariTA). The issues chain prompt-injection with auto-approved agent tooling and legitimate IDE features to achieve data exfiltration and remote code execution across products like Cursor, GitHub Copilot, Zed.dev, and others. Of the findings, 24 received CVE identifiers; exploit examples include workspace writes that cause outbound requests, settings hijacks that point executable paths to attacker binaries, and multi-root overrides that trigger execution. Researchers advise using AI agents only with trusted projects, applying least privilege to tool access, hardening prompts, and sandboxing risky operations.
Sat, December 6, 2025
CISA Adds Critical React2Shell RCE to KEV Catalog Now
⚠️ CISA has added a critical remote code execution flaw affecting React Server Components (tracked as CVE-2025-55182 / React2Shell) to its Known Exploited Vulnerabilities catalog. The vulnerability, rated CVSS 10.0, stems from insecure deserialization in React’s Flight protocol and enables unauthenticated attackers to run arbitrary commands via crafted HTTP requests. Fixes are available in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0.1, 19.1.2, 19.2.1) and should be applied immediately.
Fri, December 5, 2025
React2Shell RCE Exploits Observed in the Wild at Scale
⚠️ Patches for the React2Shell vulnerability should be prioritized: researchers report active, largely automated exploitation attempts targeting React Server Components and Next.js. Public proof-of-concept code has been reused by attackers, with initial payloads performing lightweight proof-of-execution checks and staged PowerShell download-and-execute stagers. Vendors including JFrog, Wiz and Greynoise warn of fake PoCs on GitHub, cryptojacking, credential theft attempts, and Mirai-style kit integration, while AWS reports state-linked groups targeting exposed apps — making immediate remediation and verification essential.
Fri, December 5, 2025
React2Shell (CVE-2025-55182): Critical Server RCE Threat
🛡️ In early December 2025 the React project disclosed a critical server-side vulnerability dubbed React2Shell (CVE-2025-55182) rated CVSS 10.0. The bug allows unauthenticated attackers to execute arbitrary code by sending a specially crafted request to a vulnerable server feature. Check Point notes that CloudGuard WAF customers were proactively protected and not affected. Organizations should patch promptly and review traffic controls.
Fri, December 5, 2025
Critical XML External Entity (XXE) Flaw in Apache Tika
🔒 A critical XML External Entity (XXE) vulnerability, tracked as CVE-2025-66516, has been disclosed in Apache Tika and carries a CVSS score of 10.0. The flaw allows XXE via a crafted XFA file inside PDFs and affects tika-core, tika-parser-pdf-module, and tika-parsers across multiple versions. Users are strongly advised to upgrade to the patched releases immediately to mitigate file disclosure and potential remote code execution.
Fri, December 5, 2025
Critical React2Shell RCE in React.js and Next.js Servers
⚠️ React.js and Next.js servers are vulnerable to a critical remote code execution flaw dubbed React2Shell (CVE-2025-55182), disclosed to Meta on 29 November 2025. The bug targets server-side React Server Function endpoints and default Next.js App Router setups, enabling unauthenticated attackers to execute arbitrary code with a single HTTP request. Researchers report near-100% exploitability in default configurations and published proof-of-concepts; security teams should upgrade affected packages to the fixed versions immediately and verify PoC sources before testing.