12 Dec 2025

Week in review

Greetings,

A severe new vulnerability, dubbed React2Shell and tracked as CVE-2025-55182, has emerged and is being actively exploited. It affects React Server Components, the widely used server-side features of React, and by extension many applications built on Next.js and similar frameworks.

The flaw lets an attacker execute arbitrary code on the server by sending a single specially crafted HTTP request. Within days of its disclosure on December 3, 2025, multiple threat actors were already abusing the public exploit code.

As detailed in a report by researchers at Huntress and Sysdig, attackers have leveraged React2Shell to deploy a variety of malicious payloads across diverse environments. These include a Linux backdoor dubbed PeerBlight, a reverse-proxy tunnel called CowTunnel, and a Go-based post-exploitation implant known as ZinFoq.

More capable tooling has also been observed. One example is EtherRAT, a new remote access trojan that uses blockchain-based command-and-control and supports several Linux persistence mechanisms, including system services, cron jobs and shell-profile injection.

Defenders are urged to update all React and Next.js dependencies immediately to patched versions (React Server DOM packages to 19.0.1, 19.1.2 or 19.2.1, depending on which 19.x line is in use; Next.js to its latest fixed release) and to audit public-facing services for signs of compromise.
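As an added illustration of the audit step, the following Python script is example code written for this review; it is not AUSCERT tooling and not anything published by the React project. It walks an npm package-lock.json in lockfile v2/v3 layout (every installed copy, including transitive ones nested under other packages, appears under "packages" keyed by its node_modules path) and flags react-server-dom-* versions that sit below the fixed release for their 19.x line. The three package names, the sample lockfile and its Next.js version number are assumptions constructed for the example; versions outside the three 19.x lines named above are reported as "unknown" rather than guessed.

```python
"""Audit an npm package-lock.json for react-server-dom-* packages that
predate the React2Shell fixes.

Example code added to this review; it is not AUSCERT tooling and not
anything published by the React project. Assumptions: lockfile v2/v3
layout (installed packages under "packages", keyed by node_modules path)
and the three bundler-specific package names below.
"""
import json
import re

# Fixed releases per 19.x minor line, as listed in the advisory summary above.
FIXED_BY_MINOR = {
    (19, 0): (19, 0, 1),
    (19, 1): (19, 1, 2),
    (19, 2): (19, 2, 1),
}

# Assumption: the packages that ship the React Server DOM runtime for the
# common bundlers. Add others if your build uses a different integration.
RSC_PACKAGES = frozenset({
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
})

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\S+))?$")


def classify(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one installed version.

    Only the three 19.x lines named in the advisory are judged; anything
    else (18.x, 19.3+, git URLs, dist-tags) is 'unknown' so the reader
    checks the vendor advisory instead of trusting a guess.
    """
    m = _SEMVER.match(version)
    if not m:
        return "unknown"
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4)
    fixed = FIXED_BY_MINOR.get(triple[:2])
    if fixed is None:
        return "unknown"
    if triple < fixed:
        return "vulnerable"
    if triple == fixed and prerelease:
        # e.g. 19.2.1-canary-...: sorts before 19.2.1 and may predate the fix.
        return "unknown"
    return "fixed"


def audit_lockfile(lock_text):
    """Return a list of (path, package, version, verdict) for every RSC copy.

    Walking "packages" rather than the top-level dependency list catches
    nested copies such as node_modules/next/node_modules/react-server-dom-*.
    """
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # Aliased installs carry an explicit "name"; otherwise the package
        # name is the last node_modules path segment (scoped names included).
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if name in RSC_PACKAGES and version:
            findings.append((path, name, version, classify(version)))
    return findings


# Constructed sample lockfile (not from any real project): one direct
# vulnerable copy, one fixed copy nested under next, one old parcel copy.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.0.0"},
    },
})


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, name, version, verdict in audit_lockfile(text):
        print(f"{verdict:10s} {name}@{version}  ({path})")
```

Run it as `python audit_rsc.py package-lock.json`; with no argument it audits the constructed sample. Lockfile v1 files (a "dependencies" tree with no "packages" key) and yarn or pnpm lockfiles are outside its scope and simply produce no findings, so an empty result is not a clean bill of health. Pair it with `npm ls react-server-dom-webpack` (or the parcel/turbopack package) and confirm what is actually deployed, not only what the repository says.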


Ivanti warns of critical Endpoint Manager code execution flaw
Date: 2025-12-09
Author: Bleeping Computer

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely.
Ivanti delivers system and IT asset management solutions to over 40,000 companies via a network of more than 7,000 organizations worldwide. The company's EPM software is an all-in-one endpoint management tool for managing client devices across popular platforms, including Windows, macOS, Linux, Chrome OS, and IoT.

Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims
Date: 2025-12-10
Author: Cyberscoop

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0214.2/]
Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components.
Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday. The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week.

Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch
Date: 2025-12-05
Author: The Hacker News

A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack.
The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.
"Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF," according to an advisory for the vulnerability.

New wave of VPN login attempts targets Palo Alto GlobalProtect portals
Date: 2025-12-06
Author: Bleeping Computer

A campaign has been observed targeting Palo Alto GlobalProtect portals with login attempts and launching scanning activity against SonicWall SonicOS API endpoints.
The activity started on December 2nd and originated from more than 7,000 IP addresses from infrastructure operated by the German IT company 3xK GmbH, which runs its own BGP network (AS200373) and operates as a hosting provider.

Over 10,000 Docker Hub images found leaking credentials, auth keys
Date: 2025-12-10
Author: Bleeping Computer

More than 10,000 Docker Hub container images expose data that should be protected, including live credentials to production systems, CI/CD databases, or LLM model keys.
The secrets impact a little over 100 organizations, among them a Fortune 500 company and a major national bank.
Docker Hub is the largest container registry where developers upload, host, share, and distribute ready-to-use Docker images that contain everything necessary to run an application.


ASB-2025.0221 – Microsoft Windows: CVSS (Max): 8.8

Microsoft released a patch for CVE-2025-62456, a high-severity heap-based buffer overflow in Windows ReFS that attackers are exploiting in the wild.

ESB-2025.8916 – Adobe Experience Manager: CVSS (Max): 9.3

Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution.

ESB-2025.8956 – Fortinet Products: CVSS (Max): 9.8

Fortinet has patched two critical flaws that allow attackers to bypass authentication due to improper cryptographic signature verification.
They impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

ESB-2025.9052 – Google Chrome: CVSS (Max): None available when published

Google has issued an emergency Chrome patch to fix a mysterious high-severity zero-day vulnerability that is actively being exploited in the wild, urging all users to update immediately.


Stay safe, stay patched and have a good weekend!

The AUSCERT team