6 Feb 2026
Week in review
Greetings,
Cyber security researchers have identified an active and sophisticated web traffic hijacking campaign that exploits the critical React2Shell vulnerability to silently intercept and redirect legitimate user traffic. Reported by Datadog Security Labs, the campaign demonstrates how a flaw in modern web application frameworks can be leveraged to compromise underlying infrastructure, transforming trusted websites into covert traffic relays for attackers.
The activity centres on React2Shell, tracked as CVE-2025-55182 and assigned a maximum CVSS score of 10.0. The vulnerability allows unauthenticated remote code execution in React Server Components, enabling attackers to gain initial access with a single crafted request. Once inside, threat actors move beyond the application layer and target NGINX web servers, injecting malicious configuration directives that intercept inbound requests and proxy them through attacker-controlled systems before forwarding them to their original destinations.
This approach makes detection particularly challenging, as websites often continue to function normally while user traffic is quietly exposed to monitoring or manipulation. Observed targets include sites using regional Asia-based top-level domains such as .in, .id, .bd, and .th, as well as government and education domains. The campaign is closely associated with hosting environments that rely on the Baota (BT) management panel and Chinese hosting infrastructure.
Researchers also uncovered a modular, multi-stage toolkit designed to ensure persistence, enumerate common NGINX configurations, and generate reports on active traffic redirection rules. Intelligence from GreyNoise indicates that a small number of IP addresses account for a significant proportion of exploitation attempts, delivering payloads ranging from cryptominers to interactive reverse shells.
Ivanti’s EPMM is under active attack, thanks to two critical zero-days
Date: 2026-02-03
Author: CyberScoop
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Attackers are again focusing on a familiar target in the network edge space, actively exploiting two critical zero-day vulnerabilities in Ivanti software that lets administrators set mobile device and application controls.
Critical n8n flaws disclosed along with public exploits
Date: 2026-02-04
Author: Bleeping Computer
Multiple critical vulnerabilities in the popular n8n open-source workflow automation platform allow escaping the confines of the environment and taking complete control of the host server.
Collectively tracked as CVE-2026-25049, the issues can be exploited by any authenticated user who can create or edit workflows on the platform to perform unrestricted remote code execution on the n8n server.
Exposed MongoDB instances still targeted in data extortion attacks
Date: 2026-02-01
Author: Bleeping Computer
A threat actor is targeting exposed MongoDB instances in automated data extortion attacks demanding low ransoms from owners to restore the data.
The attacker focuses on the low-hanging fruit: databases that are insecure because a misconfiguration permits access without restriction. Around 1,400 exposed servers have been compromised, and the ransom note demands about $500 in Bitcoin.
Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package
Date: 2026-02-03
Author: The Hacker News
Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular "@react-native-community/cli" npm package.
Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by JFrog in November 2025.
Popular text editor Notepad++ was hacked to drop malware
Date: 2026-02-03
Author: iTnews
Notepad++, a free open source text and code editor for the Windows operating system, suffered an "infrastructure-level compromise" last year by threat actors seeking to deliver malware to selected users.
A post-mortem of the incident, which began in June 2025 and was reported to Notepad++ by security researchers, suggested that the shared hosting server for the text editor remained compromised until December 2 last year.
ESB-2026.1090 – Splunk SOAR: CVSS (Max): 9.1
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk SOAR version 7.1.0.
ESB-2026.1084 – Cisco Meeting Management: CVSS (Max): 8.8
A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system.
ESB-2026.1074 – IBM Db2 Data Management Console: CVSS (Max): 7.5
Golang Go is vulnerable to a denial of service, caused by a flaw when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
ESB-2026.1072 – Tenable Identity Exposure: CVSS (Max): 7.5
Tenable Identity Exposure leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers.
ESB-2026.1067 – Google Chrome: CVSS (Max): 8.8
This update includes 2 security fixes: High CVE-2026-1861: Heap buffer overflow in libvpx and High CVE-2026-1862: Type Confusion in V8.
Stay safe, stay patched and have a good weekend!
The AUSCERT team