
Overview

  • Meta
  • react-server-dom-webpack

03 Dec 2025
Published
06 Dec 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
27.81%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
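The advisory names the exact package versions affected, which makes an inventory check the first thing to run. The script below is an added example, not code from Meta or the React project: it walks a package-lock.json of lockfileVersion 2 or 3, where every installed package appears under "packages" keyed by its node_modules path, and reports any react-server-dom-parcel, react-server-dom-turbopack or react-server-dom-webpack entry pinned to one of the listed versions. The sample lock embedded in it is constructed; the version 19.2.1 it contains is simply one outside the listed set, not a claim about which release carries the fix.

```python
"""Flag the React Server Components package versions named in the advisory.

Added example, not code from Meta or the React project. Walks the
"packages" map of a lockfileVersion 2/3 package-lock.json and reports the
three react-server-dom-* packages when pinned to a listed version.
The sample lock below is constructed for this demonstration.
"""
import json

VULNERABLE_PACKAGES = {
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "react-server-dom-webpack",
}
# Exact versions listed in the advisory text; nothing else is flagged here.
VULNERABLE_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}


def vulnerable_rsc_packages(lock: dict) -> list:
    """Return sorted (node_modules_path, package_name, version) tuples for hits."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # The package name is whatever follows the last "node_modules/",
        # so nested installs such as node_modules/next/node_modules/x resolve to "x".
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name in VULNERABLE_PACKAGES and version in VULNERABLE_VERSIONS:
            hits.append((path, name, version))
    return sorted(hits)


def check_lockfile(lock_path: str) -> list:
    """Load a real package-lock.json from disk and run the same check."""
    with open(lock_path, encoding="utf-8") as f:
        return vulnerable_rsc_packages(json.load(f))


# Constructed sample lock: two listed versions, one nested install that is
# outside the listed set (19.2.1 is used only as a non-listed value here).
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.1.1"},
    },
}

if __name__ == "__main__":
    for path, name, version in vulnerable_rsc_packages(SAMPLE_LOCK):
        print(f"VULNERABLE {name}@{version} at {path}")
```

Run it against a real lock with check_lockfile("package-lock.json"); a framework such as Next.js usually brings one of these packages in as a transitive dependency, which is why the check looks at every node_modules path rather than only the top level.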

Statistics

  • 19 Posts
  • 7 Interactions

Last activity: 1 hour ago

Fediverse


⚠️ CRITICAL React2Shell RCE (CVSS 10.0, CVE-2025-55182) is being actively exploited! Affects React Server Components & frameworks (Next.js, Vite, etc). Patch to React 19.0.1+ ASAP. Monitor for AWS credential theft & miner activity. radar.offseq.com/threat/critic

  • 0
  • 1
  • 0
  • 23h ago

Cloudflare's outage of 5 December 2025 caused by the React Server patches. The technical analysis

Cloudflare recorded a significant outage on the morning of 5 December 2025, when at 08:47 UTC part of its infrastructure began generating internal errors. The incident, which lasted about 25 minutes in total, ended at 09:12 with the full restoration of services.

According to the company, roughly 28% of the HTTP traffic it handles globally was involved. The impact was limited to customers using a specific combination of configurations, as its engineers explained.

Cloudflare clarified that the disruption was not linked to any hostile activity: no cyber attack, intrusion attempt or malicious behaviour contributed to the event. The cause was instead an update introduced to mitigate a recently disclosed vulnerability in React Server Components, identified as CVE-2025-55182.

How the incident came about

The outage originated from a change to the system that analyses HTTP request bodies, part of the measures adopted to protect users of React-based applications. The change raised the Web Application Firewall's (WAF) internal memory buffer from 128 KB to 1 MB, a value that matches the default limit in the Next.js framework.

This first change was deployed with a gradual rollout. During the deployment, engineers found that an internal WAF testing tool was not compatible with the new limit. Judging that component unnecessary for real traffic, Cloudflare proceeded with a second change intended to disable it.

It was this second change, distributed through the global configuration system, which does not provide for gradual rollouts, that set off the chain of events leading to the HTTP 500 errors. The system reached every server on the network within seconds.

At that point, a particular version of the FL1 proxy found itself executing a piece of Lua code containing a latent bug. The result was that processing of some requests stalled and the affected servers returned 500 errors.

Who was affected

Those affected, Cloudflare's engineers report, were customers using the FL1 proxy together with the Cloudflare Managed Ruleset. Requests to sites configured this way began to respond with 500 errors, with very few exceptions (such as some test endpoints, for example /cdn-cgi/trace).

Customers using different configurations, or those served by Cloudflare's network operating in China, were not affected.

The technical cause

The problem was traced back to how the rule system used by the WAF works. Some rules, through the "execute" action, trigger the evaluation of additional rule sets. The killswitch system, used to quickly disable problematic rules, had never before been applied to a rule with the "execute" action.

When the change disabled the test set, the system correctly skipped execution of the rule, but did not handle the absence of the "execute" object in the subsequent results-processing phase. Hence the Lua error that generated the HTTP 500s.

Cloudflare specified that this bug does not exist in the FL2 proxy, written in Rust, thanks to its different type system, which avoids these scenarios.

Link to the 18 November incident

The company recalled that a similar dynamic had occurred on 18 November 2025, when another, unrelated change caused a widespread malfunction. Following that episode, several projects had been announced to make configuration updates safer and reduce the impact of individual errors.

Among the initiatives still in progress are:

  • a stricter versioning and rollback system,
  • "break glass" procedures to keep critical functions operational even under exceptional conditions,
  • fail-open handling in cases of configuration error.

Cloudflare admitted that, had these measures already been fully operational, the impact of the 5 December incident could have been smaller. For the time being, the company has suspended all changes to the network until the new mitigation systems are complete.

Essential timeline of the event (UTC)

  • 08:47 – Incident begins after the configuration change propagates
  • 08:48 – Impact extends to the whole affected part of the network
  • 08:50 – Internal alerting flags the problem
  • 09:11 – Configuration change reverted
  • 09:12 – Traffic fully restored

Cloudflare reiterated its apologies to customers and confirmed that it would publish, within the following week, a full analysis of the projects under way to improve the resilience of its entire infrastructure.

The article Cloudflare's outage of 5 December 2025 caused by the React Server patches. The technical analysis comes from Red Hot Cyber.

  • 0
  • 0
  • 0
  • 17h ago
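The post-mortem summarised in the post above describes a results phase that assumed every "execute" rule had produced a result, and lists fail-open handling among the fixes. What follows is an added Python model of that failure mode, not Cloudflare's Lua or Rust code: a toy rule engine in which an execute rule evaluates a nested ruleset, a killswitch skips a rule by id, and two versions of the results phase read the nested result back. The rules, the request shape and the mapping to status codes are constructed for the demonstration.

```python
"""Model of the killswitch-on-an-execute-rule failure mode.

Added example, not Cloudflare code. Phase 1 evaluates rules and records one
result entry per rule that actually ran; a killswitched rule records nothing.
Phase 2 reads those results back. The naive version assumes an entry exists
for every execute rule and fails when one is missing (the analogue of the
Lua error that surfaced as HTTP 500); the fail-open version treats a missing
entry as "rule did not run". Rules and request are constructed.
"""


def run_rules(rules, request, killswitch=frozenset()):
    """Phase 1: evaluate rules; execute rules recurse into their nested ruleset."""
    results = {}
    for rule in rules:
        if rule["id"] in killswitch:
            continue  # skipped: no result entry is written for this id
        if rule["action"] == "execute":
            results[rule["id"]] = {"execute": run_rules(rule["ruleset"], request, killswitch)}
        else:
            results[rule["id"]] = {"matched": rule["match"](request)}
    return results


def decide_naive(rules, results):
    """Phase 2 as originally written: every execute rule must have a result."""
    for rule in rules:
        if rule["action"] == "execute":
            nested = results[rule["id"]]["execute"]  # KeyError if killswitched
            if decide_naive(rule["ruleset"], nested) == "block":
                return "block"
        elif results[rule["id"]]["matched"] and rule["action"] == "block":
            return "block"
    return "allow"


def decide_fail_open(rules, results):
    """Phase 2 hardened: no result entry means the rule did not run, move on."""
    for rule in rules:
        entry = results.get(rule["id"])
        if entry is None:
            continue
        if rule["action"] == "execute":
            if decide_fail_open(rule["ruleset"], entry["execute"]) == "block":
                return "block"
        elif entry["matched"] and rule["action"] == "block":
            return "block"
    return "allow"


def handle(rules, request, killswitch, decide):
    """Return an HTTP status: 200 allow, 403 block, 500 when phase 2 blows up."""
    results = run_rules(rules, request, killswitch)
    try:
        verdict = decide(rules, results)
    except KeyError:
        return 500
    return 403 if verdict == "block" else 200


# Constructed ruleset: an execute rule wrapping a test-tool check, plus one
# ordinary block rule. Thresholds and patterns are illustrative only.
MANAGED_RULESET = [
    {"id": "test-tool", "action": "execute", "ruleset": [
        {"id": "test-big-body", "action": "block",
         "match": lambda r: len(r["body"]) > 1_048_576},
    ]},
    {"id": "sqli-basic", "action": "block",
     "match": lambda r: "' or 1=1" in r["body"].lower()},
]
BENIGN = {"path": "/", "body": "hello"}
HOSTILE = {"path": "/login", "body": "x' OR 1=1 --"}

if __name__ == "__main__":
    off = frozenset({"test-tool"})
    print("no killswitch, naive:   ", handle(MANAGED_RULESET, BENIGN, frozenset(), decide_naive))
    print("killswitch, naive:      ", handle(MANAGED_RULESET, BENIGN, off, decide_naive))
    print("killswitch, fail-open:  ", handle(MANAGED_RULESET, BENIGN, off, decide_fail_open))
    print("killswitch, fail-open, hostile:", handle(MANAGED_RULESET, HOSTILE, off, decide_fail_open))
```

The point of the fail-open variant is that a configuration operation (disabling a rule) can no longer turn into a data-plane error: the remaining rules still run, so the hostile request is still blocked while benign traffic is no longer met with a 500.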

Bonus Drop #104 (2025-12-06): Places, Pages, And Packets

Digging Coordinates; Gitmal; A Different Kind Of Packets For IPv6

This has been a week. My entire Thursday and Friday were consumed with React2Shell. If you have no idea what that is, don’t click the link. You are better off being in blissful ignorance of this most recent tech debacle. If, however, you like chaos, this is being updated a couple of times a day.

So, I’m chillin’ as much as possible this weekend, which leaves plenty of time to make up for two missed Drops with what is hopefully a solid Bonus Drop.


TL;DR

(This is an LLM/GPT-generated summary of today’s Drop. This week, I have been — for lack of a better word — forced into using Gemini, so today’s summary was provided by that model. Sigh.)

  • The LOC DNS record, defined in RFC 1876 in 1996, allows for publishing the geographical coordinates (latitude, longitude, and altitude) of hosts, networks, and subnets, although its adoption is limited as most systems prefer IP geolocation databases for scale and privacy concerns (https://www.rfc-editor.org/rfc/rfc1876.html).
  • Gitmal is a fast, theme-supported tool for self-hosting Git repositories that generates browseable file trees, nicely rendered markdown, and commit history pages, providing a much prettier alternative to the default rendered git pages (https://github.com/antonmedv/gitmal).
  • A new IETF draft proposes allocating the IPv6 address block 44::/16 to the amateur radio (ham) community to replace their historical 44.0.0.0/8 IPv4 allocation, preserving their globally coordinated and routable address space for non-commercial and emergency communications (https://datatracker.ietf.org/doc/draft-ursini-44net-ipv6-allocation/).

Digging Coordinates


We Drop denizens loves us some RFCs, and way back in the before-times (in this case, January 1996), some smart, adorable technologists thought it would be a great idea to lay the foundations for our modern surveillance state by introducing a means of telling the world exactly where your “thing” was with a DNS record. Said record is LOC, and is intended to “describe a mechanism to allow the DNS to carry location information about hosts, networks, and subnets. Such information for a small subset of hosts is currently contained in the flat-file UUCP maps. However, just as the DNS replaced the use of HOSTS.TXT to carry host and network address information, it is possible to replace the UUCP maps as carriers of location information.”

Thankfully, nobody really adopted use of LOC, since most systems that care about geography rely on IP geolocation databases (like MaxMind) instead of asking DNS for coordinates. It’s just easier to manage that data at scale and fits how routing and targeting are typically done. There’s also a real hesitation to publish precise latitude, longitude, and altitude in public DNS, since that can create privacy or security headaches. And for most services, exact physical coordinates just aren’t that useful anyway: CDNs and other geo-aware systems usually make decisions based on IP-derived signals, not “this server is at these coordinates.” One more practical detail is that the LOC record’s defining document, RFC 1876, was published as experimental rather than as a full Internet standard, which tends to limit adoption. That said, LOC records do show up occasionally in niche situations, like internal network documentation and mapping, novelty “Easter egg” uses, or specialized cases where someone has a specific reason to publish precise location data in DNS.

There are a handful of them out there, and bo0tzz decided to map them all. One of them is even set up by my state (O_o):


Full source is available, and the folks working on it have even bothered to credit Claude (so, if “AI”-assisted coding and resultant apps are anathema to you, you can avoid tapping any of the links).

Gitmal


I’m seeing a very positive trend in the increasing number of clever folks abandoning GitHub. Many of them are going to Codeberg, with a smattering of others picking different new homes. However, we’ve noted on many an occasion that you can just use SSH to keep a remote Git repo up-to-date and rely solely on self-hosting. This puts more of a burden on you for things like CI/CD, but at least Git-proper comes with some tooling to generate websites so you and others can use a browser to introspect the source and other artifacts.

However, the default rendered git pages are not exactly easy on the eyes.

While there are many “git pages” generators to pick from if you want prettier output, Gitmal is a relatively recent one that is fast, has support for scads of themes, and focuses on the core problem to solve:

$ gitmal -h
Usage: gitmal [options] [path ...]
  -branches string
        Regex for branches to include
  -default-branch string
        Default branch to use (autodetect master or main)
  -gzip
        Compress all generated HTML files
  -minify
        Minify all generated HTML files
  -name string
        Project name
  -output string
        Output directory for generated HTML files (default "output")
  -owner string
        Project owner
  -preview-themes
        Preview available themes
  -theme string
        Style theme (default "github")

When you run the main command, it scans your local repository and automatically generates pages for everything: a browseable file tree, nicely rendered markdown for your READMEs, and syntax-highlighted code for all your source files. It even creates pages to walk through the commit history of the repository, making the whole timeline super easy to explore.

While it’s designed to work out of the box, you have plenty of ways to tailor the output to your specific needs (as evidenced by the help block, above). Say you want to make sure your site loads as fast as possible. You can use the -minify option to shrink the HTML files and the -gzip option to create compressed versions. For aesthetics, gitmal defaults to a familiar “github” style theme, but you can easily pick a different one using the -theme option, or even use the -preview-themes flag to see all the available looks before you decide (it’ll give you a localhost URL to hit to preview them).

Did I mention it’s fast?

$ time gitmal \
  --default-branch=batman \
  --output /tmp/ja4-mcp \
  -minify \
  -name "JA4 MCP Server" \
  -owner "hrbrmstr" \
  -theme=evergarden
> JA4 MCP Server: 1 branches, 0 tags, 2 commits
> [1/1] JA4 MCP Server@batman
[########################]   16/16   (100%) blobs for batman
[########################]    1/1    (100%) lists for batman
[########################]    1/1    (100%) commits for batman
> generating commits...
[########################]    2/2    (100%) commits
> post-processing HTML...
[########################]   23/23   (100%) minify

real    0.26s
user    0.53s
sys     0.27s

You can preview that at https://rud.is/gitmal/ja4-mcp/.

This is also a well-organized and well-crafted Golang project, so I also recommend poking at the source if you’re even just a tad Go-curious.

A Different Kind Of Packets For IPv6

Photo by Manuel Moutinho on Pexels.com

There’s a quiet corner of the Internet that’s built entirely on goodwill, volunteer effort, and radio waves. It’s the world of amateur radio, or ham radio, and its operators have been networking long before most folks ever heard the term. Back in the early 1980s, when the modern internet was just being stitched together, these pioneers were given a huge gift: the entire IPv4 address block of 44.0.0.0/8. That’s sixteen million addresses, known as 44Net, dedicated solely to non-commercial experimentation, education, and public service communications carried over radio links. It was a globally unified digital playground that helped the Internet grow up.

Fast forward four decades, and things are quite different. We’ve run out of those original IPv4 addresses, and the internet has largely (I’m being generous) shifted to the much, much larger address space of IPv6. This shift has created a problem for the ham community. Their special, globally coordinated address space has no equivalent in the IPv6 world.

That’s where a new IETF draft proposal steps in. It asks for a specific allocation from the IPv6 global pool: the block known as 44::/16. Choosing the number 44 is a clear nod to their legacy, and provides a way of preserving the community’s identity as they transition into the future.

The idea is super straightforward: just as they had a single, recognizable address space for IPv4, they need one for IPv6. This is crucial because, unlike your home network, amateur radio networks often need to be globally routable and publicly reachable so they can interconnect, facilitate research, and provide crucial communications during emergencies or disasters. Isolating them onto non-routable, private addresses would defeat the whole purpose of their long-standing work.

But making this request today is complicated. The process for handing out addresses has changed drastically since the 1980s. Now, most allocations go through the Regional Internet Registries, or RIRs, which manage addresses in different parts of the world. The proposal doesn’t want to bypass the RIRs entirely; instead, it asks IANA, the global coordinator, to reserve the 44::/16 block and then distribute it through the RIRs under a common policy framework. This is their way of trying to maintain that global cohesion and consistency—a single block that means “amateur radio” everywhere—without undermining the current governance structure.

The request has definitely sparked some interesting conversations within the technical community. It brings up questions about whether an organization can ask for a block with such specific historical and social context when the modern system is designed for broad, regional distribution. However, the proposal’s heart is in the right place. Ensuring that a dedicated, non-commercial community of tinkerers, educators, and first-responders can continue their important work in the IPv6 era is, IMO, a worthy goal/mission.

If you’re interested in this effort or want to tap into it, just start following the working group comms and, perhaps, offer up some of your own opines.

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on:

  • 🐘 Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev
  • 🦋 Bluesky via https://bsky.app/profile/dailydrop.hrbrmstr.dev.web.brid.gy

☮️

  • 0
  • 0
  • 0
  • 13h ago

CVE-2025-55182
CVSS score of 10 (maximum possible)

  • 0
  • 0
  • 0
  • 12h ago

Coreruleset patch to block (some?) CVE-2025-55182 exploit attempts:

github.com/coreruleset/corerul

#CVE_2025_55182 #modsecurity #coreruleset #react2shell

  • 0
  • 0
  • 0
  • 8h ago

Bluesky

The critical React2Shell flaw has been added to #CISA's KEV catalogue after confirmed active exploitation. This vulnerability (CVE-2025-55182, CVSS score 10.0) allows remote code execution. 🔐⚠️ #CyberSecurity #IAÉthique #IA2025 https://kntn.ly/499299c6
  • 0
  • 3
  • 0
  • 9h ago
NextJS Under Siege: How CVE-2025-55182 Exploits Are Flooding Honeypots and How to Secure Your Stack Introduction: A critical zero-day vulnerability in NextJS, identified as CVE-2025-55182, is being actively exploited in the wild, with cybersecurity firms reporting attack waves originating from…
  • 0
  • 1
  • 0
  • 22h ago
CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far www.greynoise.io/blog/cve-202...
  • 0
  • 1
  • 0
  • 20h ago
📌 Critical RCE Vulnerability in React and Next.js: CVE-2025-55182 Poses Major Threat https://www.cyberhub.blog/article/16478-critical-rce-vulnerability-in-react-and-nextjs-cve-2025-55182-poses-major-threat
  • 0
  • 1
  • 0
  • 2h ago
https://zenn.dev/storehero/articles/15636985eb876c An article about the React Server Components (RSC) vulnerability. Reported as CVE-2025-55182, it is rated CVSS 10.0 (Critical). Since it can lead to remote code execution where RSC is in use, prompt action is recommended.
  • 0
  • 0
  • 0
  • 17h ago
The React RCE Nightmare: Why CVE-2025-55182 Is Your Wake-Up Call and How to Scan Your 55 Million Potential Targets Introduction: A critical Remote Code Execution (RCE) vulnerability, CVE-2025-55182, has been disclosed in React Server Components, threatening over 55 million live React sites. This…
  • 0
  • 0
  • 0
  • 16h ago
Max-severity vulnerability in React, Node.js patched, update ASAP (CVE-2025-55182) - Help Net Security www.helpnetsecurity.com/2025/12/04/r...
  • 0
  • 0
  • 0
  • 15h ago
📌 Critical React2Shell Vulnerability (CVE-2025-55182) Actively Exploited by China-Linked Threat Actors https://www.cyberhub.blog/article/16461-critical-react2shell-vulnerability-cve-2025-55182-actively-exploited-by-china-linked-threat-actors
  • 0
  • 0
  • 0
  • 12h ago
React2Shell: How a Single Deserialization Flaw in React 19 Can Hand Over Your Server Shell to Hackers Introduction: The discovery of CVE-2025-55182, dubbed "React2Shell," has sent shockwaves through the web application security community. This critical vulnerability, residing in the React Server…
  • 0
  • 0
  • 0
  • 8h ago
React2Shell Unleashed: How a Single HTTP Request Can Give You Full Remote Code Execution (And How to Stop It) Introduction: In December 2025, the cybersecurity landscape was shaken by the disclosure of CVE-2025-55182, dubbed "React2Shell." With a maximum CVSS score of 10.0, this critical…
  • 0
  • 0
  • 0
  • 6h ago
CISA adds one known exploited vulnerability to its catalog / CISA Adds One Known Exploited Vulnerability to Catalog #CISA (Dec 5) CVE-2025-55182 Meta React Server Components remote code execution vulnerability www.cisa.gov/news-events/...
  • 0
  • 0
  • 0
  • 4h ago
China-linked hacker groups exploited the React Server Components vulnerability React2Shell (CVE-2025-55182) on the day it was disclosed, AWS warns rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #サイバー攻撃
  • 0
  • 0
  • 0
  • 1h ago
BREAKING: React2Shell Exploit Unleashes Hell on Nextjs Apps – Here’s How to Hack and Harden Your Systems Introduction: CVE-2025-55182, dubbed "React2Shell," is a critical deserialization vulnerability in certain Next.js deployments that allows remote code execution (RCE) via server-side React…
  • 0
  • 0
  • 0
  • 1h ago
📌 High Fidelity Detection Mechanism for RSC/Next.js RCE Vulnerabilities: Analysis of CVE-2025-55182 and CVE-2025-66478 https://www.cyberhub.blog/article/16450-high-fidelity-detection-mechanism-for-rscnextjs-rce-vulnerabilities-analysis-of-cve-2025-55182-and-cve-2025-66478
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • Apache Software Foundation
  • Apache Tika core
  • org.apache.tika:tika-core

04 Dec 2025
Published
05 Dec 2025
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
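XFA is XML carried inside a PDF, and the flaw described is classic XXE: an external entity declared in the document's DTD gets resolved by the parser, pulling local files or internal URLs into the parse. The following is an added Python example, not Apache Tika code and not its fix; it shows the parser-level control that stops the class of bug regardless of which module the XML arrives through. It uses the standard library expat parser with an external-entity handler that records the URI and aborts instead of fetching it. The two XFA-like documents are constructed for the demonstration.

```python
"""Refuse external entities while parsing XML.

Added example, not Apache Tika code. Registers an ExternalEntityRefHandler
on the standard library expat parser; returning 0 from that handler makes
expat abort the parse instead of resolving the entity, so the URI is never
fetched. The XFA-like documents below are constructed for this demonstration.
"""
import xml.parsers.expat as expat


def parse_blocking_xxe(data: bytes):
    """Parse `data`; return (collected_text, external_uris_seen).

    On a clean document the second element is []. If the document references
    an external entity the parse is aborted at that point, the text so far is
    discarded, and the system identifier it tried to resolve is reported.
    """
    parser = expat.ParserCreate()
    text = []
    external = []

    def on_external_ref(context, base, system_id, public_id):
        external.append(system_id)
        return 0  # 0 = refuse: expat raises instead of resolving the entity

    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        if external:
            return "", external  # aborted on the first external reference
        raise  # genuinely malformed XML, not an XXE attempt
    return "".join(text).strip(), external


# Constructed XFA-like form data, as would sit inside a PDF's XFA stream.
CLEAN_XFA = b"""<?xml version="1.0"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <form><field name="applicant">Jane Doe</field></form>
</xdp:xdp>"""

# Same shape, with an external general entity declared in the internal DTD
# subset and referenced from field content (the constructed XXE case).
XXE_XFA = b"""<?xml version="1.0"?>
<!DOCTYPE xdp [ <!ENTITY leak SYSTEM "file:///etc/hostname"> ]>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <form><field name="applicant">&leak;</field></form>
</xdp:xdp>"""

if __name__ == "__main__":
    print(parse_blocking_xxe(CLEAN_XFA))
    print(parse_blocking_xxe(XXE_XFA))
```

The same idea applies to the Java parsers Tika builds on: disable external general and parameter entities and DTD loading on the factory before any untrusted XFA, OOXML or other embedded XML is parsed, rather than relying on each caller to remember.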

Statistics

  • 3 Posts

Last activity: 4 hours ago

Bluesky

📌 Critical XXE Vulnerability (CVE-2025-66516) in Apache Tika with CVSS 10.0 Score Affects Multiple Modules https://www.cyberhub.blog/article/16449-critical-xxe-vulnerability-cve-2025-66516-in-apache-tika-with-cvss-100-score-affects-multiple-modules
  • 0
  • 0
  • 0
  • 19h ago
Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch thehackernews.com/2025/12/crit...
  • 0
  • 0
  • 0
  • 16h ago
Critical XXE bug CVE-2025-66516 (CVSS 10.0) affects Apache Tika, urgent patch required / Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch #HackerNews (Dec 5) thehackernews.com/2025/12/crit...
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • PgBouncer

03 Dec 2025
Published
03 Dec 2025
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.06%

KEV

Description

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
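The description says the vector is a search_path parameter carried in the client's StartupMessage. The hazard is the usual untrusted-search-path one: an auth_query written with unqualified object names resolves them through whatever schema list is in effect, so a search_path chosen by a client that has not yet authenticated must never reach the connection on which the pooler runs that query. The following is an added Python example, not PgBouncer code and not its 1.25.1 fix: it encodes and decodes the v3 StartupMessage (int32 length, int32 protocol version 0x00030000, NUL-terminated key/value pairs, final NUL) and applies the filter a pooler needs before reusing client startup parameters on its auth_query connection. The sample parameters and the treatment of an `options` parameter are constructed assumptions.

```python
"""PostgreSQL v3 StartupMessage codec plus a parameter filter for the
connection that runs auth_query.

Added example, not PgBouncer code. Wire format: int32 length (including
itself), int32 protocol version 0x00030000, then "key\0value\0" pairs and
a terminating NUL. Sample parameters are constructed for this demonstration.
"""
import struct

PROTOCOL_V3 = 0x00030000


def encode_startup(params: dict) -> bytes:
    """Build a StartupMessage from a dict of startup parameters."""
    body = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in params.items())
    payload = struct.pack("!I", PROTOCOL_V3) + body + b"\0"
    return struct.pack("!I", len(payload) + 4) + payload


def decode_startup(msg: bytes) -> dict:
    """Parse a StartupMessage back into its parameter dict; strict on framing."""
    if len(msg) < 9:
        raise ValueError("StartupMessage too short")
    length, version = struct.unpack("!II", msg[:8])
    if length != len(msg) or version != PROTOCOL_V3:
        raise ValueError("not a v3 StartupMessage")
    body = msg[8:]
    if not body.endswith(b"\0"):
        raise ValueError("unterminated StartupMessage")
    parts = body[:-1].split(b"\0")
    if parts[-1] != b"":
        raise ValueError("malformed parameter list")
    parts = parts[:-1]
    if len(parts) % 2:
        raise ValueError("odd number of fields in parameter list")
    return {parts[i].decode(): parts[i + 1].decode() for i in range(0, len(parts), 2)}


def params_for_auth_query(client_params: dict) -> dict:
    """Copy of the client's startup parameters that is safe to reuse on the
    connection that runs auth_query: search_path is dropped, and an
    `options` string that tries to set it is refused outright.
    (Constructed policy; it is not PgBouncer's own handling.)"""
    safe = {}
    for key, value in client_params.items():
        if key.lower() == "search_path":
            continue  # never let an unauthenticated client pick the schema list
        if key == "options" and "search_path" in value.replace(" ", "").lower():
            raise ValueError("options parameter attempts to set search_path")
        safe[key] = value
    return safe


if __name__ == "__main__":
    # Constructed client startup carrying a client-chosen search_path.
    msg = encode_startup({"user": "app", "database": "app", "search_path": "evil,public"})
    client = decode_startup(msg)
    print("client sent:     ", client)
    print("used for auth_query:", params_for_auth_query(client))
```

Schema-qualifying every object in auth_query (pg_catalog.pg_shadow, or a dedicated function called by its full name) is the complementary defence on the SQL side; the filter above is what a proxy can enforce on the wire regardless of how the query was written.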

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 15 hours ago

Bluesky

CVE-2025-12819 Untrusted search path in auth_query connection in PgBouncer scq.ms/4pS7hkQ #MicrosoftSecurity #cybersecurity
  • 0
  • 1
  • 0
  • 15h ago

Overview

  • Linux
  • Linux

04 Dec 2025
Published
06 Dec 2025
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved: pidfs: validate extensible ioctls Validate extensible ioctls stricter than we do now.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 19 hours ago

Bluesky

CVE-2025-40217 pidfs: validate extensible ioctls scq.ms/4pYzKpj #MicrosoftSecurity #cybersecurity
  • 0
  • 1
  • 0
  • 19h ago

Overview

  • Palo Alto Networks
  • PAN-OS

12 Apr 2024
Published
21 Oct 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
94.30%

Description

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Statistics

  • 1 Post

Last activity: 18 hours ago

Fediverse


Palo Alto Networks GlobalProtect is under active scanning. Enable MFA!

An increasingly aggressive campaign, aimed directly at remote-access infrastructure, has led threat actors to actively attempt to exploit vulnerabilities in Palo Alto Networks GlobalProtect VPN portals.

On 5 December Palo Alto Networks issued an urgent advisory, urging customers to adopt multi-factor authentication (MFA), to limit the portal's exposure via firewall and to apply the latest patches.

Based on the findings of the monitoring report by GreyNoise, which detected scanning and exploitation efforts from over 7,000 unique IP addresses worldwide, organisations that use the popular VPN solution to secure remote work have been put on alert.

Targeting observed by IP (source: GreyNoise)

Starting in late November 2025, attacks exploiting vulnerabilities in GlobalProtect gateways have been detected, especially those publicly reachable through UDP port 4501.

Palo Alto Networks GlobalProtect has long been a prime target because of its ubiquity in enterprise environments. Historical flaws such as CVE-2024-3400 (a critical command injection vulnerability fixed in April 2024, CVSS score 9.8) continue to haunt systems that have not yet been patched.

The recent waves exploit misconfigurations that allow pre-authentication access, including default credentials or exposed admin portals. Attackers use tools such as custom scripts that mimic Metasploit modules to enumerate portals, brute-force logins and drop malware for persistence.

According to data from Shadowserver and other threat-intelligence feeds, the source IPs include residential proxies, bulletproof hosting providers and compromised VPS instances in Asia, Europe and North America.

Indicators of compromise include anomalous spikes in UDP traffic on port 4501, followed by HTTP requests to the /global-protect/login.urd endpoints. In confirmed breaches, intruders exfiltrated session tokens, enabling lateral movement in corporate networks.

The article Palo Alto Networks GlobalProtect is under active scanning. Enable MFA! comes from Red Hot Cyber.

  • 0
  • 0
  • 0
  • 18h ago
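The post above gives two indicators that are only meaningful together: a burst of UDP/4501 traffic from one source, followed by HTTP requests to the GlobalProtect login path from the same source. The script below is an added detection example, not code from GreyNoise, Shadowserver or Palo Alto Networks. It counts UDP/4501 records per source in firewall logs, collects the sources that requested anything under /global-protect/ in the portal access log, and reports the overlap above a burst threshold. Both log formats, the threshold and every line are constructed for the demonstration; the sample path uses the portal's login.esp page, and the check matches on the directory prefix so that whichever entry point is hit is caught. Fit the two regexes to your real log schemas.

```python
"""Correlate UDP/4501 bursts with GlobalProtect portal requests per source.

Added example, not vendor or researcher code. Log formats, threshold and
sample lines are constructed for this demonstration.
"""
import re
from collections import Counter

# Constructed firewall record format: "<ts> <proto> <src>:<sport> -> <dst>:<dport>"
FW_RE = re.compile(r"^(?P<ts>\S+) UDP (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$")
# Constructed portal access-log format: "<src> <method> <path> <status>"
WEB_RE = re.compile(r"^(?P<src>[\d.]+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

FW_LOG = """\
2025-12-05T08:00:01Z UDP 203.0.113.7:40001 -> 198.51.100.2:4501
2025-12-05T08:00:01Z UDP 203.0.113.7:40002 -> 198.51.100.2:4501
2025-12-05T08:00:02Z UDP 203.0.113.7:40003 -> 198.51.100.2:4501
2025-12-05T08:00:02Z UDP 203.0.113.7:40004 -> 198.51.100.2:4501
2025-12-05T08:00:09Z UDP 192.0.2.44:51000 -> 198.51.100.2:4501
2025-12-05T08:00:10Z TCP 203.0.113.7:40100 -> 198.51.100.2:443
"""
WEB_LOG = """\
203.0.113.7 GET /global-protect/login.esp 200
192.0.2.44 GET /global-protect/login.esp 200
198.51.100.9 GET /global-protect/portal/css/login.css 200
10.20.30.40 GET /healthz 200
"""


def udp4501_counts(fw_lines) -> Counter:
    """UDP/4501 connection records per source address."""
    counts = Counter()
    for line in fw_lines:
        m = FW_RE.match(line.strip())
        if m and m.group("dport") == "4501":
            counts[m.group("src")] += 1
    return counts


def portal_sources(web_lines) -> set:
    """Sources that requested any path under /global-protect/."""
    sources = set()
    for line in web_lines:
        m = WEB_RE.match(line.strip())
        if m and m.group("path").startswith("/global-protect/"):
            sources.add(m.group("src"))
    return sources


def suspicious_sources(fw_lines, web_lines, burst_threshold: int = 3) -> list:
    """(source, udp_count) for sources at or above the burst threshold that also
    hit the portal over HTTP, highest UDP volume first. Threshold is illustrative."""
    udp = udp4501_counts(fw_lines)
    web = portal_sources(web_lines)
    hits = [(src, n) for src, n in udp.items() if n >= burst_threshold and src in web]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in suspicious_sources(FW_LOG.splitlines(), WEB_LOG.splitlines()):
        print(f"{src}: {n} UDP/4501 records, then portal login requests")
```

On real data the burst threshold should be derived from the baseline for that gateway (legitimate clients also speak UDP/4501 once tunnels are up), and the correlation window should be bounded in time rather than spanning the whole log as this sample does.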

Overview

  • roselldk
  • WebP Express

04 Dec 2025
Published
04 Dec 2025
Updated

CVSS v3.1
MEDIUM (5.3)
EPSS
0.04%

KEV

Description

The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse


Moved from webp-express to avif-express on my Wordpress site because the former has a security vulnerability (CVE-2025-11379) and looks unmaintained.

#CVE_2025_11379 #webp #avif #wordpress

  • 0
  • 0
  • 0
  • 9h ago

Overview

  • UTT
  • 进取 520W

06 Dec 2025
Published
06 Dec 2025
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.04%

KEV

Description

A flaw has been found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formArpBindConfig. Executing manipulation of the argument pools can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse


🔎 CVE-2025-14141: HIGH severity buffer overflow in UTT 进取 520W (v1.7.7-180627) via /goform/formArpBindConfig. No patch; public exploit available. Isolate devices, restrict access, monitor traffic. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • Cacti
  • cacti

02 Dec 2025
Published
02 Dec 2025
Updated

CVSS v4.0
HIGH (7.4)
EPSS
0.07%

KEV

Description

Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29.
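The description turns on one mechanism: a stored community string containing a newline is later handed to tooling that reads newline-separated tokens as command boundaries. The following is an added Python example, not Cacti code and not its 1.2.29 fix. A toy wrapper shows how the stored value becomes a second command line, and a validator rejects control characters before the value is stored. The command template and the inputs are constructed.

```python
"""Community-string validation against control-character injection.

Added example, not Cacti code. naive_wrapper_commands() mimics a wrapper
that builds a shell script from stored values and splits it on newlines;
community_problems() is the input check that keeps such values out of the
database. Command template and sample inputs are constructed.
"""
import re

# SNMP community strings are octet strings, but a management UI has no
# reason to accept NUL, CR, LF or any other control character in one.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def community_problems(community: str, max_len: int = 64) -> list:
    """Reasons the community string must be rejected; [] means accept."""
    problems = []
    if not community:
        problems.append("empty")
    if len(community) > max_len:
        problems.append(f"longer than {max_len} characters")
    if _CONTROL.search(community):
        problems.append("contains control characters")
    return problems


def naive_wrapper_commands(community: str, host: str) -> list:
    """What a wrapper that renders a command and splits it on newlines would
    run: every physical line becomes its own command line."""
    script = f"snmpget -v2c -c {community} {host} sysName.0"
    return script.splitlines()


def store_community(community: str, host: str) -> list:
    """Validate first; only then render the command. Raises on bad input."""
    problems = community_problems(community)
    if problems:
        raise ValueError("; ".join(problems))
    return naive_wrapper_commands(community, host)


if __name__ == "__main__":
    print(naive_wrapper_commands("public", "10.0.0.5"))
    print(naive_wrapper_commands("public\nid", "10.0.0.5"))  # two command lines
    print(community_problems("public\nid"))
```

Validation here is the belt; the braces are never rendering untrusted values into a line-oriented script at all, and invoking SNMP tooling with an argument vector (no shell, no script) so that a stray newline stays inside one argument.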

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

High-Severity Cacti Flaw (CVE-2025-66399) Risks Remote Code Execution via SNMP Community String Injection
  • 0
  • 0
  • 0
  • 18h ago

Overview

  • Linux
  • Linux

04 Dec 2025
Published
04 Dec 2025
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved:

fuse: fix livelock in synchronous file put from fuseblk workers

I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server:

  # cat /proc/372265/task/372313/stack
  [<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
  [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
  [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse]
  [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse]
  [<0>] aio_read+0x130/0x1e0
  [<0>] io_submit_one+0x542/0x860
  [<0>] __x64_sys_io_submit+0x98/0x1a0
  [<0>] do_syscall_64+0x37/0xf0
  [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53

But the /weird/ part is that the fuseblk server threads are waiting for responses from itself:

  # cat /proc/372210/task/372232/stack
  [<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
  [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
  [<0>] fuse_file_put+0x9a/0xd0 [fuse]
  [<0>] fuse_release+0x36/0x50 [fuse]
  [<0>] __fput+0xec/0x2b0
  [<0>] task_work_run+0x55/0x90
  [<0>] syscall_exit_to_user_mode+0xe9/0x100
  [<0>] do_syscall_64+0x43/0xf0
  [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53

The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that:

"By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion)."

Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task.

When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command synchronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands.

Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why.

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

CVE-2025-40220 fuse: fix livelock in synchronous file put from fuseblk workers scq.ms/3Y9co46 #SecQube #MicrosoftSecurity
  • 0
  • 0
  • 0
  • 23h ago

Overview

  • kingaddons
  • King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor

31 Oct 2025
Published
01 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.13%

KEV

Description

The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse


Security researchers reveal critical security vulnerability in King Addons for Elementor WordPress plugin

Vulnerability:
CVE-2025-8489 - Improper validation of user roles during registration

Impact:
- Allows attackers to register themselves with admin role and gain full control of the website

Remediation: Update to a fixed version ASAP

#cybersecurity #WordPress #KingAddons #vulnerabilitymanagement

thehackernews.com/2025/12/word

  • 0
  • 0
  • 0
  • 9h ago
Showing 1 to 10 of 20 CVEs