Missed this yesterday - Google TIG published what they've been seeing on React2Shell.

Dovetails with @hrbrmstr 's tireless work lately.

#threatintel

https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182

VulnCheck analyzed several hundred #React2Shell CVE-2025-55182 exploits so you don't have to!

Amid all the slop (and there's so, so much slop) were some interesting finds that understandably escaped attention, including an early in-memory webshell variant, a PoC with logic that loads the Godzilla webshell, and a repo that deploys a lightweight WAF to block React2Shell payloads entirely (!)

@albinolobster wrote about exploit characteristics in aggregate and broke out the cooler examples here:

https://www.vulncheck.com/blog/react2shell-github

Critical React2Shell Vulnerability (CVE-2025-55182) Analysis: Surge in Attacks Targeting RSC-Enabled Services Worldwide

Torrance, United States / California, 12th December 2025, CyberNewsWire

https://securityledger.com/2025/12/critical-react2shell-vulnerability-cve-2025-55182-analysis-surge-in-attacks-targeting-rsc-enabled-services-worldwide/

React2Shell exploitation now enables persistent access via EtherRAT’s blockchain-based C2.

https://www.technadu.com/react2shell-exploitation-evolves-into-persistent-access-threat/615626/

• Unauthenticated RCE via CVE-2025-55182
• EtherRAT instructions hidden inside Ethereum smart contracts
• Gov + cloud + critical-infrastructure orgs selectively targeted
• Unique per-host payloads hinder signature detection
• Monitor Node.js anomalies + Ethereum RPC activity

#React2Shell #CVE202555182 #EtherRAT #CyberSecurity #ThreatIntel #NextJS #AppSec

I see that Brendan Eich from Brave is out lying about @Vivaldi again. He claims that Brave was pretty much the first out with a fix for CVE-2025-14174 and that Vivaldi still has not released a fix.

AFAIK we were actually first because we released 7.7.3862.88 (Android) based on 142.0.7444.237 from the Extended Support Release branch at 13:00 UTC (and for Desktop [7.7.3851.61] one hour later) on the 10th of December (the day before Brave and even before Chrome), which includes a fix for CVE-2025-14174. However since that CVE was not being publicly discussed yet, it was not initially listed in the changelog.

I have updated the Desktop announcement to mention the CVE now. Here it is:

https://vivaldi.com/blog/desktop/minor-update-five-7-7/

Also FWIW my Masto bot which tracks various desktop browser updates announced us here:

https://social.vivaldi.net/@browserversiontracker/115695393613130159

That bot has a sibling that looks at Vivaldi only releases (all platforms), which caught the Android release:

https://social.vivaldi.net/@vivaldiversiontracker/115695161453809439

And here is when it detected the Brave annoucement, more than a day later:

https://social.vivaldi.net/@browserversiontracker/115702471419843978

📣 EMERGENCY UPDATES 📣

Apple pushed additional updates for 2 zero-days that may have been actively exploited.

🐛 CVE-2025-14174 (WebKit) additional patches,
🐛 CVE-2025-43529 (WebKit) additional patches:
- Safari 26.2

#apple #cybersecurity #infosec #security #ios

Two EITW 0days patched in iOS Webkit. The advisory says the exploits were against pre-iOS 26 but they have patches for 26 as well. And some other ones to go with those.

https://support.apple.com/en-us/125884

Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.

[VULN] "Sécurité : Apple comble deux failles « zero-day » avec iOS 26.2 et macOS 26.2"

"La première (CVE-2025-43529) concerne WebKit, le moteur de rendu de Safari. Il s'agit d'une faille de type use-after-free qui permet l'exécution de code arbitraire simplement en traitant un contenu web malveillant. La seconde (CVE-2025-14174) est une corruption de mémoire identifiée non seulement par les équipes d'Apple, mais aussi par le Threat Analysis Group de Google.

Fait intéressant, Google a également dû corriger Chrome en urgence mercredi dernier pour une faille similaire..."
👇
https://www.macg.co/ios/2025/12/securite-apple-comble-deux-failles-zero-day-avec-ios-262-et-macos-262-305619
⬇️
https://cve.circl.lu/vuln/CVE-2025-14174

💬
⬇️
https://infosec.pub/post/38999452

#Cyberveille #vuln #webkit #apple

🚨 Two more vulnerabilities have been added to the CISA KEV Catalog

CVE-2018-4063: Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type

CVSS: 8.8

CVE-2025-14174: Google Chromium Out of Bounds Memory Access

CVSS: 8.8

https://darkwebinformer.com/cisa-kev-catalog/

Apple aggiorna due bug 0day critici in iOS, presumibilmente abusati dagli spyware

In seguito alla scoperta di due vulnerabilità zero-day estremamente critiche nel motore del browser WebKit, Apple ha pubblicato urgentemente degli aggiornamenti di sicurezza per gli utenti di iPhone e iPad.

Entrambe le vulnerabilità risiedono in WebKit, il motore che alimenta Safari e visualizza i contenuti web nell’ecosistema iOS.

Catalogate come CVE-2025-43529 e CVE-2025-14174, permettono agli attaccanti di attivare codice malevolo attraverso l’inganno della vittima che viene portata a visitare una specifica pagina web.

Per attivare l’exploit, non è necessario che un aggressore abbia un accesso fisico al dispositivo; è sufficiente che venga elaborato un contenuto web creato in modo dannoso, ad esempio un sito web compromesso o una pubblicità dannosa.

L’avviso di Apple riporta quanto segue: “Apple è a conoscenza di una segnalazione secondo cui questo problema potrebbe essere stato sfruttato in un attacco estremamente sofisticato contro individui specifici nelle versioni di iOS precedenti a iOS 26″.

Questa formulazione è solitamente riservata alle campagne di spyware mercenarie sponsorizzate dallo Stato, in cui vengono presi di mira obiettivi di alto valore come giornalisti, diplomatici e dissidenti.

Le due falle sfruttano debolezze diverse nel modo in cui il browser gestisce la memoria:

CVE-2025-43529 (Use-After-Free): scoperta dal Google Threat Analysis Group (TAG), questa vulnerabilità comporta un errore “use-after-free”. In parole povere, il programma tenta di utilizzare la memoria dopo che è stata liberata, consentendo agli hacker di manipolarla per eseguire codice arbitrario. Apple ha risolto questo problema migliorando la gestione della memoria (WebKit Bugzilla: 302502).

CVE-2025-14174 (Corruzione della memoria): attribuito sia ad Apple che a Google TAG, questo problema consente la corruzione della memoria, una condizione che può causare il crash di un sistema o aprire una backdoor per gli aggressori. È stato corretto con una convalida dell’input migliorata (WebKit Bugzilla: 303614).

L'articolo Apple aggiorna due bug 0day critici in iOS, presumibilmente abusati dagli spyware proviene da Red Hot Cyber.

Happy patch your React Server Components again Friday to all who celebrate. The patch for CVE-2025-55184 was incomplete and still leaves systems vulnerable to DoS.

https://www.facebook.com/security/advisories/cve-2025-67779

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Cloudforce One sees active exploitation of React2Shell, with actors targeting critical infrastructure—including nuclear fuel and uranium operations. Probing is concentrated in Taiwan, Xinjiang, Vietnam, Japan, and New Zealand.

React also disclosed two new vulnerabilities (CVE-2025-55183 and CVE-2025-55184). Cloudflare customers are protected against all three flaws.

Read the full threat brief: https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/

📣 EMERGENCY UPDATES 📣

Apple pushed additional updates for 2 zero-days that may have been actively exploited.

🐛 CVE-2025-14174 (WebKit) additional patches,
🐛 CVE-2025-43529 (WebKit) additional patches:
- Safari 26.2

#apple #cybersecurity #infosec #security #ios

Two EITW 0days patched in iOS Webkit. The advisory says the exploits were against pre-iOS 26 but they have patches for 26 as well. And some other ones to go with those.

https://support.apple.com/en-us/125884

Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.

[VULN] "Sécurité : Apple comble deux failles « zero-day » avec iOS 26.2 et macOS 26.2"

"La première (CVE-2025-43529) concerne WebKit, le moteur de rendu de Safari. Il s'agit d'une faille de type use-after-free qui permet l'exécution de code arbitraire simplement en traitant un contenu web malveillant. La seconde (CVE-2025-14174) est une corruption de mémoire identifiée non seulement par les équipes d'Apple, mais aussi par le Threat Analysis Group de Google.

Fait intéressant, Google a également dû corriger Chrome en urgence mercredi dernier pour une faille similaire..."
👇
https://www.macg.co/ios/2025/12/securite-apple-comble-deux-failles-zero-day-avec-ios-262-et-macos-262-305619
⬇️
https://cve.circl.lu/vuln/CVE-2025-14174

💬
⬇️
https://infosec.pub/post/38999452

#Cyberveille #vuln #webkit #apple

Apple aggiorna due bug 0day critici in iOS, presumibilmente abusati dagli spyware

In seguito alla scoperta di due vulnerabilità zero-day estremamente critiche nel motore del browser WebKit, Apple ha pubblicato urgentemente degli aggiornamenti di sicurezza per gli utenti di iPhone e iPad.

Entrambe le vulnerabilità risiedono in WebKit, il motore che alimenta Safari e visualizza i contenuti web nell’ecosistema iOS.

Catalogate come CVE-2025-43529 e CVE-2025-14174, permettono agli attaccanti di attivare codice malevolo attraverso l’inganno della vittima che viene portata a visitare una specifica pagina web.

Per attivare l’exploit, non è necessario che un aggressore abbia un accesso fisico al dispositivo; è sufficiente che venga elaborato un contenuto web creato in modo dannoso, ad esempio un sito web compromesso o una pubblicità dannosa.

L’avviso di Apple riporta quanto segue: “Apple è a conoscenza di una segnalazione secondo cui questo problema potrebbe essere stato sfruttato in un attacco estremamente sofisticato contro individui specifici nelle versioni di iOS precedenti a iOS 26″.

Questa formulazione è solitamente riservata alle campagne di spyware mercenarie sponsorizzate dallo Stato, in cui vengono presi di mira obiettivi di alto valore come giornalisti, diplomatici e dissidenti.

Le due falle sfruttano debolezze diverse nel modo in cui il browser gestisce la memoria:

CVE-2025-43529 (Use-After-Free): scoperta dal Google Threat Analysis Group (TAG), questa vulnerabilità comporta un errore “use-after-free”. In parole povere, il programma tenta di utilizzare la memoria dopo che è stata liberata, consentendo agli hacker di manipolarla per eseguire codice arbitrario. Apple ha risolto questo problema migliorando la gestione della memoria (WebKit Bugzilla: 302502).

CVE-2025-14174 (Corruzione della memoria): attribuito sia ad Apple che a Google TAG, questo problema consente la corruzione della memoria, una condizione che può causare il crash di un sistema o aprire una backdoor per gli aggressori. È stato corretto con una convalida dell’input migliorata (WebKit Bugzilla: 303614).

L'articolo Apple aggiorna due bug 0day critici in iOS, presumibilmente abusati dagli spyware proviene da Red Hot Cyber.

🚨 Two more vulnerabilities have been added to the CISA KEV Catalog

CVE-2018-4063: Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type

CVSS: 8.8

CVE-2025-14174: Google Chromium Out of Bounds Memory Access

CVSS: 8.8

https://darkwebinformer.com/cisa-kev-catalog/

Cloudforce One sees active exploitation of React2Shell, with actors targeting critical infrastructure—including nuclear fuel and uranium operations. Probing is concentrated in Taiwan, Xinjiang, Vietnam, Japan, and New Zealand.

React also disclosed two new vulnerabilities (CVE-2025-55183 and CVE-2025-55184). Cloudflare customers are protected against all three flaws.

Read the full threat brief: https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/

PowerShell 5.1 now shows warnings when scripts use Invoke-WebRequest to fetch web content, aiming to limit silent script execution risks tied to CVE-2025-54100. ⚠️

Admins are urged to switch to -UseBasicParsing to avoid unintended code parsing and prevent automation hang-ups. 🛡️

🔗 https://www.bleepingcomputer.com/news/security/microsoft-windows-powershell-now-warns-when-running-invoke-webrequest-scripts/

#TechNews #Cybersecurity #Windows #PowerShell #Security #Privacy #InfoSec #Patch #Update #Automation #IT #DevOps #Risk #Technology #Development #Shell #Script #CVE #Vulnerability

I think I already posted this one but the CVE was just published so go hack more Plesk shit anyway.

https://support.plesk.com/hc/en-us/articles/36261922405015--CVE-2025-66430-Security-vulnerability-in-Password-Protected-Directories-allows-Plesk-users-to-gain-root-level-access-to-a-Plesk-server

🔔 CRITICAL: Plesk 18.0 (CVE-2025-66430) suffers from incorrect access control, risking unauthorized admin actions. No exploit yet, but review roles, restrict access, and monitor logs ASAP. Patch pending. https://radar.offseq.com/threat/cve-2025-66430-na-91279388 #OffSeq #Plesk #Vuln #AccessControl

There's now a CVE for the EITW Gladinet / Triofox hardcoded key vuln from a few days ago.

https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability

https://www.cve.org/CVERecord?id=CVE-2025-14611

🔎 HIGH severity: CVE-2025-14611 in Gladinet CentreStack & TrioFox (<16.12.10420.56791) — hardcoded AES weakens crypto & enables unauth LFI. Restrict public access, monitor for LFI attempts, prep for patch. https://radar.offseq.com/threat/cve-2025-14611-vulnerability-in-gladinet-centresta-e4cb3dcd #OffSeq #Vulnerability #InfoSec

Happy patch your React Server Components again Friday to all who celebrate. The patch for CVE-2025-55184 was incomplete and still leaves systems vulnerable to DoS.

https://www.facebook.com/security/advisories/cve-2025-67779

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.