Daily Brief

Each article listed below is followed by a generated summary.

Total articles found: 11540

Checks for new stories every ~15 minutes

2025-12-06 11:47:41 thehackernews VULNERABILITIES CISA Adds Critical React2Shell Flaw to Exploited Vulnerabilities List
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-55182, a critical React Server Components flaw, to its Known Exploited Vulnerabilities catalog following reports of active exploitation. The vulnerability, which carries a CVSS score of 10.0, allows unauthenticated remote code execution via insecure deserialization in the React library's Flight protocol, which handles server-client communication. Attackers can exploit it by sending crafted HTTP requests that lead to arbitrary command execution on affected servers; some attacks have deployed cryptocurrency miners and other payloads. The flaw also affects frameworks built on React, such as Next.js and React Router, and is fixed in React 19.0.1, 19.1.2, and 19.2.1; users are urged to update immediately. Exploitation attempts have been linked to Chinese hacking groups, including Earth Lamia and Jackpot Panda, with over 30 organizations affected across various sectors. Security firms such as Palo Alto Networks and Bitdefender have observed reconnaissance and exploitation activity, including the deployment of the SNOWLIGHT and VShell tools. Researchers have released proof-of-concept exploits, underscoring the need for rapid patching, and federal agencies must apply the updates by December 26, 2025, under BOD 22-01. The vulnerability affects approximately 2.15 million internet-facing services, highlighting the extent of the exposure and the urgency of remediation.
2025-12-06 09:17:03 theregister VULNERABILITIES Rise of Passkeys: A Safer Alternative to Traditional MFA
The cybersecurity community is shifting from passwords to passkeys, offering a more secure, phishing-resistant multifactor authentication (MFA) method. Traditional MFA methods, such as one-time passwords (OTPs) sent via SMS or email, are vulnerable to phishing attacks, leading to unauthorized access. Passkeys utilize cryptographic key pairs, with the private key stored on the user's device, reducing the risk of interception and unauthorized access. Major companies like Amazon, Google, and Microsoft have adopted passkeys, reporting improved sign-in success rates and reduced login times. Organizations using passkeys experience fewer help-desk incidents, lowering operational costs associated with OTPs and support interactions. Despite security benefits, passkey adoption faces challenges in usability, particularly when transitioning between different operating systems. The balance between security and user experience remains crucial, especially for customer-facing platforms where ease of use is a priority.
2025-12-05 23:28:11 theregister CYBERCRIME FBI Warns of AI-Enhanced Virtual Kidnapping and Extortion Scams
The FBI has issued a warning about criminals using altered social media images in virtual kidnapping scams, demanding ransoms from victims' families. Scammers claim to have kidnapped loved ones and send doctored images or videos as fake proof of life, leveraging AI tools to enhance credibility. The FBI received 357 complaints of such scams last year, resulting in $2.7 million in losses, with tactics evolving to include AI-generated content. Criminals often use social media to gather images and personal information, making it easier to target victims and their families. The FBI advises against sharing personal details with strangers and recommends setting a code word known only to family members to verify authenticity. Victims are encouraged to report incidents to the FBI's Internet Crime Complaint Center, providing detailed information to aid investigations. Similar scams targeting corporations involve fake IT workers using AI to alter their appearance during video interviews, with links to North Korean operations.
2025-12-05 21:59:31 theregister VULNERABILITIES New SVG and CSS Clickjacking Technique Exploits Web Security Gaps
Security researcher Lyra Rebane presented a novel clickjacking method at BSides Tallinn that uses SVG and CSS to bypass traditional JavaScript-based defenses. The attack abuses SVG filters to leak information across origins, violating the web's same-origin policy and potentially affecting applications such as Google Docs. Rebane's technique builds logic gates out of SVG filters, allowing complex attack chains that do not rely on JavaScript and that current web security measures struggle to detect. Google awarded a bug bounty for the report, acknowledging its significance, though the issue remains unresolved across multiple browsers. As a potential defense, Rebane suggests the Intersection Observer v2 API, which can detect when SVG filters obscure an iframe. The discovery underscores the evolving nature of clickjacking threats and the need for continuous updates to web security protocols and practices. Developers are advised to review and strengthen security headers such as X-Frame-Options and Content Security Policy to better protect against such emerging threats.
2025-12-05 21:53:52 theregister VULNERABILITIES Cloudflare Outage Linked to React2Shell Vulnerability Mitigation Efforts
Cloudflare experienced a significant outage affecting 28% of its HTTP traffic due to a flawed fix for the React2Shell vulnerability (CVE-2025-55182); the outage was not caused by a cyberattack. React2Shell, rated 10.0 on the CVSS scale, allows remote code execution without authentication and affects React frameworks and bundlers such as Next.js. Attackers, including state-sponsored groups from China, have actively exploited the flaw, with reports of reconnaissance and theft of AWS credentials. U.S. CISA and the British government have issued warnings, and the vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog. Security researchers have observed both functional and fake proof-of-concept exploits (POCs) circulating online, complicating mitigation efforts and potentially misleading organizations. The incident underscores the need for faster and more accurate information sharing within the security community to prevent rapid exploitation by threat actors. Security firms predict that ransomware groups and initial access brokers may soon leverage the vulnerability to infiltrate corporate networks. The situation calls for a reassessment of disclosure strategies to better equip defenders against swift exploitation by sophisticated adversaries.
2025-12-05 18:59:52 bleepingcomputer DATA BREACH Barts Health NHS Trust Data Breach Linked to Oracle Zero-Day Exploit
Barts Health NHS Trust has confirmed a data breach after Clop ransomware actors exploited a vulnerability in Oracle E-Business Suite software. The breach involved the theft of invoices containing personal details of patients and former employees, exposing sensitive financial information. The compromised data also includes accounting records related to services provided to Barking, Havering, and Redbridge University Hospitals NHS Trust. Clop has published the stolen data on the dark web, although it has not surfaced on the general internet, limiting immediate exposure. Barts Health NHS Trust is seeking a High Court order to prevent further distribution of the exposed data, though enforcement remains challenging. The incident did not affect electronic patient records or core IT systems, so critical healthcare operations were not disrupted. The breach is part of a broader campaign exploiting CVE-2025-61882 that has affected multiple organizations globally, including prominent universities and corporations. Authorities, including the National Cyber Security Centre and the Metropolitan Police, have been notified, and affected individuals are advised to remain vigilant.
2025-12-05 17:59:20 thehackernews VULNERABILITIES Zero-Click Attack Threatens Google Drive Data via AI Browser Agents
Straiker STAR Labs identified a zero-click attack exploiting Perplexity's Comet browser, enabling unauthorized deletion of Google Drive contents through crafted emails. The attack leverages AI browser agents connected to Gmail and Google Drive, executing tasks like file deletion without user confirmation. Attackers use polite, sequential natural language instructions to manipulate browser agents, bypassing typical security checks. This vulnerability does not require jailbreaks or prompt injections, relying instead on the AI's interpretation of routine housekeeping tasks. Organizations are advised to secure AI models, agents, and natural language instructions to mitigate zero-click data-wiper risks. Concurrently, Cato Networks revealed the HashJack technique, using URL fragments to indirectly prompt AI browsers, leading to potential exploitation. While Google classified HashJack as low severity and won't fix it, Perplexity and Microsoft have issued patches for their browsers. The findings prompt a reevaluation of security protocols surrounding AI-driven browser functions, emphasizing the need for robust safeguards against indirect manipulations.
2025-12-05 16:39:58 bleepingcomputer CYBERCRIME FBI Alerts Public to Virtual Kidnapping Scams Using Social Media Photos
The FBI issued a warning about virtual kidnapping scams where criminals use altered social media images as fake proof of life to extort ransoms. Scammers contact victims via text, claiming to have kidnapped a family member, and demand immediate ransom payments under threats of violence. No actual abductions occur; criminals rely on manipulated images and publicly available information to create convincing scenarios. The FBI advises caution and recommends verifying claims by assessing photo inaccuracies and using a family code word for emergencies. Protective measures include avoiding sharing personal details with strangers and being vigilant when posting about missing persons online. Victims are encouraged to take screenshots of suspicious communications for analysis, as scammers often limit viewing time of fake proof-of-life photos. The FBI has not disclosed the number of related complaints but acknowledges multiple instances of similar scams spoofing phone numbers.
2025-12-05 16:24:36 thehackernews VULNERABILITIES Critical XXE Vulnerability in Apache Tika Demands Immediate Attention
A severe XXE injection vulnerability, CVE-2025-66516, has been identified in Apache Tika, affecting multiple modules and rated 10.0 on the CVSS scale. The flaw lies in how the affected modules process XML data and could let attackers read server files or execute remote code via crafted XFA files embedded in PDFs. Affected modules include tika-core (versions 1.13 through 3.2.1), tika-pdf-module (2.0.0 through 3.2.1), and tika-parsers (1.13 through 1.28.5), on all platforms. The vulnerability expands on a previous issue, CVE-2025-54988, by affecting additional components, highlighting the need for comprehensive updates. Users are urged to upgrade to tika-core version 3.2.2 or higher to protect against this critical threat. Failure to update could leave systems vulnerable, with potential operational disruptions and security breaches. Organizations should prioritize patch management and review their security posture to mitigate similar threats in the future.
2025-12-05 15:02:41 bleepingcomputer VULNERABILITIES Continuous Reconnaissance Essential for Modern Attack Surface Management
Traditional passive internet-scan data often fails to provide a complete picture of an organization's attack surface, leading to outdated and incomplete security insights. Modern infrastructures are dynamic, with cloud services and development deployments changing daily, necessitating continuous, automated reconnaissance for accurate visibility. Passive datasets frequently miss ephemeral assets such as temporary testing services and auto-scaled cloud nodes, which attackers can exploit. Continuous reconnaissance involves automated, environment-aware checks that adapt to infrastructure changes, ensuring up-to-date exposure verification. Sprocket Security advocates for daily automated checks to discover and validate exposures, enhancing decision-making and reducing alert fatigue. Implementing continuous visibility helps prioritize risks accurately, reducing time spent on irrelevant or outdated findings and improving overall security posture. Organizations are encouraged to adopt continuous reconnaissance as a foundational element of their attack surface management strategy to prevent avoidable incidents.
2025-12-05 14:56:57 theregister CYBERCRIME Asus Supplier Breach Exposes Camera Code Amid Ransomware Claims
Asus confirmed a third-party supplier was compromised by the Everest ransomware group, affecting some camera source code for Asus phones. The hardware giant stated there was no impact on its own systems, products, or customer privacy, focusing the breach on the supplier. Everest claims to have exfiltrated 1 TB of data from Asus, ArcSoft, and Qualcomm, including source code, AI models, and internal tools. Asus is enhancing its supply chain security to align with cybersecurity standards, though it did not disclose the vendor or specific stolen content. The breach coincides with recent reports of a separate attack on Asus routers, heightening scrutiny on the company's overall security measures. This incident raises concerns about the robustness of supply chain security and the potential exposure of proprietary or sensitive data. The situation underscores the need for robust vendor management and proactive security practices to mitigate third-party risks.
2025-12-05 14:41:29 bleepingcomputer DATA BREACH EU Fines X $140 Million for DSA Non-Compliance on Blue Checkmarks
The European Commission has fined X, formerly known as Twitter, €120 million ($140 million) for violating the Digital Services Act (DSA) transparency obligations. This marks the first non-compliance ruling under the DSA, which mandates platforms to remove harmful content and protect users across the EU. A two-year investigation found X's 'blue checkmark' system misleading, allowing badge purchases without meaningful identity verification, increasing fraud and manipulation risks. X's advertising database failed transparency requirements, with accessibility issues and delays hindering scam and false advertising detection. Researchers faced barriers accessing public data, limiting their ability to study systemic risks affecting European users. X must address blue checkmark violations within 60 days and submit plans to fix research access and advertising issues within 90 days. The commission warned that failure to comply could result in additional periodic penalties, emphasizing accountability under the DSA.
2025-12-05 14:13:24 theregister NATION STATE ACTIVITY Chinese State-Linked Groups Exploit Critical React Vulnerability Rapidly
Amazon reports that Chinese state-backed hackers quickly targeted the critical React "React2Shell" vulnerability, exploiting it within hours of its disclosure. AWS's threat intelligence observed active exploitation attempts by groups such as Earth Lamia and Jackpot Panda, using the MadPot honeypot network. The vulnerability, CVE-2025-55182, allows remote code execution through unsafe deserialization in React's server-side packages, impacting 39% of cloud environments. AWS has implemented mitigations across its services but emphasizes that these are not substitutes for patching; immediate updates are advised for affected systems. Some industry experts caution against overreaction, noting potential self-inflicted outages from emergency responses, as seen with a recent Cloudflare incident. The rapid exploitation by state actors highlights the urgency for organizations to patch vulnerabilities promptly to prevent potential breaches. The widespread use of React increases the potential impact, making swift action critical to safeguard affected infrastructures.
2025-12-05 14:13:24 thehackernews NATION STATE ACTIVITY Chinese Hackers Exploit React2Shell Vulnerability for Global Cyber Attacks
Two Chinese-linked hacking groups, Earth Lamia and Jackpot Panda, have been exploiting the React2Shell vulnerability (CVE-2025-55182) within hours of its disclosure, targeting various global sectors. The React2Shell vulnerability, with a CVSS score of 10.0, allows unauthenticated remote code execution and has been patched in React versions 19.0.1, 19.1.2, and 19.2.1. Amazon Web Services identified exploitation attempts through its MadPot honeypot infrastructure, tracing activity back to IP addresses linked to known Chinese state-sponsored actors. Earth Lamia has previously targeted critical sectors such as financial services and government organizations across Latin America, the Middle East, and Southeast Asia. Jackpot Panda, active since at least 2020, has focused on online gambling operations in East and Southeast Asia, using trusted third-party relationships to deploy malicious implants. Recent attacks by Jackpot Panda have targeted Chinese-speaking victims, suggesting possible domestic surveillance efforts, using a trojanized installer for the CloudChat application. AWS reported that the threat actors are also exploiting other vulnerabilities, indicating a systematic approach to scanning for unpatched systems and maximizing attack opportunities.
2025-12-05 13:56:55 bleepingcomputer VULNERABILITIES Cloudflare Outage Linked to Emergency React2Shell Vulnerability Patch
Cloudflare experienced a global outage due to an emergency patch for a critical remote code execution flaw in React Server Components, affecting numerous websites with "500 Internal Server Error" messages. The incident was not a cyberattack but a result of a change in Cloudflare's Web Application Firewall to address the newly disclosed React2Shell vulnerability, tracked as CVE-2025-55182. React2Shell impacts the React JavaScript library and dependent frameworks, allowing unauthenticated remote code execution via malicious HTTP requests. Vulnerable React versions include 19.0 to 19.2.0, with exploitation already reported by China-linked hacking groups such as Earth Lamia and Jackpot Panda. The NHS England National CSOC warns of the high likelihood of continued successful exploitation, with multiple proof-of-concept exploits available. This incident follows previous Cloudflare outages, highlighting ongoing challenges in maintaining stable network operations amidst urgent security updates. Organizations using React and its frameworks should promptly apply patches and monitor for unusual activity to mitigate potential exploitation risks.