TLDR Security — Saturday, December 6, 2025
A critical React Server Components vulnerability went from disclosure to mass exploitation in under 24 hours this week, with Chinese APTs and botnets both piling on. Google patched two Android zero-days tied to spyware campaigns, Clop continues naming Oracle E-Business Suite victims, and a supply chain attack poisoned 700+ NPM packages. If you're not subscribed yet, let's fix that ;)
.\ React "React2Shell" zero-day hits CVSS 10.0 — Chinese APTs exploiting within hours of disclosure
CVE-2025-55182 is a remote code execution flaw in React Server Components enabling unauthenticated attackers to execute arbitrary code via crafted HTTP requests. AWS Security detected active exploitation by China-nexus groups Earth Lamia and Jackpot Panda within hours of the December 3 disclosure. CISA added it to the KEV catalog on December 5 with a remediation deadline of December 26. Wiz Research reports 39% of cloud environments contain vulnerable instances. Affected: React 19.0.0–19.2.0 and Next.js 15.x/16.x using App Router.
.\ Source shelf: React Advisory · Rapid7 · GreyNoise
.\ Google patches two Android zero-days under active exploitation — spyware suspected
Google's December 2025 Android Security Update addresses 107 vulnerabilities, including two zero-days confirmed under "limited, targeted exploitation." CVE-2025-48572 is a framework privilege escalation flaw; CVE-2025-48633 enables information disclosure. The exploitation pattern strongly suggests commercial spyware vendors. CISA added both to the KEV catalog on December 2 with a remediation deadline of December 23. Android versions 13–16 are affected. Push the December security patch level (2025-12-01 or 2025-12-05) to managed devices now.
.\ Source shelf: Google Bulletin · BleepingComputer · The Register
.\ CISA and NSA warn of Chinese BRICKSTORM backdoor targeting VMware and Windows
CISA, NSA, and allied agencies issued a joint advisory on BRICKSTORM, a sophisticated backdoor deployed by PRC state-sponsored actors against government and IT sector organizations. The malware targets VMware vSphere and Windows environments, using nested TLS, WebSocket tunneling, and DNS-over-HTTPS for evasion. This follows continued Salt Typhoon activity—the FBI disclosed 200+ companies across 80 countries have been compromised. Review the IOCs in Malware Analysis Report AR25-338A and hunt your environment.
.\ Source shelf: CISA MAR · CISA ICS Advisories
.\ NPM supply chain attack compromises 700+ packages with 132 million monthly downloads
The Shai-Hulud 2.0 attack, discovered December 1–5 by Wiz Research, exploited GitHub Actions via pull_request_target abuse to harvest credentials and publish malicious code. Over 700 NPM packages were compromised, including @postman/tunnel-agent and posthog-node. Affected organizations include Zapier, PostHog, Postman, and ENS Domains. Attackers created 25,000+ malicious GitHub repositories, peaking at 1,000 new compromised repos every 30 minutes. Stolen credentials include NPM tokens, GitHub PATs, and cloud secrets. Audit dependencies and rotate exposed credentials immediately.
.\ Source shelf: Wiz Research · GitHub Advisory
.\ Clop ransomware names 29+ Oracle E-Business Suite breach victims — major institutions hit
The Clop ransomware gang continues extorting victims from its August 2025 zero-day campaign against Oracle E-Business Suite. Named victims include The Washington Post, Harvard University, University of Pennsylvania, Schneider Electric, Logitech, and Barts Health NHS Trust. Attackers exploited CVE-2025-61882 (CVSS 9.8) and CVE-2025-61884 before Oracle's October patches. Organizations running Oracle EBS should verify patches are applied and conduct forensic review for prior compromise indicators.
.\ Source shelf: Oligo Security · Paubox · BlackFog
.\ Europol takes down Rhadamanthys infostealer and Cryptomixer in Operation Endgame
Operation Endgame Phase 3 (November 10–13) dismantled Rhadamanthys infostealer (525,303 infections, 86.2 million stealing events), VenomRAT, and Elysium botnet across 11 countries. Authorities seized 1,025+ servers and 20 domains. Separately, Europol took down Cryptomixer (November 24–28), which laundered €1.3 billion for ransomware groups, seizing €25 million in Bitcoin. These disruptions provide temporary relief—expect infrastructure rebuilds within months.
.\ Source shelf: TechRepublic · Infosecurity Magazine · TechCrunch
.\ Also Notable
- Treasury sanctions Russian bulletproof hosting — US, UK, and Australia jointly sanctioned Media Land LLC for providing infrastructure to LockBit, BlackSuit, and Play ransomware operations.
- Free Akira ransomware decryptor released — Security researcher Yohanes Nugroho published a GPU-powered decryptor exploiting timestamp-based key generation weaknesses.
- Fortinet FortiWeb flaws under active exploitation — CVE-2025-64446 and CVE-2025-58034 chain to enable unauthenticated RCE on FortiWeb 7.0.x–8.0.x appliances.
.\ Ops Bench
ScreenConnect and SimpleHelp remain under active targeting. CVE-2025-3935 (ScreenConnect) was added to CISA KEV earlier this year, and DragonForce ransomware continues abusing SimpleHelp vulnerabilities for MSP supply chain attacks. Verify all RMM tools are patched to current versions and audit for unauthorized access.
.\ Source shelf: Censys · Sophos · BleepingComputer
React2Shell affects client web applications. If you manage Next.js or React applications for clients, prioritize scanning for affected versions (React 19.0.0–19.2.0, Next.js 15.x/16.x with App Router). Exploitation is trivial and requires no authentication.
.\ Source shelf: Rapid7 · CISA KEV
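One way to do the version check the Ops Bench asks for, as an added example that is not Rapid7's or CISA's code: walk a `package-lock.json` (v2/v3 `packages` map, nested installs included) and report every resolved `react` or `next` version inside the ranges this newsletter lists. Two assumptions are built in and labelled in the code: the lockfile cannot show whether a Next.js app uses the App Router, so that is a caller flag, and the newsletter states no fixed versions, so a hit means "compare against the React advisory", nothing more. The sample lockfile is constructed.

```python
"""Flag installed React / Next.js versions inside the React2Shell
(CVE-2025-55182) ranges this newsletter lists. Added example, not Rapid7 or
CISA tooling. Assumes a package-lock.json v2/v3 'packages' map; the sample
lockfile below is constructed. The newsletter does not state fixed versions,
so a hit means 'compare against the React advisory', nothing more."""
import json
import re
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int, int]
SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Ranges as stated in the newsletter: React 19.0.0-19.2.0 (inclusive) and
# Next.js 15.x / 16.x when the App Router is in use.
REACT_MIN: Version = (19, 0, 0)
REACT_MAX: Version = (19, 2, 0)
NEXT_MAJORS = {15, 16}


def parse_version(text: str) -> Optional[Version]:
    """(major, minor, patch) for an exact version; None for ranges such as
    ^19.0.0 or tags such as 'latest'. Pre-release suffixes are ignored."""
    m = SEMVER.match(text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def installed_versions(lock: dict) -> Dict[str, Set[str]]:
    """Every resolved version of every package in a lockfile v2/v3 'packages'
    map, including nested copies under another package's node_modules."""
    found: Dict[str, Set[str]] = {}
    for path, meta in lock.get("packages", {}).items():
        if not path or "version" not in meta:
            continue  # "" is the root project entry
        name = path.split("node_modules/")[-1]  # keeps @scope/name intact
        found.setdefault(name, set()).add(meta["version"])
    return found


def is_affected(name: str, version: str, app_router: bool = True) -> bool:
    """Apply the newsletter's ranges. Assumption: the lockfile cannot show
    whether a Next.js app uses the App Router, so the caller supplies it."""
    v = parse_version(version)
    if v is None:
        return False
    if name == "react":
        return REACT_MIN <= v <= REACT_MAX
    if name == "next":
        return app_router and v[0] in NEXT_MAJORS
    return False


def scan_lockfile(text: str, app_router: bool = True) -> List[Tuple[str, str]]:
    """Sorted (package, version) pairs that fall in the affected ranges."""
    lock = json.loads(text)
    hits = [
        (name, ver)
        for name, versions in installed_versions(lock).items()
        for ver in versions
        if is_affected(name, ver, app_router)
    ]
    return sorted(hits)


# Constructed sample: a Next.js 15 app on React 19.1, plus an unrelated
# library that pins its own nested React 18 (outside the listed range).
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.4.2"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/some-lib": {"version": "2.0.0"},
        "node_modules/some-lib/node_modules/react": {"version": "18.3.1"},
    },
})

if __name__ == "__main__":
    for name, ver in scan_lockfile(SAMPLE_LOCK):
        print(f"{name}@{ver}: in the affected range, check the React advisory")
```

Point `scan_lockfile` at each client repository's lockfile rather than at `package.json`: the manifest holds ranges like `^19.0.0`, which `parse_version` deliberately rejects, while the lockfile records what is actually deployed.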
Until next week!