F5 Threat Report - December 31st, 2025

Fortinet Warns of 5-Year-Old FortiOS 2FA Bypass Still Exploited in Attacks

Fortinet has issued a warning regarding the continued active exploitation of CVE-2020-12812, a critical FortiOS vulnerability dating back five years. This improper authentication flaw, found in FortiGate SSL VPN, enables threat actors to bypass two-factor authentication (2FA) by manipulating the case of a username. The vulnerability arises from inconsistent case-sensitive matching between local and remote authentication when 2FA is enabled for local users linked to a remote authentication method like LDAP. Fortinet released patches in July 2020 with FortiOS versions 6.4.1, 6.2.4, and 6.0.10, and advised disabling username-case-sensitivity as a workaround. Despite these measures, the flaw is still being exploited, particularly against firewalls with LDAP enabled, under specific conditions where local user entries requiring 2FA are linked to LDAP and belong to an LDAP group configured on the FortiGate. Both the FBI and CISA have previously highlighted the exploitation of CVE-2020-12812 by state-backed hackers and ransomware groups, with CISA adding it to its catalog of known exploited vulnerabilities in November 2021, mandating federal agencies to secure their systems.

Severity: Critical

Sources

• https://cyberpress.org/hackers-abuse-3-year-old-fortigate-flaw/
• https://gbhackers.com/unpatched-fortigate-security-flaw/
• https://meterpreter.org/how-a-capital-letter-bypasses-fortinet-2fa/
• https://securityonline.info/hackers-revive-2020-fortigate-flaw-to-bypass-2fa/
• https://thehackernews.com/2025/12/fortinet-warns-of-active-exploitation.html
• https://www.bleepingcomputer.com/news/security/fortinet-warns-of-5-year-old-fortios-2fa-bypass-still-exploited-in-attacks/
• https://www.securityweek.com/fortinet-warns-of-new-attacks-exploiting-old-vulnerability/
• https://www.techzine.eu/news/security/137548/attackers-exploit-five-year-old-fortinet-vulnerability/

Threat Details and IOCs

Mitigation Advice

• Patch all vulnerable FortiGate firewalls to FortiOS version 6.4.1, 6.2.4, 6.0.10, or a more recent version to remediate CVE-2020-12812.
• If immediate patching is not feasible, disable username case sensitivity on vulnerable FortiGate firewalls as a temporary workaround to prevent exploitation.
• Review FortiGate authentication configurations and immediately remove any secondary LDAP groups that are not explicitly required for business operations.

Compliance Best Practices

• Establish a comprehensive vulnerability management program that includes asset inventory, regular scanning, risk-based prioritization, and defined Service Level Agreements (SLAs) for patching internet-facing systems.
• Develop and enforce security configuration baselines for all network devices, including FortiGate firewalls. Implement a regular, automated audit process to detect and remediate deviations from these approved baselines.
• Conduct a strategic review of the remote access authentication architecture to identify and simplify complex integrations, such as those between FortiGate local users and remote LDAP directories, in favor of more robust and less error-prone solutions.

---

“Headphone Jacking”: Critical Flaws in Airoha Bluetooth SoCs Hijack Phones via Earbuds

A new report from ERNW Enno Rey Netzwerke GmbH details "Headphone Jacking," a series of critical vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) found in Airoha Bluetooth Systems on a Chip (SoCs) widely used in popular True Wireless Stereo (TWS) earbuds and headphones from brands like Sony (e.g., WH-1000XM5, WF-1000XM5), JBL (e.g., Live Buds 3), Marshall (e.g., Major V), and Beyerdynamic (e.g., Amiron 300). These flaws stem from an unauthenticated, exposed proprietary diagnostic protocol called RACE, accessible over Bluetooth Classic and BLE, which allows attackers within range to connect to headphones, read/write memory, eavesdrop via the microphone, and spy on media. By chaining these vulnerabilities, attackers can perform "Headphone Jacking," stealing the Bluetooth Link Key from the headphone's flash memory to impersonate the trusted device and hijack the connected smartphone, enabling actions such as triggering voice assistants, sending text messages, or silently accepting calls and receiving audio streams. While some manufacturers are releasing patches, the fragmented Bluetooth market leaves many devices vulnerable, prompting recommendations for immediate firmware updates or, for high-risk individuals, the use of wired headphones.

Severity: Critical

Sources

• https://cyberpress.org/new-bluetooth-headphone-vulnerabilities/
• https://securityonline.info/headphone-jacking-critical-flaws-in-popular-earbuds-let-hackers-hijack-your-phone/

Threat Details and IOCs

Mitigation Advice

• Compile an inventory of all Bluetooth headphones used by employees, cross-referencing the list with the models mentioned in the article (e.g., Sony WH-1000XM5, JBL Live Buds 3) to identify potentially vulnerable Airoha-based devices.
• Instruct users with identified vulnerable headphone models to immediately check for and apply the latest firmware updates provided by the manufacturer via their respective mobile applications.
• Issue a security advisory to all employees, with specific guidance for high-risk individuals such as executives and finance personnel, recommending they use wired headphones until their Bluetooth devices are confirmed to be patched.
• Use the 'RACE Toolkit' released by ERNW to actively scan and verify the vulnerability status of corporate-issued or high-risk employee headphones.

Compliance Best Practices

• Develop and implement a corporate policy governing the use of personal and corporate-issued peripheral devices, including Bluetooth headphones, specifying approved models and minimum security requirements.
• Establish a formal process for tracking and managing firmware updates for all approved IoT and peripheral devices, including headphones, to ensure they are patched in a timely manner.
• Update the security awareness training program to include modules on the risks associated with Bluetooth peripherals, teaching users how to update device firmware and recognize signs of compromise.
• Investigate and deploy Mobile Device Management (MDM) policies to restrict or control Bluetooth pairing on corporate smartphones, allowing connections only to approved and managed peripherals.

---

LangChain Serialization Flaw (CVE-2025-68664) Enables Secret Extraction, Code Execution

A critical serialization vulnerability, identified as CVE-2025-68664 (CVSS 9.3) for Python and CVE-2025-68665 (CVSS 8.6) for JavaScript, has been discovered in the LangChain ecosystem, affecting `langchain-core` and LangChain.js packages. Reported by Yarden Porat on December 4, 2025, and internally dubbed "LangGrinch," the flaw stems from improper handling of the internal `lc` key during serialization and deserialization by the `dumps()` and `dumpd()` functions. This allows user-controlled data containing the `lc` key to be misinterpreted as legitimate internal LangChain objects, leading to various impacts including secret extraction from environment variables (when `secrets_from_env` is enabled), arbitrary object creation, instantiation of classes from trusted namespaces, and potential arbitrary code execution via Jinja2 templates. A significant attack vector involves prompt injection through LLM response fields such as `metadata`, ``additional_kwargs`,` or ``response_metadata`.` Patches have been released, with `langchain-core` fixed in versions 1.2.5 and 0.3.81, `@langchain/core` in 1.1.8 and 0.3.80, and `langchain` in 1.2.3 and 0.3.37. These updates introduce an `allowed_objects` parameter for explicit class control during deserialization, disable Jinja2 templates by default, and turn off automatic loading of secrets from the environment. Users are strongly advised to update immediately to mitigate these risks, which underscore how classic deserialization vulnerabilities persist in AI-driven systems where model output must still be treated as untrusted input.

Severity: Critical

Sources

• https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/
• https://gbhackers.com/critical-langchain-vulnerability/
• https://securityonline.info/the-lc-leak-critical-9-3-severity-langchain-flaw-turns-prompt-injections-into-secret-theft/
• https://socradar.io/blog/cve-2025-68664-langchain-flaw-secret-extraction/
• https://sploitus.com/exploit?id=EEF971FE-5365-544C-A6DE-F7C32033DE93
• https://thehackernews.com/2025/12/critical-langchain-core-vulnerability.html
• https://www.securitylab.ru/news/567625.php

Threat Details and IOCs

Mitigation Advice

• Update all Python applications using the `langchain-core` package to version 1.2.5 or newer, or to version 0.3.81 or newer, to mitigate CVE-2025-68664.
• Update all JavaScript/TypeScript applications using the `@langchain/core` package to version 1.1.8 or newer (or 0.3.80 or newer) and the `langchain` package to version 1.2.3 or newer (or 0.3.37 or newer) to mitigate CVE-2025-68665.
• Perform an immediate scan of all code repositories and deployed applications to identify all instances of the vulnerable `langchain-core`, `@langchain/core`, and `langchain` packages and their versions.
• In all applications using LangChain, immediately review configurations and explicitly set the `secrets_from_env` (Python) and `secretsFromEnv` (JavaScript) parameters to `false` to prevent unauthorized access to environment variables.

Compliance Best Practices

• Implement a secure development policy that mandates treating all output from Large Language Models (LLMs) as untrusted external input, requiring strict validation and sanitization before it is processed by sensitive functions like deserializers.
• Refactor all applications that use LangChain's deserialization functions (`load()`, `loads()`) to use the `allowed_objects` parameter, creating a strict allowlist of only the specific classes required for the application to function.
• Review and re-architect applications using AI/ML frameworks to operate under the Principle of Least Privilege, ensuring their execution environments are isolated and have access to the minimum set of secrets and permissions necessary for their function.
• Establish a secure baseline configuration standard for all AI/ML frameworks that disables high-risk features, such as remote code execution via templating engines, by default. Require a formal security review and exception process to enable them.

---

Trust Wallet Confirms Extension Hack Led to $7 Million Crypto Theft

On December 24, a compromised update to the Trust Wallet Chrome extension, specifically version 2.68.0, resulted in the theft of $7 million in cryptocurrency, with users reporting their wallets drained shortly after interacting with the extension. Security researchers identified malicious code within the 2.68.0 update, which exfiltrated sensitive wallet data, including seed phrases, to an external server hosted at `api.metrics-trustwallet[.]com`, a domain registered just days prior to the incident. Trust Wallet confirmed the security breach, advising affected users to immediately disable version 2.68.0 and update to the secure version 2.69; mobile-only users and other browser extension versions were not impacted. Binance founder Changpeng "CZ" Zhao stated that Trust Wallet would cover the losses. Simultaneously, a phishing campaign emerged, utilizing domains such as `fix-trustwallet[.]com` to impersonate Trust Wallet and solicit users' recovery seed phrases under the pretense of a "vulnerability fix." Users whose wallets may have been compromised are urged to transfer any remaining funds to a new wallet secured with a fresh seed phrase.

Severity: Critical

Sources

• https://buaq.net/go-383910.html
• https://coinedition.com/trust-wallet-confirms-extension-v2-68-security-issue-after-wallet-drains/
• https://cyberinsider.com/trust-wallet-suffers-supply-chain-compromise-millions-in-crypto-stolen/
• https://cyberpress.org/trust-wallet-chrome-plugin-under-attack/
• https://financefeeds.com/trust-wallet-opens-claims-process-after-7m-chrome-extension-hack/
• https://financefeeds.com/trust-wallet-reimburse-users-20m-hack-cz-confirms/
• https://gbhackers.com/hackers-compromise-trust-wallet-chrome-extension/
• https://malwaretips.com/threads/trustwallet-chrome-extension-hacked-%E2%80%93-users-reporting-millions-in-losses.138907/
• https://securityonline.info/the-christmas-drain-how-a-backdoor-in-trust-wallet-v2-68-stole-7m/
• https://slowmist.medium.com/christmas-heist-analysis-of-trust-wallet-browser-extension-hack-bdb35c3cc6dd?source=rss-4ceeedda40e8------2
• https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html
• https://www.bleepingcomputer.com/news/security/trust-wallet-chrome-extension-hack-tied-to-millions-in-losses/
• https://www.bleepingcomputer.com/news/security/trust-wallet-confirms-extension-hack-led-to-7-million-crypto-theft/
• https://www.cryptoninjas.net/news/7m-lost-in-trust-wallet-browser-hack-cz-confirms-full-compensation-as-extension-flaw-exposed/
• https://www.tronweekly.com/trust-wallet-pledges-to-cover-7m-lost-in/
• https://www.tronweekly.com/trust-wallet-to-cover-7m-lost-on-hack/

Threat Details and IOCs

Mitigation Advice

• Add the domains `api.metrics-trustwallet[.]com` and `fix-trustwallet[.]com` to the network firewall's blocklist.
• Configure the corporate DNS filtering service to block resolution of the domains `api.metrics-trustwallet[.]com` and `fix-trustwallet[.]com`.
• Use the endpoint management tool to scan all corporate devices for the presence of the Trust Wallet Chrome extension, specifically version 2.68.0, and report any findings to the security team for remediation.
• Send a company-wide security bulletin warning employees about the Trust Wallet supply chain attack and its associated phishing campaign. Instruct users to never enter credentials or recovery phrases in response to unsolicited prompts and to report suspicious browser behavior.

Compliance Best Practices

• Develop and implement a corporate policy to only allow approved browser extensions on company devices, enforcing this policy via browser management tools like Group Policy or an MDM solution.
• Establish a formal supply chain risk management process to vet the security posture of all third-party software vendors and applications, including browser extensions, before they are approved for use in our environment.
• Incorporate modules on the risks of browser extensions and supply chain attacks into the recurring security awareness training program, reinforcing lessons with periodic phishing simulations.
• Design and implement a network egress filtering policy on the perimeter firewall to deny outbound traffic by default, only allowing connections to known-good, categorized, and business-required destinations.

---

React2Shell Explained (CVE-2025-55182): From Vulnerability Discovery to Exploitation

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code on vulnerable servers via a single crafted HTTP request. This flaw exploits weaknesses in the React Flight protocol's deserialization process, specifically by manipulating prototype chains and injecting malicious code during server-side rendering. The exploit chain leverages JavaScript's prototype traversal `(`__proto__:constructor`),` the thenable behavior, the `@` syntax for raw chunk objects, forced execution of `initializeModelChunk()`, context confusion through the `_response` object, and blob resolution to trigger the `Function()` constructor with attacker-controlled code. Affected software includes React versions 19.0.0 through 19.2.0, Next.js applications utilizing the App Router (versions 16.0.0-16.0.6, 15.x, and early 16.x releases), and associated serialization libraries like `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` prior to vendor patches. Due to the widespread adoption of React and Next.js, this vulnerability presents a significant risk, bypassing traditional security defenses. Immediate mitigation requires upgrading to React 19.2.1+ and Next.js 16.0.7+, regenerating all secrets and credentials, implementing WAF/API Gateway rules to detect suspicious React Flight chunk structures or references to `__proto__` or `prototype`, hardening RSC/Next.js deployments with minimal privileges and isolation, and actively hunting for indicators of compromise such as unexpected `.then()` behavior or shell command execution from Node.js processes.

Severity: Critical

Sources

• https://arcticwolf.com/resources/blog/cve-2025-55182/
• https://arcticwolf.com/resources/blog-uk/cve-2025-55182-critical-remote-code-execution-vulnerability-found-in-react-server-components/
• https://arstechnica.com/security/2025/12/admins-and-defenders-gird-themselves-against-maximum-severity-server-vulnerability/
• https://blog.checkpoint.com/securing-the-cloud/what-is-react2shell-cve-2025-55182-in-plain-english-and-why-check-point-cloudguard-waf-customers-carried-on-with-their-day/
• https://blog.cloudflare.com/5-december-2025-outage/
• https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/
• https://blog.jakesaunders.dev/my-server-started-mining-monero-this-morning/
• https://blog.qualys.com/product-tech/2025/12/10/react2shell-decoding-cve-2025-55182-the-silent-threat-in-react-server-components
• https://blog.securelayer7.net/cve-2025-55182/
• https://bluefire-redteam.com/critical-react-next-js-vulnerability/
• https://buaq.net/go-379373.html
• https://buaq.net/go-379393.html
• https://buaq.net/go-379471.html
• https://buaq.net/go-379472.html
• https://buaq.net/go-379487.html
• https://buaq.net/go-379621.html
• https://buaq.net/go-379669.html
• https://buaq.net/go-379678.html
• https://buaq.net/go-379693.html
• https://buaq.net/go-379725.html
• https://buaq.net/go-379832.html
• https://buaq.net/go-379834.html
• https://buaq.net/go-379997.html
• https://buaq.net/go-380062.html
• https://buaq.net/go-380063.html
• https://buaq.net/go-380074.html
• https://buaq.net/go-380124.html
• https://buaq.net/go-380126.html
• https://buaq.net/go-380241.html
• https://buaq.net/go-380275.html
• https://buaq.net/go-380329.html
• https://buaq.net/go-381014.html
• https://buaq.net/go-381261.html
• https://buaq.net/go-381582.html
• https://buaq.net/go-382312.html
• https://buaq.net/go-382608.html
• https://buaq.net/go-382617.html
• https://cloud.google.com/blog/products/identity-security/responding-to-cve-2025-55182/
• https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/
• https://coinedition.com/cloudflare-outage-exposes-centralized-internet-risks-for-crypto-platforms/
• https://csirt.divd.nl/cases/DIVD-2025-00042/
• https://cxsecurity.com/issue/WLB-2025120005
• https://cxsecurity.com/issue/WLB-2025120006
• https://cxsecurity.com/issue/WLB-2025120023
• https://cyberinsider.com/chinese-hackers-rapidly-exploit-critical-react2shell-flaw/
• https://cyberinsider.com/react2shell-exploitation-explodes-as-botnets-now-join-the-fray/
• https://cyberinsider.com/react2shell-flaw-threatens-rce-in-39-of-all-cloud-environments/
• https://cyberpress.org/2-15m-next-js-sites-found-vulnerable/
• https://cyberpress.org/burp-suite-act2shell-vulnerabilities/
• https://cyberpress.org/fake-mparivahan-e-challan-apps/
• https://cyberpress.org/new-scanner-tool-for-detecting/
• https://cyberpress.org/openai-gpt-5-2-codex-vulnerability-detection/
• https://cyberpress.org/react2shell-etherrat-deployment/
• https://cyberpress.org/react2shell-exploitation-campaign/
• https://cyberpress.org/react2shell-vulnerability/
• https://cyberpress.org/react2shell-vulnerability-2/
• https://cyberpress.org/react2shell-vulnerability-3/
• https://cyberpress.org/react2shell-vulnerability-4/
• https://cyberpress.org/react4shell-flaw/
• https://cyberpress.org/react-and-next-js-vulnerabilities/
• https://cyberpress.org/react-server-components-flaw/
• https://cyberscoop.com/attackers-exploit-react-server-vulnerability/
• https://cyberscoop.com/react2shell-vulnerability-fallout-spreads/
• https://cyberscoop.com/react-server-vulnerability-critical-severity-security-update/
• https://cybersrcc.com/2025/12/10/critical-security-advisory-on-cve-2025-66478-and-its-active-exploitation-risks/
• https://cyberveille.esante.gouv.fr/alertes/react-cve-2025-55182-2025-12-04
• https://doublepulsar.com/cybersecurity-industry-overreacts-to-react-vulnerability-starts-panic-burns-own-house-down-again-e85c10ad1607?source=rss----8343faddf0ec---4
• https://financefeeds.com/hackers-exploit-javascript-library-to-deploy/
• https://gbhackers.com/2-15m-next-js-web-services-exposed-online-active-attacks-reported/
• https://gbhackers.com/644k-websites-at-risk-due-to-critical-react-server-components-flaw/
• https://gbhackers.com/burp-suite-upgrades-scanner-for-critical-react2shell-flaws/
• https://gbhackers.com/cisa-adds-critical-react2shell-vulnerability-to-kev-catalog/
• https://gbhackers.com/critical-react2shell-rce-flaw/
• https://gbhackers.com/new-scanner-released-to-detect-exposed-reactjs-and-next-js-rsc-endpoints/
• https://gbhackers.com/next-js-releases-scanner-react2shell-vulnerability/
• https://gbhackers.com/openais-gpt-5-2-codex-boosts-agentic-coding/
• https://gbhackers.com/react2shell-rce-vulnerability/
• https://gbhackers.com/react2shell-vulnerability/
• https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
• https://gridinsoft.com/blogs/react2shell-cve-2025-55182-rce/
• https://gridinsoft.com/blogs/react2shell-exploitation-china-apt/
• https://hackread.com/north-korean-hackers-etherrat-malware-react2shell/
• https://horizon3.ai/attack-research/vulnerabilities/cve-2025-55182/
• https://industrialcyber.co/threats-attacks/amazon-warns-of-ongoing-exploitation-attempts-by-chinese-hackers-on-react2shell-vulnerability/
• https://infosecwriteups.com/from-recon-to-rce-hunting-react2shell-cve-2025-55182-for-bug-bounties-4e3a3ed79876?source=rss----7b722bfd1b8d---4
• https://isc.sans.edu/diary/32572
• https://isc.sans.edu/diary/rss/32572
• https://jfrog.com/blog/2025-55182-and-2025-66478-react2shell-all-you-need-to-know/
• https://lab.wallarm.com/update-on-react-server-components-rce-vulnerability-cve-2025-55182-cve-2025-66478/
• https://lab.wallarm.com/wallarm-blocks-exploitation-remote-code-execution-vulnerability-react-server-components/
• https://malwaretips.com/threads/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks.138645/
• https://malwaretips.com/threads/multiple-threat-actors-exploit-react2shell-cve-2025-55182-according-to-google.138719/
• https://malwaretips.com/threads/react2shell-technical-deep-dive-in-the-wild-exploitation-of-cve-2025-55182.138631/
• https://meterpreter.org/beyond-the-shell-critical-react2shell-exploit-hits-japan-to-deploy-stealthy-zndoor-rat/
• https://meterpreter.org/china-apts-exploiting-react-server-rce-cve-2025-55182-hours-after-disclosure/
• https://meterpreter.org/cloudflare-outage-caused-by-frantic-patching-of-critical-react2shell-cve-2025-55182-flaw/
• https://meterpreter.org/react2shell-exploit-botnets-target-150k-devices-daily-with-node-js-flaw/
• https://news.sophos.com/en-us/2025/12/11/react2shell-flaw-cve-2025-55182-exploited-for-remote-code-execution/
• https://nextjs.org/blog/CVE-2025-66478
• https://nsfocusglobal.com/react-next-js-remote-code-execution-vulnerability-cve-2025-55182-cve-2025-66478-notice/
• https://orca.security/resources/blog/cve-2025-55182-react-nextjs-rce/
• https://osintteam.blog/cve-2025-55182-a-pre-authentication-remote-code-execution-in-next-js-complete-guide-e39a35fa3156?source=rss----2983bc435765---4
• https://osintteam.blog/react2shell-analysis-domain-level-detection-of-rsc-exposure-11db354612df?source=rss----2983bc435765---4
• https://osintteam.blog/react2shell-cve-2025-55182-under-active-attack-analysis-of-global-threat-activity-against-rsc-68eb16c893cc?source=rss----2983bc435765---4
• https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
• https://rhisac.org/threat-intelligence/react-nextjs-vuln/
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-react-flight-TYw32Ddb?vs_f=Cisco%20Security%20Advisory%26vs_cat=Security%20Intelligence%26vs_type=RSS%26vs_p=Remote%20Code%20Execution%20Vulnerability%20in%20React%20and%20Next.js%20Frameworks:%20December%202025%26vs_k=1
• https://securelist.com/cve-2025-55182-exploitation/118331/
• https://securityboulevard.com/2025/12/attackers-worldwide-are-zeroing-in-on-react2shell-vulnerability/
• https://securityboulevard.com/2025/12/cloudflare-forces-widespread-outage-to-mitigate-exploitation-of-maximum-severity-vulnerability-in-react2shell/
• https://securityboulevard.com/2025/12/dangerous-rce-flaw-in-react-next-js-threatens-cloud-environments-apps/
• https://securityboulevard.com/2025/12/exploitation-efforts-against-critical-react2shell-flaw-accelerate/
• https://securityboulevard.com/2025/12/google-finds-five-china-nexus-groups-exploiting-react2shell-flaw/
• https://securityboulevard.com/2025/12/react-fixes-two-new-rsc-flaws-as-security-teams-deal-with-react2shell/
• https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/
• https://securityonline.info/catastrophic-react-flaw-cve-2025-55182-cvss-10-0-allows-unauthenticated-rce-on-next-js-and-server-components/
• https://securityonline.info/critical-react2shell-vulnerability-cve-2025-55182-analysis-surge-in-attacks-targeting-rsc-enabled-services-worldwide/
• https://securityonline.info/maximum-severity-alert-critical-rce-flaw-hits-next-js-cve-2025-66478-cvss-10-0/
• https://securityonline.info/nexusroute-uncovered-android-rat-impersonates-indian-e-challan-via-github-for-upi-fraud-surveillance/
• https://securityonline.info/operation-pcpcat-60000-next-js-servers-hijacked-in-just-48-hours/
• https://securityonline.info/react2shell-crisis-critical-vulnerability-triggers-global-cyberattacks-by-state-sponsored-groups/
• https://securityonline.info/react2shell-max-score-rce-cvss-10-0-triggers-widespread-exploitation-by-espionage-groups-miners/
• https://securityonline.info/react2shell-storm-china-nexus-groups-weaponize-critical-react-flaw-hours-after-disclosure/
• https://socprime.com/blog/react2shell-vulnerability-exploitation/
• https://socradar.io/blog/react2shell-rce-flaw-react-nextjs/
• https://testbnull.medium.com/and-then-and-then-and-then-give-me-the-react2-shell-3c4b60ebaef9?source=rss-6ac51190917c------2
• https://thecyberexpress.com/pcpcat-react-servers-nextjs-breach/
• https://thecyberexpress.com/react2shell-flaw-exploited-by-chinese-groups/
• https://thehackernews.com/2025/12/chinese-hackers-have-started-exploiting.html
• https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html
• https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
• https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html
• https://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html
• https://threatprotect.qualys.com/2025/12/04/react-server-components-rsc-remote-code-execution-vulnerabilities/
• https://www.attackiq.com/2025/12/18/cve-2025-55182/
• https://www.bitdefender.com/en-us/blog/businessinsights/advisory-react2shell-critical-unauthenticated-rce-in-react-cve-2025-55182
• https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-outage-on-emergency-react2shell-patch/
• https://www.bleepingcomputer.com/news/security/critical-react2shell-flaw-exploited-in-ransomware-attacks/
• https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-react2shell-flaw-in-etherrat-malware-attacks/
• https://www.bleepingcomputer.com/news/security/react2shell-critical-flaw-actively-exploited-in-china-linked-attacks/
• https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable/
• https://www.catonetworks.com/blog/cato-ctrl-react2shell-vulnerability-targeting-react-server-components/
• https://www.computerweekly.com/news/366635992/Cloudflare-fixes-second-outage-in-a-month
• https://www.computerweekly.com/news/366636015/Cyber-teams-on-alert-as-React2Shell-exploitation-spreads
• https://www.cybereason.com/blog/cve-2025-55182-rce-vulnerability
• https://www.cyberkendra.com/2025/12/critical-react2shell-vulnerability.html
• https://www.cyberkendra.com/2025/12/react2shell-exploited-cisa-issues.html
• https://www.cyberkendra.com/2025/12/react-patches-two-new-flaws-following.html
• https://www.darkreading.com/threat-intelligence/react2shell-exploits-flood-internet-attacks-continue
• https://www.darkreading.com/vulnerabilities-threats/exploitation-activity-ramps-react2shell
• https://www.esecurityplanet.com/threats/over-600k-sites-exposed-to-critical-react-server-components-flaw/
• https://www.esecurityplanet.com/threats/react2shell-rce-flaws-put-react-and-next-js-apps-at-severe-risk/
• https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
• https://www.greynoise.io/blog/react2shell-payload-analysis
• https://www.hackthebox.com/blog/react2shell-cve-2025-55182-threat-spotlight
• https://www.helpnetsecurity.com/2025/12/04/react-node-js-vulnerability-cve-2025-55182/
• https://www.hendryadrian.com/chinese-hackers-exploiting-react2shell-bug-impacting-countless-websites-amazon-researchers-say/
• https://www.hendryadrian.com/cloudflare-blames-todays-outage-on-emergency-react2shell-patch/
• https://www.hendryadrian.com/cloudflare-outage-caused-by-react2shell-mitigations/
• https://www.hendryadrian.com/critical-react2shell-flaw-actively-exploited-in-china-linked-attacks/
• https://www.hendryadrian.com/critical-react-next-js-flaw-lets-hackers-execute-code-on-servers/
• https://www.hendryadrian.com/critical-vulnerabilities-in-react-server-components-and-next-js/
• https://www.hendryadrian.com/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation/
• https://www.hendryadrian.com/cve-2025-55182-react2shell-remote-code-execution-in-react-server-components-and-next-js-datadog-security-labs/
• https://www.hendryadrian.com/detecting-next-js-cve-2025-66478-rce-vulnerability-with-wazuh/
• https://www.hendryadrian.com/detecting-react2shell-the-maximum-severity-rce-vulnerability-affecting-react-server-components-and-next-js-sysdig/
• https://www.hendryadrian.com/federal-agencies-now-only-have-one-more-day-to-patch-react2shell-bug/
• https://www.hendryadrian.com/peerblight-linux-backdoor-exploits-react2shell-cve-2025-55182/
• https://www.hendryadrian.com/react2shell-technical-deep-dive-in-the-wild-exploitation-of-cve-2025-55182/
• https://www.hendryadrian.com/zero-day-to-zero-hour-react2shell-cve-2025-55182-becomes-one-of-the-most-rapidly-weaponized-rsc-vulnerability/
• https://www.hkcert.org/security-bulletin/react-remote-code-execution-vulnerability_20251204
• https://www.infosecurity-magazine.com/news/react2shell-exploit-campaigns/
• https://www.infosecurity-magazine.com/news/react2shell-under-active/
• https://www.infosecurity-magazine.com/news/reactjs-hit-by-react2shell/
• https://www.kaspersky.com/blog/react4shell-vulnerability-cve-2025-55182/54915/
• https://www.recordedfuture.com/blog/critical-react2shell-vulnerability
• https://www.recordedfuture.com/blog/the-bug-that-wont-die
• https://www.resecurity.com/blog/article/react2shell-explained-cve-2025-55182-from-vulnerability-discovery-to-exploitation
• https://www.resecurity.com/blog/article/synthetic-data-a-new-frontier-for-cyber-deception-and-honeypots
• https://www.securitylab.ru/news/566820.php
• https://www.securitylab.ru/news/566886.php
• https://www.securitylab.ru/news/567053.php
• https://www.securityweek.com/chinese-hackers-exploiting-react2shell-vulnerability/
• https://www.securityweek.com/exploitation-of-react2shell-surges/
• https://www.securityweek.com/google-sees-5-chinese-groups-exploiting-react2shell-for-malware-delivery/
• https://www.securityweek.com/react2shell-attacks-linked-to-north-korean-hackers/
• https://www.securityweek.com/react2shell-in-the-wild-exploitation-expected-for-critical-react-vulnerability/
• https://www.securityweek.com/wide-range-of-malware-delivered-in-react2shell-attacks/
• https://www.sentinelone.com/blog/protecting-against-critical-react2shell-rce-exposure/
• https://www.sysdig.com/blog/detecting-react2shell
• https://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2
• https://www.techradar.com/pro/security/maximum-severity-react2shell-flaw-exploited-by-north-korean-hackers-in-malware-attacks
• https://www.techtarget.com/searchsecurity/news/366636017/News-brief-RCE-flaws-persist-as-top-cybersecurity-threat
• https://www.techzine.eu/blogs/security/137062/is-react2shell-the-new-log4shell/
• https://www.techzine.eu/news/security/137010/meta-warns-of-critical-vulnerability-in-react-server-components/
• https://www.techzine.eu/news/security/137035/react2shell-exploited-hours-after-discovery/
• https://www.techzine.eu/news/security/137273/three-new-vulnerabilities-discovered-in-react-server-components/
• https://www.tenable.com/blog/react2shell-cve-2025-55182-react-server-components-rce
• https://www.thehackerwire.com/critical-security-flaw-found-in-react-server-components/
• https://www.theregister.com/2025/12/03/exploitation_is_imminent_react_vulnerability/
• https://www.theregister.com/2025/12/05/aws_beijing_react_bug/
• https://www.theregister.com/2025/12/05/react2shell_pocs_exploitation/
• https://www.theregister.com/2025/12/12/new_react_secretleak_bugs/
• https://www.theregister.com/2025/12/12/vulnerable_react_instances_unpatched/
• https://www.theregister.com/2025/12/18/react2shell_exploitation_spreads_as_microsoft/
• https://www.trendmicro.com/en_us/research/25/l/critical-react-server-components-vulnerability.html
• https://www.upguard.com/blog/understanding-and-mitigating-cve-2025-55182-react2shell
• https://www.uptycs.com/blog/critical-rce-vulnerability-react-server-components-nextjs
• https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
• https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
• https://www.zscaler.com/blogs/security-research/react2shell-remote-code-execution-vulnerability-cve-2025-55182

Threat Details and IOCs

Mitigation Advice

• Upgrade all applications using React Server Components to React version 19.2.1 or later.
• Upgrade all Next.js applications that use the App Router to version 16.0.7 or later.
• Immediately rotate all API keys used by applications running vulnerable versions of React or Next.js.
• Immediately rotate all database credentials used by applications running vulnerable versions of React or Next.js.
• Immediately rotate all cloud infrastructure access tokens (e.g., AWS IAM roles, GCP service accounts, Azure Managed Identities) associated with environments running vulnerable applications.
• Implement WAF rules to block or alert on HTTP POST requests to React Server Component endpoints that contain `__proto__` or `prototype` keywords in the request body.
• Actively hunt for indicators of compromise by searching application and server logs for suspicious POST requests to RSC endpoints or evidence of shell command execution originating from Node.js processes.

Compliance Best Practices

• Review and reconfigure service accounts for applications using React Server Components to ensure they operate under the principle of least privilege, with minimal necessary OS and cloud permissions.
• Implement network segmentation policies to strictly control traffic between application servers, databases, and internal services, preventing lateral movement from a compromised web server.
• Modify the deployment process for web applications to use read-only file systems or immutable container images, preventing attackers from persisting malware on the server.
• Establish a secure coding program to audit all application components that perform data deserialization, ensuring they strictly validate and sanitize all client-provided input before processing.
• Integrate an automated dependency scanning tool, such as Snyk or Dependabot, into the CI/CD pipeline to continuously monitor for and alert on newly discovered vulnerabilities in third-party libraries.

---