End-of-Day report
Timeframe: Thursday 04-12-2025 18:00 - Friday 05-12-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
News
React2Shell - Attacks against vulnerable applications based on React.JS and other frameworks
This week, critical security vulnerabilities in React Server Components were published. These vulnerabilities allow unauthenticated remote code execution if applications use the affected Server Components. The vulnerability is now being actively exploited to compromise vulnerable installations. Proof-of-concept exploits are already publicly available. CVE number(s): CVE-2025-55182
https://www.cert.at/de/warnungen/2025/12/react2shell-angriffe-gegen-verwundbare-anwendungen-auf-basis-reactjs-und-weiterer-frameworks
CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far
GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) "Flight" protocol RCE, often referred to publicly as "React2Shell" and tracked as CVE-2025-55182.
https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
Cloudflare blames today's outage on emergency React2Shell patch
Cloudflare has blamed today's outage on the emergency patching of a critical React remote code execution vulnerability, which is now actively exploited in attacks. [..] "The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare's systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components," Cloudflare CTO Dane Knecht noted in a post-mortem.
https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-outage-on-emergency-react2shell-patch/
Cybersecurity industry overreacts to React vulnerability, starts panic, burns own house down again
The disclosure write up is great - it's full of facts, and explains when you are and aren't vulnerable. I don't think anybody knows how to parse it and people have started taking actions before even knowing what they're doing. [..] Check with your developers and suppliers if they even use React v19 yet. They most probably don't, in which case you aren't vulnerable.
https://doublepulsar.com/cybersecurity-industry-overreacts-to-react-vulnerability-starts-panic-burns-own-house-down-again-e85c10ad1607
Hackers are exploiting ArrayOS AG VPN flaw to plant webshells
Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. Array Networks fixed the vulnerability in a May security update, but has not assigned an identifier, complicating efforts to track the flaw and patch management.
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
FBI warns of virtual kidnapping scams using altered social media photos
The FBI warns that criminals are altering images shared on social media and using them as fake proof of life photos in virtual kidnapping ransom scams.
https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapping-ransom-scams-using-altered-social-media-photos/
Asus supplier hit by ransomware attack as gang flaunts alleged 1 TB haul
Laptop maker says a vendor breach exposed some phone camera code, but not its own systems. Asus has admitted that a third-party supplier was popped by cybercrims after the Everest ransomware gang claimed it had rifled through the tech titan's internal files.
https://go.theregister.com/feed/www.theregister.com/2025/12/05/asus_supplier_hack/
SMS Phishers Pivot to Points, Taxes, Fake Retailers
Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple's iMessage service or the functionally equivalent RCS messaging service built into Google phones.
https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake-retailers/
Warning: New phishing emails in the name of the WKO in circulation
Criminals are particularly fond of imitating well-known organisations. Currently, the WKO is affected again. In a new phishing variant, recipients are asked to verify their data under the pretext of a "quality assurance" check.
https://www.watchlist-internet.at/news/wko-phishing-e-mails-datenerfassung/
A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect
GreyNoise detected a surge of 7,000+ IPs attempting to log into GlobalProtect, sharing fingerprints with a surge in SonicWall API scanning and earlier Palo Alto campaigns, exposing a persistent credential-based attack pattern.
https://www.greynoise.io/blog/hidden-pattern-credential-based-attacks-palo-alto-sonicwall
November CVEs Fell 25% YoY, Driven by Slowdowns at Major CNAs
2025 CVE volume is still running ahead of 2024 overall, even as November cooled off year over year. [..] For security teams, the practical takeaway is to be careful about using "global CVE count" as a proxy for risk. CVE volume can still be useful as a publishing health signal, especially when concentrated among a small number of high-output CNAs and programs.
https://socket.dev/blog/november-cves-fell-25-yoy-driven-by-slowdowns-at-major-cnas
Vulnerabilities
Security updates for Friday
Security updates have been issued by AlmaLinux (buildah, firefox, gimp:2.8, go-toolset:rhel8, ipa, kea, kernel, kernel-rt, pcs, qt6-qtquick3d, qt6-qtsvg, systemd, and valkey), Debian (chromium and unbound), Fedora (alexvsbus, CuraEngine, fcgi, libcoap, python-kdcproxy, texlive-base, timg, and xpdf), Mageia (digikam, darktable, libraw, gnutls, python-django, unbound, webkit2, and xkbcomp), Oracle (bind, firefox, gimp:2.8, haproxy, ipa, java-25-openjdk, kea, kernel, libsoup3, libssh, libtiff, openssl, podman, qt6-qtsvg, squid, systemd, vim, and xorg-x11-server-Xwayland), Slackware (httpd and libpng), SUSE (chromedriver, kernel, and python-mistralclient), and Ubuntu (cups, linux-azure, linux-gcp, linux-gcp, linux-gke, linux-gkeop, linux-ibm-6.8, linux-iot, and mame).
https://lwn.net/Articles/1049417/
VU#441887: Duc contains a stack buffer overflow vulnerability in the buffer_get function, allowing for out-of-bounds memory read
https://kb.cert.org/vuls/id/441887
Drupal: Security advisories for contributed projects
https://www.drupal.org/security/contrib
Socomec DIRIS Digiware M series and Easy Config, PDF XChange Editor vulnerabilities
https://blog.talosintelligence.com/socomec-diris-digiware-m-series-and-easy-config-pdf-xchange-editor-vulnerabilities/