CVE-2025-55182

Dec. 10, 2025, 2 a.m.

10.0
Critical

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Product(s) Impacted

Vendor Product Versions
Facebook
  • React
  • 19.0.0, 19.1.0, 19.1.1, 19.2.0
Vercel
  • Next.js
  • *, 14.3.0, 15.6.0, 16.0.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a facebook react 19.0.0 / / / / / / /
a facebook react 19.1.0 / / / / / / /
a facebook react 19.1.1 / / / / / / /
a facebook react 19.2.0 / / / / / / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js 14.3.0 canary77 / / / node.js / /
a vercel next.js 14.3.0 canary78 / / / node.js / /
a vercel next.js 14.3.0 canary79 / / / node.js / /
a vercel next.js 14.3.0 canary80 / / / node.js / /
a vercel next.js 14.3.0 canary81 / / / node.js / /
a vercel next.js 14.3.0 canary82 / / / node.js / /
a vercel next.js 14.3.0 canary83 / / / node.js / /
a vercel next.js 14.3.0 canary84 / / / node.js / /
a vercel next.js 14.3.0 canary85 / / / node.js / /
a vercel next.js 14.3.0 canary86 / / / node.js / /
a vercel next.js 14.3.0 canary87 / / / node.js / /
a vercel next.js 15.6.0 - / / / node.js / /
a vercel next.js 15.6.0 canary0 / / / node.js / /
a vercel next.js 15.6.0 canary1 / / / node.js / /
a vercel next.js 15.6.0 canary10 / / / node.js / /
a vercel next.js 15.6.0 canary11 / / / node.js / /
a vercel next.js 15.6.0 canary12 / / / node.js / /
a vercel next.js 15.6.0 canary13 / / / node.js / /
a vercel next.js 15.6.0 canary14 / / / node.js / /
a vercel next.js 15.6.0 canary15 / / / node.js / /
a vercel next.js 15.6.0 canary16 / / / node.js / /
a vercel next.js 15.6.0 canary17 / / / node.js / /
a vercel next.js 15.6.0 canary18 / / / node.js / /
a vercel next.js 15.6.0 canary19 / / / node.js / /
a vercel next.js 15.6.0 canary2 / / / node.js / /
a vercel next.js 15.6.0 canary20 / / / node.js / /
a vercel next.js 15.6.0 canary21 / / / node.js / /
a vercel next.js 15.6.0 canary22 / / / node.js / /
a vercel next.js 15.6.0 canary23 / / / node.js / /
a vercel next.js 15.6.0 canary24 / / / node.js / /
a vercel next.js 15.6.0 canary25 / / / node.js / /
a vercel next.js 15.6.0 canary26 / / / node.js / /
a vercel next.js 15.6.0 canary27 / / / node.js / /
a vercel next.js 15.6.0 canary28 / / / node.js / /
a vercel next.js 15.6.0 canary29 / / / node.js / /
a vercel next.js 15.6.0 canary3 / / / node.js / /
a vercel next.js 15.6.0 canary30 / / / node.js / /
a vercel next.js 15.6.0 canary31 / / / node.js / /
a vercel next.js 15.6.0 canary32 / / / node.js / /
a vercel next.js 15.6.0 canary33 / / / node.js / /
a vercel next.js 15.6.0 canary34 / / / node.js / /
a vercel next.js 15.6.0 canary35 / / / node.js / /
a vercel next.js 15.6.0 canary36 / / / node.js / /
a vercel next.js 15.6.0 canary37 / / / node.js / /
a vercel next.js 15.6.0 canary38 / / / node.js / /
a vercel next.js 15.6.0 canary39 / / / node.js / /
a vercel next.js 15.6.0 canary4 / / / node.js / /
a vercel next.js 15.6.0 canary40 / / / node.js / /
a vercel next.js 15.6.0 canary41 / / / node.js / /
a vercel next.js 15.6.0 canary42 / / / node.js / /
a vercel next.js 15.6.0 canary43 / / / node.js / /
a vercel next.js 15.6.0 canary44 / / / node.js / /
a vercel next.js 15.6.0 canary45 / / / node.js / /
a vercel next.js 15.6.0 canary46 / / / node.js / /
a vercel next.js 15.6.0 canary47 / / / node.js / /
a vercel next.js 15.6.0 canary48 / / / node.js / /
a vercel next.js 15.6.0 canary49 / / / node.js / /
a vercel next.js 15.6.0 canary5 / / / node.js / /
a vercel next.js 15.6.0 canary50 / / / node.js / /
a vercel next.js 15.6.0 canary51 / / / node.js / /
a vercel next.js 15.6.0 canary52 / / / node.js / /
a vercel next.js 15.6.0 canary53 / / / node.js / /
a vercel next.js 15.6.0 canary54 / / / node.js / /
a vercel next.js 15.6.0 canary55 / / / node.js / /
a vercel next.js 15.6.0 canary56 / / / node.js / /
a vercel next.js 15.6.0 canary57 / / / node.js / /
a vercel next.js 15.6.0 canary6 / / / node.js / /
a vercel next.js 15.6.0 canary7 / / / node.js / /
a vercel next.js 15.6.0 canary8 / / / node.js / /
a vercel next.js 15.6.0 canary9 / / / node.js / /
a vercel next.js 16.0.0 - / / / node.js / /

References

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://www.facebook.com/security/advisories/cve-2025-55182
http://www.openwall.com/lists/oss-security/2025/12/03/4
https://news.ycombinator.com/item?id=46136026
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182

Tags

CWE-502
[email protected]
2025-12-03
CVE-2025-55182

CVSS Score

10.0 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: Dec. 3, 2025, 4:15 p.m.
Last Modified: Dec. 10, 2025, 2 a.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

[email protected]

Relations

Here is the list of observables linked to the vulnerability CVE-2025-55182 using threat intelligence.

  • Lazarus Group, Kimsuky
  • Earth Lamia, Jackpot Panda
  • China-nexus
  • WebBrowserPassView
  • RondoDox
  • Kaiji
  • ANGRYREBEL.LINUX
  • Sliver
  • HISONIC
  • Mirai
  • BADCALL - S0245
  • EtherRAT
  • PeerBlight
  • HttpTroy
  • BLINDINGCAN - S0520
  • ZinFoq
  • ShadowPad - S0596
  • Gafgyt
  • CowTunnel
  • Quasar RAT
  • SNOWLIGHT
  • VShell
  • GobRAT
  • XMRig
  • MailPassView
  • MINOCAT
  • ShadowPad
  • Supershell
  • COMPOOD
  • React Server Components
  • React Server Components

Linked Attack Reports

China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)

Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. This critical vulnerability in React Server Compone…
exploit
china-nexus
CVE-2025-1338
next.js
earth lamia
CVE-2025-55182
2025-12-05
jackpot panda
state sponsored
react2shell
react server
app router
Published: December 5, 2025
Linked vulnerabilities : CVE-2025-1338 (CVSS 7.3), CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 4

Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated November 3)

A critical vulnerability in Microsoft's Windows Server Update Services (WSUS) allows unauthenticated remote code execution with system privileges. Initially patched on October 14, 2025, the flaw required an emergency update on October 23 due to incomplete mitigation. Active exploitation was observe…
cisa
rce
patch management
CVE-2025-59287
2025-12-07
active exploitation
kev catalog
windows server
wsus
Published: December 7, 2025
Linked vulnerabilities : CVE-2024-36401, CVE-2025-32433 (CVSS 10.0), CVE-2025-52905 (CVSS 7.0), CVE-2025-52906 (CVSS 9.3), CVE-2025-52907 (CVSS 7.3), CVE-2025-59287 (CVSS 9.8), CVE-2025-53868 (CVSS 8.5), CVE-2025-61955 (CVSS 8.5), CVE-2025-57780 (CVSS 8.5), CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-21042
Downloadable IOCs: 1

Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors

A critical vulnerability dubbed 'React2Shell' (CVE-2025-55182) in React Server Components is being actively exploited by Chinese threat actors. The flaw affects multiple versions and packages, allowing arbitrary code execution through crafted HTTP requests. Approximately 39% of scanned cloud enviro…
gobrat
chinese threat actors
arbitrary code execution
CVE-2025-55182
react2shell
2025-12-08
active exploitation
react server components
Published: December 8, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 2

React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics

The critical Remote Code Execution vulnerability CVE-2025-55182, dubbed 'React2Shell', affects React Server Components (RSC) and extends beyond Next.js. Attackers are exploiting it for cloud-native initial access, credential harvesting, cryptomining, and deploying sophisticated backdoors. The vulne…
exploit
rce
next.js
deserialization
CVE-2025-55182
react2shell
2025-12-09
react
rsc
Published: December 9, 2025
Linked vulnerabilities : CVE-2021-4034, CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 38

PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182

A critical vulnerability in React Server Components (CVE-2025-55182) is being exploited across various organizations. Attackers are deploying cryptominer malware, a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq. Peer…
post-exploitation
linux backdoor
CVE-2025-55182
react2shell
2025-12-10
bittorrent dht
cowtunnel
kaiji
peerblight
zinfoq
Published: December 10, 2025
Linked vulnerabilities : CVE-2025-30406, CVE-2025-55182 (CVSS 10.0), CVE-2025-66478
Downloadable IOCs: 36

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

A zero-day vulnerability in Gogs, a popular self-hosted Git service, has been discovered and is being actively exploited. The flaw, identified as CVE-2025-8110, is a symlink bypass of a previously patched RCE vulnerability. It allows authenticated users to overwrite files outside the repository, le…
vulnerability
zero-day
cloud security
supershell
rce
CVE-2024-55947
2025-12-10
CVE-2025-8110
git service
gogs
symlink bypass
Published: December 10, 2025
Linked vulnerabilities : CVE-2024-54148 (CVSS 9.8), CVE-2024-55947, CVE-2023-46747, CVE-2024-56731 (CVSS 10.0), CVE-2025-55182 (CVSS 10.0), CVE-2025-8110 (CVSS 8.7)
Downloadable IOCs: 0

It didn’t take long: CVE-2025-55182 is now under active exploitation

A critical vulnerability (CVE-2025-55182) affecting React Server Components has been actively exploited since its disclosure on December 4, 2025. The flaw, dubbed React4Shell, allows attackers to execute commands and manipulate files on vulnerable web applications. Kaspersky honeypots detected a su…
xmrig
vulnerability
botnet
mirai
exploitation
gafgyt
honeypot
rondodox
CVE-2025-55182
2025-12-11
react server components
crypto miner
react4shell
Published: December 11, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 46

React2Shell flaw (CVE-2025-55182) exploited for remote code execution

A critical vulnerability called 'React2Shell' (CVE-2025-55182) affecting React Server Components has been widely exploited. The flaw allows remote code execution through unsafe handling of incoming data during deserialization. Over 165,000 vulnerable IP addresses have been identified. Post-exploita…
persistence
remote code execution
obfuscated javascript
vshell
snowlight
deserialization
CVE-2025-55182
react2shell
2025-12-12
etherrat
linux loaders
state-sponsored attacks
Published: December 12, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 3

Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)

A critical remote code execution vulnerability in React Server Components, CVE-2025-55182, has been widely exploited by various threat actors. China-nexus espionage groups and financially motivated actors have been observed leveraging this vulnerability to deploy malware such as MINOCAT tunneler, S…
remote code execution
CVE-2025-55182
react2shell
2025-12-13
Published: December 13, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-55184 (CVSS 7.5), CVE-2025-55183 (CVSS 5.3), CVE-2025-67779 (CVSS 7.5)
Downloadable IOCs: 7

Malicious SSO Logins Observed Following Disclosure of CVE-2025-59718 and CVE-2025-59719

On December 12, 2025, intrusions involving malicious SSO logins on FortiGate appliances were observed. These attacks followed Fortinet's disclosure of two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9. The vulnerabilities allow unauthenticated bypa…
fortigate
authentication bypass
firewall
CVE-2025-59718
CVE-2025-59719
2025-12-15
forticloud
Published: December 15, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0), CVE-2025-59718 (CVSS 9.8), CVE-2025-59719 (CVSS 9.8)
Downloadable IOCs: 4

Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components

CVE-2025-55182, also known as React2Shell, is a critical pre-authentication remote code execution vulnerability affecting React Server Components and related frameworks. With a CVSS score of 10.0, it allows attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP re…
vulnerability
remote code execution
vshell
snowlight
CVE-2025-55182
react2shell
2025-12-15
etherrat
Published: December 15, 2025
Linked vulnerabilities : CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065, CVE-2025-55182 (CVSS 10.0), CVE-2025-66478
Downloadable IOCs: 50

Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns

North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to conduct widespread hacking operations for intelligence gathering, financial gain, and access. The investigation uncovered previously unconnected operational assets, revealing active tool-staging servers, credenti…
quasar rat
dprk
vps
blindingcan
2025-12-18
badcall
mailpassview
Published: December 18, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 20

Analyzing React2Shell Threat Actors

This report analyzes the exploitation of CVE-2025-55182, known as React2Shell, a critical vulnerability in React Server Components. It examines various attack payloads, including credential harvesters, reverse shells, and botnet loaders. The analysis reveals rapid weaponization of the vulnerability…
vulnerability
botnet
exploitation
CVE-2024-4577
CVE-2017-9841
payloads
CVE-2023-1389
rce
rondodox
CVE-2025-55182
react2shell
react server components
2026-01-17
CVE-2019-9082
reactonmynuts
Published: January 17, 2026
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2022-42475, CVE-2017-9841, CVE-2019-9082, CVE-2023-1389, CVE-2025-31324 (CVSS 10.0), CVE-2022-24847, CVE-2022-22947, CVE-2025-55182 (CVSS 10.0), CVE-2022-47945
Downloadable IOCs: 9

Weekly Threat Bulletin – January 28th, 2026

This weekly threat bulletin highlights several critical vulnerabilities and emerging threats. A severe RCE vulnerability in React Server Components and Next.js (CVE-2025-55182) is being actively exploited. CISA added four critical flaws to its 'Must-Patch' list, including vulnerabilities in Versa C…
ransomware
xmrig
cobalt strike
macos
mirai
sliver
gafgyt
qilin
cisa
interlock
rce
lizkebab
bashlite
aisuru
clop
vshell
next.js
CVE-2025-31125
CVE-2025-34026
pulsepack
rondodox
CVE-2025-54313
beacon
morte
CVE-2025-61882
oracle e-business suite
nezha
agenda
CVE-2025-55182
react
peerblight
etherrat
CVE-2025-68645
rondo
monetastealer
gitlab
2026-01-28
agendacrypt
angryrebel
bash0day
bpfdoor
compood
kswapdoor
lzrd
masuta
miori
noodle rat
okiru
puremasuta
resgod
rondobot
satori
scavenger
splinter
torlus
wicked
Published: January 28, 2026
Linked vulnerabilities : CVE-2025-24893 (CVSS 9.8), CVE-2023-1389, CVE-2025-31125 (CVSS 5.3), CVE-2025-34026 (CVSS 9.2), CVE-2025-54313 (CVSS 7.5), CVE-2025-61882 (CVSS 9.8), CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-55184 (CVSS 7.5), CVE-2025-55183 (CVSS 5.3), CVE-2025-68645 (CVSS 8.8), CVE-2025-13335 (CVSS 6.5), CVE-2025-13927 (CVSS 7.5), CVE-2025-13928 (CVSS 7.5), CVE-2026-0723 (CVSS 7.4), CVE-2026-1102 (CVSS 5.3)
Downloadable IOCs: 37

Disrupting the World's Largest Residential Proxy Network

Google and partners took action to disrupt the IPIDEA proxy network, believed to be one of the largest residential proxy networks globally. The operation involved legal action to take down control domains, sharing technical intelligence on IPIDEA software development kits, and implementing protecti…
botnets
threat actors
aisuru
residential proxy
ip addresses
2026-01-29
android protection
badbox2.0
kimwolf
legal action
network disruption
sdks
Published: January 29, 2026
Linked vulnerabilities : CVE-2025-8088, CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 6

Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088

CVE-2025-8088 is a high-severity path traversal vulnerability in WinRAR that attackers exploit by leveraging Alternate Data Streams (ADS). Adversaries can craft malicious RAR archives which, when opened by a vulnerable version of WinRAR, can write files to arbitrary locations on the system. Exploit…
phishing
russia
winrar
2026-01-29
nestpacker
stockstay
unc4895
windows startup
Published: January 29, 2026
Linked vulnerabilities : CVE-2023-38831, CVE-2025-8088, CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 44

Attacks in Russia and Uzbekistan: NetSupport RAT and potential IoT interest

Stan Ghouls, a cybercriminal group also known as Bloody Wolf, has been conducting targeted attacks against organizations in Russia, Uzbekistan, and other Central Asian countries since 2023. Their latest campaign primarily focused on Uzbekistan, with about 50 victims identified, along with 10 in Rus…
russia
iot
mirai
netsupport rat
spear-phishing
financial sector
manufacturing
2026-02-05
java loader
uzbekistan
Published: February 5, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 32

AI/LLM-Generated Malware Used to Exploit React2Shell

Darktrace identified an AI-generated malware sample exploiting the React2Shell vulnerability in its honeypot environment. The incident demonstrates how LLM-assisted development enables low-skill attackers to rapidly create effective exploitation tools. The attack chain involved spawning a container…
xmrig
llm
crypto mining
CVE-2025-55182
react2shell
2026-02-10
ai-generated malware
Published: February 10, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 3

Multiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise

A critical vulnerability in React Server Components, dubbed React2Shell, was disclosed on December 3, 2025. Within days, multiple threat actors exploited this flaw, leading to simultaneous compromises of affected systems. The case study reveals a rapid progression from initial coin miner installati…
website defacement
crossc2
CVE-2025-55182
react2shell
2026-02-13
coin miners
Published: February 13, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 13

MuddyWater Exposed: Inside an Iranian APT operation

Researchers identified and analyzed exposed infrastructure of MuddyWater, an Iranian cyber espionage group linked to the Ministry of Intelligence and Security. The investigation revealed their reconnaissance methods, exploitation of vulnerabilities, custom command and control frameworks, and exfilt…
exfiltration
cyber espionage
reconnaissance
CVE-2022-42475
vulnerability exploitation
command and control
CVE-2024-55591
CVE-2025-5777
CVE-2025-54068
iranian apt
CVE-2025-9316
CVE-2025-55182
CVE-2025-34291
CVE-2025-68613
CVE-2025-52691
tsundere botnet
CVE-2026-1281
CVE-2026-1731
geopolitical conflict
2026-03-05
arenac2
CVE-2024-23113
keyc2
mois
persianc2
Published: March 5, 2026
Linked vulnerabilities : CVE-2024-5559 (CVSS 6.1), CVE-2024-55591 (CVSS 9.8), CVE-2022-42475, CVE-2025-5777 (CVSS 9.3), CVE-2025-54068 (CVSS 9.2), CVE-2025-9316 (CVSS 6.9), CVE-2025-55182 (CVSS 10.0), CVE-2025-34291 (CVSS 9.4), CVE-2025-68613 (CVSS 9.9), CVE-2025-52691 (CVSS 10.0), CVE-2026-1281 (CVSS 9.8), CVE-2026-1731 (CVSS 9.9), CVE-2024-23113
Downloadable IOCs: 14

RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities

The RondoDox botnet has emerged as a significant threat, exploiting 174 different vulnerabilities since May 2025. It primarily targets IoT devices and internet-exposed services for DoS attacks. The botnet's infrastructure includes exploiting and hosting components, with evidence suggesting the use …
xmrig
ddos
iot
botnet
vulnerability exploitation
rondodox
2026-03-11
Published: March 11, 2026
Linked vulnerabilities : CVE-2025-24016 (CVSS 9.9), CVE-2025-24893 (CVSS 9.8), CVE-2023-46604, CVE-2025-32756, CVE-2025-48827 (CVSS 10.0), CVE-2025-20281 (CVSS 9.8), CVE-2025-57296 (CVSS 6.5), CVE-2025-62593 (CVSS 9.4), CVE-2025-55182 (CVSS 10.0), CVE-2025-37164 (CVSS 10.0), CVE-2025-47812, CVE-2025-52089
Downloadable IOCs: 29

Weaponizing the Protectors: TeamPCPs Multi-Stage Supply Chain Attack on Security Infrastructure

Between late February and March 2026, threat group TeamPCP conducted a highly calculated, escalating sequence of supply chain threats. It systematically compromised widely trusted open-source security tools, including the vulnerability scanners Trivy and KICS and the popular AI gateway LiteLLM. The…
wiper
supply chain attack
CVE-2025-55182
canisterworm
2026-04-01
teampcp
Published: April 1, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 36

Unit42: Understanding Current Threats to Kubernetes Environments

Palo Alto Networks Unit 42 explains that Kubernetes has become a prime target for attackers as its adoption accelerates in enterprise environments. Their research shows a sharp rise in Kubernetes-related malicious activity, driven less by classic container escape techniques and more by identity abu…
kubernetes
react2shell
2026-04-07
Published: April 7, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0), CVE-2026-1731 (CVSS 9.9)
Downloadable IOCs: 7

Hack-for-Hire Campaign Targets Journalists Across MENA Region

A hack-for-hire operation with suspected links to the Bitter threat actor targeted journalists, activists, and government officials across the Middle East and North Africa between 2023 and 2025. The campaign employed sophisticated spear-phishing attacks via LinkedIn, Apple Messages, WhatsApp, and e…
spear-phishing
oauth
hack-for-hire
journalists
mena
2026-04-09
civil-society-targeting
dracarys
prospy
regional-surveillance
tospy
Published: April 9, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0), CVE-2026-34040 (CVSS 8.8), CVE-2026-5281 (CVSS 8.8), CVE-2026-35616 (CVSS 9.8)
Downloadable IOCs: 0

Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke

A new campaign attributed to CozyDuke threat actors has been identified, utilizing malware called MiniDionis that appears related to Seaduke. The campaign began on July 7, 2015, targeting government organizations and think-tanks in democratic countries through spear phishing emails containing malic…
spear-phishing
2026-04-13
cloudduke
cloudlook
cozer
cozybear
cozycar
cozyduke
euroapt
forkmeimfamous
government-targeting
https-c2
json-configuration
minidionis
multi-stage-dropper
seadaddy
seadesk
seaduke
Published: April 13, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 6

A Deep Dive Into Attempted Exploitation of CVE-2023-33538

Active exploitation attempts targeting CVE-2023-33538 in end-of-life TP-Link Wi-Fi routers were identified after CISA added it to the KEV catalog in June 2025. The vulnerability affects several router models including TL-WR940N, TL-WR740N, and TL-WR841N. Observed attacks attempted to deploy Mirai-l…
command injection
mirai
condi
2026-04-17
condi botnet
CVE-2023-33538
firmware analysis
iot exploitation
mirai botnet
tp-link routers
wifi routers
Published: April 17, 2026
Linked vulnerabilities : CVE-2024-3400, CVE-2023-33538, CVE-2025-23304 (CVSS 7.8), CVE-2025-59287 (CVSS 9.8), CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-21042, CVE-2025-14847 (CVSS 8.7), CVE-2026-22584, CVE-2026-1281 (CVSS 9.8), CVE-2026-1340 (CVSS 9.8), CVE-2026-1731 (CVSS 9.9), CVE-2025-0921
Downloadable IOCs: 9

Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches P…
powershell
agent tesla
information stealer
ftp exfiltration
javascript obfuscation
chm files
anti-analysis techniques
2026-04-23
compiled html help
Published: April 23, 2026
Linked vulnerabilities : CVE-2022-1388, CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 6

Untangling a Linux Incident With an OpenAI Twist (Part 2)

A Linux endpoint was simultaneously compromised by at least two distinct threat actors while the developer user relied on OpenAI's Codex AI agent for security remediation. Actor A deployed a cryptominer mining Monero to a private pool. Actor B installed a multi-revenue botnet including XMRig mining…
xmrig
botnet
cryptominer
credential harvesting
data exfiltration
CVE-2025-55182
react2shell
linux compromise
2026-04-22
ai-assisted remediation
dnser
earnfm
fh8a7d7m
fkkkf
multiple threat actors
repocket
systemd-logind
Published: April 22, 2026
Linked vulnerabilities : CVE-2025-30406, CVE-2025-55182 (CVSS 10.0), CVE-2025-31151
Downloadable IOCs: 3

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpa…
shadowpad
godzilla
ringq
vshell
2026-04-30
exchange server compromise
godzilla webshell
noodlerat
proxylogon exploitation
Published: April 30, 2026
Linked vulnerabilities : CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065, CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 44

That AI Extension Helping You Write Emails? It's Reading Them First

Researchers discovered 18 malicious AI browser extensions masquerading as productivity tools that deliver remote access trojans, meddler-in-the-middle attacks, and infostealers. These extensions exploit the rise of generative AI to target prompts, user behavior, and browser sessions through API int…
genai
remote access trojan
browser extension
2026-04-30
huiyi
search hijacker
Published: April 30, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 10

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors

An ongoing campaign has been discovered delivering Linux and macOS backdoors through poisoned Python packages uploaded to PyPI repository. The activity is attributed with medium confidence to Gleaming Pisces, a North Korean financially motivated threat actor affiliated with the Reconnaissance Gener…
pypi
citrine sleet
poolrat
pondrat
applejeus
supply chain attack
badcall
2026-05-04
Published: May 4, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 13

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

A buffer overflow vulnerability in the User-ID Authentication Portal of PAN-OS software allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Limited exploitation has been observed starting April 9, 2026, by a likely state-sponsored th…
zero-day
earthworm
buffer overflow
pan-os
reversesocks5
2026-05-07
tunneling tools
Published: May 7, 2026
Linked vulnerabilities : CVE-2023-33538, CVE-2025-23304 (CVSS 7.8), CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-14847 (CVSS 8.7), CVE-2026-22584, CVE-2026-1281 (CVSS 9.8), CVE-2026-1340 (CVSS 9.8), CVE-2026-1731 (CVSS 9.9), CVE-2025-0921, CVE-2026-31431, CVE-2026-0300 (CVSS 9.3)
Downloadable IOCs: 4

PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale

PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, develo…
sliver
teampcp
2026-05-07
container worm
docker compromise
kubernetes exploitation
pcpjack
Published: May 7, 2026
Linked vulnerabilities : CVE-2025-29927 (CVSS 9.1), CVE-2025-48703 (CVSS 9.0), CVE-2025-9501 (CVSS 9.0), CVE-2025-55182 (CVSS 10.0), CVE-2026-1357 (CVSS 9.8)
Downloadable IOCs: 2

Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware

An intrusion was observed in April 2026 where threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware utilized Ethereum blockchain via EtherHiding for dynamic C2 configuration updates. Following reconnaissance activities, actors deploy…
rclone
dll sideloading
mimikatz
ethereum
kerberoasting
the gentlemen ransomware
the gentlemen
CVE-2025-55182
etherrat
saas abuse
netexec
blockchain c2
2026-05-11
tuktuk
Published: May 11, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 17

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and P…
valleyrat
netsupport rat
vbcloud
powershower
2026-05-22
cloud atlas
phantomheart
powercloud
reversesocks
Published: May 22, 2026
Linked vulnerabilities : CVE-2018-0802, CVE-2025-55182 (CVSS 10.0), CVE-2025-68670 (CVSS 9.1)
Downloadable IOCs: 17

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.