React2Shell Exploited Worldwide, Cloudflare Outage During WAF Mitigation; Check For BRICKSTORM, Warn CISA and Canada's Cyber Centre; $2.1B Paid to Ransomware Between 2022 and 2024

A CVSS 10.0 vulnerability (CVE-2025-55182, dubbed "React2Shell") allowing unauthenticated remote code execution due to unsafe deserialization in React Server Components was reported on November 29, 2025, and has since been confirmed as actively exploited worldwide. The flaw was publicly disclosed and patched on Wednesday, December 3, but reports from AWS honeypots and analysis from GreyNoise and Shadowserver, among others, confirm "opportunistic" exploitation by multiple threat actors believed to be Chinese state-sponsored groups. These attacks use "both automated scanning tools and individual PoC exploits," some of which leverage "public PoCs that don’t actually work in real-world scenarios ... demonstrat[ing] fundamental misunderstandings of the vulnerability,” according to AWS, who posit that the threat actors are prioritizing speed over accuracy, relying on a high volume of scans, abusing the availability of even ineffective public exploits, and potentially benefitting from masking by noise generated in failed attempts. The default configuration of React and downstream Next.js are vulnerable; Shadowserver reported 77,664 vulnerable IPs observed on December 6, and Censys has observed "just over 2.15 million instances of internet facing services that may be affected by this vulnerability," emphasizing that "any internet‑accessible server running affected React Server Components code should be assumed vulnerable until updated as a precaution." Users are urged to update immediately, and federal agencies must do so by December 26, as the flaw has been added to the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog. Meanwhile, Cloudflare CTO Dane Knecht reports that a global Cloudflare outage on Friday, December 5, affecting about 28 percent of HTTP traffic served by Cloudflare, was "triggered by changes being made to [Cloudflare's] body parsing logic" while the provider was implementing detections and mitigations for the React flaw in its Web Application Firewall (WAF).

The US Cybersecurity and Infrastructure Security Agency (CISA), working alongside the Canadian Centre for Cyber Security (Cyber Centre), have released a report urging organizations to investigate for the presence of BRICKSTORM malware. The two North American cybersecurity authorities warn that "PRC state-sponsored cyber actors [have] gained long-term persistent access," for months or years in some cases, and may still be doing so. The report analyzes eight different samples of Executable and Linkable Format (ELF) malware written in Go, which targets primarily VMware vSphere and Windows environments and creates a stealthy backdoor with "capabilities for initiation, persistence, and secure command and control (C2)." To aid detection, the report offers YARA rules, a Sigma rule, and other resources including tactics, techniques, and procedures (TTPs), and instructions for running scanning scripts by Mandiant and Crowdstrike. US organizations should report any related activity by email or phone to CISA’s 24/7 Operations Center or through the Incident Reporting System, and submit malicious files through the Malware Analysis Submission Form; Canadian organizations should report using Cyber Centre's online reporting tool or by email. CISA, NSA, and Cyber Centre recommend mitigations that align with Cross-Sector Cybersecurity Performance Goals (CPGs): Keep VMware vSphere servers up to date and harden their environments; inventory and monitor all network edge devices; disable RDP and SMB from the DMZ to the internal network and ensure traffic between the two is restricted with proper segmentation; monitor service accounts and restrict their permissions, applying the principle of least privilege; and block unauthorized DoH providers and external DoH network traffic.

A report from the US Treasury's Financial Crimes Enforcement Network (FinCEN) says more than $2 billion in ransomware payments were reported under the Bank Secrecy Act (BSA) between 2022 and 2024. The total amount of ransomware payments reported to FinCEN under BSA during the preceding nine years was $2.4 billion. According to the report, reported ransomware payments peaked in 2023: 1,512 incidents involving a total of $1.1 billion in ransomware payments. The numbers decreased somewhat in 2024, with 1,476 reported incidents and $734 million in reported ransomware payments. The report identifies Financial Services, Manufacturing, and Healthcare as the most frequently targeted sectors and notes "267 unique ransomware variants reported in BSA data during the review period." Approximately 432 percent of the BSA reports included information about how the ransomware operators communicated with their victims; of those 67 percent used The Onion Router (TOR) and 28 percent used email. Bitcoin was identified as the method of payment in 97 percent of reported incidents. Established in 1970, "the Bank Secrecy Act authorizes the Department of the Treasury to impose reporting and other requirements on financial institutions and other businesses to help detect and prevent money laundering."

The Holiday Hack Challenge is built by the same experts behind SANS Cyber Ranges, offering high-quality. Real-world learning in a fun, festive environment.

New in Holiday Hack Challenge: Skip the storyline and jump straight into the challenges. CTF mode lets you focus on solving technical puzzles, testing your skills, and competing your way to the top.

Apache has released a security advisory disclosing a maximum-severity flaw affecting Apache Tika tika-core before version 3.2.2, tika-pdf-module before version 3.2.2, and tika-parsers before version 2.0.0. Apache Tika is a content analysis toolkit that "detects and extracts metadata and text from over a thousand different file types ... all parsed through a single interface." CVE-2025-66516, CVSS score 10.0, allows an attacker to conduct XML External Entity (XXE) injection using a crafted XFA file inside a PDF file for Tika to parse. Apache notes that this flaw is the same as CVE-2025-54988, which was initially fixed in just the tika-parser-pdf-module in August 2025; the new CVE expands the scope to include tika-core, which is also vulnerable and must be updated to 3.2.2 or newer, also noting that "the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

The Open Web Application Security Project (OWASP) GenAI Security Project has published The Practical Guide for Securely Using Third-Party MCP Servers. The document "outlines the unique security risks introduced by connecting AI models to third-party tools and data sources, including tool poisoning, prompt injection, memory poisoning, and tool interference, ... [and] offers actionable mitigations covering authentication, authorization, client sandboxing, secure server discovery, and governance workflows, emphasizing least-privilege access and human-in-the-loop oversight." The Model Context Protocol (MCP) is an open-source standard developed to help AI interact safely with external systems. SC Media writes that OWASP's Cheat Sheet addresses the importance of "understanding server privileges, restricting and validating behavior, and continuously monitoring runtime activity."

Cloudflare's Quarterly DDoS Threat Report for Q3 of 2025, released on December 3, highlights the prevalence of attacks from the Aisuru botnet, including an unprecedented hypervolumetric attack peaking at 29.7 terabits per second (Tbps) and 14.1 billion packets per second (Bpps). Cloudflare detected and mitigated the attack, emphasizing that Aisuru, which can be partially employed as a "botnet-for-hire," is capable of "disrupting parts of the U.S. Internet infrastructure when said ISPs were not even the target of the attack." DDoS attacks against AI companies rose by 347 percent month-over-month, also increasing for the mining, minerals, and metals and automotive industries. Year-over-year, the total number of DDoS attacks grew by 40 percent; quarter-over-quarter, the number grew by 15 percent and the number of hyper-volumetric attacks grew by 54 percent, "averaging 14 hyper-volumetric attacks daily." By Q3, "Cloudflare has already mitigated 36.2 million DDoS attacks. That corresponds to 170% of the DDoS attacks Cloudflare mitigated throughout 2024." The report offers statistics on attack sources, targeted industries and locations, and vectors.

Japan's JPCERT/CC has published an advisory describing a command injection vulnerability in DesktopDirect function of Array Networks' Array AG series secure access gateways. While Array Networks released an update in May 2025 that includes a fix for the vulnerability, "JPCERT/CC has confirmed that attacks exploiting this vulnerability have occurred in Japan since August 2025, resulting in damage such as the installation of webshells on affected products." The flaw affects ArrayOS AG versions 9.4.5.8 and earlier. JPCERT/CC recommends updating to a newer, fixed version, noting that "rebooting the product after applying the fixed version may result in the loss of logs." Array Networks has also provided a workaround: "If you are not using the DesktopDirect feature, disable all DesktopDirect services. Use a URL filter to deny access to URLs that contain ';'." The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog with a mitigation deadline of December 29, 2025 for Federal Civilian Executive Branch agencies.

Last week, NATO held its annual cyberdefense exercise. The Cyber Coalition exercise brought together representatives of 29 allied nations and seven partner nations to respond to seven storylines, including scenarios involving military networks, fuel depots, power plants, and commercial satellites. Exercise director US Navy Commander Brian Caplan noted that "the storylines are designed so no nation can ‘win the war’ unless they communicate with others. Only by sharing information and working together can they understand the attack and respond effectively." Roughly 200 of the exercise's participants were on-site for the drill; the rest participated remotely. Caplan offered this reminder: "In cyberspace, there are no boundaries. Something that happens in one nation can have a second- or third-order effect in another. That’s why information-sharing, trust and collaboration are essential."

Portugal's legislature has updated the country's cybercrime law to include a "good faith" exemption for cybersecurity research. The new provision, Article 8-A, comes with a set of guidelines, including that the research must focus solely on "identifying the existence of vulnerabilities in information systems, products and services of information and communication technologies, which were not created by itself or by a third party on which it depends, and with the purpose of contributing to the security of cyberspace through their disclosure;” that the researcher cannot seek to obtain payment beyond payment for professional services; the research cannot violate General Data Protection Regulation (GDPR) standards; the researcher may not use illegal activities, such as DoS and DDoS attacks, social engineering, phishing, data theft, alteration or deletion of computer data, willful damage to information systems, or installation or distribution of malware; and data obtained in the research process be deleted within 10 days of the vulnerability being fixed. The new provision was first noted by security researcher Daniel Cuthbertson. Other countries have made similar changes to their laws regarding security researchers: In November 2024, Germany's Federal Ministry of Justice introduced draft legislation with similar protections, and in May 2022, the US Department of Justice (DoJ) added a "good faith" research exemption to the Computer Fraud and Abuse Act (CFAA) violations policy.

On December 3, 2025, US authorities arrested two Virginia men "for their roles in a conspiracy to destroy government databases hosted by a federal government contractor." According to court documents, brothers Muneeb Akhter and Sohaib Akhter were fired from their jobs at an unnamed company on February 18, 2025 and allegedly sought revenge. The US Department of Justice (DoJ) writes, "Following the termination of their employment, the brothers allegedly sought to harm the company and its U.S. government customers by accessing computers without authorization, issuing commands to prevent others from modifying the databases before deletion, deleting databases, stealing information, and destroying evidence of their unlawful activities." Muneeb allegedly deleted an estimated 96 databases in February 2025; many of those databases contained information and documents related to Freedom of Information Act matters and sensitive government investigation files. "Muneeb Akhter is charged with conspiracy to commit computer fraud and to destroy records, two counts of computer fraud, theft of U.S. government records, and two counts of aggravated identity theft. Sohaib Akhter is charged with conspiracy to commit computer fraud and to destroy records and computer fraud (password trafficking)." Muneeb faces up to 45 years in prison; Sohaib faces up to six years in prison. In 2015, the brothers pleaded guilty to wire fraud, conspiring to break into US State Department systems; both served time in prison for those offenses.