CCTR.50.DEC.25

Monday morning cyber coffee read CCTR.50.DEC.25
Last week saw significant disruption following the public disclosure of a critical remote code execution vulnerability in React Server Components, tracked as CVE-2025-55182 (React2Shell). This CVSS 10.0 critical vulnerability allows unauthenticated remote attackers to take full control of affected systems under certain conditions.
Because Next.js embeds the vulnerable React components, the same issue also impacts Next.js and is tracked separately as CVE-2025-66478.
Within hours of the disclosure, active exploitation attempts attributed to multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda, were observed.
Once a CVSS 10 vulnerability is publicly released, exploitation rapidly becomes global, spanning criminal groups, other state-backed attackers and opportunistic actors worldwide.
Detection (PortSwigger): https://github.com/PortSwigger/bambdas/blob/main/CustomScanChecks/CVE-2025-55182CVE-2025-66478-React2Shell.bambda
A high-risk issue was identified in OpenAI Codex CLI that allows a malicious project to silently execute commands on the developer's machine. This occurs without any user approval, validation or warning. As a result, ordinary repository files become an execution vector: an attacker who can commit or merge malicious configuration files into a repository can trigger automatic code execution on every developer system where Codex is run against that repository. This creates a high-impact software supply-chain risk.
Update Codex CLI to version 0.23.0 or later.
Assume compromise if any untrusted repositories were run with Codex enabled.
Check Point: https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/
New Zealand’s NCSC released its Cyber Threat Report 2025 and it contains some interesting insights. Out of 331 cyber incidents recorded during the 2024–25 period, 82 incidents were linked to suspected state-sponsored threat actors. I find this particularly fascinating. The report also reflects the ongoing industrialisation of cybercrime, with ransomware, fraud and data theft now driving most of the real-world cyber impact across the region.
Read more: https://www.ncsc.govt.nz/assets/insights/cyber-threat-report/NCSC-CyberReport2025-FINAL.pdf