Cybersecurity Weekly Update: 1-8 December 2025

1. React2Shell Vulnerability — Widespread Exploitation Across Web Apps

Security researchers report that a critical flaw known as React2Shell (CVE‑2025‑55182) in React Server Components and related frameworks is being actively exploited by multiple threat actors to deliver malware and achieve remote code execution on affected servers. This vulnerability affects widely deployed web application frameworks including React, Next.js and associated tooling. (techradar)

Why it matters: Exploitation of this flaw can lead to takeover of customer‑facing web applications, backend APIs and cloud workloads — enabling credential theft, data exfiltration or persistent access. Organisations with modern web stacks or cloud deployments are especially exposed.

Action: Urgently apply patches or updates to affected React/Next.js packages and rebuild deployments. Monitor web server logs for unusual requests or unexpected process executions tied to template rendering.

2. Record 29.7 Tbps DDoS Attack Demonstrates Botnet Scaling

Cloudflare and other defenders mitigated a record‑setting 29.7 Tbps DDoS attack, attributed to the AISURU botnet leveraging millions of infected devices to overwhelm targets with volumetric traffic. (thehackernews)

Why it matters: Large‑scale DDoS attacks continue to grow in size and frequency, impacting availability for online services, critical infrastructure portals, and cloud applications. Sectors like financial services and education, with public‑facing assets, are frequently targeted.

Action: Implement or review DDoS protection (rate‑limiting, scrubbing services, CDN filtering) and validate incident response plans to mitigate high‑volume traffic events.

3. Apache Tika Critical XML Vulnerability — Broader Impact than Expected

A critical XML External Entity (XXE) vulnerability in Apache Tika was found to be more widespread and impactful than initially believed, enabling attackers to manipulate document parsing to exfiltrate data or crash services that use Tika for file ingestion. (csoonline)

Why it matters: Apache Tika is embedded in many content processing pipelines (e.g., document scanners, search indexes, mail archiving). Exploits here can give attackers a foothold or data exposure in enterprise content services.

Action: Identify and update all Tika integrations in your ecosystem. Apply latest vendor patches and audit file processing flows for untrusted document ingestion.

4. Android Vulnerabilities Under Targeted Exploitation

Google released patches for two Android vulnerabilities (CVE‑2025‑48633 and CVE‑2025‑48572) that are believed to be under active exploitation, including one that enables privilege escalation on affected devices. (helpnetsecurity)

Why it matters: Enterprise mobility is widespread across sectors, and unpatched Android devices can be leveraged for lateral movement, credential capture and data loss — especially with BYOD policies or unsecured MDM configurations.

Action: Ensure mobile update policies are enforced, prioritize Android security patches, and audit devices for compliance.

5. React2Shell Added to CISA’s Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally added the React2Shell flaw (CVE‑2025‑55182) to its Known Exploited Vulnerabilities list due to ongoing active exploitation by multiple attackers. (thehackernews)

Why it matters: Inclusion in the KEV catalog underscores urgency — organisations subject to regulatory frameworks or critical infrastructure standards must address KEV-listed vulnerabilities promptly.

Action: Treat React2Shell remediation as a compliance priority. Track internal inventories for affected components and enforce patching deadlines.

6. Chrome Browser Actively Exploited in the Wild

Security researchers have reported active exploitation of a high‑severity Google Chrome vulnerability (internal flaw #466192044) and other confirmed 2025 security issues, prompting emergency updates from Google. (thehackernews)

Why it matters: Browsers are a primary user attack surface. Active exploitation against Chrome can lead to drive‑by downloads, session compromise and privileged execution — affecting both endpoint and web app security.

Action: Deploy updated browser builds across corporate fleets urgently, enforce extension controls, and monitor client telemetry for suspicious activity.

7. Emerging Android Malware Shows Evolved Data Theft Capabilities

New Android malware families such as FvncBot and SeedSnatcher have been identified with enhanced data theft and command harvesting capabilities, signaling a rise in mobile malware sophistication.(thehackernews)

Why it matters: Mobile devices increasingly serve as authentication endpoints and corporate data repositories. Advanced mobile malware can bypass traditional controls and exfiltrate sensitive credentials or session tokens.

Action: Strengthen mobile endpoint protections, verify app sources, and integrate mobile threat detection/response tools where possible.

Key Recommendations

Patch Immediately:

• Apply updates for React2Shell, Android, Chrome, Apache Tika and related components.

Harden Web & Application Stacks:

• Extend patch cycles to developer frameworks like React/Next.js and content processing libraries.

Secure Mobile Platforms:

• Enforce MDM policies and ensure timely OS updates on enterprise mobile fleets.

Monitor Threat Signals:

• Watch for unusual HTTP/S patterns, endpoint telemetry anomalies, and botnet DDoS vectors.

Survey Attack Surface:

• Inventory web app components, browser versions, and middleware services to reduce blind spots.

#CyberSecurity #ThreatIntelligence #ZeroDay #React2Shell #DDoS #MobileMalware #AndroidSecurity #BrowserSecurity #PatchManagement #WebAppSecurity #InfoSec