InfoSec.Watch — Issue 115

React2Shell, Android 0-days, and BRICKSTORM reshape your patch priorities

Modern enterprise risk is increasingly driven by three converging forces: rapidly shifting web and mobile stacks, aggressive weaponization of critical vulnerabilities, and long-term prepositioning by capable state-backed actors in core infrastructure. This week’s issue highlights a trio of developments that sit squarely at that intersection: a critical React Server Components RCE now in CISA’s KEV, actively exploited Android zero-days, and BRICKSTORM malware burrowing into VMware environments at scale. Together, they form a clear prioritization map for where defenders should focus patching and detection effort right now.

Below is your curated rundown of the most important vulnerabilities, campaigns, and guidance to act on this week.

🛡️ React2Shell, Android 0-days, and BRICKSTORM

React2Shell (CVE-2025-55182) lands in KEV and is being exploited at scale

Researchers disclosed a critical unsafe deserialization bug in the Flight protocol used by React Server Components (RSC), tracked as CVE-2025-55182 and dubbed React2Shell / React4Shell. The vulnerability (CVSS 10.0) allows unauthenticated remote code execution on servers using React RSC and Next.js, with a very wide internet-exposed attack surface. CISA added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation and setting remediation deadlines for U.S. federal agencies.

Source — Unit 42 (Palo Alto Networks)

💡 Key Takeaway: If you run React RSC / Next.js apps, treat CVE-2025-55182 as an emergency patch. Identify every internet-facing service that uses RSC, patch or apply vendor mitigations immediately, and deploy high-fidelity detections for child processes spawned by the Node.js server process and for unexpected outbound connections from those hosts.
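The first step in the takeaway above, finding every deployment that carries the RSC Flight implementation, is mostly lockfile archaeology. The script below is an added example written for this issue, not code from Unit 42, CISA or the React project. It parses npm lockfiles, reports the versions of the react-server-dom-* packages (the Flight protocol lives there) together with the Next.js and React versions for context, and grades each react-server-dom-* version against a fixed-version table. That table is an assumption: it lists the first patched release per minor line as I recall the React advisory, and you must confirm it against the vendor advisory before acting on the output. The sample lockfile at the bottom is constructed.

```python
"""Inventory React Server Components / Next.js from npm lockfiles.

Added example for this issue; not code from Unit 42, CISA or the React project.
It parses package-lock.json (lockfile v1, v2 and v3), extracts the versions of
the packages that implement the RSC Flight protocol, and compares them with a
fixed-version table. ASSUMPTION: FIXED_VERSIONS lists the first patched release
per minor line as I recall the React advisory for CVE-2025-55182; confirm it
against the vendor advisory before acting on the output.
"""
import json
import os
import re

FIXED_VERSIONS = {  # assumed; verify against the vendor advisory
    "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
    "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
    "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
}
# Reported for context only: Next.js bundles its own copy of react-server-dom-*,
# so a vulnerable Next.js app may show nothing but "next" in the lockfile.
CONTEXT_PACKAGES = ("next", "react", "react-dom")
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-.*)?$")


def parse_version(v):
    """(major, minor, patch, is_release); a pre-release sorts below its release."""
    m = _SEMVER.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version {v!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4] is None)


def lockfile_versions(lock_text):
    """package name -> set of resolved versions, for lockfile v1, v2 or v3."""
    lock = json.loads(lock_text)
    found = {}
    for path, meta in lock.get("packages", {}).items():   # v2/v3 flat map
        if path and "version" in meta:                     # "" is the root project
            name = path.rsplit("node_modules/", 1)[-1]     # handles nesting and @scopes
            found.setdefault(name, set()).add(meta["version"])

    def walk(deps):                                        # v1 nested tree
        for name, meta in deps.items():
            if "version" in meta:
                found.setdefault(name, set()).add(meta["version"])
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return found


def classify(name, version):
    """'patched' | 'vulnerable' | 'unverified' for a tracked package, else None."""
    if name not in FIXED_VERSIONS:
        return None
    try:
        major, minor, patch, is_release = parse_version(version)
    except ValueError:
        return "unverified"
    for fixed in FIXED_VERSIONS[name]:
        fmaj, fmin, fpatch, _ = parse_version(fixed)
        if (fmaj, fmin) == (major, minor):
            if patch > fpatch or (patch == fpatch and is_release):
                return "patched"
            return "vulnerable"
    return "unverified"   # minor line not in the table: check the advisory by hand


def audit_lockfile(lock_text, origin="package-lock.json"):
    """One finding per RSC-relevant package version found in a lockfile."""
    findings = []
    for name, versions in sorted(lockfile_versions(lock_text).items()):
        status = "context" if name in CONTEXT_PACKAGES else None
        if name in FIXED_VERSIONS or status:
            for v in sorted(versions):
                findings.append({"origin": origin, "package": name, "version": v,
                                 "status": status or classify(name, v)})
    return findings


def audit_tree(root):
    """Audit every package-lock.json in a checkout or monorepo, skipping node_modules."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package-lock.json" in filenames:
            path = os.path.join(dirpath, "package-lock.json")
            with open(path, encoding="utf-8") as fh:
                findings.extend(audit_lockfile(fh.read(), origin=path))
    return findings


# Constructed lockfile (v3 layout) standing in for a real checkout.
SAMPLE_LOCK = json.dumps({"name": "storefront", "lockfileVersion": 3, "packages": {
    "": {"name": "storefront", "version": "1.0.0"},
    "node_modules/next": {"version": "15.4.2"},
    "node_modules/react": {"version": "19.1.0"},
    "node_modules/react-dom": {"version": "19.1.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
    "node_modules/@acme/tool/node_modules/react-server-dom-webpack": {"version": "19.2.1"},
}})

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['status']:<10} {f['package']}@{f['version']}  ({f['origin']})")
```

Run `audit_tree("/path/to/checkouts")` across your repositories and join the result with your deployment inventory to get the internet-facing subset. Two caveats the output itself cannot resolve: a Next.js application can be vulnerable with only "next" in the lockfile, so grade the Next.js version separately against the Next.js advisory, and a version the table does not cover is reported as "unverified" rather than silently treated as safe.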

Android December 2025 bulletin patches 107 flaws, including two KEV-listed zero-days

Google’s December 2025 Android security bulletin addresses 107 vulnerabilities, including two zero-day bugs—CVE-2025-48633 (information disclosure) and CVE-2025-48572 (privilege escalation)—that Google confirms have been exploited in limited, targeted attacks. CISA added these Android flaws to the KEV catalog, requiring U.S. federal agencies to remediate due to their significant risk.

Source — SecurityWeek

💡 Key Takeaway: Corporate and high-risk Android devices should be forced onto the December 2025 patch level as a policy, not “best effort.” Track patch status via MDM, prioritize high-privilege users and devices with broad app permissions, and consider geo- or role-based exceptions only with strong compensating controls.

BRICKSTORM: PRC state-sponsored malware embedded in VMware and IT environments

CISA, NSA, and the Canadian Centre for Cyber Security jointly warned that PRC state-sponsored actors are using BRICKSTORM, a custom Go-based backdoor, to maintain long-term persistence in VMware vSphere and Windows environments across government and IT organizations. The actors have been observed compromising vCenter servers, stealing VM snapshots for credential extraction, creating rogue VMs, and abusing Active Directory Federation Services (ADFS) keys—often remaining undetected for over a year.

Source — CISA / NSA / Canadian Cyber Centre

💡 Key Takeaway: Treat your virtualization stack as a Tier-0 asset. Lock down vCenter access, collect and retain detailed logs, baseline VM inventory to detect rogue VMs, and rapidly test CISA/NSA YARA/Sigma rules against your telemetry to identify BRICKSTORM or similar backdoors.

🚨 Vulnerability Spotlight

New KEV entry: Motex LANSCOPE Endpoint Manager (CVE-2025-61932)

CISA added CVE-2025-61932, a vulnerability in Motex LANSCOPE Endpoint Manager, to the KEV catalog, highlighting evidence of active exploitation. The widely used endpoint management platform is popular in Japanese and APAC enterprises, making it an attractive target for lateral movement and surveillance.

Source — CISA (KEV Alert)

💡 Key Takeaway: If you rely on third-party endpoint management platforms—especially those hosted on-prem—treat them like domain controllers. Patch KEV-listed LANSCOPE instances immediately, restrict network exposure, and monitor for anomalous admin actions originating from those servers.

Wave of new ICS advisories hits OT environments

CISA released nine new Industrial Control Systems (ICS) advisories covering products including Mitsubishi Electric GX Works2, MAXHUB Pivot, Johnson Controls OpenBlue components, Sunbird DCIM, SolisCloud, and Advantech iView. These issues range from cleartext storage of sensitive information to authentication weaknesses and remote compromise risks.

Source — CISA ICS Advisories

💡 Key Takeaway: OT and data-center teams should fold the latest ICS advisories into their vulnerability intake workflow: map which advisories apply to your environment, prioritize internet-exposed and safety-critical systems, and coordinate carefully tested remediation plans to avoid operational disruption.

KEV expansion underscores patch-or-isolate expectations

Between early and mid-December, CISA added multiple vulnerabilities to the KEV catalog (including the React2Shell RCE, the Android zero-days, and other infrastructure-impacting bugs), reiterating that exploited flaws in web, mobile, and endpoint management stacks continue to carry explicit BOD 22-01 remediation deadlines for U.S. federal agencies.

Source — CISA KEV Catalog

💡 Key Takeaway: Even if you’re not bound by federal directives, treat KEV entries as a must-patch list. Where patching is temporarily impossible (especially in OT), implement isolation, compensating controls, and continuous monitoring instead of accepting open-ended exposure.

📈 Trend to Watch

KEV-driven patch governance becomes de facto industry practice

The pace of updates to CISA's Known Exploited Vulnerabilities catalog, together with companion guidance such as the BRICKSTORM analysis report and the AI-in-OT principles, is effectively turning KEV into a priority roadmap not just for federal agencies but for any serious defender. Each KEV entry carries a due date and a required action, and increasingly a linked advisory or analysis report, and those expectations are shaping enterprise vulnerability programs well beyond government networks.

Source — CISA KEV Catalog

💡 Key Takeaway: If you haven’t already, formalize KEV as a first-class input into your vulnerability management governance: track entries, tag affected assets, and report KEV closure status to leadership alongside your usual CVSS-based metrics.

⚖️ Policy & Regulation Watch

Joint global guidance on securely integrating AI into OT systems

CISA, NSA, Australia’s ACSC, and other international partners published joint guidance on “Principles for the Secure Integration of Artificial Intelligence in Operational Technology (OT)”, aimed at critical infrastructure owners and operators. The document lays out high-level principles to ensure AI-driven automation and analytics don’t introduce unacceptable safety or security risks in environments that control physical processes.

Source — CISA Joint AI-in-OT Guidance

💡 Key Takeaway: If your organization is experimenting with AI in OT (predictive maintenance, anomaly detection, robotics, etc.), align design reviews and change management with this guidance now—before pilots become production systems.

🛠️ Tool / Resource of the Week

CISA Malware Analysis Report AR25-338A — BRICKSTORM Backdoor

CISA, NSA, and the Canadian Cyber Centre released AR25-338A, a detailed Malware Analysis Report (MAR) on the BRICKSTORM backdoor, including behavior profiles, indicators of compromise (IOCs), and detection signatures mapped to VMware and Windows environments.

Source — CISA Malware Analysis Report AR25-338A

💡 Key Takeaway: Feed the BRICKSTORM MAR IOCs and Sigma/YARA rules into your SOC, SIEM, and EDR stacks and run historical hunts against vCenter, ESXi, and critical Windows infrastructure logs to uncover existing compromise.
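The baseline check called for in the BRICKSTORM item above (rogue VMs) and the historical hunt recommended here (snapshot or clone operations against Tier-0 guests, creations by principals outside your deployment pipeline) can be run over a vCenter inventory listing and an event export without any vendor tooling. The script below is an added example written for this issue, not code from CISA, NSA or the AR25-338A report, and it contains none of the report's IOCs; it implements the behavioural checks the advisories describe. Two things are assumptions: the EVENT_ACTIONS mapping from vCenter event and task identifiers to actions reflects my understanding of the vSphere event model and must be checked against your own export, and all inventory, baseline and event data is constructed.

```python
"""Hunt a vCenter inventory and event export for BRICKSTORM-style tradecraft.

Added example for this issue; not code from CISA/NSA or the AR25-338A report and
it carries none of that report's IOCs. Checks: VMs outside the approved baseline
(rogue VMs), snapshot/clone/export of Tier-0 guests (VM-disk credential theft),
and VM creation by principals outside the deployment pipeline. Data is constructed.
ASSUMPTION: EVENT_ACTIONS maps vCenter event/task names as I understand the
vSphere event model; verify the names against your own event export.
"""
from datetime import datetime

EVENT_ACTIONS = {  # assumed mapping, adjust to the identifiers in your export
    "VmCreatedEvent": "create",
    "VmRegisteredEvent": "register",
    "VmClonedEvent": "clone",
    "VirtualMachine.createSnapshot": "snapshot",
    "VirtualMachine.exportVm": "export",
}
CREATION_ACTIONS = {"create", "register", "clone"}
DISK_ACCESS_ACTIONS = {"snapshot", "clone", "export"}


def normalize(raw_events):
    """Keep only classifiable events; attach an 'action' and parse the timestamp."""
    out = []
    for e in raw_events:
        action = EVENT_ACTIONS.get(e["type"])
        if action:
            out.append({**e, "action": action, "time": datetime.fromisoformat(e["time"])})
    return out


def rogue_vms(baseline, inventory, events):
    """VMs present now, or ever created/registered/cloned, that are not approved.

    Using the events as well as the live inventory catches a VM the actor created
    as a workstation and deleted again before your inventory snapshot was taken.
    """
    seen = set(inventory) | {e["vm"] for e in events if e["action"] in CREATION_ACTIONS}
    return sorted(seen - set(baseline))


def tier0_disk_access(events, tier0):
    """Snapshot/clone/export of Tier-0 guests: the credential-theft precursor."""
    return [e for e in events if e["vm"] in tier0 and e["action"] in DISK_ACCESS_ACTIONS]


def unapproved_creators(events, approved_principals):
    """VM creation by a principal that is neither your pipeline nor a known admin."""
    return [e for e in events
            if e["action"] in CREATION_ACTIONS and e["user"] not in approved_principals]


def hunt(baseline, inventory, raw_events, tier0, approved_principals):
    """Run all three checks; returns (severity, message) pairs for the SOC queue."""
    events = normalize(raw_events)
    findings = []
    for vm in rogue_vms(baseline, inventory, events):
        findings.append(("HIGH", f"VM not in approved baseline: {vm}"))
    for e in tier0_disk_access(events, tier0):
        findings.append(("CRITICAL", f"{e['action']} of Tier-0 VM {e['vm']} by "
                                     f"{e['user']} at {e['time']:%Y-%m-%d %H:%M}"))
    for e in unapproved_creators(events, approved_principals):
        findings.append(("MEDIUM", f"{e['action']} of {e['vm']} by unapproved principal {e['user']}"))
    return findings


# Constructed data standing in for a CMDB export, a vCenter inventory listing and
# a vCenter event export converted to JSON.
BASELINE = {"dc01", "dc02", "adfs01", "web01", "web02"}
INVENTORY = ["dc01", "dc02", "adfs01", "web01", "web02", "win10-tmp"]
TIER0 = {"dc01", "dc02", "adfs01"}
APPROVED = {"VSPHERE.LOCAL\\svc-terraform", "CORP\\vadmin01"}
RAW_EVENTS = [
    {"time": "2025-11-02T03:14:00", "type": "VmCreatedEvent", "vm": "win10-tmp", "user": "CORP\\jsmith"},
    {"time": "2025-11-02T03:40:00", "type": "VirtualMachine.createSnapshot", "vm": "dc01", "user": "CORP\\jsmith"},
    {"time": "2025-11-02T03:52:00", "type": "VirtualMachine.exportVm", "vm": "adfs01", "user": "CORP\\jsmith"},
    {"time": "2025-11-03T10:00:00", "type": "VmClonedEvent", "vm": "web03", "user": "VSPHERE.LOCAL\\svc-terraform"},
    {"time": "2025-11-03T10:05:00", "type": "VmPoweredOnEvent", "vm": "web03", "user": "VSPHERE.LOCAL\\svc-terraform"},
]

if __name__ == "__main__":
    for sev, msg in hunt(BASELINE, INVENTORY, RAW_EVENTS, TIER0, APPROVED):
        print(f"[{sev}] {msg}")
```

Note that web03 is flagged even though your pipeline account cloned it: the baseline check is about CMDB drift, and a pipeline-created VM missing from the approved list is either a process gap or a compromised pipeline credential, both of which you want to see. Run the hunt over the longest event retention you have; the advisories describe dwell times beyond a year, which is longer than default vCenter event retention, so exporting events to a SIEM is part of the fix.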

⚡ Quick Hits

Experian forecast: over 8,000 data breaches in H1 2025

Experian’s latest data breach industry forecast notes more than 8,000 global breaches in the first half of 2025, exposing ~345 million records, with attackers leaning heavily on AI to craft convincing identities and scams.

Source — Experian

💡 Key Takeaway: Assume large-scale identity data reuse: reinforce identity verification, account recovery flows, and fraud detection with behavioral signals—not just static PII.

Healthcare ransomware continues to climb

Recent ransomware roundup data shows healthcare remains a top-targeted sector, with hundreds of incidents so far this year, often resulting in data theft, downtime, and delayed care.

Source — Comparitech (Ransomware Roundup)

💡 Key Takeaway: Healthcare and healthcare-adjacent orgs should treat business continuity and tested recovery as core patient-safety controls, not just IT hygiene.

BreachSense: live leak-site tracking for vendor exposure

BreachSense’s breach tracker continues to log new victims across sectors, indexing data directly from ransomware leak sites and other threat actor data dumps.

Source — BreachSense Breach Tracker

💡 Key Takeaway: Use leak-site monitoring to cross-check your critical supplier list—vendor compromise is often your earliest warning sign of third-party risk materializing.

AI-in-OT guidance offers a blueprint for safe automation

The joint AI-in-OT guidance emphasizes four principles: governance, secure design, secure operation, and resilient monitoring for AI systems that interact with physical processes in critical infrastructure.

Source — CISA Joint AI-in-OT Guidance

💡 Key Takeaway: Treat AI components in OT like safety systems: require formal threat modeling, rigorous testing, and clearly defined fail-safe modes before deployment.

New ICS advisories underscore ongoing OT risk growth

The latest ICS advisory batch spans engineering tools, data center DCIM platforms, cloud-linked monitoring solutions, and access control systems—each now on CISA’s radar as potential pivot points for OT and facilities compromise.

Source — CISA ICS Advisories

💡 Key Takeaway: Ensure your IT and OT teams jointly review ICS advisories, not in isolation—many of these products span traditional boundaries.

🧰 Actionable Defense Move of the Week

Run a KEV-focused “hot patch” sprint across web, mobile, and management planes

This week’s developments—React2Shell, Android KEV additions, Motex LANSCOPE, and new ICS advisories—offer a clear short list of high-impact fixes.

Suggested 3–5 day sprint:

1. Inventory exposure
Identify any React RSC / Next.js deployments, Android enterprise/BYOD footprint, LANSCOPE, and ICS components listed in the latest CISA advisories and KEV entries.

2. Prioritize by blast radius
Internet-facing systems, identity providers, endpoint managers, and virtualization stacks first.

3. Patch or isolate
Quickly patch where possible; otherwise, isolate (network segmentation, ACLs, VPN-only access) and add targeted monitoring rules.

4. Instrument detections
Deploy detections for React2Shell exploitation, Android zero-day telemetry anomalies, and BRICKSTORM behaviors; ingest BRICKSTORM IOCs and AI-OT/ICS guidance into playbooks.

5. Report to leadership
Provide a brief KEV-closure status summary, emphasizing reduced exposure for governance and board-level visibility.

💡 Key Takeaway: A focused KEV-driven sprint can meaningfully reduce risk from actively exploited vulnerabilities in just a few days—far more efficiently than spreading effort across a long tail of theoretical CVEs.
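The KEV tracking described under Trend to Watch (track entries, tag affected assets, report closure status) and the closure summary in step 5 of the sprint above are the same piece of bookkeeping. The script below is an added example written for this issue, not a CISA tool. It reads the catalog in the JSON layout CISA publishes (the live feed is https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), joins it to scanner findings tagged with asset attributes, orders the open work by the sprint's blast-radius rule, and produces the per-CVE status and overdue list a leadership summary needs. The catalog subset and findings are constructed: the CVE IDs are the ones in this issue, but the dates, names and required-action text are made up for the example and are not CISA's, and the blast-radius weights in TAG_PRIORITY are an assumption you should tune.

```python
"""KEV-closure tracking against an asset/finding inventory.

Added example for this issue, not a CISA tool. Reads the KEV catalog in CISA's
JSON feed layout, joins it to scanner findings tagged from the CMDB, and returns
the closure status, patch queue and summary a sprint report needs. The catalog
subset and findings below are constructed; dates and names are not CISA's.
"""
import json
from datetime import date

# Assumed blast-radius weights from the sprint: internet-facing, then identity,
# endpoint-management and virtualization planes. Lower number = patch first.
TAG_PRIORITY = {"internet-facing": 0, "identity": 1, "endpoint-mgmt": 1,
                "virtualization": 1, "internal": 3}
CLOSED = {"fixed", "isolated"}   # patch-or-isolate: both count as closed


def load_kev(kev_json_text):
    """cveID -> catalog entry for every vulnerability in the feed."""
    return {v["cveID"]: v for v in json.loads(kev_json_text)["vulnerabilities"]}


def kev_status(kev, findings, as_of):
    """Per-KEV-CVE status across every asset that carries the CVE."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    report = {}
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:          # not in KEV: stays in the normal CVSS-driven queue
            continue
        r = report.setdefault(f["cve"], {
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "open_assets": [], "closed_assets": []})
        (r["closed_assets"] if f["status"] in CLOSED else r["open_assets"]).append(f["asset"])
    for r in report.values():
        r["closed"] = not r["open_assets"]
        r["overdue"] = (not r["closed"]) and r["due"] < as_of
        r["days_left"] = (r["due"] - as_of).days
    return report


def patch_queue(kev, findings):
    """Open KEV findings ordered by blast radius, then KEV due date, then asset."""
    queue = [f for f in findings if f["cve"] in kev and f["status"] not in CLOSED]
    return sorted(queue, key=lambda f: (min(TAG_PRIORITY.get(t, 2) for t in f["tags"]),
                                        kev[f["cve"]]["dueDate"], f["asset"]))


def summary(report):
    """Inputs for the leadership one-liner: counts, closure rate, overdue CVEs."""
    total = len(report)
    closed = sum(1 for r in report.values() if r["closed"])
    return {"kev_cves_present": total, "closed": closed,
            "closure_pct": round(100 * closed / total) if total else 100,
            "overdue": sorted(c for c, r in report.items() if r["overdue"])}


# Constructed KEV subset in the feed's layout. CVE IDs are from this issue;
# dates, names and requiredAction text are made up for the example.
KEV_JSON = json.dumps({"title": "example subset", "catalogVersion": "example",
    "dateReleased": "2025-12-15", "count": 2, "vulnerabilities": [
        {"cveID": "CVE-2025-55182", "vendorProject": "React", "product": "Server Components",
         "vulnerabilityName": "example", "dateAdded": "2025-12-05", "dueDate": "2025-12-12",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply vendor mitigations."},
        {"cveID": "CVE-2025-61932", "vendorProject": "Motex", "product": "LANSCOPE Endpoint Manager",
         "vulnerabilityName": "example", "dateAdded": "2025-12-01", "dueDate": "2025-12-22",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply vendor mitigations."}]})

# Constructed scanner findings with CMDB tags. "CVE-EXAMPLE-NOTKEV" is a placeholder
# for any non-KEV CVE and shows that such findings are left to the normal queue.
FINDINGS = [
    {"asset": "web-store-01", "cve": "CVE-2025-55182", "status": "open", "tags": ["internet-facing"]},
    {"asset": "api-edge-03", "cve": "CVE-2025-55182", "status": "open", "tags": ["internal"]},
    {"asset": "web-intra-02", "cve": "CVE-2025-55182", "status": "fixed", "tags": ["internal"]},
    {"asset": "lanscope-mgr", "cve": "CVE-2025-61932", "status": "isolated", "tags": ["endpoint-mgmt"]},
    {"asset": "build-agent-7", "cve": "CVE-EXAMPLE-NOTKEV", "status": "open", "tags": ["internal"]},
]

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    rep = kev_status(kev, FINDINGS, "2025-12-15")
    for cve, r in rep.items():
        state = "CLOSED" if r["closed"] else f"OPEN, due {r['due']}, overdue={r['overdue']}"
        print(f"{cve} ({r['product']}): {state}")
    for f in patch_queue(kev, FINDINGS):
        print("next:", f["asset"], f["cve"])
    print(summary(rep))
```

Treat "isolated" as closed only when the isolation is actually recorded as a compensating control with an owner and an expiry; otherwise it quietly becomes the open-ended exposure the patch-or-isolate rule is meant to prevent. Replace KEV_JSON with the downloaded feed and FINDINGS with your scanner export, and the summary dict is what goes into the step-5 report.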

🔚 Final Word

This week’s React2Shell RCE, Android zero-days, BRICKSTORM backdoor activity, and KEV/ICS updates all point in the same direction: attackers are investing heavily in prepositioning and persistence, not just smash-and-grab campaigns. Defenders who align patching and detection strategy with KEV, harden virtualization and identity infrastructure, and treat AI- and OT-driven automation as security-critical will be best positioned to weather what comes next.
