Welcome to InfoSec.Watch Issue #116 — your concise weekly briefing on the most significant cybersecurity developments. This week brings large-scale exploitation of the React2Shell RCE, urgent zero-day patches from Apple and Microsoft, and a stealthy backdoor campaign against virtualization control planes.
🧨 Top Stories
React2Shell exploitation widens and malware deployed across sectors
Attackers are actively exploiting CVE-2025-55182 (“React2Shell”), a critical RCE in React Server Components, to deploy everything from backdoors to cryptominers in both opportunistic and targeted campaigns. Google Cloud’s threat intelligence team details this in: Google Cloud Threat Intelligence.
💡 Key Takeaway: Treat React2Shell as an emergency patch — prioritize upgrading affected React/Next.js apps and hunting for post-exploit persistence.
Apple patches actively exploited WebKit zero-days in iOS and macOS
Apple shipped fixes for two actively exploited WebKit flaws (CVE-2025-14174 and CVE-2025-43529). These allow arbitrary code execution via malicious web content. Full coverage via: Help Net Security.
💡 Key Takeaway: Use MDM/EMM to require Apple OS updates — compromised BYOD devices are effectively compromised endpoints.
Microsoft’s December Patch Tuesday fixes 57 flaws, including a zero-day
Microsoft fixed 57 vulnerabilities, including the actively exploited privilege-escalation bug CVE-2025-62221. Detailed analysis available via: CrowdStrike Patch Tuesday.
💡 Key Takeaway: Prioritize these patches across Windows fleets — zero-day privilege escalation is prime ransomware fuel.
🛡️ Vulnerability Spotlight
CVE-2025-55182 — React2Shell RCE in React Server Components
A deep dive from Wiz explains the insecure deserialization flaw in React Server Components that enables unauthenticated RCE. Wiz Research
💡 Key Takeaway: Patch all RSC/Next.js apps and enforce SCA checks in CI/CD.
Windows zero-days: CVE-2025-62221 and CVE-2025-54100
SocPrime details exploitation paths for the Cloud Files Mini Filter zero-day and a PowerShell Invoke-WebRequest RCE. SocPrime
💡 Key Takeaway: Patch quickly and tighten PowerShell controls/logging.
Apple WebKit zero-days across iOS and macOS
SecurityWeek links these WebKit bugs to a broader cross-vendor exploit chain involving Chrome. SecurityWeek
💡 Key Takeaway: Treat WebKit/browser updates as urgent — they’re common spyware entry points.
📈 Trend to Watch
BRICKSTORM: Stealthy backdoors in virtualization control planes
A joint CISA/NSA/CCC advisory warns that BRICKSTORM targets VMware vSphere and Windows systems to gain durable hypervisor-level persistence. CISA Joint Advisory
💡 Key Takeaway: Add visibility and monitoring to vCenter/ESXi — endpoint tools won’t see hypervisor compromise.
🧰 Tool / Resource of the Week
GreyNoise Threat Explorer
GreyNoise Threat Explorer helps teams separate background internet scanning from actual targeted threat traffic. Their analysis of React2Shell exploitation illustrates how quickly mass scanning emerges after a high-impact disclosure. GreyNoise React2Shell Blog
💡 Key Takeaway: Integrate GreyNoise to reduce alert fatigue and highlight meaningful threats.
⚡ Quick Hits
- React2Shell added to CISA KEV. CISA KEV Catalog
💡 Key Takeaway: Patch or compensate immediately if it’s in KEV.
- China-nexus exploitation of React2Shell continues. AWS Security Blog
💡 Key Takeaway: Assume rapid weaponization of high-impact bugs.
- Chrome zero-day exploited in the wild. Malwarebytes Labs
💡 Key Takeaway: Browser patching is as critical as OS patching.
- Cl0p ransomware hits Barts Health NHS via Oracle EBS. TechRadar Pro
💡 Key Takeaway: Treat ERP systems as crown-jewel assets.
- Google + Apple push emergency updates after cross-vendor attacks. TechCrunch
💡 Key Takeaway: Coordinate patch response when multiple vendors ship emergency fixes at once.
⚔️ Actionable Defense Move of the Week
Run a React2Shell-focused dependency and exposure review.
Inventory all React/Next.js apps, patch vulnerable versions, add SCA enforcement, and review logs for suspicious RSC-related activity.
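The inventory step above is the part most teams do by hand. The script below is an added example written for this issue, not code from any of the vendors or projects mentioned: it walks a checkout, reads every npm lockfile (v1 and v2/v3 formats), and flags watched React Server Components / Next.js packages whose installed version sits below a patched floor, including copies nested under other dependencies, where manual review usually misses them. The watched package names and the version floors are configuration you supply; the `DEMO_FLOORS` values and the `DEMO_LOCKFILE` are constructed for the demo and are not the fixed versions from the CVE-2025-55182 advisory.

```python
"""Added example: inventory React Server Components / Next.js packages in npm
lockfiles and flag versions below a patched floor. Floors and demo data are
constructed stand-ins, not the advisory's real fixed versions."""
import json
import os
import re
from typing import Dict, Iterator, List, Optional, Tuple

# (major, minor, patch, release_flag); release_flag is 0 for prereleases so
# that 19.1.0-canary-x sorts below 19.1.0.
Version = Tuple[int, int, int, int]
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'MAJOR.MINOR.PATCH[-prerelease]'; return None for non-semver strings."""
    m = _SEMVER.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def iter_lock_packages(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, install_path) for every package in an npm lockfile.
    lockfileVersion 2/3 keeps a flat 'packages' map keyed by install path;
    v1 nests 'dependencies' recursively."""
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path or "version" not in meta:
                continue  # the root project entry ("") carries no version
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta["version"], path
        return

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            location = f"{prefix}node_modules/{name}"
            if "version" in meta:
                yield name, meta["version"], location
            yield from walk(meta.get("dependencies", {}), location + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_lockfile(lock: dict, floors: Dict[str, str], source: str = "<inline>") -> List[dict]:
    """One finding per watched package: 'vulnerable' below the floor, 'patched'
    at or above it, 'unparseable' when the version string cannot be compared
    (a git or link install, for example) and needs a manual look."""
    findings = []
    for name, version, location in iter_lock_packages(lock):
        if name not in floors:
            continue
        have, need = parse_version(version), parse_version(floors[name])
        if have is None or need is None:
            status = "unparseable"
        else:
            status = "vulnerable" if have < need else "patched"
        findings.append({"source": source, "package": name, "version": version,
                         "location": location, "status": status})
    # Vulnerable entries first, then stable ordering by package and path.
    return sorted(findings, key=lambda f: (f["status"] != "vulnerable", f["package"], f["location"]))


def scan_tree(root: str, floors: Dict[str, str]) -> List[dict]:
    """Audit every package-lock.json under root, skipping node_modules trees."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package-lock.json" in filenames:
            path = os.path.join(dirpath, "package-lock.json")
            with open(path, encoding="utf-8") as fh:
                findings.extend(audit_lockfile(json.load(fh), floors, source=path))
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per status, for a CI gate or a one-line report."""
    counts = {"vulnerable": 0, "patched": 0, "unparseable": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


# CONSTRUCTED demo configuration: stand-in floors, NOT the real fixed versions.
DEMO_FLOORS = {"next": "15.1.0", "react-server-dom-webpack": "19.1.0",
               "react-server-dom-turbopack": "19.1.0"}

# CONSTRUCTED demo lockfile (v3): one outdated top-level package, one patched
# copy, one prerelease copy nested under another dependency, one git install.
DEMO_LOCKFILE = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "15.0.3"}},
        "node_modules/next": {"version": "15.0.3"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
        "node_modules/legacy-widget/node_modules/react-server-dom-webpack": {"version": "19.1.0-canary-0a1b2c3d"},
        "node_modules/react-server-dom-turbopack": {"version": "git+ssh://git@example.invalid/fork.git#abc123"},
    },
}

if __name__ == "__main__":
    for f in audit_lockfile(DEMO_LOCKFILE, DEMO_FLOORS):
        print(f"{f['status']:<12} {f['package']:<28} {f['version']:<44} {f['location']}")
    print(summarize(audit_lockfile(DEMO_LOCKFILE, DEMO_FLOORS)))
```

Run it against a real tree with `scan_tree("/path/to/checkouts", floors)` after replacing the floors with the versions from the vendor advisory; a non-zero `vulnerable` or `unparseable` count in `summarize()` is the natural thing to fail a CI job on, which covers the "add SCA enforcement" step for repositories that do not yet have a commercial scanner wired in.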
🧠 Final Word
React2Shell, Apple and Microsoft zero-days, Chrome exploitation, and BRICKSTORM-style backdoors show how large the modern attack surface has become. Defense in depth across browsers, frameworks, mobile, and virtualization layers is essential.
Follow InfoSec.Watch on social and subscribe for more weekly insights.