Ticker feed
A critical vulnerability in React Server Components called React2Shell has triggered a massive wave of cyberattacks, with over 50 organizations confirmed compromised across the US, Asia, South America, and the Middle East. The Cybersecurity and Infrastructure Security Agency moved up the patching deadline to Friday due to escalating threats.
Attackers from nation-states to cybercriminals are exploiting this "one click, game over" flaw that affects popular frameworks like Next.js. Shadowserver found over 165,000 vulnerable IP addresses, with nearly two-thirds in the US. Half remain unpatched despite active exploitation since Tuesday.
Experts compare React2Shell to the devastating Log4Shell vulnerability, warning it's easier to weaponize and harder to detect once compromised.
Source: CyberScoop
CISA added a dangerous zero-day vulnerability in Google Chromium's graphics engine to its priority threat list. The flaw, CVE-2025-14174, lets attackers execute malicious code through crafted web pages by exploiting memory corruption in the ANGLE graphics component.
Discovered and patched within days, this vulnerability affects Chrome, Edge, and other Chromium-based browsers used by over 70% of desktop users. Attackers could use it for drive-by attacks, data theft, or ransomware deployment through malicious websites or ads.
Google released Chrome version 131.0.6778.201 on December 10 with the fix. Federal agencies must patch by January 2, 2026, or stop using affected browsers. Users should update immediately and restart their browsers to stay protected.
Source: Cybersecurity News
Cybersecurity firm Huntress has discovered a new wave of attacks targeting Gladinet CentreStack instances, with hackers exploiting a cryptographic vulnerability to breach nine organizations across healthcare and technology sectors.
The flaw allows attackers to access the 'web.config' file and steal machine keys by exploiting CentreStack's reliance on the same two 100-byte strings for key derivation. Once obtained, these keys never change, enabling hackers to decrypt any server-generated ticket or create their own malicious ones.
Attackers then use these keys to forge ViewState payloads and achieve remote code execution through deserialization attacks. Gladinet released patches in late November and December, urging customers to update immediately.
Source: Security Week
Apple released critical iOS 26.2 and iPadOS 26.2 updates on December 12, 2025, patching two WebKit zero-day vulnerabilities actively exploited in sophisticated spyware attacks. The flaws, discovered by Google's Threat Analysis Group, allow hackers to execute malicious code through compromised websites.
CVE-2025-43529 involves a use-after-free bug, while CVE-2025-14174 is a memory corruption issue. Both were used in targeted campaigns against specific iPhone users. The update also fixes over 30 other security holes, including a kernel flaw that could grant root access.
Affected devices include iPhone 11 and newer models, plus recent iPad Pro, Air, and mini versions. Users should update immediately through Settings > General > Software Update.
Source: Cybersecurity News
UK parliamentary authorities are warning MPs and officials about a sharp rise in phishing attacks targeting their WhatsApp and Signal accounts, with Russian-based actors actively involved. The attacks involve fake messages from app support teams asking users to enter codes, click links, or scan QR codes, potentially giving hackers access to messages and contacts.
Despite new security measures introduced by the National Cyber Security Centre in October, attacks continue climbing. Parliament is now urging legislators to stop using commercial messaging apps for work and switch to Microsoft Teams instead.
This follows previous incidents, including a 2023 investigation into "Abigail" WhatsApp attacks and the identification of Russian intelligence group Star Blizzard targeting MPs since 2015.
Source: The Guardian
Notepad++ has patched a serious vulnerability that allowed hackers to hijack the popular code editor's update system. Security researcher Kevin Beaumont reported that Chinese threat actors exploited this flaw to target telecoms and financial services companies across East Asia in early December.
The attack worked by intercepting traffic between Notepad++ and its update servers, tricking users into downloading malicious files instead of legitimate updates. The vulnerability affected the WinGUp updater component, which failed to properly verify the authenticity of downloaded files.
Version 8.8.9 now includes signature verification to prevent fake updates from installing. However, experts believe the attacks required significant resources, possibly involving traffic hijacking at the internet service provider level.
Source: SecurityWeek
A critical zero-day vulnerability (CVE-2025-8110) in Gogs, a popular self-hosted Git service, is being actively exploited by attackers who have already compromised over 700 instances. The flaw allows authenticated users to bypass security protections using symbolic links, leading to remote code execution.
Discovered on July 10, 2025, the vulnerability exploits how Gogs handles file modifications through its API. Attackers create repositories with symlinks pointing to sensitive system files, then use the API to overwrite critical files and inject malicious commands.
The attacks appear automated, targeting instances with open registration enabled. Infected servers show repositories with random 8-character names and deploy Supershell malware for persistent access. Despite responsible disclosure in July, no patch is available yet.
Source: Cybersecurity News
Logitech disclosed a cybersecurity incident in an SEC filing Friday after being named as a victim in the Cl0p ransomware group's Oracle E-Business Suite hacking campaign. The consumer electronics company said hackers exploited a zero-day vulnerability in third-party software to steal employee, consumer, customer, and supplier data.
Logitech emphasized that no sensitive personal information, such as Social Security numbers or credit card details, was compromised, and that business operations remain unaffected. The Cl0p group leaked 1.8 TB of alleged Logitech data in early November.
Over 50 companies have been targeted in this Oracle EBS campaign, including The Washington Post, Harvard University, and American Airlines subsidiary Envoy Air. Security experts link the attacks to the FIN11 threat actor group.
Source: SecurityWeek
Google released an urgent Chrome security update to patch a high-severity zero-day vulnerability that hackers are actively exploiting in the wild. The emergency fix brings Chrome to version 143.0.7499.109/.110 for Windows/Mac and 143.0.7499.109 for Linux.
Google confirmed threat actors are leveraging this flaw (tracked as Issue 466192044) to compromise unpatched systems. The company is keeping technical details restricted to prevent other hackers from reverse-engineering the patch.
The update also fixes two medium-severity bugs in Chrome's Password Manager and Toolbar. Users should update immediately through Chrome's Help menu to protect against targeted attacks.
Source: Cybersecurity News
The Justice Department charged Victoria Eduardovna Dubranova, 33, a Ukrainian national, with cyberattacks on critical US infrastructure as part of two Russian state-sponsored hacking groups. Working with CyberArmyofRussia_Reborn (CARR) and NoName057(16), she allegedly targeted water systems, food processing facilities, and government networks across the US and allied nations.
The attacks caused real damage: drinking water systems in several states spilled hundreds of thousands of gallons, and a November 2024 attack on a Los Angeles meat plant spoiled thousands of pounds of meat and triggered an ammonia leak evacuation.
Dubranova faces up to 27 years if convicted on all charges. The State Department is offering rewards up to $10 million for information on the groups.
Source: CyberScoop