A ticking time bomb in modern web apps On December 3, 2025, maintainers of React.js revealed a critical vulnerability, tracked as CVE-2025-55182, affecting the “Server Components” feature in React and, by extension, many of its frameworks like Next.js. The vulnerability, which has been nicknamed “React2Shell”, allows unauthenticated attackers to run arbitrary code on a vulnerable server by merely issuing a specially crafted HTTP request. What makes this bug especially dangerous is that it exploits a core server-side mechanism that’s meant to enable modern, efficient web deployments, meaning many applications are vulnerable even if they haven’t implemented any custom server logic. As one security advisory says: even default deployments of React Server Components are exploitable. With a maximum severity rating (CVSS 10.0), React2Shell is among the worst kinds of vulnerabilities: one that can immediately lead to full server compromise, data theft, or downstream attacks. Threat actors wasted no time — widespread exploitation underway React2Shell was officially made public at the end of June, and within hours of its announcement, we had observed the following: One or more organizations in China were probing for vulnerable servers and gaining unauthorized access. Indeed, the Earth Lamia and Jackpot Panda cybercrime organizations are known to have had access to high-impact vulnerabilities for many years in order to conduct espionage, steal data and launch supply-chain attacks against various sectors. They frequently target – among others – the financial, government, retail, logistics, IT services and educational sectors, and often do so in the regions of Southeast Asia, Latin America and the Middle East. The Hacker News They released reports of attempted remote-code execution and reconnaissance against compromised systems. Among the actions of these intruders were the creation of system commands (e.g. “who am I”), writing files to the compromised servers and reading critical files (/etc/passwd) stored on those servers. While it is not possible to accurately assess how many cloud-based publicly-accessible web apps are built on React or Next.js platforms, some estimates indicate that as many as 39% might contain an exploitable React / Next.js stack based on their current level of use. What React2Shell means for modern software and enterprises 1. Widely used frameworks — massively expanded risk surface Most of the interactive web apps and cloud services are powered by React and Next.js. Since React2Shell is about the server-side part of the default setup, a lot of developers, who maybe are not considered “at risk”, just got exposed. The vulnerability doesn’t go to the depth of the niche apps only; in fact, even the mainstream websites and big web platforms are susceptible. 2. Zero-day + public exploit = race against time Public proof-of-concept (PoC) exploit availability means attackers can hardly be stopped by sophisticated tooling or insider knowledge when exploiting vulnerable servers. In the case that a system is unpatched, then it becomes an easy target and the time frame can be as short as minutes from disclosure. React2Shell 3. Potentially severe consequences — from data breaches to full compromise React2Shell being an instance of remote code execution is the reason why attacker can virtually do everything, such as malware installation, lateral movement within the network, data exfiltration, web-shell or ransomware dropping, and using the compromised servers for the attacks to be sent further. The exposure risk is not only limited to the domain of data; hence, full server takeover is possible too. React Server Components 4. Trust in default configurations is broken — security must be proactive This issue demonstrates that even default installations, i.e., those without custom server code, are still vulnerable. Security teams cannot rely on the safety of “out-of-the-box” anymore. Hence, every deployment, framework version, and dependency should be audited. How to respond — immediate and strategic steps A situation has arisen where immediate action needs to be taken by organizations who utilize the React.js or Next.js (or other frameworks utilizing React Server Components). A direct course of action has been provided below to help guide this process. Where Sprit Network Fits In – Your Cybersecurity Ally in Turbulent Times At Sprit Network, we realize that issues like React2Shell do not only reveal weaknesses of the system but also put the business reputation, data integrity, and operational continuity at a risk. We are the solution to this problem in the following ways: We live in a world where even the most trusted frameworks can be turned into weapons overnight and this is the reason why having a proactive, experienced partner is more important than ever before. Sprit Network empowers you to turn the situation around from reactive firefighting to strategic risk management, thus, making vulnerabilities controllable challenges rather than existential threats. Conclusion: Urgency, Action, and Resilience The React2Shell vulnerability highlights the stark fact that modern web platforms, even what are considered the most popular “standard” web frameworks, are not free from potentially disastrous classes of vulnerabilities. Skilled attackers are already actively taking advantage of this vulnerability, making an action of slow response even more likely to result in being compromised, regardless of whether you are operating a web app for a startup or managing the large scale infrastructure of an enterprise. The time to take action has arrived to those currently using or planning to use React/Next.js: audit, patch and secure your web apps; and if you require the assistance of a cybersecurity expert, take advantage of vendor partners like Sprit Network. Cybersecurity isn’t a choice; it’s an absolute necessity in ensuring your organization does not become a target of cyber crime.
Stealthy Espionage: China-linked APT31 Targets Russian IT through Cloud Services Recent research by Positive Technologies has exposed a long-running espionage campaign by the China-linked advanced persistent threat group APT31, also known as Altaire, Violet Typhoon, Judgement Panda, and others, against the Russian IT sector, especially companies that integrate solutions for government agencies. China-Linked APT31 This campaign is particularly advanced given the fact that APT31 uses legitimate cloud services, such as Yandex Cloud and Microsoft OneDrive, for C2 and data exfiltration-an approach to help attackers evade detection by blending into regular network traffic. China-Linked APT31 Moreover, the group takes advantage of various, custom, and publicly available tools to keep up the persistence for a long time. These include scheduled tasks masquerading as Chrome or Yandex Disk and backdoors like CloudSorcerer, OneDriveDoor, and COFFProxy. This stealthiness has allowed them to stay hidden in the networks of their victims for months or years, siphoning away passwords, internal documents, and other sensitive information. redsecuretech.co.uk+1 Fileless Phishing: Matrix Push C2 Abuses Browser Notifications Threat actors are exploiting built-in features of browsers with a new command-and-control (C2) platform called Matrix Push C2. Matrix Push C2 This “fileless” framework tricks users into subscribing to browser notifications, often through social engineering on harmful or compromised websites. Once subscribed, attackers send fake alerts (e.g., “Verify login,” “Update browser”) that look like real system messages and include familiar branding and logos. If the user clicks on these alerts, they are redirected to phishing pages or malware sites. The attacker’s dashboard also lets them see who clicked, which notifications users interacted with, and even track installed browser extensions, such as crypto wallets. Notably, Matrix Push C2 is being sold as malware-as-a-service (MaaS), with subscription options that range from monthly to yearly, allowing less-skilled threat actors to access this complex attack. CISA Alarm: Critical Oracle Identity Manager Zero-Day Under Active Exploitation The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning: a zero-day vulnerability in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited. CISA Warns This vulnerability enables remote, unauthorized attackers to execute code, thus bypassing authentication through a bug in Oracle’s URL filter. Once exploited, the attackers can compile malicious Groovy code that executes at compile time, thus yielding a potent foothold. Given the severity (CVSS 9.8), CISA has added this to the Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by December 12, 2025. What These Threats Indicate about the Current Cyber Landscape In relation to one another, all three of these incidents have highlighted some troubling trends in the cyber threat landscape of 2025: • Cloud infrastructure is being weaponized: APT31’s use of trusted cloud services for C2 and data theft illustrates how threat actors are increasingly abusing trusted platforms instead of spinning up blatant infrastructure. • Browser-based attacks are evolving: The Matrix Push C2 indicates attackers don’t always needed to rely on file-based malware – they can exploit browser functionality to deliver phishing content and maintain a persistent hold. • Critical enterprise vulnerabilities are still a top target: The Oracle Identity Manager zero-day indicates that sophisticated attackers are still targeting high value enterprise systems, and that zero-days in trusted software represent a serious risk that could be consequential for a large number of organizations. These changes are demonstrating the need for modern, layered cyber defenses that provide more than traditional antivirus, or firewall tools. How Sprit Network Can Address These Risks At Sprit Network, we are paying close attention to these emerging threat vectors, and we are able to assist organizations in defending against them. Threat Intelligence & Monitoring Secure Configuration & Zero-Day Response Browser Security Enhancement Incident Response & Forensics Conclusion The November 2025 cyber threat landscape continues to evolve in concerning ways: from state-linked espionage groups such as APT31 hiding in plain sight via the cloud, to crimeware actors innovating with browser-based, fileless phishing through Matrix Push C2, and to ongoing zero-day vulnerabilities continuing to be leveraged in high-stakes environments, such as the one in Oracle Identity Manager. These developments should constitute a wake-up call that legacy defenses are no longer sufficient. What’s required now for organizations is proactive, intelligence-driven, and multilayered cyber defense strategies. That’s where Sprit Network comes in. Our blend of threat intelligence, vulnerability management, browser hardening, and incident response ensures your organization stays ahead of modern threats-not just reacting, but anticipating. Whether you’d like to learn more about how Sprit Network can help your team defend against these emerging risks or would like to schedule a consultation tailored to your needs, please don’t hesitate to reach out.