Hybrid Cloud
Cyber Security & NaaS
AI & Data
IoT & Connectivity
Business Applications
Intelligent Workplace
Consulting & Professional Services
Small Medium Enterprise
Health and Social Care
Industry
Retail
Tourism and Leisure
Transport & Logistics
Energy & Utilities
Banking and Finance
Sports
Smart Cities
Cyber Security Weekly Briefing, 5 December
Critical remote execution vulnerability in React Server
A maximum severity vulnerability in React Server allows remote code execution through a single HTTP request, with nearly 100% reliability according to Wiz.
The flaw, dubbed CVE-2025-55182 (CVSSv3 10.0 according to Facebook), is caused by insecure deserialization in the Flight protocol of React Server Components and affects versions 19.0.1, 19.1.2, and 19.2.1. Various frameworks that integrate React by default, including Next.js, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku, are also vulnerable, even when applications do not explicitly use React features. The vector is remote and unauthenticated, allowing an attacker to execute privileged JavaScript on the server using specially crafted payloads.
GitHub and Google have published a POC of the exploit and further details about the flaw, respectively. Administrators and developers are urged to update React and all affected dependencies, as well as to review their codebases to identify vulnerable implementations.
Possible risks in Notepad++ auto-updater
Researcher Kevin Beaumont says that suspicious activity has been detected in a small number of Notepad++ users. Beaumont describes a potential risk associated with the automatic update system (GUP/WinGUP): during the process, if malicious actors are involved, a non-legitimate binary could be executed from temporary folders, potentially compromising security.
Although there is no evidence of a massive attack, as a preventive measure, it is recommended to make sure you are using version 8.8.8 or higher, download Notepad++ from its official site, and, for corporate environments, consider disabling automatic updating.
Google fixes multiple bugs in Android and warns of two 0-day exploits
Google published its monthly security bulletin for Android, fixing 107 vulnerabilities, including two 0-day vulnerabilities that are already being exploited to access information and escalate privileges.
- The first, CVE-2025-48633, allows an attacker to access information that should be protected, such as internal system data, memory, or user data.
- The second 0-day, CVE-2025-48572, enables an attacker to obtain higher permissions than they should, allowing them to perform actions as if they were a user with greater authority or even with system permissions.
The company also highlighted CVE-2025-48631 as the most critical flaw of the month, capable of causing a remote denial of service without additional privileges. The bulletin includes two patch levels (2025-12-01 and 2025-12-05) to facilitate adaptation by manufacturers, who release updates according to their own schedules.
The fixes cover flaws in the framework, system, kernel, and multiple third-party components, including Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm.
ShadyPanda: Malicious extension operation with RCE capabilities
Koi Security has documented an operation called ShadyPanda, active since 2018, which has distributed 145 extensions for Chrome and Edge with more than 4.3 million combined installations. The extensions evolved from legitimate functionalities to malicious activities such as affiliate fraud, search hijacking, and cookie and query exfiltration.
In 2024, several reputable add-ons received an update that incorporated a backdoor with remote code execution capability, downloading arbitrary JavaScript from servers controlled by the actor. The associated spyware collects browsing history, keystrokes, clicks, persistent identifiers, and local storage data, sending them to multiple domains hosted in China. Although Google has removed the extensions from its store, several remain active in Microsoft Edge Add-ons, including versions with millions of installations.
Researchers warn that the actor retains the ability to reactivate the backdoor through updates and recommend immediately uninstalling the affected add-ons and resetting credentials.
Study reveals that asking AI for help in verse increases the possibility of getting dangerous answers by up to six times
A team of researchers from Icaro Lab, with participation from the Sapienza University of Rome, has shown that formulating dangerous requests to AI models such as a poem instead of direct prose, a technique dubbed adversarial poetry, can override their security mechanisms.
In their study, they found that, by converting 1200 standard malicious prompts into verse, the success rate in obtaining insecure responses went from an average of 8% in prose to an average between 43% and 62% in verse. The experiment involved 25 AI models from 9 different vendors.
https://arxiv.org/html/2511.15304v1
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →
