Transcript
A (0:00)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST.
B (0:18)
React flaw drama among researchers, and another Cloudflare outage. Major flaws in AI coding tools could lead to remote compromise. And a financial services firm ransomware breach impacts more than 70 US banks and credit unions.
B (0:36)
This is Cybersecurity Today and I'm your host David Shipley. Let's get started.
B (0:43)
Today's top story, and one causing widespread confusion, comes from reporting by CyberScoop. It highlights a growing divide between what researchers say is happening with a new React vulnerability and what's actually happening inside victim organizations. According to response teams, the vulnerability, known as React2Shell, has triggered a mix of skepticism, doubt and outright debate across some in the security community. Some researchers insist exploitation in the wild is minimal, mostly scanning and experimentation. Others, including multiple incident response teams, are reporting real compromises, real malware deployments and dozens of affected organizations.
B (1:28)
That tension between perceived uncertainty and confirmed impact is shaping this to become one of the most chaotic vulnerability disclosures and responses we've seen in years. Now, why does this flaw matter? You know, remote code execution in React. React isn't just another average web library. It's one of the most widely used frameworks powering modern web applications, especially React Server Components, which run sensitive logic server side. A remote code execution flaw in a server-side React component is significant. First of all, no authentication required. Not good. The attack surface here is huge. Cloud providers, SaaS apps, custom enterprise services all use React or Next.js. Server-side compromise gives attackers a foothold. Once they're in, they can steal creds, move laterally, deploy malware, or extract cloud secrets. This is why the vulnerability carries the CVSS score of 10, the maximum possible. And by the way, CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities list almost immediately last week. Hopefully that should end debate about whether exploitation is really happening or theoretical. Despite public disagreements around some proof-of-concept exploit code, the on-the-ground data paints a clear picture. As CyberScoop reports, Palo Alto's Unit 42 has confirmed more than 30 organizations have been impacted so far. watchTowr is observing indiscriminate exploitation across the Internet, and Wiz has seen cryptojacking deployments and cloud credential extraction attempts in customer environments. Unit 42 links some of the activity to UNC5174, believed to have ties to China's Ministry of State Security. Investigators have found SNOWLIGHT and VShell malware deployed during follow-on attacks. The broader pattern includes remote code execution attempts, reconnaissance, theft of cloud configuration files, and downloaders fetching additional payloads. Wiz research gives us a sense of why this vulnerability is so attractive. 39% of cloud environments contain vulnerable React or Next.js instances, 44% expose Next.js systems publicly, and 69% use the Next.js framework in some form. In short, the attack surface here is enormous. Even defenders acting quickly on this have run into trouble. Cloudflare reported a temporary outage last week linked to changes they deployed to detect and mitigate this vulnerability. It's a reminder that sometimes fixing issues at this scale can cause even more operational challenges, especially for global providers. While the debate continues in some corners of the research community, the incident data is starting to become clear. React2Shell is being exploited and organizations are being compromised. This is a high-severity vulnerability in a widely deployed framework, and defenders should prioritize patching and monitoring now. Don't wait until full consensus emerges.
