Transcript
A (0:01)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST. A React flaw hits a perfect 10 CVSS score, Microsoft patches an exploited link it left open for years, Evilginx bypasses MFA in schools and universities, ShadyPanda hides malicious extensions for years, and Google's agentic AI wipes a developer's hard drive. But it does say it's sorry. This is Cybersecurity Today. I'm your host, Jim Love.
A (0:48)
A maximum severity vulnerability has been disclosed in React Server Components that could allow remote code execution. The Hacker News reports that the flaw, tracked as CVE-2025-55182 and nicknamed React2Shell, carries a CVSS score of 10.0, the highest possible rating. It affects React's server-side architecture and frameworks built on top of it, including Next.js. Endor Labs said an attacker needs only network access to send a crafted HTTP request to any server function endpoint. The vulnerability affects default framework configurations, meaning standard deployments are immediately exploitable without special conditions. Researchers from Oligo Security and Cato Networks discovered the underlying issues and reported them to Meta and Vercel. Meta supports React and Vercel supports Next.js. React Server Components sit at the boundary between the server logic and the client rendering. This flaw breaks that boundary under the right conditions. It allows an attacker to run code on the server, access sensitive data, or manipulate application behavior. Wiz, a cloud security firm, said that 39% of cloud environments contain instances vulnerable to either CVE-2025-55182 or the related CVE-2025-66478, which I believe was collapsed into 55182. Meta and Vercel have released patches, and both companies have issued security advisories recommending that developers update immediately. Until those patches can be applied, Endor Labs recommends deploying web application firewall rules, monitoring HTTP traffic for suspicious or malformed requests, and, if possible, temporarily restricting network access to affected applications. But of course, that's just a stopgap. Developers using React Server Components or Next.js should update to the fixed versions as soon as humanly possible.
A (3:13)
Microsoft has quietly fixed a Windows shortcut vulnerability that it left unpatched for years, despite repeated warnings from security researchers. The flaw involves the way Windows processes LNK files, the small shortcut icons you see on the desktop or in folders. Malicious versions of these files can trigger code execution simply by being displayed in Windows Explorer. For a long time, Microsoft classified the issue as low risk and declined to issue a security update. Researcher John Page, known as hyp3rlinx, or hyperlinks, has been flagging this problem for years, including publishing proof-of-concept attacks that showed how easily a crafted shortcut file could be weaponized. But this month, Microsoft quietly reversed its position. The company added this fix to its December cumulative update and confirmed that the vulnerability has been exploited in the wild. The patch was not included in the main Patch Tuesday notes, and was documented only after researchers noticed the change. Shortcut-based attacks have a long history. They were used in some early high-profile campaigns, including Stuxnet, because the attack triggers without the user needing to open a file. Now that Microsoft acknowledges active exploitation, administrators should ensure that December's cumulative Windows updates are indeed applied.
