Threat
alerts

CVE-2025-55182 is a critical, unauthenticated RCE in React Server Components affecting React 19.x and Next.js. This unsafe deserialisation flaw is actively exploited by a bifurcated landscape: PRC-linked groups targeting espionage and persistence, alongside cybercriminals deploying ransomware. Post-exploitation tradecraft has escalated rapidly, now featuring novel Linux backdoors like "PeerBlight," WAF evasion, and direct attacks on cloud control planes.

Threat actors are increasingly pivoting toward social engineering strategies, specifically towards the "ClickFix" tactic that tricks users into manually running malicious scripts. This technique effectively circumvents standard perimeter defences, such as "Mark-of-the-Web" (MOTW) controls and browser sandboxes.

After a period of silence, the notorious JavaScript-based malware loader Gootloader has resurfaced according to researchers. Known for compromising legitimate websites to poison search engine results (SEO poisoning), the group has returned with a mature, highly specialized criminal supply chain and a suite of new evasion techniques that challenge traditional detection methods.

A critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287, is under active exploitation. The flaw, caused by an unsafe deserialisation of untrusted data, allows a remote, unauthenticated attacker to gain full NT AUTHORITY\SYSTEM privileges on an affected server. This allows them to push malicious packages disguised as legitimate Microsoft security updates. Worth to note: servers are only vulnerable if the WSUS role is explicitly enabled.

The intrusion into F5's product development environment was allegedly attributed to another suspected China-nexus actor, UNC5221. A threat cluster specialised in long-term cyber espionage missions with a dwell time of approximately 393 days. In 2023, the threat actor UNC5174 was observed actively exploiting a critical N-day vulnerability (CVE-2023-46747) in F5 BIG-IP appliances to gain initial network access.

F5 disclosed a security incident that internal corporate environment had been breached stating that in August 2025 a nation-state threat actor established foothold and maintained long-term, persistent access to specific F5 systems. In previous breaches, threat actor designated UNC5174 leveraged a chain of two vulnerabilities to achieve unauthenticated remote code execution. Their tactics, techniques, and procedures (TTPs) include the deployment of custom, in-memory malware such as the SNOWLIGHT downloader and the GOHEAVY tunneler, which are designed to evade traditional disk-based antivirus and forensic analysis.

The npm ecosystem was subjected to one of its most significant supply chain attacks to date. A threat actor compromised the account of a prolific open-source maintainer and published malicious versions of 18 popular packages, including chalk and debug. These have been detected and removed in several hours from discovery.

CVE-2025-25256 is a critical vulnerability affecting Fortinet’s FortiSIEM that allows a remote attacker to execute arbitrary commands on a target FortiSIEM appliance. Crucially, this attack requires no authentication credentials and no interaction from a legitimate user. Fortinet’s official advisory confirmed that exploit has been seen in the wild. Threat actors are actively mapping potential targets and are pre-positioned to exploit this new vulnerability on a mass scale.

A widespread phishing campaign is utilising Microsoft’s own infrastructure through Direct Send. The feature is designed to provide a simple method for on-premises devices and applications to send emails to recipients within the organisation.