Last week we covered React2Shell's immediate impact: the Cloudflare WAF rules that broke Shopify and Zoom, the CVSS 10.0 rating, the rapid weaponization.
This week's story is what came after: coordinated nation-state exploitation documented by Google, plus a significant policy shift from the UK government acknowledging fundamental limitations in AI security.
Also this week, we shipped something we've been working on for a while. Pixee for SCA uses AI agents to evaluate whether vulnerabilities are truly exploitable by contextually looking at deployment configuration, data flow, and API arguments rather than just call graphs. (Shameless plug I know, but it's relevant to the triage challenges we keep covering.)
Google Threat Intelligence published detailed attribution this week, documenting five China-nexus threat groups actively exploiting React2Shell (CVE-2025-55182). The scale: 116,000+ vulnerable systems, backdoors deployed, credential harvesting campaigns running, tunneling malware establishing persistence.
Meanwhile, React disclosed three additional RSC vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) discovered while researchers probed the original patches. Denial-of-service conditions and source code exposure surfaced specifically because researchers started examining RSC security more closely.
Framework-level vulnerabilities tend to reveal architectural security debt—attack surfaces that weren't comprehensively threat-modeled before release.
The UK's National Cyber Security Centre declared that prompt injection attacks on LLMs "can't be fully mitigated." Their recommendation: shift from prevention strategies to impact reduction.
This marks the first major government cybersecurity agency to officially acknowledge fundamental limitations in securing AI systems. The timing matters—OpenAI warned separately of "high cybersecurity risk" from frontier AI models the same week.
For security teams, the question remains how you reduce risk across these new attack surfaces when prevention isn't fully achievable.
Microsoft expanded its bug bounty program to include all third-party and open-source code in online services "in scope by default." Previously, researchers needed pre-approval to report vulnerabilities in dependencies. Now any third-party code flaw in Microsoft's production environment qualifies for bounty rewards.
When the largest software vendor declares third-party code "in scope by default," it signals something about where accountability is heading.
This week: 11 disclosed | 5 actively exploited | 2 zero-days
CVE-2025-55182 - React Server Components (React2Shell) Status: Actively exploited by nation-state actors Source
GeoServer RCE - GeoServer Status: Added to KEV Source
CVE-2025-14174 - Apple WebKit (iOS/macOS) Status: Zero-day Source
CVE-2025-43529 - Apple WebKit (iOS/macOS) Status: Zero-day Source
Gladinet Hardcoded Keys - Gladinet CentreStack/Triofox Status: Actively exploited Source
CVE-2025-55183 - React Server Components Status: Patch available Source
CVE-2025-55184 - React Server Components Status: Patch available Source
CVE-2025-67779 - React Server Components Status: Patch available Source
JumpCloud Remote Assist - JumpCloud Remote Assist Status: Patch available Source
Notepad++ Updater Flaw - Notepad++ Status: Patch available Source
CVE-2025-66039 - FreePBX Status: PoC available Source
• SAML Authentication Broken Almost Beyond Repair - Deep technical analysis of authentication bypass vulnerabilities affecting Ruby, PHP, and GitLab SAML implementations that require library rewrites rather than simple patches.
• Catching Malicious Package Releases Using a Transparency Log - Technical implementation guide for using transparency logs to detect malicious package releases, with actionable deployment patterns.
• CISA Orders Immediate Patching as GeoServer Flaw Faces Active Exploitation - Federal mandate with compliance deadline for GeoServer RCE vulnerability added to KEV catalog.
• Apple Patches Two Zero-Days Tied to Mysterious Exploited Chrome Flaw - Sophisticated WebKit zero-day exploitation linked to Chrome vulnerabilities, requiring emergency patching across iOS and macOS.
• JumpCloud Remote Assist Vulnerability Can Expose Systems to Takeover - Full system takeover vulnerability during uninstall/update process affecting enterprise remote access infrastructure.
• DORA Compliance Checklist for Cybersecurity - Actionable compliance checklist for EU financial institutions facing DORA enforcement deadlines.