Daily Drop (1197)
12-06-25
Saturday, Dec 06, 2025 // (IG): BB // GITHUB // SN R&D
Cloudflare Outage Tied to Emergency React RCE Patch: CVE-2025-55182 Response Triggers Global Disruption
NOTE:
While there is no confirmed evidence that the Cloudflare outage was caused by malicious activity, several circumstantial indicators suggest an attack-related scenario. The timing is notable: React2Shell was disclosed on December 3, China-nexus APTs began exploiting it within hours, and Cloudflare’s emergency WAF update—intended to block the same vulnerability—triggered a global outage on December 5. Although Cloudflare attributes the disruption solely to a misapplied parsing rule, adversarial factors cannot be entirely discounted. High-volume exploit scanning, malformed serialization payloads, or fuzzing traffic associated with React2Shell could have contributed indirectly to defensive missteps by increasing pressure on hyperscale mitigation teams. Nation-state operators have historically weaponized zero-day chaos, forcing rushed patches that break infrastructure even without directly attacking it. No indicators point to a direct assault on Cloudflare—no DDoS signatures, WAF-evasion payloads, edge compromise, or configuration-pipeline tampering—but the broader operational environment, characterized by real-world exploitation and escalating probe traffic, creates plausible conditions where attacker behavior could influence defender error. In short: no evidence of an attack, but enough contextual signals to keep the possibility analytically open.
Bottom Line Up Front (BLUF): Cloudflare experienced a 25-minute global service outage on December 5 after deploying emergency Web Application Firewall (WAF) rules to mitigate CVE-2025-55182, a critical remote code execution vulnerability in React Server Components. The rushed patch, targeting the “React2Shell” flaw, unintentionally broke request parsing logic across Cloudflare’s edge infrastructure, resulting in widespread HTTP 500 errors affecting major platforms, including Coinbase and Claude AI. Though services have since recovered, the incident highlights risks tied to zero-day mitigation at hyperscale.
Analyst Comments: Cloudflare’s WAF rollout triggered malformed request handling, causing internal server errors across web services, APIs, and dashboards. Impacted clients included Coinbase, Claude AI (Anthropic), Zerodha, and Groww. The root cause was a WAF update meant to block exploitation of “React2Shell,” a flaw in the RSC “Flight” protocol that allowed deserialization-based RCE without authentication. Though no attacks were seen before the rule was deployed, AWS has since confirmed in-the-wild exploitation mere hours after public disclosure on December 3. Cloudflare completed the rollback by 09:20 UTC and has since restored services. The company emphasized that the event was not an attack but a proactive mitigation failure.
READ THE STORY: Freebuf // MRXN
China-Linked WARP PANDA Breaches VMware vCenter to Launch Stealthy Espionage Campaigns
NOTE:
China-nexus adversaries like WARP PANDA target cloud environments and hypervisors because together they provide the deepest, most strategic access an intelligence service can achieve. Cloud platforms consolidate an organization’s identities, emails, documents, authentication tokens, and collaboration data, giving attackers a single chokepoint through which they can silently access or impersonate any user, pivot across subsidiaries, harvest sensitive files, and maintain long-term persistence with minimal detection. Hypervisors, meanwhile, represent the underlying control layer of the modern enterprise: compromising VMware vCenter or ESXi grants an operator the ability to view, clone, or manipulate every virtual machine—including domain controllers, file servers, critical applications, and even security tools. From the hypervisor, attackers can create hidden VMs, extract snapshots, bypass endpoint defenses, and operate below the visibility of most logging and monitoring systems. For a nation-state actor focused on durable, covert intelligence collection, cloud plus hypervisor access offers unparalleled reach, stealth, and persistence across an entire organization’s infrastructure.
Bottom Line Up Front (BLUF): A newly identified China-nexus threat actor, WARP PANDA, is targeting VMware vCenter and ESXi environments in a series of advanced espionage operations across U.S. legal, tech, and manufacturing sectors. The group uses custom Golang malware—including BRICKSTORM, Junction, and GuestConduit—to persist in virtualized environments and move laterally into cloud services such as Microsoft 365. Their tactics include TLS-encrypted WebSocket C2, VSOCK-based tunneling, and exploitation of known vulnerabilities in VMware, F5, and Ivanti products.
Analyst Comments: WARP PANDA demonstrates deep familiarity with VMware internals, including ESXi VSOCK communication and snapshot manipulation. Their tooling is bespoke and designed to blend in—BRICKSTORM, for example, mimics VMware service binaries while communicating covertly using encrypted WebSockets and DNS-over-HTTPS. The use of GuestConduit to tunnel traffic from guest VMs to hypervisors is especially notable—it indicates a threat model where attackers aren’t content with control of individual VMs but seek persistent access across the virtualization layer. Their pivot to Azure and M365 further shows they can operate fluidly across hybrid environments.
READ THE STORY: Cyber Press
CVE-2025-12916: Sangfor OSM Portal_Login RCE Vulnerability Allows Full System Compromise
Bottom Line Up Front (BLUF): A critical Remote Command Execution (RCE) vulnerability (CVE-2025-12916) has been disclosed in Sangfor’s Operations and Maintenance Security Management System, specifically affecting the /portal_login interface. The vulnerability allows unauthenticated attackers to execute arbitrary commands on the target server by injecting malicious payloads into the login request body. The root cause is insecure command concatenation without input validation. Exploitation may lead to full server compromise, including arbitrary file write and potential persistence.
Analyst Comments: The vulnerable method blindly concatenates user input into a shell command and executes it via ShellExecutor.exec() with no filtering. Even basic command-injection hygiene—such as escaping or whitelisting—is absent. Sangfor OSM is widely used across Asia in government, telecom, and enterprise sectors for network access control and infrastructure management. The portal is typically exposed to the internal network but may be reachable from the internet, depending on deployment. The provided PoC confirms an attacker can write arbitrary files to the web root, making it trivial to escalate from RCE to web shell persistence. If your organization uses Sangfor OSM below version 3.0.12 (build 20241106), assume it’s exploitable until patched. FOFA shows hundreds of exposed instances using the signature body=”/fort/login” && header=”FORTSESSIONID”—suggesting real-world exploitation is only a matter of time.
READ THE STORY: MRXN
North Korean Hacker Exposed by Own Malware: LummaC2 Infestation Uncovers Trail to $1.4B Bybit Crypto Heist
Bottom Line Up Front (BLUF): A North Korean malware developer’s system was unexpectedly infected with the LummaC2 infostealer—malware typically used by cybercriminals to extract credentials and financial data from victims. The infection revealed direct links between North Korea’s state-backed hacking infrastructure and the $1.4 billion cryptocurrency theft from Bybit in February 2025. This rare “reverse breach” exposed internal tooling, infrastructure, and operational habits of one of the world’s most aggressive cybercrime ecosystems.
Analyst Comments: Getting caught with your own malware is bad enough—but having that compromise lead researchers to key infrastructure supporting one of the largest crypto thefts in history is catastrophic. The infected system was no amateur setup. It had pro-grade tooling like Enigma Protector, Visual Studio 2019, and VPN obfuscation via Astrill. It even used phishing infrastructure (e.g., fake Zoom installers) tied to earlier campaigns. Despite that, LummaC2 quietly exfiltrated credentials and browser data, including an email used to register a spoofed Bybit domain central to the heist.
READ THE STORY: Freebuf
Knownsec Confirms Breach After Leak Surfaces: Zero-Days, Delayed Disclosure, and Reputational Fallout
NOTE:
The leaked Knownsec data is not currently available on GitHub, and the narrative around a massive “GitHub dump” appears to have been significantly exaggerated or conflated with the February 2024 i-SOON leak. According to BrinzTech’s corrected analysis, there is no OSINT evidence of a 12,000-file GitHub repository ever existing—the actual event was a dark web marketplace listing starting October 31, 2025, where the seller posted only 63 sample images before marking the data as “sold” on November 7, 2025. NETASKARI’s November 13 update confirms that “nobody we talked to actually seemed to have seen the complete dataset,” and notes the leak “didn’t hold any extremely sensitive information nor was it posted on Github.” While some files briefly appeared on GitHub before being removed for terms-of-service violations, the complete dataset moved exclusively to dark web sales channels before Western security researchers could obtain copies. Knownsec maintains an official GitHub organization (github.com/knownsec) with 40 public repositories containing their legitimate tools—pocsuite3 (a vulnerability testing framework), ZoomEye-python (an API library), and KCon (hacker conference materials)—but these are standard open-source security tools, not leaked internal documents. The sensationalist reporting of “state-level cyber weapons” appears driven by AI-generated media outlets mistakenly conflating this relatively minor incident with the genuine i-SOON leak from 2024, which did contain verified offensive tooling and operational data.
Bottom Line Up Front (BLUF): Chinese cybersecurity firm Knownsec has formally acknowledged a data breach stemming from an August 2023 intrusion involving three zero-day vulnerabilities in its cloud desktop office systems. The confirmation, published via its official WeChat account on November 5, 2025, follows renewed attention after leaked internal documents appeared on the dark web in late October. Knownsec claims the 2023 breach was contained at the time, and that no customer personal data or sensitive project files were compromised. However, the disclosure confirms that partial employee and customer lead data were stolen and only recognized after the leak resurfaced more than two years later.
Analyst Comments: Knownsec’s official disclosure adds institutional weight to earlier third-party reporting. The timeline checks out: attackers exploited zero-day vulnerabilities in 2023, the company detected and blocked the intrusion, but failed to assess the full extent of the exfiltration. What’s newly confirmed is Knownsec’s own admission that “due to the sophistication of attacker techniques,” they were unable to determine what was stolen—an honest but operationally significant failure for a company that brands itself as a national cybersecurity champion.
READ THE STORY: WeChat // Natto Thoughts
French Aerospace Giant Thales Deepens Integration with China Amid Rising PRC Cyber Threat Activity
NOTE:
From a Western security perspective, the deepening integration of Thales—a cornerstone of NATO avionics, air traffic control, cybersecurity, and digital identity systems—into China’s aviation and cyber ecosystems creates a structural vulnerability with long-term national security implications. As PRC state media promotes “win-win” cooperation, Western intelligence agencies are simultaneously documenting the rapid expansion of Chinese cyber operations targeting virtualization infrastructure, cloud identity environments, and critical infrastructure. This creates a convergence risk: technologies, processes, and system architectures shared through commercial partnerships may provide Beijing with insight into Western aviation management systems, cryptographic identity frameworks, and cyber-defense architectures. In a future geopolitical crisis, the combination of intimate technical knowledge gained through legitimate cooperation and covert access gained through state-sponsored cyber operations could enable China to disrupt, surveil, or strategically influence Western critical infrastructure at scale. Put simply, the more Western high-tech firms embed deeply inside China’s digital and aerospace backbone, the more leverage—and potential attack surface—the PRC gains over Western national security and civil systems.
Bottom Line Up Front (BLUF): Thales—one of France’s key defense and aviation contractors—is expanding operations in China across air traffic control, cybersecurity, and biometric identity systems, even as U.S. and allied intelligence agencies escalate warnings about Chinese state-linked cyber operations targeting critical infrastructure. Macron’s state visit to China frames this integration as “strategic cooperation.” Still, the overlap between Thales’ China footprint and PRC cyber tradecraft presents a growing security concern for NATO-aligned infrastructure.
Analyst Comments: During President Macron’s recent state visit to China—his fourth—Chinese state media and French leadership jointly emphasized cooperation in aviation, cybersecurity, AI, and digital identity. At the same time, CGTN aired a segment highlighting Thales’ role in managing “the majority of China’s civil airspace” and in developing local cyber and identity technologies through R&D hubs in Dalian, Tianjin, and Shanghai. Thales’ Jean-Marc Reynaud, CEO for China operations, noted the company supports “Beijing, Shanghai, Wuhan, Guangzhou, and Hong Kong” with air traffic systems and supplies avionics for 4,500+ aircraft in Chinese airspace. He highlighted growth in the company’s cyber and digital business lines as key to its future in China.
READ THE STORY: GT (CN)
Search Engine Scanners Under the Microscope: New Study Reveals Aggressive and Opaque Tactics by FOFA, Shodan, ZoomEye, and Others
Bottom Line Up Front (BLUF): Shodan, FOFA, ZoomEye, and Censys—popular internet-wide scanning engines used for asset discovery—are conducting widespread and sometimes intrusive scans that reveal sensitive data and exploit known vulnerabilities. While researchers and defenders use these tools, their scanning behaviors are often opaque, inconsistently documented, and flagged as malicious by threat intelligence databases.
Analyst Comments: These platforms sit at the intersection of cybersecurity research and surveillance risk. While many defenders rely on them for external attack surface mapping, it’s clear they also introduce exposure risks—particularly when scanning methods mirror exploitation techniques or leak sensitive information. The line between indexing and intrusion is thin. Nearly half of the observed scanner IPs are already listed in AbuseIPDB. That’s a red flag, not a footnote. Scans involving exposed Redis databases, unauthorized access attempts on Elasticsearch, and retrieval of RDP screenshots aren’t just overzealous—they’re potentially dangerous. The lack of opt-out mechanisms, minimal attribution for IP ranges, and inconsistent use of ethical defaults only add to the concern.
READ THE STORY: Freebuf
Cracking VxWorks Password Hashes Exposes Widespread Weakness in Industrial Firmware Security
Bottom Line Up Front (BLUF): A detailed reverse engineering analysis by Broken Mirror Safety highlights long-standing vulnerabilities in legacy VxWorks firmware used in industrial control systems. By unpacking Schneider Electric PLC firmware and analyzing the loginDefaultEncrypt function, researchers identified a deterministic, unsalted hashing algorithm vulnerable to high-collision attacks—specifically CVE-2010-2965. A simple Python script can compute password hashes at over 400,000 attempts per second, enabling efficient brute-force or rainbow table attacks. Notably, over 400 different passwords can produce the same hash value, allowing credential bypass even when the actual password remains unknown.
Analyst Comments: The use of predictable hashing, absence of salting, and 32-bit overflow behavior creates a perfect storm for credential collisions. Worse, many of these devices remain deployed in critical infrastructure without firmware updates, meaning this 2010-era flaw still has real-world impact in 2025. For adversaries, this means lateral movement in ICS environments remains a low-effort, high-reward activity. For defenders, it underscores the urgent need to inventory exposed VxWorks assets, monitor authentication patterns, and segment industrial networks to contain potential compromise.
READ THE STORY: Freebuf
LangChain Template Injection Vulnerability (CVE-2025-65106) Exposes Sensitive Python Object Internals
Bottom Line Up Front (BLUF): LangChain’s template rendering system was found vulnerable to template injection attacks that allow unauthorized access to internal Python object properties. The flaw impacts versions <=1.0.6 and <=0.3.79 of the langchain-core package. If exploited, attackers can access attributes like __class__ and __globals__, potentially escalating to more severe exploitation depending on application context. Affected applications must update to 1.0.7 or 0.3.80 immediately and harden prompt template usage.
Analyst Comments: LangChain’s support for multiple template formats (f-string, mustache, jinja2) introduced subtle but dangerous pathways for attackers to traverse Python objects using attribute access patterns. While not RCE on its own, the ability to access __globals__ or call internal methods (e.g., parse_raw) opens the door to data leakage, privilege escalation, or lateral movement, depending on what’s passed into the template. This vulnerability becomes high-impact in scenarios where untrusted users can define their own templates—such as chatbots, AI agents, or prompt-as-a-service platforms. Developers often overlook the risks of mixing template logic and user input. This flaw is a reminder that even high-level abstractions in AI libraries must follow secure coding principles—especially as AI applications increasingly involve untrusted user interaction.
READ THE STORY: Freebuf
Android Malware FvncBot Captures Keystrokes, Streams Screens, and Hijacks Banking Apps
Bottom Line Up Front (BLUF): Shodan, FOFA, ZoomEye, and Censys—popular internet-wide scanning engines used for asset discovery—are conducting widespread and sometimes intrusive scans that reveal sensitive data and exploit known vulnerabilities. While researchers and defenders use these tools, their scanning behaviors are often opaque, inconsistently documented, and flagged as malicious by threat intelligence databases.
Analyst Comments: Unlike commodity Android trojans that rely on copy-paste code and phishing overlays, FvncBot introduces live-streaming and complete remote control via HVNC—a capability previously limited to desktop RATs. The use of video compression (H.264) for smooth screen capture is a significant evolution from screenshot-based surveillance. What’s more concerning is the level of control attackers gain. From logging keystrokes and OTPs to remotely interacting with the UI in real time, this malware enables fully autonomous fraud. And because it uses Accessibility Services—a long-abused Android feature—FvncBot doesn’t need root access to compromise the device.
READ THE STORY: Cyber Press
Items of interest
Next.js Remote Code Execution Vulnerability: Hype, Confusion, and Real Exploits
Bottom Line Up Front (BLUF): A newly discovered Remote Code Execution (RCE) vulnerability in Next.js has sparked confusion in the cybersecurity community, with some voices initially downplaying the bug as minor. However, recent proof-of-concept (PoC) exploits demonstrate viable execution paths, including those with command echo, confirming the flaw’s potential impact. The vulnerability may not rise to log4j2-level severity, but it warrants serious attention—especially for production applications using Next.js in SSR (Server-Side Rendering) mode.
Analyst Comments: The initial backlash, calling the bug a “vibrator, not a nuclear bomb,” mocked public concern—but was quickly reversed when live PoCs proved real RCE under certain conditions. The vulnerability now has working examples capable of executing system commands, like idreturning echoed output via controlled error redirection. One of the working payloads leverages JavaScript prototype pollution and SSR response manipulation to trigger command injection in child_process.execSync() a dangerous function when user-controlled input is improperly sanitized. While it’s true that execSync blocking Node.js’s event loop might limit the scalability of attacks, that does not diminish the criticality of a functioning RCE chain.
READ THE STORY: Freebuf
Why is China trying to break the Internet (Video)
FROM THE MEDIA: A Critical 10.0 CVSS vulnerability drop, affecting almost every modern web application built with a particular popular framework.
React2shell React, Next.js Critical Unauthenticated RCE: CVE-2025-55182 and CVE-2025-66478 explained (Video)
FROM THE MEDIA: React and Next.js just shipped one of the most dangerous classes of web vulnerabilities: unauthenticated remote code execution against React Server Components (RSC) via the Flight protocol. This video breaks down CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) with a defender-first lens: what’s actually vulnerable, how exploitation works at a high level, what versions are affected, and the exact upgrade paths that close the door.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.
The timeing on this is brutal. React2Shell disclosed December 3rd, exploited by state actors within hours, and Cloudflare's WAF patch breaks production infrastructure two days later. Your note about keeping the attack scenario analytically open is important, the absence of evidence isnt evidence of absence when you have that kind of operational pressure and exploit velocity. The irony is that defensive urgency itself became an availabilty risk, which is exactly what sophisticated adversaries count on when they weaponize disclosure timing.
That Cloudflare WAF breakdown really captures how zero-day response can backfire at scale. The 25-minute outage from a rushed React2Shell patch shows how even defensive moves create their own attack surface when you're running hyperscale infrastructure. The fact that China-nexus groups were already exploiting it hours after disclosure probably forced their hand, but still, breaking Coinbase and Claude in the process is a rough lesson in the cost of speed over testing.