Active Exploitation of CVE-2025-55182 Critical RCE in React Server Components and Next.js
CVE-2025-55182 is a critical pre-authentication Remote Code Execution (RCE) vulnerability, CVSS 10.0, in React Server Components (RSC) and the frameworks built on them, including Next.js. The flaw is an insecure deserialization bug in the RSC 'Flight' protocol: an unauthenticated attacker who can send a crafted HTTP request to an RSC endpoint can execute arbitrary code on the server, and public reports describe exploitation as highly reliable. Vulnerable releases are React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0 (shipped as `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`), and Next.js 15.x, 16.x, and Canary builds from 14.3.0. Fixes are in React 19.0.1, 19.1.2, and 19.2.1 and in updated Next.js releases. Because roughly 40% of developers use React and 18-20% use Next.js, exposure is broad: more than 968,000 instances have been identified, and 39% of cloud environments contain vulnerable deployments. Exploitation in the wild has been observed, with follow-on activity including cloud credential harvesting, cryptocurrency mining, and deployment of a range of malware. Defenses are: upgrade to a patched version (for example `npm install react@latest react-dom@latest react-server-dom-parcel@latest`, substituting the `react-server-dom-*` package your bundler uses, and redeploy so the running build actually picks up the new packages); add Web Application Firewall (WAF) rules as a stopgap while patching; segment internet-facing servers from internal networks; apply aggressive rate limiting; and harden containers (non-root user, read-only filesystem) so a successful exploit lands in a constrained process. Any testing for this flaw must be limited to systems you are authorized to assess, and new findings should go to the vendor (security@vercel.com or the HackerOne bug bounty program) under responsible disclosure, leaving time for a patch before anything is published.
Threat Details and IOCs
| Malware: | Agenda, AgendaCrypt, Aisuru, ANGRYREBEL, Bash0day, Bashlite, Beacon, BEACON, BPFDoor, Cobalt Strike, COMPOOD, EtherRAT, Gafgyt, Interlock, KSwapDoor, Lizkebab, LZRD, Masuta, Miori, Mirai, Morte, Nezha, Nezha RAT, Noodle RAT, Nood RAT, Okiru, PeerBlight, PULSEPACK, PureMasuta, Qilin, resgod, Rondo, RondoBOT, RondoDox, RondoDoX, Satori, Sliver, Splinter, Torlus, VShell, Wicked, XMRig |
| CVEs: | CVE-2023-1389, CVE-2025-24893, CVE-2025-55182, CVE-2025-55183, CVE-2025-55184, CVE-2025-66478 |
| Technologies: | Anthropic Claude, Apache Struts, ASUS, DeepSeek AI DeepSeek, D-Link, D-Link Routers, Drupal, Fortinet FortiWeb, Google Gemini, Linksys, Linux, Meta Llama, Meta React, Meta React Server Components, Microsoft Windows, NETGEAR, Netgear Routers, Nginx Proxy Manager, Node.js, Ollama, OpenAI GPT-4o, Oracle Java, Oracle WebLogic Server, Parcel, React, RedwoodJS, TP-Link, TP-Link Archer, TP-Link Routers, Twilio, Vercel Next.js, Vite, Waku, Wavlink, Wavlink Routers, WordPress, xAI Grok, XWiki Platform |
| Threat Actors: | AISURU, APT-29, EarthLamia, ExoticLily, Interlock, JackpotPanda, Morte, Qilin, RondoDoX, TA551, UNC5454 |
| Attacker Countries: | China, Iran, Japan, Netherlands, North Korea, Romania, Russia, Sri Lanka, United States |
| Attacker IPs: | 112.134.208.214, 134.122.136.119, 134.122.136.96, 146.70.124.165, 146.70.124.188, 162.215.170.26, 192.81.210.81, 193.233.201.12, 195.20.17.253, 204.76.203.125, 23.235.188.3, 38.59.219.27, 41.231.37.153, 45.143.167.7, 45.150.108.43, 45.157.233.80, 45.83.181.160, 45.88.186.70, 46.36.37.85, 51.81.104.115, 5.231.70.66, 5.255.121.141, 70.184.13.47, 74.194.191.52, 80.78.18.142, 89.144.31.18 |
| Attacker Domains: | 2f7ac6.ceye.io, 5axzi7.dnslog.cn, ns1.bafairforce.army, ns1.ubunutpackages.store, *.oast.fun, *.oast.live, *.oast.me, *.oast.online, *.oast.pro, *.oast.site, *.oast.today, raw.githubusercontent.com, testing.caai.in, vps-zap812595-1.zap-srv.com |
| Attacker URLs: | http://162.215.170.26:3000/sex.sh, http://23.235.188.3:652/qMqSb, http://46.36.37.85:12000/sex.sh, http://51.81.104.115/nuts/bolts, http://51.81.104.115/nuts/poop, http://51.81.104.115/nuts/x86, http://5.255.121.141/nuts/bolts, http://5.255.121.141/nuts/poop, http://5.255.121.141/nuts/x86, https://github.com/tesweva/Nextjs-RCE-Exploit-Kit.git, https://ns1.bafairforce.army, https://ns1.ubunutpackages.store, https://sploitus.com/exploit?id=3B6E5425-973F-56B4-AC0A-FA3EDC02389C, hXXp://45.83.181.160:8003/frpc.toml, hxxps://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh, hxxp://vps-zap812595-1.zap-srv.com:3000/sex.sh |
| Attacker Hashes: | 172a9ee9601ef0eb6fbd2676742edfb201c10369712dbf721e5d105aa1320a32, 2897ee24de4cca2a4c6a085cf6fdccb6a89c6c23978529d81b4f4e6db46b0b96, 3c24f30f2ca89d408d42293cab8fbb81cb9c2b0801074ef40f0a79770dac5956, 4086057b9a0f9898c07318e093814ae9cfdaaf6ad71a45b2d0d4cd75e57f9354, 50be5257678412f0810d46e0b0bc573eb65c6ce4617346c1527ff0dc9b7fc79e, 858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb, 895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b, 8e0bc23a87d349e5a5356252ce17576093b7858fdf6ea84919fbdcb2e117168e, 964473ffbd593fc52a779b1d699c79cc66b459cf842c2e6221703e2e6a2322c0, dafc7517669e931de858464966af995c44c2e7c6bdf684d53c54d6503cd48a38 |
| Victim Industries: | Automotive, Business Services, Cloud Infrastructure, Education, Energy, Financial Services, Government, Healthcare, Hospitality, Information Technology, Legal Services, Logistics, Management Consulting, Manufacturing, Media and Entertainment, Multimedia, Professional Services, Public Sector, Retail, Social Media, Software, Supply Chain, Technology Hardware, Telecommunications, Transportation, Universities |
| Victim Countries: | Austria, Bangladesh, Belgium, Brazil, Bulgaria, China, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, India, Iran, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Pakistan, Poland, Portugal, Romania, Russia, Slovakia, Slovenia, Spain, Sweden, Taiwan, United States, Vietnam |
Mitigation Advice
- Scan all web applications and code repositories to create an inventory of all instances using Next.js and React Server Components to determine the scope of exposure to CVE-2025-55182.
- For all identified applications using vulnerable versions of React or Next.js, immediately apply the security patches to upgrade to a non-vulnerable version (e.g., React 19.2.1+ or the latest Next.js release).
- Confirm exposure by checking installed package versions against the vulnerable releases above (e.g., `npm ls next react react-dom react-server-dom-webpack`, substituting the `react-server-dom-*` package your bundler uses) or with a vulnerability scanner. Treat the third-party exploit kit listed under Attacker URLs as untrusted code: review it before running it, run it only in an isolated lab against systems you are authorized to test, and never against production.
- Deploy Web Application Firewall (WAF) rules specifically designed to inspect and block malicious HTTP requests attempting to exploit the deserialization vulnerability described in CVE-2025-55182.
Compliance Best Practices
- Design and implement a network segmentation strategy that isolates internet-facing web servers from internal corporate and production networks to contain breaches and prevent lateral movement.
- Enforce a container security policy that requires all new and updated applications to run in hardened containers, such as by using non-root users and read-only file systems.
- Integrate a Software Composition Analysis (SCA) tool into your CI/CD pipeline to automatically detect and alert on known vulnerabilities in third-party libraries and frameworks.
- Analyze traffic patterns to your web applications and implement tuned, aggressive rate-limiting on API endpoints and server components to mitigate automated scanning and brute-force exploitation attempts.
CISA Adds 4 Critical Flaws to “Must-Patch” List As Exploits Surge
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with four critical flaws that are actively being exploited. These include a critical authentication bypass (CVE-2025-34026, CVSS 9.2) in Versa Concerto versions 12.1.2 through 12.2.0, enabling login screen bypass due to a Traefik reverse proxy misconfiguration and granting access to administrative endpoints. A malicious code injection (CVE-2025-54313) affects specific versions of eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7), executing `node-gyp.dll` malware on Windows systems during package installation. Additionally, a high-severity Local File Inclusion (CVE-2025-68645, CVSS 8.8) in Synacor Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1's Webmail Classic UI allows unauthenticated remote attackers to include arbitrary files from the WebRoot directory. Rounding out the list is an improper access control vulnerability (CVE-2025-31125, CVSS 5.3) in Vite, which permits the return of arbitrary file contents if the development server is externally exposed and manipulated with specific URL parameters. Federal agencies are mandated to patch these systems by February 12, 2026, and private organizations are urged to apply patches immediately.
Threat Details and IOCs
| Malware: | Scavenger, Scavenger Loader |
| CVEs: | CVE-2025-31125, CVE-2025-34026, CVE-2025-54313, CVE-2025-68645 |
| Technologies: | ESLint, Microsoft Windows, Node.js, Versa Networks Concerto, Vite, Zimbra Collaboration |
| Victim Industries: | Education, Government, Information Technology, Telecommunications |
| Victim Countries: | Canada, United States |
Mitigation Advice
- Identify all Versa Concerto SD-WAN orchestration platforms in the environment and determine if they are running a vulnerable version between 12.1.2 and 12.2.0.
- Upgrade all identified vulnerable Versa Concerto instances to a patched version, such as 12.2.1 GA or newer, as soon as possible.
- Scan all developer workstations and CI/CD pipelines to identify projects using vulnerable versions of the `eslint-config-prettier` package (8.10.1, 9.1.1, 10.1.6, and 10.1.7).
- On all systems with vulnerable versions of `eslint-config-prettier`, update the package to a safe version (e.g., 8.10.2+, 9.1.2+, or 10.1.8+).
- Scan all Windows developer workstations and CI/CD build agents for the presence of the malicious file `node-gyp.dll` and for execution logs related to `install.js`.
- Identify all Synacor Zimbra Collaboration Suite (ZCS) instances and confirm if they are running vulnerable versions 10.0 or 10.1.
- Upgrade all vulnerable Synacor Zimbra Collaboration Suite (ZCS) instances to a patched version (e.g., 10.0.18 or 10.1.13 or newer).
- Audit all development projects using the Vite build tool to determine if the development server is configured with the `--host` or `server.host` options, making it accessible over the network.
- For any network-exposed Vite development servers, immediately upgrade to a patched version such as 6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11.
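The inventory steps above (the React Server Components and Next.js version check in the CVE-2025-55182 advice, and the `eslint-config-prettier` and Vite version checks here) all reduce to reading the lockfile of each project. The script below is an added example, not tooling from React, ESLint, Vite or CISA: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3, which records every installed copy, nested duplicates included) and reports the versions this page lists. The version sets come from the page; two choices are this example's own and are marked as assumptions in the code: every Vite release below the listed fix for its release line is treated as affected, and every Next.js 15.x, 16.x or 14.3.0-canary build is flagged for manual review because the page gives no fixed Next.js version. The sample lockfile is constructed.

```python
"""Audit an npm package-lock.json for the npm-ecosystem advisories on this page:
CVE-2025-55182 (React Server Components / Next.js), CVE-2025-54313
(compromised eslint-config-prettier releases) and CVE-2025-31125 (Vite).
Added example; not vendor tooling.
"""
import json
import re
import sys

RSC_VULNERABLE = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
RSC_PACKAGES = {"react-server-dom-parcel", "react-server-dom-turbopack",
                "react-server-dom-webpack"}
ESLINT_PRETTIER_MALICIOUS = {"8.10.1", "9.1.1", "10.1.6", "10.1.7"}
# Fixed Vite releases listed on the page; 6.x was fixed per minor line,
# 5.x and 4.x each got a single fix.
VITE_FIXED = [(6, 2, 4), (6, 1, 3), (6, 0, 13), (5, 4, 16), (4, 5, 11)]

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_semver(version):
    """(major, minor, patch, prerelease) or None when the string is not semver."""
    m = SEMVER.match(version or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) or ""


def vite_is_vulnerable(version):
    """Assumption: any release below the listed fix for its line is affected."""
    v = parse_semver(version)
    if v is None:
        return False
    for fixed in VITE_FIXED:
        same_line = v[0] == fixed[0] and (fixed[0] != 6 or v[1] == fixed[1])
        if same_line:
            return v[:3] < fixed
    return False  # a line with no listed fix (e.g. 7.x, 6.3+) is not in the advisory


def next_needs_review(version):
    """Next.js lines the page calls affected; it gives no fixed version, so review."""
    v = parse_semver(version)
    if v is None:
        return False
    return v[0] in (15, 16) or (v[:3] == (14, 3, 0) and v[3].startswith("canary"))


def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (last node_modules segment)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock):
    """Return (path, name, version, finding) for every installed copy that matches."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the "" entry is the root project, not a dependency
            continue
        name, version = package_name(path), meta.get("version", "")
        if name in RSC_PACKAGES and version in RSC_VULNERABLE:
            finding = "CVE-2025-55182: vulnerable RSC release"
        elif name in ("react", "react-dom") and version in RSC_VULNERABLE:
            finding = "CVE-2025-55182: upgrade together with the RSC packages"
        elif name == "next" and next_needs_review(version):
            finding = "CVE-2025-55182: affected line, confirm a patched build"
        elif name == "eslint-config-prettier" and version in ESLINT_PRETTIER_MALICIOUS:
            finding = "CVE-2025-54313: compromised release, check hosts for node-gyp.dll"
        elif name == "vite" and vite_is_vulnerable(version):
            finding = "CVE-2025-31125: below fixed release"
        else:
            continue
        findings.append((path, name, version, finding))
    return findings


# Constructed lockfile (lockfileVersion 3 layout); not a real project.
SAMPLE_LOCK = {
    "name": "storefront",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "storefront", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-dom": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next": {"version": "16.0.3"},
        "node_modules/eslint-config-prettier": {"version": "10.1.7", "dev": True},
        "node_modules/vite": {"version": "6.2.3", "dev": True},
        # nested copy already on the fixed release: must not be reported
        "node_modules/some-plugin/node_modules/vite": {"version": "6.2.4", "dev": True},
    },
}

if __name__ == "__main__":
    # usage: python audit_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for path, name, version, finding in audit_lockfile(lock):
        print(f"{name}@{version}  {path}\n    {finding}")
```

Run it against each repository's lockfile from CI (the SCA step under Compliance Best Practices) as well as on developer workstations; a lockfile only tells you what is installed, so for deployed Next.js applications also confirm the version baked into the running build.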
Compliance Best Practices
- Implement a Software Composition Analysis (SCA) tool to continuously and automatically scan all software projects for dependencies with known vulnerabilities.
- Establish a private package registry to host approved and scanned versions of third-party dependencies, and update developer workflows to pull from this internal registry instead of public ones.
- Conduct a recurring, quarterly audit of the external network perimeter to identify and justify all internet-facing services, ensuring that management interfaces and development servers are not publicly exposed.
- Deploy a Web Application Firewall (WAF) in front of all public-facing web applications, including email systems like Zimbra, and configure it with rules to block common attacks like LFI and SQL injection.
- Establish and enforce a formal security policy that prohibits exposing development, testing, or staging environments directly to the internet.
- Formalize the vulnerability management program to explicitly use the CISA KEV catalog as a primary source for prioritizing patching activities, with strict SLAs for remediating any listed vulnerabilities.
GitLab Releases Critical Patch Updates to Address Multiple High-Severity Vulnerabilities
GitLab has released patch updates 18.8.2, 18.7.2, and 18.6.4 for both Community and Enterprise Editions to address multiple security vulnerabilities and stability issues. Self-managed installations are strongly advised to upgrade immediately; GitLab.com is already running the patched code and GitLab Dedicated instances do not require action. High-severity vulnerabilities include CVE-2025-13927, a denial of service (DoS) in the Jira Connect integration (CVSS 7.5) affecting versions from 11.9 up to the patched releases, in which unauthenticated attackers send crafted requests carrying malformed authentication data. Another high-severity DoS, CVE-2025-13928 (CVSS 7.5), affects the Releases API because of incorrect authorization validation, in versions from 17.7 prior to the patches. CVE-2026-0723 (CVSS 7.4) lets an attacker who knows a victim's credential ID bypass two-factor authentication by submitting forged device responses, in versions from 18.6 prior to the patches. Medium-severity issues are CVE-2025-13335 (CVSS 6.5), an infinite loop in Wiki redirects that lets authenticated users cause a DoS, affecting versions from 17.1 onward, and CVE-2026-1102 (CVSS 5.3), a DoS in an API endpoint triggered by malformed SSH authentication requests, affecting versions from 12.3 onward. The releases also fix bugs in merge request reviewer crashes, searchable dropdown race conditions, container repository index repairs, Git LFS throttling, accessibility, Git push errors, CI jobs, Sidekiq worker behavior, migration health checks, and AI catalog workflows. Upgrading a single-node installation incurs downtime for database migrations; multi-node deployments can use the zero-downtime upgrade procedure.
Threat Details and IOCs
| CVEs: | CVE-2025-13335, CVE-2025-13927, CVE-2025-13928, CVE-2026-0723, CVE-2026-1102 |
| Technologies: | GitLab |
| Attacker Countries: | Russia |
| Victim Industries: | Aerospace, Defense & Space, Education, Financial Services, Public Sector, Retail, Technology Hardware |
Mitigation Advice
- Immediately upgrade all self-managed GitLab Community Edition (CE) and Enterprise Edition (EE) instances to the latest patched versions: 18.8.2, 18.7.2, or 18.6.4.
- Monitor GitLab application and web server logs for unusual volumes of requests or errors related to the Jira Connect integration, Releases API, and SSH authentication endpoints to detect potential denial-of-service attacks.
- Audit GitLab authentication logs for successful logins that may have bypassed two-factor authentication, focusing on the timeframe before patches were applied, to identify potential account compromises related to CVE-2026-0723.
Compliance Best Practices
- Isolate self-managed GitLab instances from the public internet by placing them behind a VPN or other secure access control solution, exposing them only to trusted networks.
- Configure a Web Application Firewall (WAF) in front of GitLab instances with rules to block malformed requests and anomalous traffic patterns.
- Implement a formal patch management program for all critical infrastructure, including GitLab, that includes subscribing to vendor security advisories and defining service-level agreements (SLAs) for applying critical patches.
- Enforce the use of phishing-resistant multi-factor authentication (MFA), such as FIDO2/WebAuthn security keys, for all GitLab user accounts to strengthen protection against authentication bypass attacks.
MonetaStealer: New macOS Malware Targets Crypto Wallets and Financial Data
Security researchers at Iru have identified MonetaStealer, a new macOS malware in early development, designed to target crypto wallets and sensitive financial data. This standalone, self-contained stealer masquerades as a Windows .exe file, but is actually a compiled Python script (.pyc) that bypasses basic static file scanners. While not yet fully functional, MonetaStealer targets Chrome for passwords, cookies, and browsing history, and specifically seeks out various crypto wallets including Exodus, Electrum, Metamask, and Ledger. It also searches for seed and key patterns, Wi-Fi credentials, and scrapes data from the macOS system clipboard. The malware scans user directories like ~/Documents, ~/Downloads, and ~/Desktop for .pdf, .txt, .doc, .xls, and .xlsx files containing financial keywords such as "Invoice" or "Bank," and uses a regex pattern to identify credit and debit card numbers. Collected data is compressed into a zip file named "STOLEN{sessionID}.zip" and exfiltrated using the Telegram API. Although currently noisy with frequent system password requests, its existence indicates a continued trend of new macOS stealer development, potentially by threat actors seeking to enter the malware-as-a-service market. Users are advised to exercise caution with downloads, avoiding cracked or pirated software, and to be vigilant for unusual system notifications.
Threat Details and IOCs
| Malware: | Mac.c, MacSync, MonetaStealer |
| Technologies: | Apple macOS, Binance Chain Wallet, Electrum, Exodus Wallet, MetaMask, Microsoft Office, Phantom |
| Attacker Countries: | Russia |
| Attacker Domains: | api.telegram.org |
| Attacker Hashes: | 1a5027adf99076470444c5ffdd83a4313ab1d21827700699d0ee6ab1337beb70, 4885adc9de7e91b74a3ac01187775459acf3e4e026ee2fa776b3419cf8dbaf00, 6f746388853178a3b4c2c91a6bd98438fb59e760caa273a8d6a4c03936498c39, a01e57611537699d85e9767023638dbd88a224075a866c17509dc17d7e5ddbde |
| Victim Industries: | Cryptocurrency, Financial Services |
Mitigation Advice
- Block all outbound traffic to the domain `api.telegram.org` at the network firewall and web proxy to prevent data exfiltration from this malware.
- Configure your Endpoint Detection and Response (EDR) or SIEM to generate a high-priority alert for any file creation events on macOS endpoints that match the pattern `STOLEN*.zip` within the `~/Desktop` directory.
- Create a detection rule in your EDR to alert on any process execution on a macOS device where the filename has a `.exe` extension, as this is anomalous behavior for the operating system.
- Conduct a threat hunt across all macOS endpoints for suspicious processes that have recently accessed multiple files with extensions `.pdf`, `.txt`, `.doc`, `.xls`, or `.xlsx` in the `~/Documents`, `~/Downloads`, or `~/Desktop` directories.
- Add a rule to your Data Loss Prevention (DLP) solution to detect and block files or clipboard content containing text that matches the regex `\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b`.
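The regex in the last item matches any sixteen digits in groups of four, so order numbers, tracking references and phone numbers will trip it. The block below is an added example (not from the MonetaStealer report or any DLP product) that keeps the page's regex as the candidate finder and adds a Luhn checksum check, which is what a tuned DLP rule should block on; the sample text and the test card numbers in it are constructed.

```python
"""Card-number DLP check: the page's regex as a candidate finder, plus a Luhn
checksum to drop the false positives the regex alone produces.
Added example; not from the MonetaStealer report or any DLP product.
"""
import re

# Pattern quoted on the page for 16-digit card numbers, optionally grouped.
CARD_PATTERN = re.compile(r"\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b")


def luhn_valid(digits):
    """True if the digit string satisfies the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return (matched_text, digits_only, luhn_ok) for every regex hit."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[-\s]", "", m.group(0))
        hits.append((m.group(0), digits, luhn_valid(digits)))
    return hits


def likely_card_numbers(text):
    """Only the hits that also pass Luhn: the set a DLP rule should act on."""
    return [digits for _, digits, ok in find_card_numbers(text) if ok]


# Constructed document text. 4111 1111 1111 1111 and 4012 8888 8888 1881 are
# well-known payment-network test numbers; the other 16-digit strings are
# shaped like card numbers but fail the checksum.
SAMPLE_TEXT = """Invoice 2024-0001 for consulting services.
Card on file: 4111 1111 1111 1111
Alt card: 4012-8888-8888-1881
Order ref: 2024 0001 0002 0003
Tracking: 1234 5678 9012 3456
Carrier ref 1Z9999999999999999 is not a card (no word boundary before the digits).
"""

if __name__ == "__main__":
    for raw, digits, ok in find_card_numbers(SAMPLE_TEXT):
        print(f"{raw!r:28} luhn={'ok' if ok else 'fail'}")
    print("would block:", likely_card_numbers(SAMPLE_TEXT))
```

The regex fires four times on the sample but only two candidates pass Luhn; in a DLP rule the checksum step is the difference between a usable alert and one that fires on every invoice number.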
Compliance Best Practices
- Implement a mandatory, recurring security awareness training program that educates employees on the risks of downloading and executing software from unverified sources, especially pirated or 'cracked' applications.
- Develop and deploy an application allowlisting policy for all macOS endpoints to restrict execution to only signed, approved software necessary for business functions.
- Enforce a policy of least privilege by removing local administrator rights from all standard user accounts on macOS devices.
- Establish and enforce a data handling policy that prohibits storing sensitive documents containing financial data on local user directories and mandates the use of secure, monitored, and backed-up corporate cloud storage or network drives.
- Implement a comprehensive network egress filtering policy that denies all outbound traffic by default and only allows connections to services and ports that are explicitly required for business operations.
Oracle E-Business Suite CVE-2025-61882 Actively Exploited RCE Vulnerability
A critical remote code execution (RCE) vulnerability, CVE-2025-61882 (CVSS 9.8), affects Oracle E-Business Suite versions 12.2.3 through 12.2.14. It was exploited as a zero-day by threat actors including the Clop ransomware group for data theft and extortion, and CISA has added it to the Known Exploited Vulnerabilities (KEV) Catalog. The exploit chain combines Server-Side Request Forgery (SSRF), path traversal, HTTP request smuggling, and XSLT injection to reach unauthenticated RCE. The attacker stands up an HTTP server they control to host a malicious XSL file, retrieves a CSRF token from the target, then sends an XML request to the `UiServlet` whose `return_url` parameter carries an HTTP request smuggling payload; that triggers the SSRF, and the vulnerable server is coerced into fetching and processing the attacker's XSL file. The XSL contains base64-encoded JavaScript that, when run by the XSLT processor, executes arbitrary commands and gives the attacker an interactive shell on either Linux/Unix or Windows. Oracle has released an emergency patch; applying it is strongly recommended, and the October 2023 Critical Patch Update must be installed first as a prerequisite. Detection should cover SIEM/EDR rules for suspicious HTTP traffic to Oracle Concurrent Processing, unusual system behavior, anomalous authentication and process-creation patterns, and suspicious Java process behavior; Oracle's security alert lists specific Indicators of Compromise (IOCs).
Threat Details and IOCs
| Malware: | Cl0p, Clop, CryptoMix |
| CVEs: | CVE-2025-61882 |
| Technologies: | Linux, Microsoft Windows, Oracle E-Business Suite, Oracle Java |
| Threat Actors: | Cl0p, Clop, FIN11, GracefulSpider, TA505 |
| Attacker Countries: | Russia |
| Attacker IPs: | 185.181.60.11, 200.107.207.26 |
| Attacker Domains: | not-actually-watchtowr.com-stop-emailing-us-about-iocs |
| Attacker Hashes: | 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b, 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d, aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 |
| Victim Industries: | Automotive, Communication Services, Construction, Education, Energy, Financial Services, Government, Healthcare, Information Technology, Insurance, Manufacturing, Multimedia, Professional Services, Real Estate, Retail, Telecommunications, Transportation, Utilities |
Mitigation Advice
- Identify all Oracle E-Business Suite instances and immediately apply the emergency patch for CVE-2025-61882 if they are running versions 12.2.3 through 12.2.14.
- Scan web server and WAF logs for POST requests to the URI path '/OA_HTML/configurator/UiServlet' that contain suspicious or abnormally long, encoded data in the 'return_url' parameter.
- Create a detection rule in your EDR or SIEM to alert on Java processes originating from the Oracle E-Business Suite application that spawn shell processes such as 'sh', 'bash', 'cmd.exe', or 'powershell.exe'.
- Implement strict egress filtering rules on your firewall to block Oracle E-Business Suite servers from initiating outbound connections to untrusted destinations on the internet.
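The log-scanning step above names the endpoint (`/OA_HTML/configurator/UiServlet`), the parameter (`return_url`) and the technique (SSRF plus request smuggling to make the server fetch an attacker-hosted XSL file), which is enough to write a first-pass hunt. The script below is an added example, not Oracle's or any vendor's detection content: it flags a POST to the UiServlet whose `return_url` points at a host other than the EBS front end, carries encoded CR/LF, or is abnormally long. The log format (one JSON object per line with `src_ip`, `method`, `path`, `query` and `body`), the trusted host name, the length threshold and the sample records are all constructed for this example; map them to whatever your WAF actually emits.

```python
"""Hunt WAF/web logs for CVE-2025-61882 exploitation attempts against Oracle
E-Business Suite. Added example; not Oracle's or any vendor's detection content.
"""
import json
import re
from urllib.parse import unquote, urlparse

UISERVLET_PATH = "/OA_HTML/configurator/UiServlet"
# return_url as a form/query parameter (return_url=...) or as an XML element or
# attribute value (<param name="return_url">...); the capture stops at the next
# quote, angle bracket, ampersand or whitespace.
RETURN_URL = re.compile(r"return_url[\"']?\s*(?:=|>)\s*[\"']?([^\"'<&\s]+)", re.I)
MAX_RETURN_URL_LEN = 512  # assumed threshold; baseline it on your own traffic
TRUSTED_HOSTS = {"ebs.example.internal"}  # assumed name of the EBS front end


def extract_return_url(record):
    """Raw, still URL-encoded return_url from query or body, or None."""
    for field in ("query", "body"):
        m = RETURN_URL.search(record.get(field) or "")
        if m:
            return m.group(1)
    return None


def analyse_request(record, trusted_hosts=TRUSTED_HOSTS):
    """Indicators that fire for one request; an empty list means nothing odd."""
    reasons = []
    if (record.get("method") or "").upper() != "POST":
        return reasons
    if not (record.get("path") or "").startswith(UISERVLET_PATH):
        return reasons
    raw = extract_return_url(record)
    if raw is None:
        return reasons
    decoded = unquote(raw)
    # CR/LF inside a URL parameter is the classic smuggling tell; a double-encoded
    # %250d%250a still reads as %0d%0a after one unquote, so test for both forms.
    if re.search(r"[\r\n]|%0[dDaA]", decoded):
        reasons.append("crlf-in-return_url")
    host = (urlparse(decoded).hostname or "").lower()
    if host and host not in trusted_hosts:
        reasons.append(f"external-host:{host}")  # SSRF target off-box
    if len(raw) > MAX_RETURN_URL_LEN:
        reasons.append(f"long-return_url:{len(raw)}")
    return reasons


def hunt(log_lines, trusted_hosts=TRUSTED_HOSTS):
    """Parse JSON-lines records; return (src_ip, reasons) for the hits only."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = analyse_request(rec, trusted_hosts)
        if reasons:
            hits.append((rec.get("src_ip"), reasons))
    return hits


# Constructed sample: a legitimate UiServlet call, an attempt whose return_url
# points at an outside host (203.0.113.7 is a documentation address) with
# encoded CR/LF and a long tail, and an unrelated GET.
SAMPLE_LOG = [
    json.dumps({"src_ip": "10.20.30.40", "method": "POST", "path": UISERVLET_PATH,
                "body": '<initialize><param name="return_url">'
                        'https://ebs.example.internal/OA_HTML/OA.jsp</param></initialize>'}),
    json.dumps({"src_ip": "198.51.100.23", "method": "POST", "path": UISERVLET_PATH,
                "body": '<initialize><param name="return_url">'
                        'http://203.0.113.7:8000/' + '%0d%0a' + 'A' * 600
                        + '</param></initialize>'}),
    json.dumps({"src_ip": "10.20.30.41", "method": "GET", "path": "/OA_HTML/AppsLogin"}),
]

if __name__ == "__main__":
    for src_ip, reasons in hunt(SAMPLE_LOG):
        print(src_ip, ", ".join(reasons))
```

Only the request whose `return_url` leaves the EBS host fires, with all three indicators. The external-host check is the one that maps most directly to the technique on the page; pair it with the egress filtering item above, since a server that cannot reach the attacker's HTTP server cannot fetch the XSL file even if the request gets through.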
Compliance Best Practices
- Establish a formal patch management program that includes a comprehensive asset inventory of all Oracle E-Business Suite instances and defines strict service-level agreements (SLAs) for applying critical security updates.
- Implement network segmentation to isolate Oracle E-Business Suite servers from general corporate and internet-facing networks, restricting access to only authorized users and systems.
- Deploy a Web Application Firewall (WAF) in front of Oracle E-Business Suite and create rules to block malicious requests, such as those targeting known vulnerable endpoints or exhibiting patterns of SSRF and request smuggling.
- Harden the operating system configuration for Oracle E-Business Suite servers by ensuring the application runs under a service account with the minimum necessary permissions, preventing it from executing arbitrary system commands or accessing non-essential resources.