🛡️ ScanFortress Weekly Threat Intelligence Report
📊 Executive Summary
Week 49 of 2025 has revealed a critical landscape dominated by web application vulnerabilities, with maximum-severity flaws discovered in widely-deployed frameworks and platforms. The most alarming development is the disclosure of CVE-2025-55182, a CVSS 10.0 vulnerability affecting React Server Components and Next.js, potentially impacting over a third of cloud service providers. This flaw enables unauthenticated remote code execution, representing one of the most severe web application threats identified this year.
The week also saw significant exploitation activity targeting WordPress plugins, with the King Addons vulnerability (CVE-2025-8489) and Sneeit Framework under active attack, allowing attackers to create administrative accounts and execute arbitrary code. Infrastructure-level threats emerged with Akamai's HTTP Request Smuggling flaw (CVE-2025-66373) and an actively exploited XSS vulnerability in OpenPLC ScadaBR (CVE-2021-26829) added to CISA's Known Exploited Vulnerabilities catalog.
Threat actors continue to weaponize legitimate tools, with reports of Velociraptor DFIR being abused for command-and-control operations and ransomware deployment. The Tomiris APT group has evolved its toolkit to include multi-language reverse shells and communications via Discord and Telegram. Supply chain attacks remain persistent, with North Korean actors flooding npm with 197 malicious packages delivering updated OtterCookie malware. Organizations must prioritize immediate patching, especially for web-facing applications, and implement comprehensive security scanning to detect misconfigurations and vulnerable components.
🚨 Critical Vulnerabilities & Threats
⚠️ 1. React Server Components Remote Code Execution (CVE-2025-55182)
Severity: CRITICAL (CVSS 10.0)
A maximum-severity vulnerability in React Server Components (RSC) allows unauthenticated remote code execution by exploiting flaws in how React decodes payloads sent to React Server Actions. This vulnerability, codenamed "React2shell," affects applications built with React and Next.js frameworks, potentially impacting more than a third of cloud service providers worldwide.
Impact: Complete server compromise, data exfiltration, and unauthorized access to backend systems.
Detection: A specialized Python-based scanner has been released to identify vulnerable RSC endpoints. Organizations should inventory every React and Next.js application that uses Server Components or Server Actions, update it to a patched release, and audit it for internet-facing RSC endpoints in the meantime.
🔓 2. WordPress Plugin Vulnerabilities Under Active Exploitation
Severity: CRITICAL (CVSS 9.8)
Two WordPress plugins are experiencing active exploitation campaigns:
- King Addons for Elementor (CVE-2025-8489): Privilege escalation allowing unauthenticated attackers to create administrator accounts during registration
- Sneeit Framework: Remote code execution vulnerability discovered June 2025, with thousands of attack attempts within hours of disclosure
ScanFortress Detection: Our vulnerability scanning module can identify outdated WordPress plugins and common misconfigurations that enable these attacks. Regular scanning helps detect vulnerable plugin versions before exploitation.
🌐 3. Akamai HTTP Request Smuggling (CVE-2025-66373)
Severity: HIGH
Akamai disclosed and patched an HTTP Request Smuggling vulnerability in its edge servers on November 17, 2025. This flaw could allow attackers to bypass security controls, poison web caches, and perform unauthorized actions by manipulating HTTP request parsing discrepancies between Akamai's edge servers and origin servers.
ScanFortress Detection: Our HTTP configuration analysis checks how a site handles ambiguous request framing, such as requests that carry both Content-Length and Transfer-Encoding or an obfuscated chunked encoding, which is the parsing discrepancy that request smuggling relies on.
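To make the parsing-discrepancy point concrete, here is an added example (not ScanFortress code and not Akamai's fix) that flags HTTP/1.1 requests whose body framing a front-end and an origin could read differently, following the precedence rules of RFC 9112 section 6.3. The sample requests are constructed for the demonstration.

```python
import re

HEADER_LINE = re.compile(r"^([^:]*):(.*)$")


def split_request(raw: bytes):
    """Return (request_line, [(raw_name, raw_value), ...]) for one HTTP/1.x head.

    Names and values are kept unstripped on purpose: the whitespace tricks that
    make a smuggling payload work live in exactly those characters.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        match = HEADER_LINE.match(line)
        if match:
            headers.append((match.group(1), match.group(2)))
    return lines[0], headers


def framing_findings(raw: bytes) -> list[str]:
    """List the ways two parsers could disagree on where this request ends.

    An empty list means the framing is unambiguous under RFC 9112 section 6.3.
    """
    _, headers = split_request(raw)
    findings = []
    content_lengths, transfer_encodings = [], []
    for raw_name, raw_value in headers:
        if raw_name != raw_name.strip():
            # "Transfer-Encoding : chunked": one hop drops the header, the next honours it
            findings.append(f"whitespace inside header name {raw_name!r}")
        name = raw_name.strip().lower()
        if name == "content-length":
            content_lengths.append(raw_value.strip())
        elif name == "transfer-encoding":
            transfer_encodings.append(raw_value)

    if len(set(content_lengths)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in content_lengths):
        findings.append("non-numeric Content-Length")
    if content_lengths and transfer_encodings:
        # RFC 9112 says Transfer-Encoding wins; a hop that prefers Content-Length
        # frames the body differently (CL.TE / TE.CL)
        findings.append("Content-Length and Transfer-Encoding both present")

    for raw_value in transfer_encodings:
        if "\t" in raw_value or "\x0b" in raw_value:
            findings.append("control character in Transfer-Encoding value")
        codings = [c.strip() for c in raw_value.split(",")]
        if "chunked" in codings and codings[-1] != "chunked":
            findings.append("chunked is not the final transfer-coding")
        for coding in codings:
            # 'xchunked', 'cHunked', 'chunked abc': near-misses one parser accepts
            # and another ignores (TE.TE)
            if coding != "chunked" and "chunked" in coding.lower():
                findings.append(f"obfuscated transfer-coding {coding!r}")
    return findings


# Constructed sample requests for the demonstration
SAMPLE_CLEAN = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\n\r\nhello")
SAMPLE_CL_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
SAMPLE_TE_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n")


def scan_samples() -> dict:
    """Run the check over the constructed samples; keys are sample names."""
    return {name: framing_findings(raw) for name, raw in
            [("clean", SAMPLE_CLEAN), ("cl_te", SAMPLE_CL_TE), ("te_te", SAMPLE_TE_TE)]}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name}: {found or 'unambiguous'}")
```

The check is deliberately conservative: it reports any request a strict parser would reject, because the attacker's leverage is precisely that one hop in the chain is lenient where the other is strict. Running it against captured traffic in front of the origin, or against a proxy's own test harness, shows which ambiguities each hop lets through.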
🔍 4. OpenPLC ScadaBR XSS Vulnerability (CVE-2021-26829)
Severity: MEDIUM (CVSS 5.4) - Actively Exploited
CISA added this cross-site scripting vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The flaw affects both Windows and Linux versions of OpenPLC ScadaBR, a widely used industrial control system software.
ScanFortress Detection: Our XSS detection and security headers verification (including Content-Security-Policy) help identify cross-site scripting flaws in web applications and confirm that a policy is in place to limit their impact.
💾 5. Supply Chain Attacks: North Korean npm Campaign
Severity: HIGH
North Korean threat actors deployed 197 malicious npm packages as part of the "Contagious Interview" campaign, downloaded over 31,000 times. These packages deliver an updated variant of OtterCookie malware that combines features of BeaverTail and previous versions, targeting software developers and their supply chains.
Impact: Compromised development environments, stolen credentials, and potential backdoors in production applications.
🔍 Threats Detectable by ScanFortress
Our comprehensive scanning platform identifies several of the vulnerability classes and misconfigurations highlighted in this week's threat intelligence.
🛡️ How ScanFortress Protects Your Website
- 🔒 SSL/TLS Certificate Validation: Detects expired, misconfigured, or weak SSL/TLS certificates that could enable man-in-the-middle attacks. With CDN bypass attempts on the rise (as reported this week), proper certificate validation is critical.
- 🌐 DNS Configuration Analysis: Identifies DNS misconfigurations that could expose origin servers to direct attacks, bypassing CDN protections. This is especially relevant given this week's reports of attackers attempting to bypass CDN security layers.
- 📋 Security Headers Verification: Validates implementation of critical security headers including:
  - Content-Security-Policy (CSP): Restricts where script may load from, limiting the impact of XSS flaws such as CVE-2021-26829
  - X-Frame-Options: Protects against clickjacking
  - Strict-Transport-Security (HSTS): Enforces HTTPS connections
  - X-Content-Type-Options: Prevents MIME-type sniffing attacks
- 🍪 Cookie Security Analysis: Examines cookie configurations for missing Secure, HttpOnly, and SameSite attributes that could lead to session hijacking and CSRF attacks.
- 🔎 Common Web Vulnerabilities Detection: Identifies vulnerable components, outdated software versions, and common misconfigurations including:
  - Outdated CMS and plugin versions (WordPress, etc.)
  - HTTP Request Smuggling susceptibility
  - Cross-Site Scripting (XSS) vulnerabilities
  - Exposed sensitive endpoints and directories
  - Insecure HTTP methods and configurations
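The header and cookie checks listed above, as an added example that is not the ScanFortress checker itself: it takes a response as a list of (name, value) pairs, the form most HTTP client libraries return, and reports every weakness it finds. The two responses at the bottom are constructed, one weak and one hardened.

```python
import re

ONE_YEAR = 31536000  # seconds; the usual minimum for a meaningful HSTS max-age


def csp_directives(csp: str) -> dict:
    """Parse "default-src 'self'; script-src ..." into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_cookie(set_cookie: str) -> list[str]:
    """Findings for one Set-Cookie value: Secure, HttpOnly and a SameSite of Lax or Strict."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    if attrs.get("samesite") not in ("lax", "strict"):
        # SameSite=None, or unset on a browser without a Lax default, keeps the
        # cookie attached to cross-site requests, which is what CSRF needs
        findings.append(f"cookie {name}: SameSite is {attrs.get('samesite') or 'unset'}")
    return findings


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """Findings for a response given as (name, value) pairs; an empty list passes every check here."""
    single, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value
    findings = []

    csp = single.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        directives = csp_directives(csp)
        scripts = directives.get("script-src", directives.get("default-src"))
        if scripts is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            # these sources let injected markup execute, which defeats the policy
            weak = {"'unsafe-inline'", "*", "data:"} & set(scripts)
            if weak:
                findings.append(f"CSP script sources allow {sorted(weak)}")

    hsts = single.get("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts or "", re.IGNORECASE)
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif not max_age or int(max_age.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age below one year")

    framing = single.get("x-frame-options", "").upper()
    if framing not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in (csp or "").lower():
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    for cookie in cookies:
        findings.extend(audit_cookie(cookie))
    return findings


# Constructed responses: a weak one and its hardened counterpart
WEAK_RESPONSE = [
    ("Content-Security-Policy", "default-src *; script-src * 'unsafe-inline'"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=3f9a; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or "no findings")
```

A CSP is accepted here only when its script sources exclude the wildcard, data: and 'unsafe-inline'; a policy that allows those still "has a CSP" but gives an XSS payload everything it needs, which is why the check inspects the directives rather than just the header's presence.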
🚀 Don't Wait for a Breach!
Scan your website now to identify vulnerabilities before attackers do. With active exploitation campaigns targeting WordPress plugins, React applications, and web infrastructure, regular security scanning is no longer optional—it's essential.
ScanFortress provides automated, comprehensive security scanning that helps you:
- ✅ Identify vulnerable components before exploitation
- ✅ Ensure proper security header implementation
- ✅ Validate SSL/TLS configurations
- ✅ Detect DNS and infrastructure misconfigurations
- ✅ Maintain continuous security posture monitoring
📈 Industry Trends & Analysis
🎯 Weaponization of Legitimate Tools
A concerning trend continues with threat actors increasingly weaponizing legitimate security and administration tools. This week's reports highlight the abuse of Velociraptor DFIR (Digital Forensics and Incident Response) for establishing command-and-control infrastructure and deploying ransomware. Attackers exploit critical vulnerabilities for initial access, then deploy Velociraptor for persistent remote access and lateral movement, making detection more challenging as the tool's traffic appears legitimate.
The Tomiris APT group has also evolved to use open-source C2 frameworks including Havoc and AdaptixC2, alongside communications via Discord and Telegram, demonstrating how adversaries blend into normal network traffic.
🔗 Supply Chain Attacks Intensify
Supply chain compromises remain a primary attack vector, with multiple incidents reported this week:
- npm ecosystem: 197 malicious packages from North Korean actors (31,000+ downloads)
- Shai Hulud 2.0: npm worm targeting Russia, India, Brazil, and China with wiper capabilities
- PickleScan vulnerabilities: Three zero-day flaws allowing bypass of ML model malware detection
These attacks target developers and development infrastructure, aiming to compromise applications before they reach production environments.
🌊 Cloud and SaaS Security Incidents
The Gainsight/Salesforce security incident expanded significantly, with the impacted customer list growing beyond the initially reported 3 customers. This incident highlights the cascading risks in cloud service provider ecosystems, where a single compromise can affect numerous downstream customers.
The Marquis Software Solutions ransomware attack exposed data from dozens of U.S. banks and credit unions, discovered in August 2025 but disclosed in November, emphasizing the extended dwell time attackers maintain in compromised environments.
🔧 Framework and Platform Vulnerabilities
Critical vulnerabilities in widely-deployed frameworks pose systemic risks:
- React/Next.js (CVE-2025-55182): CVSS 10.0, affecting a third of cloud providers
- WordPress plugins: Ongoing exploitation of King Addons and Sneeit Framework
- Vim for Windows (CVE-2025-66476): Arbitrary code execution in popular text editor
These vulnerabilities demonstrate how flaws in foundational components create widespread exposure across the internet.
🏭 Industrial Control Systems Under Attack
CISA released five ICS advisories addressing high-severity vulnerabilities in video surveillance platforms, intelligent metering gateways, medical imaging software, and manufacturing control systems. The active exploitation of OpenPLC ScadaBR (CVE-2021-26829) indicates sustained targeting of industrial infrastructure.
✅ Recommendations & Action Items
🔴 Immediate Actions (Critical Priority)
- Patch React and Next.js applications: Immediately audit and update all React Server Component implementations. Use the newly released scanner to identify exposed RSC endpoints.
- Update WordPress plugins: Upgrade King Addons for Elementor to the latest version and remove or update Sneeit Framework immediately. Audit user accounts for unauthorized administrators.
- Review Akamai configurations: If using Akamai CDN, verify that edge servers have been updated (patched November 17, 2025). No customer action required, but validation recommended.
- Patch OpenPLC ScadaBR: Organizations running ScadaBR should patch CVE-2021-26829 immediately, keep its web interface off the internet, and segment control-system networks from corporate networks.
🟡 Short-Term Actions (High Priority)
- Implement comprehensive security headers: Deploy Content-Security-Policy, HSTS, X-Frame-Options, and other protective headers to mitigate XSS and injection attacks.
- Enable regular security scanning: Use ScanFortress to establish continuous monitoring for vulnerabilities, misconfigurations, and outdated components.
- Audit npm dependencies: Review all npm packages for suspicious or malicious code. Implement dependency scanning in CI/CD pipelines.
- Review cookie security: Ensure all cookies use Secure, HttpOnly, and SameSite attributes appropriately.
- Validate SSL/TLS configurations: Ensure certificates are valid, properly configured, and use strong cipher suites.
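The React patching item above and the npm dependency audit both start from the same artefact, the project's package-lock.json, so here is one added example (not ScanFortress tooling and not the React team's scanner) that reads a lockfile once and reports both: react-server-dom-* packages below the fixed release for CVE-2025-55182, and packages that run install scripts or resolve outside the public registry, the traits the malicious "Contagious Interview" packages rely on. The list of affected packages and their fixed versions is an assumption taken from the vendor advisory as understood at the time of writing; confirm it against the current advisory before acting on the output. The lockfile excerpt is constructed.

```python
import json
import re

# Assumption: the react-server-dom-* packages are the ones named in the
# CVE-2025-55182 advisory, fixed in 19.0.1, 19.1.2 and 19.2.1. Confirm this
# table against the current React advisory before relying on it.
RSC_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel",
                "react-server-dom-turbopack"}
RSC_FIXED = {"19.0": (19, 0, 1), "19.1": (19, 1, 2), "19.2": (19, 2, 1)}
PUBLIC_REGISTRY = "https://registry.npmjs.org/"


def parse_version(version: str) -> tuple:
    """'19.2.1-canary-abc' -> (19, 2, 1, 0); '19.2.1' -> (19, 2, 1, 1).

    The trailing flag makes a pre-release sort below its final release.
    """
    match = re.match(r"(\d+)\.(\d+)\.(\d+)(-.*)?$", version)
    if not match:
        raise ValueError(f"unparseable version {version!r}")
    major, minor, patch, prerelease = match.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_vulnerable_rsc(version: str) -> bool:
    """True when version sits below the fixed release of its 19.x line.

    Lines missing from RSC_FIXED are left unflagged; that is an assumption of
    this example, not a statement from the advisory.
    """
    parsed = parse_version(version)
    fixed = RSC_FIXED.get(f"{parsed[0]}.{parsed[1]}")
    return fixed is not None and parsed < fixed + (1,)


def audit_lockfile(lock: dict, trusted_registry: str = PUBLIC_REGISTRY) -> list[str]:
    """Findings over a lockfileVersion 2/3 'packages' map (v1 lacks the fields used here)."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        version = meta.get("version", "")
        resolved = meta.get("resolved", "")
        if name in RSC_PACKAGES and is_vulnerable_rsc(version):
            findings.append(f"{name}@{version}: below the fixed release for CVE-2025-55182")
        if meta.get("hasInstallScript"):
            # npm sets this when the package declares preinstall/install/postinstall;
            # a dropper only needs one of them to run during 'npm install'
            findings.append(f"{name}@{version}: runs an install script, review it")
        if resolved and not resolved.startswith(trusted_registry):
            findings.append(f"{name}@{version}: resolved outside {trusted_registry} ({resolved})")
    return findings


def audit_lockfile_path(path: str) -> list[str]:
    """Convenience wrapper for a lockfile on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh))


# Constructed lockfile excerpt for the demonstration
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/react": {
            "version": "19.2.0",
            "resolved": PUBLIC_REGISTRY + "react/-/react-19.2.0.tgz"},
        "node_modules/react-server-dom-webpack": {
            "version": "19.2.0",
            "resolved": PUBLIC_REGISTRY + "react-server-dom-webpack/-/react-server-dom-webpack-19.2.0.tgz"},
        "node_modules/handy-string-utils": {
            "version": "1.0.3", "hasInstallScript": True,
            "resolved": PUBLIC_REGISTRY + "handy-string-utils/-/handy-string-utils-1.0.3.tgz"},
        "node_modules/@acme/internal": {
            "version": "2.0.0",
            "resolved": "git+ssh://git@git.example.test/acme/internal.git#0a1b2c"},
    },
}

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(finding)
```

Run against a real project with `audit_lockfile_path("package-lock.json")` in CI; an install-script finding is not proof of malice, but it is the one package trait worth a human look before the build runs it, and a git or tarball `resolved` URL means the lockfile's integrity hash is the only thing standing between you and whatever that host serves next.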
🟢 Ongoing Security Practices
- Implement defense in depth: Don't rely solely on CDN protection. Secure origin servers with proper firewall rules, authentication, and monitoring.
- Monitor for CDN bypass attempts: Implement logging and alerting for direct connections to origin servers that bypass CDN security layers.
- Establish incident response procedures: Prepare for potential compromises with documented response plans, especially for supply chain incidents.
- Security awareness training: Educate development teams about supply chain risks, especially regarding npm packages and social engineering campaigns like "Contagious Interview."
- Regular vulnerability assessments: Schedule weekly or monthly security scans to identify new vulnerabilities as they're disclosed.
- Maintain