Dozens of organizations breached by React2Shell exploitation.

Summary

By the CyberWire staff

Dozens of organizations breached by React2Shell exploitation.

Researchers continue to track the impact of React2Shell (CVE-2025-55182), a maximum-severity RCE flaw affecting all frameworks that implement React Server Components. Suspected Chinese threat actors began exploiting the flaw within hours of its disclosure on December 3rd, and cybercriminal gangs and nation-state actors are now scanning for vulnerable systems.

Palo Alto Networks' Unit 42 says at least 30 organizations have been breached via multiple vectors of attack. Unit 42's Justin Moore told the Record, "We have observed scanning for vulnerable RCE, reconnaissance activity, attempted theft of AWS configuration and credential files, as well [as] installation of downloaders to retrieve payloads from attacker command and control infrastructure." Unit 42 attributes this activity to an initial access broker associated with China's Ministry of State Security.

Control what runs in your environment. Reduce your attack surface.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.

Ransomware attacks target hypervisors.

Huntress warns of a surge in ransomware attacks targeting hypervisors, which can allow attackers to deploy ransomware across dozens or hundreds of virtual machines. These attacks increased from 3% in the first half of 2025 to 25% in the second half of the year, with the Akira ransomware gang driving the trend. Huntress has observed the following tactics:

"Once inside a network, attackers often pivot towards hypervisors using compromised internal authentication credentials in environments where network segmentation has failed to deny lateral movement to the hypervisor management page. This move grants them elevated control over multiple guest systems from a single management interface.
"We’ve seen misuse of Hyper-V management utilities to modify VM settings and undermine security features. This includes disabling endpoint defenses, tampering with virtual switches, and preparing VMs for ransomware deployment at scale."

Humans Are Not the Weakest Link. Guess who FAIls?

Humans have been labeled the weakest link for ages. But this year showed how easily both humans and AI can be manipulated. In this session, Cato CTRL experts reveal real attacks from the wild where adversaries steered people and AI systems into harmful actions using simple prompts and inputs. The session reframes how you should think about AI risk and what to do when machines start making the mistakes, so register to join us.

Companies paid more than $2 billion to ransomware gangs over the past three years.

The US Treasury Department's Financial Crimes Enforcement Network (FinCEN) has released data on ransomware attacks reported through the Bank Secrecy Act, covering more than 4,000 attacks between January 2022 and December 2024, BleepingComputer reports. FinCEN found that companies paid more than $2.1 billion in payments to ransomware gangs over the three-year period.

The report notes, "Ransomware incidents and payments reached an all-time high in 2023—at 1,512 incidents, totaling approximately $1.1 billion in payments—an increase of 77 percent in total payments year-over-year from 2022 to 2023." These numbers decreased following law enforcement disruptions of the ALPHV/BlackCat and LockBit ransomware operations, but victims still paid out $734 million in 2024.

Notes.

Today's issue includes events affecting , and China the United States.

Trends

Holiday Season Sees Surge in Online IP Infringements Across Domains and Social Platforms (CSC) Check out this post from CSC.

Nearly 3 out of 4 medical doctors potentially exposed on people search sites [2025] (Incogni Blog) As the trend of violence directed against medical workers becomes more prominent1, researchers at Incogni set out to check what, if any, role people search

Technologies, Techniques, and Standards

Industry to Shift to 47-Day SSL/TLS Certificate Validity by 2029 (The SSL Store) Starting in 2026, SSL/TLS certificate lifespans will be reduced from the current maximum of 13 months. By 2029, all public SSL/TLS certificates will have a 1.5-month maximum validity. Here’s what you need to know.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

CyberMarketingCon 2025 (Austin, TX, USA, Dec 7 - 10, 2025) CyberMarketingCon will be held December 7-10 in bustling downtown Austin, Texas. Come to learn, network, and enjoy what this beautiful, unique city and your amazing fellow attendees have to offer.

Gartner Identity & Access Management Summit 2025 (Grapevine, Texas, USA, Dec 8 - 10, 2025) Join us at the premier conference for IAM leaders and architects to tackle priorities like IAM program management, automation, identity threat detection and response (ITDR), cybersecurity and privacy, and identity governance and administration (IGA) in an increasingly complex environment.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 12.09.25

Top stories.

Dozens of organizations breached by React2Shell exploitation.

Ransomware attacks target hypervisors.

Companies paid more than $2 billion to ransomware gangs over the past three years.

Notes.

Trends

Technologies, Techniques, and Standards

Events