Daily Brief


Total articles found: 11540

Checks for new stories every ~15 minutes

2025-12-03 21:57:29 theregister VULNERABILITIES Critical React Vulnerability Threatens 39% of Cloud Environments
A severe vulnerability in the React JavaScript library, CVE-2025-55182, enables unauthenticated remote code execution, affecting 39% of cloud environments using React and related frameworks. The flaw impacts React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as frameworks like Next.js, with exploitation likely imminent due to ease of abuse. The React team has released patches for affected versions, urging immediate upgrades to mitigate potential exploitation risks. Vercel, maintainer of Next.js, issued its own CVE (CVE-2025-66478) and corresponding patch, emphasizing the critical nature of this security threat. The vulnerability arises from improper decoding of payloads in React Server Function endpoints, allowing crafted HTTP requests to execute malicious code. Meta and the React team responded swiftly, deploying an emergency patch within four days of the flaw's disclosure by researcher Lachlan Davidson. Organizations using React are advised to apply patches immediately, as the vulnerability's widespread impact and ease of exploitation pose significant security risks. Cloudflare's Web Application Firewall may offer some protection, but direct patching remains essential to safeguard against potential attacks.
2025-12-03 21:32:12 bleepingcomputer VULNERABILITIES Critical Vulnerabilities in WordPress Plugins Pose Significant Risks
A critical privilege escalation flaw, CVE-2025-8489, in the King Addons for Elementor plugin allows attackers to gain administrative access on WordPress sites, affecting approximately 10,000 websites. The vulnerability was actively exploited starting October 31, with over 48,400 attempts blocked by Wordfence, a security service for WordPress, highlighting the urgency of the threat. Attackers exploit the flaw by sending crafted requests to create rogue admin accounts, with peak activity noted between November 9 and 10 from two primary IP addresses. Website administrators are urged to upgrade to version 51.1.35 of King Addons, which resolves the vulnerability, to prevent unauthorized access. Another critical flaw, CVE-2025-13486, in the Advanced Custom Fields: Extended plugin affects over 100,000 sites, enabling unauthenticated attackers to execute arbitrary code. This vulnerability was addressed in version 0.9.2 of the plugin, released promptly after discovery, emphasizing the need for rapid response to reported security issues. Website owners are advised to update to the latest plugin versions or disable affected plugins to mitigate potential exploitation and maintain site security.
2025-12-03 20:55:31 bleepingcomputer DATA BREACH Leroy Merlin Reports Data Breach Affecting French Customer Information
Leroy Merlin, a major DIY retailer, disclosed a data breach affecting its French customer base, compromising personal information but excluding banking data and passwords. The breach impacts customers in France, with the company operating across Europe, South Africa, and Brazil, generating $9.9 billion in annual revenue. Upon detection, Leroy Merlin implemented measures to block unauthorized access and contain the breach, minimizing potential damage. The compromised data has not been used maliciously, and there is no evidence of it being leaked online or used for extortion. Customers have been advised to remain vigilant against phishing attempts and report any suspicious account activity or issues with loyalty discounts. BleepingComputer confirmed the authenticity of the notification and is seeking further details from Leroy Merlin about the breach's scope. No ransomware group has claimed responsibility for the attack, and the situation remains under investigation.
2025-12-03 20:30:23 bleepingcomputer DATA BREACH Freedom Mobile Data Breach Exposes Customer Information in Canada
Freedom Mobile, a major Canadian wireless carrier, reported a data breach impacting its customer account management platform, compromising personal data of an unspecified number of customers. The breach was detected on October 23, with attackers exploiting a subcontractor's account to access sensitive customer information, including names, addresses, and phone numbers. Freedom Mobile swiftly responded by blocking suspicious accounts and IP addresses, implementing security enhancements to prevent further unauthorized access. While there is no evidence of data misuse, customers are advised to remain vigilant against phishing attempts and monitor their accounts for unusual activity. The breach follows a similar incident in 2019, where a vendor exposed data of 15,000 customers, highlighting ongoing challenges in securing customer information. Freedom Mobile, acquired by Vidéotron in 2023, has not disclosed the exact number of affected customers or whether a ransom was demanded. This incident underscores the importance of robust subcontractor management and continuous security improvements in safeguarding customer data.
2025-12-03 18:26:13 thehackernews VULNERABILITIES Critical RSC Bugs in React and Next.js Enable Remote Code Execution
A maximum-severity flaw, CVE-2025-55182, was disclosed in React Server Components, allowing unauthenticated remote code execution with a CVSS score of 10.0. The vulnerability arises from unsafe deserialization of RSC payloads, potentially enabling attackers to execute arbitrary JavaScript code on servers. Affected React versions include 19.0, 19.1.0, 19.1.1, and 19.2.0, with patches available in versions 19.0.1, 19.1.2, and 19.2.1. Next.js is also impacted, with CVE-2025-66478 affecting versions >=14.3.0-canary.77, >=15, and >=16; patches are available in multiple versions up to 16.0.7. The flaw affects libraries bundling RSC, such as Vite RSC plugin and RedwoodJS, with 39% of cloud environments potentially vulnerable. Security researcher Lachlan Davidson discovered the flaw, emphasizing the need for immediate patching to mitigate risks. Organizations are urged to apply the available patches promptly to protect against potential exploitation.
2025-12-03 17:53:50 thehackernews VULNERABILITIES Microsoft Patches Long-Standing Windows LNK Vulnerability Exploited by State Actors
Microsoft addressed a Windows LNK file vulnerability, CVE-2025-9491, in its November 2025 Patch Tuesday updates, a flaw exploited since 2017 by multiple threat actors. The vulnerability allowed remote code execution by concealing malicious commands within LNK files, impacting users who interacted with these disguised shortcuts. Exploitation involved state-sponsored groups from China, Iran, North Korea, and Russia, targeting entities for data theft and espionage, with campaigns dating back several years. Microsoft initially deemed the flaw not critical for immediate patching, citing existing warnings in Microsoft Office applications against opening untrusted LNK files. The patch now ensures the full command string within LNK files is visible, mitigating risks of concealed malicious content, while 0patch offers a micropatch with additional warnings. The issue's exploitation by the XDSpy group and others underlines the persistent threat posed by unpatched vulnerabilities in widely used software. Organizations are advised to update systems promptly and remain vigilant against LNK file-based threats, reinforcing the need for robust security measures and user education.
2025-12-03 17:36:12 bleepingcomputer MISCELLANEOUS Russia Blocks Roblox Over Alleged Distribution of Inappropriate Content
Russia's Roskomnadzor has blocked access to Roblox, citing the platform's alleged distribution of LGBT and extremist content, impacting users across Russia. The decision follows repeated claims that Roblox failed to prevent the dissemination of unsafe materials, including content promoting illegal activities. Roblox, a popular global gaming platform with over 1 billion Android downloads, faces significant operational challenges due to this restriction. The ban is part of Russia's broader strategy to control online content, previously targeting messaging apps like WhatsApp, Viber, and Signal for similar reasons. Roskomnadzor's actions reflect ongoing tensions between digital platforms and regulatory bodies over content moderation and compliance with national laws. This move may lead to increased scrutiny on other international platforms operating in Russia, affecting their business operations and user engagement. Companies should prepare for potential regulatory actions by enhancing content moderation capabilities and ensuring compliance with local regulations.
2025-12-03 17:29:58 bleepingcomputer VULNERABILITIES Google Enhances Android Scam Protection for U.S. Financial Apps
Google has expanded its Android in-call scam protection feature to include U.S. fintech apps like Cash App and JPMorgan Chase, aiming to safeguard millions of users from phone-based scams. The feature alerts users when launching financial apps during calls with unknown numbers, warning against potential impersonation scams targeting banking information. A persistent 30-second warning pop-up advises users to end suspicious calls, aiming to disrupt social engineering tactics used by scammers. Initially trialed in the U.K., the feature has already aided thousands in avoiding costly scams and is now being tested in the U.S. market. The scam protection is available on Android 11 and later versions, requiring users to remain vigilant against risky actions such as installing unofficial APKs. Users are encouraged to verify account statuses directly with banks and avoid sharing personal information with unknown callers to enhance security.
2025-12-03 17:09:38 thehackernews VULNERABILITIES WordPress King Addons Plugin Vulnerability Exploited for Admin Access
A critical flaw in the King Addons for Elementor plugin allows attackers to gain administrative access on WordPress sites. The vulnerability is identified as CVE-2025-8489 with a CVSS score of 9.8. The issue affects plugin versions 24.12.92 through 51.1.14 and enables privilege escalation through improper role restrictions during user registration. Attackers can exploit this flaw by sending crafted HTTP requests to the "/wp-admin/admin-ajax.php" endpoint, specifying the administrator role. Over 10,000 active installations of the plugin are at risk, potentially allowing attackers to upload malicious code or conduct other harmful activities. The vulnerability was patched in version 51.1.35, released on September 25, 2025, following its discovery by security researcher Peter Thaleikis. Wordfence has blocked over 48,400 exploit attempts since the flaw's disclosure, with mass exploitation beginning on November 9, 2025. Site administrators are urged to update to the latest plugin version, audit for unauthorized admin accounts, and monitor for unusual activity.
2025-12-03 17:04:01 bleepingcomputer VULNERABILITIES Google Expands In-Call Scam Protection to U.S. Bank Apps
Google has extended its Android in-call scam protection feature to include major U.S. financial apps such as Cash App and JPMorgan Chase, aiming to enhance user security. This feature, introduced with Android 16, alerts users when they are on a call with an unknown number while using a financial app, warning against potential impersonation scams. Users receive a 30-second warning pop-up advising them to end the call, aiming to disrupt the attacker's social-engineering tactics and prevent unauthorized financial transactions. Initially trialed in the U.K., the feature has reportedly helped thousands avoid financial losses and is now being tested across the U.S., Brazil, and India. The protection system is available on Android 11 and later versions, reinforcing the importance of keeping mobile operating systems up to date for optimal security. Users are encouraged to remain vigilant against risky actions prompted by unknown callers, such as installing unofficial apps or disabling security features like Play Protect. This initiative reflects Google's ongoing commitment to safeguarding users against evolving cyber threats, particularly those exploiting social engineering techniques.
2025-12-03 16:57:07 bleepingcomputer VULNERABILITIES Microsoft Mitigates Windows LNK Vulnerability Exploited by Hackers
Microsoft has addressed a high-severity Windows LNK vulnerability, CVE-2025-9491, exploited by state-backed and cybercrime groups in zero-day attacks. The flaw allows attackers to hide malicious commands in Windows LNK files, requiring user interaction to execute malware on compromised devices. Threat actors, including Evil Corp and Mustang Panda, have distributed malicious LNK files in archives to bypass email security measures. Microsoft's mitigation involves displaying all characters in the Target field of LNK files, but it doesn't remove malicious arguments or provide user warnings. ACROS Security released an unofficial patch via 0patch, limiting shortcut target strings to 260 characters and alerting users to potential threats. The vulnerability has been exploited in attacks targeting European diplomats, deploying malware such as PlugX RAT and complicating the threat landscape. The issue remains a concern as Microsoft's silent mitigation may not fully protect users, prompting reliance on third-party patches for enhanced security.
2025-12-03 15:40:43 thehackernews MALWARE Water Saci Banking Trojan Exploits WhatsApp for Rapid Propagation
The Water Saci threat actor has launched a sophisticated campaign targeting Brazilian users with a banking trojan, utilizing WhatsApp for rapid malware spread. The attack chain involves HTA files and PDFs, leveraging AI to transition from PowerShell to Python, enhancing the malware's propagation capabilities. Users receive deceptive messages from trusted contacts, prompting interaction with malicious attachments that initiate the infection process. The trojan monitors active windows for banking activity, using AutoIt scripts to maintain persistence and evade detection through anti-virtualization checks. The campaign's use of WhatsApp Web and browser automation tools signifies a strategic shift in exploiting trusted communication platforms for malware delivery. A separate RelayNFC Android malware campaign targets Brazilian users, conducting NFC relay attacks to capture and misuse contactless payment data. These developments indicate a growing sophistication in cybercriminal tactics in Brazil, emphasizing the need for enhanced security measures and user awareness.
2025-12-03 15:21:25 bleepingcomputer CYBERCRIME DragonForce and Scattered Spider Forge Potent Ransomware Alliance
Security researchers have analyzed DragonForce ransomware, which emerged in 2023 and has evolved into a "ransomware cartel" with global operations and increased attack frequency. DragonForce's latest variant exploits drivers like truesight.sys to disable security measures, enhancing its encryption capabilities by fixing previous vulnerabilities linked to Akira ransomware. The group collaborates with Scattered Spider, a threat actor known for advanced social engineering, to execute high-profile breaches, including a notable attack on Marks & Spencer. DragonForce operates as a ransomware-as-a-service (RaaS), offering affiliates 80% of profits and customizable tools, which lowers entry barriers for aspiring cybercriminals. Scattered Spider employs tactics such as MFA fatigue and SIM swapping to gain initial access, using remote monitoring tools to maintain persistence and conduct thorough reconnaissance. The cartel's strategy of combining specialized skills in social engineering and ransomware deployment complicates defensive efforts for organizations worldwide. Security professionals are urged to implement phishing-resistant MFA and robust endpoint detection to counteract these sophisticated, multi-stage cyber threats.
2025-12-03 14:04:17 bleepingcomputer DDOS Aisuru Botnet Sets New Record with 29.7 Tbps DDoS Attack
The Aisuru botnet launched a record-breaking DDoS attack peaking at 29.7 Tbps, showcasing the growing threat of hyper-volumetric attacks. Cloudflare successfully mitigated the attack, which lasted 69 seconds and targeted an undisclosed entity using UDP carpet-bombing tactics. Aisuru operates as a botnet-for-hire service, leveraging compromised routers and IoT devices, with estimates of up to four million infected hosts globally. The botnet's attacks have disrupted internet service providers, indicating the potential for significant impact on critical infrastructure and services. Cloudflare reports a 227% increase in DDoS attacks exceeding 1 Tbps quarter-over-quarter, with 1,304 hyper-volumetric incidents recorded in Q3 2025 alone. The attacks primarily originate from countries like Indonesia and Thailand, targeting sectors such as telecommunications, gaming, and financial services. The rapid and short-lived nature of these attacks poses challenges for defenders, highlighting the need for robust, proactive DDoS mitigation strategies.
2025-12-03 13:31:23 bleepingcomputer DATA BREACH University of Phoenix Data Breach Tied to Clop Ransomware Campaign
The University of Phoenix disclosed a data breach linked to a Clop ransomware campaign exploiting Oracle E-Business Suite vulnerabilities, impacting students, staff, and suppliers. Sensitive data, including names, social security numbers, and bank details, were accessed without authorization, posing significant privacy concerns for affected individuals. The breach was detected on November 21, after the attackers listed the university on their data leak site, prompting immediate notification to regulatory bodies and affected parties. The incident is part of a broader campaign targeting multiple U.S. universities and companies, including Harvard University and GlobalLogic, through a zero-day vulnerability in Oracle EBS. The Clop ransomware group has a history of exploiting software vulnerabilities, previously targeting platforms like GoAnywhere MFT and MOVEit Transfer, affecting thousands of organizations. The University of Phoenix is coordinating with regulatory entities and preparing to notify impacted individuals with guidance on protective measures. This breach underscores the critical need for robust cybersecurity measures and timely patch management to protect against sophisticated cyber threats.