Particle.news

Google Ties More Chinese Groups to React2Shell Exploits as Wallet-Drainer Attacks Spread

Many internet-facing React deployments remain unpatched despite available fixes.

Overview

  • Google Threat Intelligence Group said at least five additional China-linked espionage groups are exploiting CVE-2025-55182, with Iran-nexus actors and financially motivated criminals also involved.
  • Intrusions target cloud infrastructure on AWS and Alibaba Cloud, where attackers deploy persistence tools and backdoors including MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, and ANGRYREBEL.LINUX.
  • Security Alliance reported a surge in wallet-drainer implants stealing permit signatures on compromised sites, alongside campaigns installing XMRig miners.
  • Telemetry points to a large attack surface, with Shadowserver tracking more than 116,000 vulnerable IPs and Criminal IP identifying about 109,000 RSC-enabled assets in the United States.
  • Fixes ship in the react-server-dom-* packages (the webpack, parcel, and turbopack variants) as 19.0.1, 19.1.2, and 19.2.1, one patched release per affected 19.x minor line, plus related framework updates; vendors caution that WAF rules are a stopgap rather than a fix, and CISA has added the bug to its KEV catalog.
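Because the fix is a version bump on three specific packages, the quickest check a defender can run is a lockfile scan. The block below is an added example, not code from the article or from the React project: it walks a package-lock.json "packages" map (lockfile v2/v3 layout), picks out the react-server-dom-webpack, -parcel and -turbopack entries, and flags any whose version sits below the fixed release for its minor line. The assumption, labelled in the code, is the one the article's patch list implies: every 19.x minor line below its listed fix is affected, and versions outside those three lines are left for a manual check against the advisory rather than judged here. The sample lockfile is constructed for the demonstration.

```javascript
// Added example (not from the article or React): flag vulnerable
// react-server-dom-* entries in a package-lock.json "packages" map.
// ASSUMPTION: each 19.x minor line below its listed fix is affected;
// other major/minor lines are reported as out of scope, not as safe.
const FIXED = { 19: { 0: 1, 1: 2, 2: 1 } }; // major -> minor -> first safe patch

const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Parse "19.1.1" or "19.2.1-canary-abc" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// True when the version is below the first fixed patch of its minor line.
// A pre-release of the fixed patch (19.2.1-canary-...) precedes the fix itself.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return false; // unparseable: surface separately, do not guess
  const line = FIXED[p.major];
  if (!line || line[p.minor] === undefined) return false; // out of scope (assumption)
  const fixedPatch = line[p.minor];
  if (p.patch < fixedPatch) return true;
  return p.patch === fixedPatch && p.pre !== null;
}

// Walk the lockfile and return every vulnerable RSC package, nested ones included.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Nested installs look like node_modules/next/node_modules/<name>.
    const name = entry.name || path.split('node_modules/').pop();
    if (!RSC_PACKAGES.includes(name) || !entry.version) continue;
    if (isVulnerable(entry.version)) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: two vulnerable entries, one patched, one unrelated.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.2.0' },
    'node_modules/react-server-dom-parcel': { version: '19.2.1' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`VULNERABLE ${f.name}@${f.version} at ${f.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The scan deliberately reads the lockfile rather than package.json, since a caret range such as `^19.1.0` says nothing about what was actually installed, and it checks nested node_modules paths because a framework can pin its own copy of the RSC package beneath the one the application declares.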