Particle.news

React2Shell Attacks Surge With Emergence of EtherRAT Using Blockchain C2

CISA shortened agency patch timelines following reports of 50-plus victims across multiple sectors.

Overview

  • CVE-2025-55182 enables unauthenticated remote code execution in React Server Components and has been widely exploited since public disclosure on December 3.
  • Sysdig detailed EtherRAT, a new implant that resolves command-and-control via an Ethereum smart contract using consensus across nine RPC endpoints, deploys five Linux persistence methods, self-updates, and downloads its own Node.js runtime.
  • Palo Alto Networks Unit 42 reported more than 50 impacted organizations across the U.S., Asia, South America, and the Middle East, as Shadowserver identified 165,000 IPs and 644,000 domains with vulnerable code.
  • Attackers range from China-linked groups Earth Lamia and Jackpot Panda to opportunistic actors deploying cryptominers and newly observed tools such as PeerBlight, CowTunnel, and ZinFoq.
  • Researchers noted overlaps between EtherRAT tooling and the DPRK-linked Contagious Interview cluster without confirming attribution, and guidance stresses updating packages, redeploying clean builds, auditing logs, and rotating credentials.
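The C2 resolution behaviour in the second bullet (one implant reading an Ethereum smart contract through many RPC endpoints and taking a consensus answer) gives defenders a network-side signal: an application server that suddenly fans out read-only Ethereum JSON-RPC calls to several distinct endpoints in a short window. The script below is an added illustration of that detection heuristic and is not code from Sysdig, Unit 42, or the article. It assumes a forward proxy that logs one JSON record per outbound HTTP POST with the parsed JSON-RPC method; the log lines, hostnames, field names, and the three-endpoint / 60-second thresholds are all constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample egress proxy log lines (not from the article). Each record is
# one outbound HTTP POST; "rpc_method" is the JSON-RPC method the proxy parsed from
# the request body. Hostnames are placeholders, not real RPC providers.
SAMPLE_LOGS = [
    '{"ts": 1000, "src": "web-01", "dst_host": "rpc-a.example", "rpc_method": "eth_call"}',
    '{"ts": 1001, "src": "web-01", "dst_host": "rpc-b.example", "rpc_method": "eth_call"}',
    '{"ts": 1001, "src": "web-01", "dst_host": "rpc-c.example", "rpc_method": "eth_call"}',
    '{"ts": 1002, "src": "web-01", "dst_host": "rpc-d.example", "rpc_method": "eth_call"}',
    '{"ts": 1003, "src": "web-02", "dst_host": "rpc-a.example", "rpc_method": "eth_call"}',
    '{"ts": 1500, "src": "web-02", "dst_host": "rpc-b.example", "rpc_method": "eth_call"}',
    '{"ts": 1004, "src": "web-03", "dst_host": "api.example", "rpc_method": null}',
    'not json at all',
]

# Standard read-only Ethereum JSON-RPC methods that would be used to pull state
# out of a smart contract; anything else is treated as unrelated traffic.
ETH_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}


def parse_events(lines):
    """Parse JSON log lines into (ts, src, dst_host) tuples.

    Malformed lines and requests that are not Ethereum read calls are skipped.
    """
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("rpc_method") in ETH_READ_METHODS:
            events.append((int(rec["ts"]), rec["src"], rec["dst_host"]))
    return events


def find_multi_rpc_sources(lines, min_hosts=3, window_s=60):
    """Return {src: sorted distinct RPC hosts} for every source that queried at
    least min_hosts distinct Ethereum RPC endpoints within any window_s-second
    window. The thresholds are assumptions for this example, not published values.
    """
    by_src = defaultdict(list)
    for ts, src, host in parse_events(lines):
        by_src[src].append((ts, host))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        # Slide a window starting at each event; flag on the first burst found.
        for i, (t0, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - t0 <= window_s}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for src, hosts in find_multi_rpc_sources(SAMPLE_LOGS).items():
        print(f"{src}: Ethereum JSON-RPC fan-out to {len(hosts)} endpoints: {', '.join(hosts)}")
```

In the sample data only `web-01` is flagged: it hits four endpoints within two seconds, while `web-02` touches two endpoints 500 seconds apart and `web-03` never issues an Ethereum call. In production, hosts with a legitimate reason to speak Ethereum JSON-RPC need an allow-list, and a hit should trigger the steps the article's guidance lists (redeploy a clean build, audit logs, rotate credentials) rather than stand alone as a verdict.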