Executive Summary
- CVE-2025-55182 (React2Shell) actively exploited against 766 Next.js hosts for credential harvesting including AWS secrets, SSH keys, and API tokens
- $280 million cryptocurrency theft from Drift Protocol via sophisticated Security Council takeover attributed to North Korean threat actors
- Cisco IMC critical vulnerability (9.8 CVSS) enables unauthenticated remote code execution and privilege escalation
- Progress ShareFile pre-authentication RCE flaws enable unauthenticated file exfiltration from enterprise environments
- Residential proxies evade IP reputation systems in 78% of sessions, enabling widespread malicious traffic distribution
Top Threats Today
1. CVE-2025-55182 Next.js Credential Harvesting Campaign
Severity: Critical | Affected sector: Technology
Active large-scale exploitation of React2Shell vulnerability targeting 766 Next.js hosts for credential harvesting. Attackers are stealing database credentials, SSH private keys, AWS secrets, shell command history, Stripe API keys, and GitHub tokens from compromised systems.
Recommended Action
- Immediately audit all Next.js deployments for React2Shell exploitation indicators
- Rotate all exposed credentials: AWS keys, GitHub tokens, database passwords, and SSH keys
- Deploy WAF rules to detect and block React2Shell attack patterns
2. Cisco IMC Authentication Bypass (CVE-2025-XXXX)
Severity: Critical | Affected sector: Technology
Cisco has released emergency patches for a CVSS 9.8 vulnerability in its Integrated Management Controller (IMC) that affects IMC and SSM platforms. Unauthenticated remote attackers can bypass authentication and gain elevated system access without credentials.
Recommended Action
- Apply Cisco IMC and SSM security patches immediately across all managed infrastructure
- Restrict network access to IMC interfaces to authorized management networks only
- Monitor IMC logs for authentication bypass attempts and unauthorized access
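The log-review recommendation above boils down to two questions per privileged event: was it preceded by a successful login from the same source and user, and did it come from an authorized management network? The following script is an added example (not Cisco's code or log format; the key=value lines and the 10.0.0.0/24 management range are constructed for illustration) that applies both checks to a sample log and returns the anomalies.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log in a generic key=value style. Cisco IMC's real log
# format differs; adapt parse_line() to the fields your platform emits.
SAMPLE_LOG = """\
2025-01-01T10:00:00Z src=10.0.0.5 user=admin event=login result=success
2025-01-01T10:00:05Z src=10.0.0.5 user=admin event=config_change target=local_users
2025-01-01T10:01:00Z src=198.51.100.7 user=admin event=config_change target=local_users
2025-01-01T10:02:00Z src=203.0.113.9 user=root event=login result=failure
2025-01-01T10:02:01Z src=203.0.113.9 user=root event=session_create
2025-01-01T10:03:00Z src=10.0.0.6 user=ops event=login result=success
"""

# Hypothetical management network allowlist; replace with your own ranges.
MGMT_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# Events that should never occur without a prior successful login from the
# same (source, user) pair. Seeing one anyway is an authentication-bypass
# indicator worth escalating.
PRIVILEGED_EVENTS = {"config_change", "session_create", "user_add", "firmware_update"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    user: str
    reason: str


def parse_line(line):
    """Split a 'timestamp key=value key=value' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def in_mgmt_network(src, networks):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def review_log(text, mgmt_networks=MGMT_NETWORKS):
    """Return a list of Finding objects for privileged activity that lacks a
    preceding successful login, and for logins from outside the management
    network. Processes lines in order, so state is per-log, not global."""
    findings = []
    authenticated = set()  # (src, user) pairs with a successful login seen so far
    for raw in text.splitlines():
        rec = parse_line(raw)
        if not rec or "src" not in rec or "user" not in rec:
            continue
        src, user, event = rec["src"], rec["user"], rec.get("event")
        key = (src, user)
        if event == "login" and rec.get("result") == "success":
            authenticated.add(key)
            if not in_mgmt_network(src, mgmt_networks):
                findings.append(Finding(rec["ts"], src, user,
                                        "successful login from outside management network"))
            continue
        if event in PRIVILEGED_EVENTS:
            if key not in authenticated:
                findings.append(Finding(rec["ts"], src, user,
                                        f"{event} without prior successful login"))
            elif not in_mgmt_network(src, mgmt_networks):
                findings.append(Finding(rec["ts"], src, user,
                                        f"{event} from outside management network"))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.user}: {f.reason}")
```

On the constructed sample this flags the config_change from 198.51.100.7 and the session_create from 203.0.113.9 (which followed a failed login), and nothing for the two in-network sessions. In production, feed it the IMC syslog export and tune PRIVILEGED_EVENTS to the event names your firmware version logs.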
3. Progress ShareFile Pre-Authentication RCE Chains
Severity: Critical | Affected sector: Technology
Two vulnerabilities in Progress ShareFile can be chained to achieve unauthenticated remote code execution and file exfiltration from enterprise file transfer systems. No authentication is required for exploitation.
Recommended Action
- Update Progress ShareFile to latest patched version immediately
- Restrict ShareFile access through network segmentation and IP whitelisting
- Audit ShareFile access logs for suspicious file transfer activity and unauthorized exports
4. Drift Protocol $280M Cryptocurrency Theft
Severity: Critical | Affected sector: Finance
Drift Protocol lost $280 million in a sophisticated attack where threat actors (attributed to North Korean APT) gained rapid control of the platform's Security Council administrative powers through a novel attack vector, demonstrating capability for coordinated financial system compromise.
Recommended Action
- Review all administrative access logs and security council transaction history for anomalies
- Implement multi-signature requirements and hardware security module protections for admin functions
- Engage incident response and law enforcement for recovery coordination
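The multi-signature recommendation above means a privileged action executes only once a threshold of distinct council members has independently approved that exact action. The block below is an added example, not Drift Protocol's or any on-chain program's code: it uses HMAC-SHA256 with per-member secret keys as a stand-in for real signatures (a deployment would use hardware-backed asymmetric keys), and the council names, key bytes and action fields are constructed. It shows the checks that matter regardless of signature scheme: binding approvals to a canonical encoding of the action, counting each member once, rejecting replays via a consumed-nonce set, and expiring stale proposals.

```python
import hashlib
import hmac
import json
import secrets
import time


def action_digest(action):
    """Canonical SHA-256 digest of the proposed action. Approvals are bound to
    this digest, so any change to op/target/nonce invalidates them."""
    canonical = json.dumps(action, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def approve(member, key, action):
    """A council member's approval: (member, HMAC over the action digest).
    HMAC stands in for a signature here; the threshold logic is unchanged."""
    mac = hmac.new(key, action_digest(action), hashlib.sha256).hexdigest()
    return member, mac


def authorize(action, approvals, council_keys, threshold, used_nonces,
              now=None, max_age=3600):
    """Return (ok, reason). Consumes the action's nonce only on success."""
    now = time.time() if now is None else now
    issued = action.get("issued_at", 0)
    if not (now - max_age <= issued <= now + 60):
        return False, "proposal expired or issued in the future"
    if action.get("nonce") in used_nonces:
        return False, "nonce already consumed (replay)"

    digest = action_digest(action)
    valid = set()  # a set, so one member approving twice still counts once
    for member, mac in approvals:
        key = council_keys.get(member)
        if key is None:
            continue  # unknown approver
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, mac):
            valid.add(member)

    if len(valid) < threshold:
        return False, f"only {len(valid)} of {threshold} required approvals"
    used_nonces.add(action["nonce"])
    return True, "authorized"


if __name__ == "__main__":
    # Constructed 2-of-3 council with random keys for a stand-alone run.
    council = {name: secrets.token_bytes(32) for name in ("alice", "bob", "carol")}
    consumed = set()
    proposal = {"op": "rotate_admin", "target": "PLACEHOLDER_ACCOUNT",
                "nonce": secrets.token_hex(16), "issued_at": time.time()}
    one = [approve("alice", council["alice"], proposal)]
    two = one + [approve("bob", council["bob"], proposal)]
    print(authorize(proposal, one, council, 2, consumed))   # (False, ...)
    print(authorize(proposal, two, council, 2, consumed))   # (True, 'authorized')
    print(authorize(proposal, two, council, 2, consumed))   # (False, replay)
```

The property worth noting is that a single compromised member key cannot push an action through: the attacker would need `threshold` distinct keys, and even captured approvals cannot be reused for a different target or after the nonce is consumed. Council-change operations themselves should sit behind the same gate with at least as high a threshold.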
5. Claude Code Source Leak Enabling Malware Distribution
Severity: High | Affected sector: Technology
Anthropic's Claude Code source code leak is being actively exploited by threat actors, who are creating fake GitHub repositories to deliver the Vidar information-stealing malware. A critical vulnerability in Claude Code was discovered days after the leak, expanding the attack surface.
Recommended Action
- Review GitHub dependency trees for suspicious Claude Code repositories or forks
- Alert users to verify Claude Code installations and update to patched version
- Monitor for Vidar infostealer indicators of compromise on developer systems
Today’s Action Checklist
- ☐ URGENT: Patch Cisco IMC, Progress ShareFile, and Next.js React2Shell vulnerabilities across all systems
- ☐ URGENT: Rotate all exposed credentials from compromised hosts (AWS, GitHub, SSH, database, API keys)
- ☐ HIGH: Audit and restrict network access to management interfaces (IMC, ShareFile, admin portals)
- ☐ HIGH: Deploy detection rules for residential proxy traffic and IP reputation bypasses
- ☐ HIGH: Review admin and security council access logs for unauthorized changes or anomalies
- ☐ MEDIUM: Verify Claude Code integrity and update to latest patched version
- ☐ MEDIUM: Implement enhanced monitoring for RAT and cryptomining malware indicators