Programmer’s Digest #164
12/10/2025-12/17/2025 New React RSC Vulnerabilities, Hackers Exploit GitHub, New PCPcat Exploiting React2Shell Vulnerability And More
1. New React RSC Vulnerabilities Enable DoS and Source Code Exposure
The React team has released fixes for newly discovered flaws in React Server Components (RSC) that could lead to denial-of-service (DoS) attacks or source code exposure. The issues were uncovered by security researchers while probing patches for CVE-2025-55182, a critical RSC vulnerability that has already been exploited in the wild. Two vulnerabilities, CVE-2025-55184 and CVE-2025-67779 (both CVSS 7.5), enable pre-authentication DoS through unsafe deserialization that can trigger infinite loops and hang server processes. A third issue, CVE-2025-55183 (CVSS 5.3), may allow attackers to retrieve Server Function source code via crafted HTTP requests under specific conditions. The flaws affect multiple 19.x versions of react-server-dom packages. Researchers RyotaK, Shinsaku Nomura, and Andrew MacPherson reported the issues. Users are strongly advised to upgrade to versions 19.0.3, 19.1.4, or 19.2.3 to mitigate risk.
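A quick defensive check to go with the upgrade advice, added here as an example rather than anything from the digest or the React project: it audits a package-lock.json for react-server-dom-* packages still below the patched releases (assumption: any 19.0.x below 19.0.3, 19.1.x below 19.1.4, or 19.2.x below 19.2.3 is treated as needing the upgrade; the lockfile contents are constructed).

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// for react-server-dom-* packages below the fixed releases 19.0.3 / 19.1.4 / 19.2.3.
// Assumption: every 19.x release below its line's fix is treated as affected.
const FIXED_PATCH = { 0: 3, 1: 4, 2: 3 }; // 19.<minor> -> first patched patch level

function parseVersion(v) {
  // Leading x.y.z only; a pre-release suffix like "-canary-..." is ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// True when the version sits in an affected 19.x line below its fixed patch level.
function needsUpgrade(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return false;
  const fixed = FIXED_PATCH[p.minor];
  return fixed !== undefined && p.patch < fixed;
}

// Walk every installed copy, including nested ones under other packages'
// node_modules, and report the version each should move to.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!name.startsWith('react-server-dom-') || !needsUpgrade(entry.version)) continue;
    const minor = parseVersion(entry.version).minor;
    findings.push({ path, name, version: entry.version, upgradeTo: `19.${minor}.${FIXED_PATCH[minor]}` });
  }
  return findings;
}

// Constructed sample lockfile: one direct dependency and one nested copy are outdated.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-parcel': { version: '19.1.4' },
    'node_modules/some-lib/node_modules/react-server-dom-webpack': { version: '19.0.1' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.version} -> upgrade to ${f.upgradeTo}`);
}
```

Against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.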
2. Hackers Exploit GitHub with Fake Repos to Spread PyStoreRAT Malware
Hackers are abusing GitHub by creating fake repositories that impersonate OSINT, GPT, and DeFi tools to distribute PyStoreRAT, a modular remote access trojan designed for data theft and system control. Active since mid-2025, the campaign primarily targets cybersecurity professionals, developers, and cryptocurrency users who trust open-source platforms for tooling. The attackers publish seemingly legitimate Python or JavaScript projects, often promoted on X and YouTube, and artificially inflate stars and forks to build credibility. After users run the code, hidden loaders fetch HTA files from remote servers, ultimately installing PyStoreRAT. In many cases, malicious code is injected later through “maintenance” commits, allowing repositories to appear benign for weeks or months.
Once deployed, PyStoreRAT enables credential and wallet theft, keylogging, and remote command execution while using obfuscation and encrypted communications to evade detection. Researchers warn this campaign highlights growing supply-chain risks on GitHub and recommend strict repository verification, behavioral monitoring, and isolated testing environments as key defenses.
3. FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE
Multiple critical vulnerabilities have been disclosed in the FreePBX platform, including a severe authentication bypass flaw.
Discovered by Horizon3.ai, the three primary flaws are:
- CVE-2025-61675 (8.6): Authenticated SQL injections across four endpoints.
- CVE-2025-61678 (8.6): An authenticated file upload flaw allowing PHP web shell deployment.
- CVE-2025-66039 (9.3): An authentication bypass when “Authorization Type” is set to “webserver,” enabling attackers to log into the admin panel with a forged header and insert malicious users.
These easily exploitable issues permit remote code execution. Updates have been released: CVE-2025-61675/61678 are fixed in versions 16.0.92/17.0.6, and CVE-2025-66039 in 16.0.44/17.0.23.
As mitigation, FreePBX advises setting “Authorization Type” to “usermanager” and disabling “Override Readonly Settings.” The “webserver” auth type is now considered legacy and offers reduced security; its configuration option has been removed from the UI. Users should analyze systems where it was enabled for signs of compromise.
4. New PCPcat Exploiting React2Shell Vulnerability to Compromise 59,000+ Servers
A new malware campaign dubbed PCPcat has compromised more than 59,000 servers in under 48 hours by exploiting critical vulnerabilities in Next.js and React environments. The attacks abuse two flaws—CVE-2025-29927 and CVE-2025-66478—that enable unauthenticated remote code execution through prototype pollution and command injection.
PCPcat scans public-facing Next.js applications at scale, testing around 2,000 targets per batch every 30–60 minutes, and has achieved an unusually high success rate of 64.6%. Once a vulnerable server is identified, the malware extracts environment files, cloud credentials, SSH keys, and command histories, exfiltrating the data via simple HTTP requests. The operation is coordinated through a command-and-control server in Singapore using three ports: 666 for payload delivery, 888 for reverse tunnels, and 5656 for core management. To maintain persistence, PCPcat installs proxy and tunneling tools, allowing attackers to retain access even after patches are applied.
5. Fortinet Firewalls Under Active Attack
Threat actors are actively exploiting two critical authentication bypass flaws in Fortinet FortiGate devices, tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS 9.8), which affect FortiOS and other products. These vulnerabilities allow attackers to bypass single sign-on protections using crafted SAML messages when FortiCloud SSO is enabled. This feature is enabled by default during FortiCare registration, leaving many organizations unknowingly exposed. In observed attacks, malicious SSO logins from specific hosting providers have been used to gain administrative access, export full device configurations, and steal hashed credentials. Although these hashes require cracking, weak or reused passwords remain vulnerable. CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by December 23rd, 2025. To mitigate risk, organizations should immediately apply updates, change all passwords, and restrict management interface access to trusted internal networks only.