Episode Transcript
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale.
You can find them at meter.com/cst.
A React flaw hits a perfect 10 CVSS score.
Microsoft patches an exploited .lnk flaw it left open for years.
Evilginx bypasses MFA in schools and universities.
Shady Panda hides malicious extensions for years.
And Google's agentic AI wipes a developer's hard drive, but it does say it's sorry.
This is Cybersecurity Today. I'm your host, Jim Love.
A maximum severity vulnerability has been disclosed in React server components that could allow remote code execution.
The Hacker News reports that the flaw, tracked as CVE-2025-55182 and nicknamed React2Shell, carries a CVSS score of 10.0, the highest possible rating.
It affects React's server-side architecture and frameworks built on top of it, including Next.js. Endor Labs said an attacker needs only network access to send a crafted HTTP request to any server function endpoint.
The vulnerability affects default framework configurations, meaning standard deployments are immediately exploitable without special conditions.
Researchers from Oligo Security and Cato Networks discovered the underlying issues and reported them to Meta and Vercel.
Meta supports React, and Vercel supports Next.js.
React Server Components sit at the boundary between the server logic and the client rendering.
This flaw breaks that boundary under the right conditions.
It allows an attacker to run code on the server, access sensitive data, or manipulate application behavior.
Wiz, a cloud security firm, said that 39% of cloud environments contain instances vulnerable to either CVE-2025-55182 or the related CVE-2025-66478, which I believe was collapsed into 55182.
Meta and Vercel have released patches, and both companies have issued security advisories recommending that developers update immediately.
Until those patches can be applied, Endor Labs recommends deploying web application firewall rules, monitoring HTTP traffic for suspicious or malformed requests, and, if possible, temporarily restricting network access to affected applications.
But of course, that's just a stopgap.
Developers using React Server Components or Next.js should update to the fixed versions as soon as humanly possible.
Microsoft has quietly fixed a Windows shortcut vulnerability that it left unpatched for years, despite repeated warnings from security researchers.
The flaw involves the way Windows processes .lnk files, the small shortcut icons you see on the desktop or in folders.
Malicious versions of these files can trigger code execution simply by being displayed in Windows Explorer.
For a long time, Microsoft classified the issue as low risk and declined to issue a security update.
Researcher John Page, known as hyp3rlinx, has been flagging this problem for years, including publishing proof-of-concept attacks that showed how easily a crafted shortcut file could be weaponized.
But this month, Microsoft quietly reversed its position.
The company added this fix to its December cumulative update, and confirmed that the vulnerability has been exploited in the wild.
The patch was not included in the main Patch Tuesday notes and was documented only after researchers noticed the change.
Shortcut based attacks have a long history.
They were used in some early high profile campaigns, including Stuxnet, because the attack triggers without the user needing to open a file.
Now that Microsoft acknowledges active exploitation, administrators should ensure that December's cumulative Windows updates are indeed applied.
Evilginx is an attacker-in-the-middle phishing platform that steals session cookies, letting threat actors slip past multifactor authentication.
It's been around for years, but Malwarebytes is reporting a new wave of attacks using the toolkit against educational institutions.
The attack works by sending victims to a page that looks exactly like a regular website: a bank login, a web shop, or, in this case, a school sign-on page. In reality, it's a live proxy to the real site.
When the victim enters their username, password, and MFA code, Evilginx forwards everything to the legitimate service, which issues a session cookie.
Evilginx captures that cookie, and the attacker can then impersonate the victim without seeing another MFA prompt.
Once inside, attackers can browse email, change security settings, move money where systems allow it, or steal data until the session expires or is revoked.
Some companies, especially in financial services, have seen this and added protections such as a second MFA challenge for high-risk actions.
But those measures only limit what an attacker can do.
They don't prevent the cookie theft itself.
Malwarebytes notes that these attacks are difficult to detect.
The fake page uses valid TLS and real content from the legitimate site, making the traditional "look for the padlock" advice ineffective.
The phishing links also tend to disappear quickly, which makes blocklisting unreliable.
Malwarebytes recommends being cautious with unexpected links, using real-time anti-malware and web protection, and choosing phishing-resistant MFA, such as hardware keys or passkeys.
But if something seems off, revoke active sessions, sign back in with MFA, and review your account settings.
A threat actor known as Shady Panda ran a stealth campaign over years using useful and popular browser extensions before quietly introducing malicious code through updates.
According to reporting from The Register and eSecurity Planet, these extensions were available in both the Chrome and Edge web stores and ultimately affected more than 4 million users.
The extensions worked as advertised.
The first ones loaded were legitimate, and that helped them stay under the radar for a long time.
Only after enough users had installed them did Shady Panda begin slipping in code that harvested browsing activity and other data and shipped it overseas, probably to Chinese servers.
Because updates appeared routine and the extensions had already built trust, the malicious behavior went largely unnoticed.
Google says it inspects extension updates, but it reports that it has not seen recent exploitation from this group.
Microsoft, on the other hand, removed the extensions only after reporters asked about them.
They'd remained active on Edge for years, until they were recently detected.
Neither company has provided a full timeline of when the malicious changes were detected and removed.
This campaign shows how patient threat actors can be. By starting with fully functional tools, they avoid scrutiny and gain a large base of victims before activating any harmful features.
In this case, Shady Panda appears to have waited years before turning these legitimate extensions into a data harvesting operation.
Which brings us to a crucial point.
We constantly advise updating software as a protective or defensive move, and we also advise thoroughly inspecting new applications.
We may have to add to that advice: you have to be constantly vigilant about software, even software that you update.
A developer using Google's new Antigravity toolset asked the system to clear a cache file, and instead it irretrievably deleted his entire hard drive.
Apparently the tool misinterpreted the request and executed a command that recursively erased the system without any confirmation step.
According to the reports in Tom's Hardware, the developer had granted the agent elevated file system permissions so it could handle routine housekeeping tasks.
When he issued the instruction to clear a cache, the agent interpreted it broadly and invoked this recursive delete command. When questioned, the AI responded with, "I am deeply, deeply sorry. This is a critical failure on my part."
The developer in turn acknowledged that his wording could have been vague, but the outcome highlights a deeper problem.
The system had the authority to run destructive commands and did so automatically.
We should note that these agentic tools are still early in their development, barely more than experimental.
And they're built to take actions rather than provide suggestions.
So without strict guardrails, scoped permissions, or mandatory confirmations, a simple misunderstanding can result in catastrophic data loss.
This wasn't an attack; it was a failure of safety controls in what we have to regard as an application. And to paraphrase the old Groucho Marx saying, with applications like this, who needs malware?
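As an added illustration, not code from the Antigravity tool or from the reporting above: a small Python gate of the kind the scoped-permissions-plus-confirmation advice implies. It resolves the path an agent asks to delete, refuses anything outside an allowed cache scope or anything that would take the filesystem root or the home directory with it, and requires a human confirmation callback before any recursive delete. The allowed roots and sample paths are constructed for the example.

```python
"""Scoped, confirm-before-destroy gate for an agent's file-deletion actions (illustrative)."""
import os
import shutil
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Decision:
    allowed: bool             # may the action proceed at all?
    needs_confirmation: bool  # must a human approve before it runs?
    reason: str


# Locations no housekeeping task should ever be allowed to remove (constructed list).
NEVER_DELETE = [Path("/"), Path(os.path.expanduser("~"))]


def plan_delete(target: str, recursive: bool, allowed_roots: list[str]) -> Decision:
    """Decide whether a delete request stays inside the agent's scope."""
    # resolve() follows symlinks and collapses '..', so a path that looks like
    # cache/x but really lands elsewhere is judged by where it actually points.
    real = Path(target).expanduser().resolve()
    roots = [Path(r).expanduser().resolve() for r in allowed_roots]

    for forbidden in NEVER_DELETE:
        f = forbidden.resolve()
        # Deleting 'real' would wipe a protected location if it is that location or an ancestor of it.
        if real == f or f.is_relative_to(real):
            return Decision(False, False, f"refusing to delete {real}: protected location")
    if not any(real == r or real.is_relative_to(r) for r in roots):
        return Decision(False, False, f"{real} is outside the allowed scope {allowed_roots}")
    if recursive:
        return Decision(True, True, f"recursive delete of {real} requires confirmation")
    return Decision(True, False, f"single-file delete of {real} within scope")


def execute_delete(target: str, recursive: bool, allowed_roots: list[str], confirm) -> bool:
    """Run the delete only if the gate allows it and, when required, confirm(reason) returns True."""
    decision = plan_delete(target, recursive, allowed_roots)
    if not decision.allowed:
        return False
    if decision.needs_confirmation and not confirm(decision.reason):
        return False
    real = Path(target).expanduser().resolve()
    if recursive:
        shutil.rmtree(real)
    else:
        real.unlink()
    return True
```

The gate is deliberately on the tool-call side: even if the model paraphrases "clear the cache" into a broad recursive delete, the action cannot leave the cache directories, and a recursive delete still stops for a human before anything is removed.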
And that's our show for today.
We'd like to thank Meter for their support in bringing you the podcast. Meter delivers full-stack networking infrastructure, wired, wireless, and cellular, to leading enterprises.
Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space: they design the hardware, build the firmware and the software, manage deployments, and even run support.
It's a single integrated solution that scales from branch offices and warehouses all the way to large campuses and data centers.
Book a demo at meter.com/cst.
That's M-E-T-E-R dot com slash C-S-T.
And you can reach me at technewsday.com with your tips, comments, or even constructive criticism.
If you're watching this on YouTube, you can just leave a note under the video.
Or as some of you do, track me down on LinkedIn.
Love to hear from you.
I'm your host, Jim Love.
Thanks for listening.
