Executive Summary
The Australian cyber threat landscape has reached a critical juncture in the last 24 hours. The primary focus for all security teams today is the rapid weaponisation of the ‘React2Shell’ vulnerability (CVE-2025-55182), which is actively being exploited by Chinese state-sponsored actors and cybercriminal syndicates to compromise web applications across the SaaS, FinTech, and Government sectors. Simultaneously, the healthcare sector faces a renewed supply chain crisis following a breach at a major IT services provider.
Here is your daily threat briefing for 13 December 2025.
Critical Vulnerability Alert: 'React2Shell' (CVE-2025-55182)
Sectors Impacted: SaaS, FinTech, Government, eCommerce
The Australian Cyber Security Centre (ACSC) has issued an "Act Now" alert regarding a critical Remote Code Execution (RCE) vulnerability in React Server Components, affecting versions 19.0 through 19.2.0.
- The Threat: Dubbed "React2Shell," this flaw allows unauthenticated attackers to execute arbitrary code on the server by manipulating the deserialisation logic of the Flight protocol.
- Current Activity: Intelligence indicates that multiple Advanced Persistent Threat (APT) groups, including those with a nexus to China, are operationalising this exploit to install web shells and exfiltrate sensitive customer data from Australian organisations.
- Why It Matters: With over 500 Australian organisations estimated to be vulnerable, this represents a "perfect 10" severity risk. FinTech platforms and SaaS providers using Next.js (App Router) are particularly exposed.
- Action: Patch immediately to the latest safe version. If patching is not feasible today, implement strict WAF rules to block malformed serialisation requests.
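The first step in the "patch immediately" action is knowing where the affected versions actually are. The following is an added example (not ACSC or React project tooling) that walks a package-lock.json and flags React Server Components packages whose version falls in the range the alert names, 19.0 through 19.2.0. The package list and the lockfile contents are constructed for the example; treat every hit as a candidate to confirm against the vendor advisory, since the briefing gives only a coarse range.

```python
"""Inventory check for CVE-2025-55182 ('React2Shell') candidates in a lockfile.

Added example, not part of the briefing or the React project. Assumptions:
 - the affected range is 19.0.0 through 19.2.0 inclusive, as the alert states;
 - RSC_PACKAGES is our own guess at which npm packages carry the Flight
   deserialisation code; the alert names only "React Server Components".
"""
import json
import re

# Assumed package names to inspect (constructed list for this example).
RSC_PACKAGES = {
    "react",
    "react-dom",
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
}

AFFECTED_MIN = (19, 0, 0)
AFFECTED_MAX = (19, 2, 0)   # inclusive upper bound, as given in the alert


def parse_version(version):
    """Return (major, minor, patch) for 'X.Y.Z' or 'X.Y.Z-tag'; None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True when the version sits inside the range the alert describes."""
    t = parse_version(version)
    return t is not None and AFFECTED_MIN <= t <= AFFECTED_MAX


def find_affected(lockfile_text):
    """Scan a lockfileVersion 2/3 'packages' map, including nested copies.

    Returns a list of (install path, package name, version) tuples.
    """
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        # Nested installs look like node_modules/a/node_modules/react
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name in RSC_PACKAGES and is_affected(version):
            hits.append((path, name, version))
    return hits


# Constructed lockfile: two affected top-level packages, one affected RSC
# runtime, an unaffected nested React 18, and an unrelated framework package.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-dom": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
        "node_modules/next": {"version": "15.0.0"},
        "node_modules/some-lib/node_modules/react": {"version": "18.3.1"},
    },
})

if __name__ == "__main__":
    for path, name, version in find_affected(SAMPLE_LOCK):
        print(f"REVIEW {name}@{version} at {path}")
```

Run it over each repository's lockfile (or the lockfile baked into a container image) rather than over package.json, because the lockfile records what is actually installed, including transitive copies that a top-level dependency range would hide.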
Sector Spotlight: Healthcare & Education
Threat Actor: KillSec
Trend: Supply Chain Compromise & Extortion-Only Attacks
A significant supply chain attack has been identified targeting the Australian healthcare sector. Hexicor, a prominent IT services provider, has reportedly been compromised by the KillSec ransomware gang.
- Impact: This breach has potentially exposed credentials and sensitive patient data for dozens of downstream healthcare and aged-care clients.
- Tactical Shift: This incident aligns with a broader trend observed in the last 24 hours: a 40% rise in "extortion-only" attacks against Australian healthcare providers. Attackers are increasingly skipping the encryption phase to avoid automated detection, focusing instead on stealthy data theft to demand silence fees.
- Education Sector: KillSec has also claimed responsibility for an attack on the Albright Institute, highlighting their aggressive targeting of sectors holding personally identifiable information (PII).
Emerging Tech Risks: AI & Cloud Systems
Vulnerabilities: CVE-2025-64671 & CVE-2025-34291
As Australian enterprises rush to adopt Agentic AI, new attack surfaces are opening up:
- GitHub Copilot RCE (CVE-2025-64671): A new remote code execution vulnerability has been discovered in the GitHub Copilot plugin for JetBrains IDEs. This poses a severe risk to software supply chains, potentially allowing attackers to inject malicious code directly into developer environments.
- Langflow AI (CVE-2025-34291): A critical vulnerability in the popular Langflow AI agent platform allows for complete account takeover and RCE. Exploitation could expose API keys for integrated cloud services (AWS, Azure) and SaaS tools.
IoT & Operational Technology (OT)
Sectors: Manufacturing, Smart Infrastructure
- ScadaBR Vulnerability: A new vulnerability in ScadaBR automation software, widely used in Australian manufacturing and building management systems, has been added to the Known Exploited Vulnerabilities (KEV) catalogue. Attackers are using this entry point to pivot into Operational Technology (OT) networks.
- Smart Vehicle Warning: The eSafety Commissioner has issued a warning regarding the weaponisation of smart car telemetry. Features allowing remote tracking and locking are being exploited in domestic abuse scenarios, and the Commissioner has urged manufacturers to implement stricter access governance.
Recommendations
- Prioritise React Patching: Treat CVE-2025-55182 as an emergency change request.
- Review Third-Party Access: Healthcare organisations should immediately audit access logs for any connections from MSPs or third-party IT providers like Hexicor.
- Secure AI Workflows: Ensure developers using AI coding assistants have updated their plugins and that AI agent platforms are behind strict authentication layers.
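The "Review Third-Party Access" recommendation is easier to act on with a concrete filter than with a manual read of the logs. The following is an added example (not Hexicor's, KillSec's or any vendor's tooling) that audits authentication events for MSP and vendor accounts and flags three things a defender cares about after a provider compromise: logins from outside the source range the vendor declared, logins outside the agreed maintenance window, and repeated failures suggesting credential guessing. The log format, account names, IP ranges and maintenance window are all constructed for this example and are stand-ins for your own VPN, RDP gateway or IdP export.

```python
"""Audit authentication logs for third-party / MSP account activity.

Added example for the 'Review Third-Party Access' recommendation. Everything
below (log format, accounts, CIDRs, window, threshold) is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed inventory: vendor account -> source range the vendor declared.
THIRD_PARTY = {
    "svc-msp-support": ipaddress.ip_network("203.0.113.0/24"),
    "vendor-remote":   ipaddress.ip_network("198.51.100.0/24"),
}
MAINT_WINDOW = (9, 17)   # assumed UTC hours in which vendor logins are expected
FAIL_THRESHOLD = 3       # failed attempts per account before flagging

# Constructed line format:
#   <ISO8601 UTC> <host> login user=<name> src=<ip> result=success|failure
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+login\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def audit(lines):
    """Return (account, finding_kind, raw_line) tuples for vendor-account anomalies.

    Only accounts listed in THIRD_PARTY are examined; staff logins are ignored.
    """
    findings = []
    failures = defaultdict(int)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["user"] not in THIRD_PARTY:
            continue
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        if ev["result"] == "failure":
            failures[user] += 1
            if failures[user] == FAIL_THRESHOLD:   # flag once, at the threshold
                findings.append((user, "repeated_failures", raw.strip()))
            continue
        if src not in THIRD_PARTY[user]:
            findings.append((user, "unexpected_source", raw.strip()))
        if not (MAINT_WINDOW[0] <= ts.hour < MAINT_WINDOW[1]):
            findings.append((user, "outside_window", raw.strip()))
    return findings


# Constructed sample: one clean vendor login, one staff login, one vendor login
# at night, and a burst of failures followed by a success from an undeclared IP.
SAMPLE_LOG = """\
2025-12-12T10:15:02Z vpn01 login user=svc-msp-support src=203.0.113.45 result=success
2025-12-12T10:16:40Z vpn01 login user=alice src=192.0.2.10 result=success
2025-12-12T23:41:07Z vpn01 login user=svc-msp-support src=203.0.113.45 result=success
2025-12-12T23:42:19Z vpn01 login user=vendor-remote src=192.0.2.77 result=failure
2025-12-12T23:42:25Z vpn01 login user=vendor-remote src=192.0.2.77 result=failure
2025-12-12T23:42:31Z vpn01 login user=vendor-remote src=192.0.2.77 result=failure
2025-12-12T23:42:50Z vpn01 login user=vendor-remote src=192.0.2.77 result=success
"""

if __name__ == "__main__":
    for user, kind, line in audit(SAMPLE_LOG.splitlines()):
        print(f"{kind:18} {user:16} {line}")
```

The point of keying on the vendor's declared source range and window is that a compromised provider's credentials are valid credentials: there is nothing wrong with the password, so the only signal left is where and when it was used. Pair this with a review of what those accounts touched after the flagged logins, and rotate the credentials regardless of what the audit finds.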
Contact us for a quote for penetration testing services or adversary simulation.