Executive Summary
The last 24 hours have been critical for Australian cyber defenders. A new maximum-severity vulnerability in the React framework, dubbed "React2Shell," is being actively exploited by state-sponsored actors, sending shockwaves through the SaaS and FinTech sectors. Simultaneously, the Australian healthcare and education sectors are grappling with fresh ransomware extortion attempts and significant data leaks.
Vulnerability Spotlight: The "React2Shell" Crisis
CVE-2025-55182 (CVSS 10.0): React Server Components RCE
The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) has issued an "act now" alert regarding a critical unauthenticated Remote Code Execution (RCE) flaw in React Server Components.
- The Threat: This vulnerability affects React 19 and widely used frameworks like Next.js. It allows attackers to execute arbitrary code on the server by sending a single malicious HTTP request, bypassing authentication entirely.
- Active Exploitation: Intelligence indicates that China-nexus threat actors, including Earth Lamia and Jackpot Panda, are weaponising this flaw to deploy persistent backdoors and XMRig cryptocurrency miners into cloud environments.
- Action: Engineering teams must upgrade to React versions 19.0.1+ or Next.js patched releases immediately. WAF rules should be tuned to block suspicious serialisation payloads.
CVE-2025-68613 (CVSS 9.9): n8n Workflow Automation RCE
A critical flaw in the popular workflow automation tool n8n has been disclosed. Attackers can inject malicious expressions into workflows to gain full control over the underlying server. This is particularly dangerous for SaaS providers and FinTech firms relying on n8n for backend automation.
WooCommerce Store API Vulnerability
A critical privacy flaw affecting WooCommerce (versions 8.1 to 10.4.2) was patched yesterday. The vulnerability allowed logged-in users to access the sensitive order details (PII) of guest customers via the Store API. While an auto-update has been rolled out to many stores, eCommerce administrators should manually verify that their version is 10.4.3 or higher.
Sector-Specific Intelligence
Healthcare: Genea Targeted by Termite Ransomware
The Termite ransomware gang has claimed responsibility for a cyber attack on Genea, one of Australia's leading fertility service providers. The group alleges they have exfiltrated 700GB of highly sensitive data, including patient medical histories and diagnostic results. This incident reinforces the healthcare sector's position as the primary target for extortion in late 2025.
Education: University of Sydney Data Breach
The University of Sydney has notified stakeholders of a significant data breach affecting approximately 27,000 individuals, including staff, alumni, and students.
- Root Cause: A "DevSecOps" failure in which production data was stored in a non-production development environment, an unprotected code repository that was accessible online.
- Lesson: Educational institutions must enforce strict data sanitisation policies for test environments.
Government: Muswellbrook Shire Council Data Dump
Following a ransomware incident last month, the SafePay gang has reportedly published 175GB of stolen data from the Muswellbrook Shire Council. The dump includes internal correspondence and resident data, highlighting the catastrophic failure of "pay or we leak" negotiations.
IoT: Solar Inverters & Smart Homes
New research from Bitdefender and NETGEAR indicates a sharp rise in attacks targeting Australian smart homes, with a specific focus on solar inverters. These devices are being probed for vulnerabilities that could allow attackers to destabilise local power grids or pivot into home networks.
Strategic Recommendations
- Patch React & Next.js Stacks: Prioritise CVE-2025-55182. If immediate patching is impossible, isolate affected services from the public internet.
- Sanitise Non-Prod Environments: Review all development and staging environments to ensure no live PII is present. The USyd breach demonstrates that "obscurity" is not security.
- Review Third-Party Integrations: With the n8n and WooCommerce vulnerabilities, audit all third-party automation and eCommerce plugins for recent security updates.
- Healthcare Vigilance: Medical providers should urgently review egress filtering and backup immutability, as Termite ransomware is actively hunting in the region.
Contact us for a quote for penetration testing services or adversary simulation.