Welcome back! In this edition, we bring you the latest in cloud security: noteworthy incidents, exclusive data, and crucial vulnerabilities. Let’s jump in.
🔍 Highlights
React2Shell: Critical RCE Vulnerability in React and Next.js
React2Shell (CVE-2025-55182) is a critical, unauthenticated remote code execution vulnerability rooted in insecure deserialization within the React Server Components (RSC) "Flight" protocol. It impacts React 19 and RSC-enabled frameworks, most notably Next.js. The flaw affects default configurations: a standard production deployment can be exploited with a single crafted HTTP request, with no developer misconfiguration required, and exploitation has been demonstrated with near-100% reliability.
Since early December 2025, exploitation has been observed in the wild by multiple security teams, including Wiz Research, with attackers targeting internet-facing Next.js applications and Kubernetes workloads, followed by post-exploitation activity such as cloud credential harvesting, cryptomining, and attempts to deploy malware frameworks like Sliver. Hardened releases for React and Next.js are now available, and immediate patching is the only effective mitigation, including for any framework bundling the affected react-server implementation.
Wiz data indicates that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182. Next.js itself is present in 69% of environments, and 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances regardless of the version running.
Learn more in our blogs: 1 | 2
MongoBleed: Information Leak Vulnerability in MongoDB
MongoDB has disclosed a high-severity unauthenticated information leak vulnerability, tracked as CVE-2025-14847 and dubbed MongoBleed (after Heartbleed), affecting multiple supported and legacy MongoDB Server versions. The flaw can be exploited remotely by unauthenticated attackers with low complexity, potentially leading to exfiltration of sensitive data and credentials. Self-hosted MongoDB instances remain at risk until patched, whereas MongoDB Atlas instances have been upgraded automatically and no customer action is required.
Based on Wiz data, 42% of cloud environments have at least one instance of MongoDB in a version vulnerable to CVE-2025-14847, including both publicly exposed and internal resources. Wiz has been able to validate many internet-facing instances as exploitable.
Learn more in our blog.
🐞 High Profile Vulnerabilities
Critical Authentication Bypass Vulnerabilities in FortiOS and FortiProxy
Fortinet has disclosed two critical authentication bypass vulnerabilities (CVE-2025-59718, CVE-2025-59719) that affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. If FortiCloud SSO login is enabled, an unauthenticated attacker can craft a malicious SAML message to bypass login authentication entirely. Although FortiCloud SSO is disabled by default, it may be automatically enabled during FortiCare registration, so do not assume a device is unaffected without checking the setting. The vulnerabilities were exploited in the wild shortly after public disclosure.
According to Wiz data, 1.5% of cloud environments have resources vulnerable to CVE-2025-59718 or CVE-2025-59719.
Learn more here.
Critical XXE Vulnerability in Apache Tika
A critical XML External Entity (XXE) vulnerability in Apache Tika, tracked as CVE-2025-66516 (CVSS 10.0), allows an attacker who can get Tika to parse a crafted PDF containing XFA forms to read local files, exfiltrate sensitive data, and trigger server-side request forgery (SSRF). The issue affects multiple Tika modules and requires urgent patching, as public proof-of-concept exploits are available.
According to Wiz data, 52% of cloud environments have resources vulnerable to CVE-2025-66516.
Learn more here.
Vulnerabilities in SonicWall SMA1000 Appliances Exploited in the Wild
SonicWall has disclosed a local privilege escalation vulnerability in the SMA1000 Appliance Management Console (AMC) that allows an authenticated attacker to escalate privileges to root (CVE-2025-40602). On its own the vulnerability requires prior access, but SonicWall confirmed it has been chained with a previously disclosed critical pre-auth RCE (CVE-2025-23006) to achieve unauthenticated remote code execution as root, which significantly increases the real-world risk.
Learn more here.
RCE Vulnerability in WatchGuard Firebox Exploited in the Wild
On December 19, 2025, WatchGuard disclosed a critical out-of-bounds write vulnerability affecting Firebox appliances running Fireware OS. Tracked as CVE-2025-14733 and rated CVSS 9.3, the flaw allows a remote, unauthenticated attacker to execute arbitrary code via the IKEv2 service. WatchGuard confirms active exploitation attempts in the wild.
According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2025-14733.
Learn more here.
Critical Post-Auth RCE Vulnerability in n8n
A critical remote code execution vulnerability (CVE-2025-68613) has been disclosed in n8n's workflow expression evaluation feature. An authenticated user who can create or edit workflows can inject crafted expressions that execute in an insufficiently isolated server-side context, potentially leading to arbitrary code execution with the privileges of the n8n process and full compromise of the instance. Note that "post-auth" here includes any account allowed to edit workflows, not only administrators.
According to Wiz data, 7% of cloud environments have resources vulnerable to CVE-2025-68613.
Learn more here.
Gogs 0-Day Vulnerability Exploited in the Wild
Wiz Threat Research has identified active, in-the-wild exploitation of a zero-day vulnerability in Gogs, a popular self-hosted Git service. The flaw, tracked as CVE-2025-8110, allows authenticated attackers to achieve remote code execution (RCE) by abusing symbolic links to bypass the fix for a previously patched vulnerability. More than 700 publicly exposed Gogs instances were found compromised, exploitation is ongoing, and no patch is currently available.
According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2025-8110.
Learn more in our blog.
Security incidents & campaigns
China-nexus Campaign Exploits CVE-2025-20393 in Cisco Email Security Devices
Cisco announced that UAT-9686, which it assesses with moderate confidence to be a China-nexus APT, is exploiting an unpatched vulnerability in Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager (CVE-2025-20393). The actor has deployed a passive backdoor along with tools to delete logs and tunnel traffic.
Learn more here.
Cryptomining Campaign Leveraging Compromised AWS IAM Credentials
A widespread cloud attack campaign was found to use stolen AWS IAM credentials to deploy unauthorized cryptomining workloads across EC2 and ECS environments. The attackers also used persistence techniques such as disabling termination protection, creating overly permissive IAM users, and exposing public Lambda endpoints to maintain access and potentially expand their control beyond cryptomining. Each of these leaves a distinct CloudTrail footprint, which is the practical place to hunt for this activity.
Read more here.
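The three persistence techniques above each show up as specific CloudTrail API calls. As an added example (not code from Wiz or the referenced write-up), the following Python script tags those events and groups them by the calling identity, so one stolen credential's actions read as a single chain rather than scattered events. The sample events, account ID, ARNs, instance ID and user names are constructed placeholders, not indicators from the campaign; the field names follow CloudTrail's requestParameters for the EC2, IAM and Lambda APIs.

```python
"""Triage CloudTrail events for the persistence techniques described above.

Added example, not code from Wiz or from the referenced write-up. The sample
events are constructed for illustration; account IDs, ARNs, instance IDs and
names are placeholders, not indicators from the campaign.
"""
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def wildcard_inline_policy(policy_document: str) -> bool:
    """True if an inline policy document allows Action "*" on Resource "*"."""
    try:
        doc = json.loads(policy_document)
    except (TypeError, ValueError):
        return False
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(
        st.get("Effect") == "Allow"
        and "*" in _as_list(st.get("Action"))
        and "*" in _as_list(st.get("Resource"))
        for st in statements
    )


def classify(event: dict):
    """Return a finding string for an event matching one of the techniques
    (termination-protection change, over-permissive IAM user, public Lambda
    endpoint), or None for anything else."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}

    # EC2: termination protection toggled. Either direction on a suspect
    # host is worth a look, so both are reported with the new state.
    if name == "ModifyInstanceAttribute" and "disableApiTermination" in params:
        state = "enabled" if params["disableApiTermination"].get("value") else "disabled"
        return f"termination protection {state} on {params.get('instanceId')}"

    # IAM: blanket admin managed policy, or a wildcard inline policy.
    # CreateUser alone is low signal and is left to the grouping below.
    if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
        return f"AdministratorAccess attached to IAM user {params.get('userName')}"
    if name == "PutUserPolicy" and wildcard_inline_policy(params.get("policyDocument", "")):
        return f"wildcard inline policy on IAM user {params.get('userName')}"

    # Lambda: function URL with no IAM auth, or a resource policy that lets
    # principal "*" invoke the URL unauthenticated.
    if name == "CreateFunctionUrlConfig" and params.get("authType") == "NONE":
        return f"unauthenticated function URL on {params.get('functionName')}"
    if (name == "AddPermission" and params.get("principal") == "*"
            and params.get("functionUrlAuthType") == "NONE"):
        return f"public invoke permission on {params.get('functionName')}"
    return None


def triage(lines):
    """Parse newline-delimited CloudTrail events and group findings by the
    calling identity (userIdentity.arn), preserving event order."""
    by_actor = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        finding = classify(event)
        if finding is None:
            continue
        actor = (event.get("userIdentity") or {}).get("arn", "unknown")
        by_actor.setdefault(actor, []).append((event.get("eventTime"), finding))
    return by_actor


# Constructed sample events (placeholders, not real log data).
_ACTOR = {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}
_WILDCARD_DOC = json.dumps({"Version": "2012-10-17",
                            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2025-12-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": _ACTOR, "requestParameters": {}},
    {"eventTime": "2025-12-01T10:02:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": _ACTOR, "requestParameters": {"instanceId": "i-0123456789abcdef0",
                                                   "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-12-01T10:05:00Z", "eventName": "CreateUser",
     "userIdentity": _ACTOR, "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2025-12-01T10:05:30Z", "eventName": "AttachUserPolicy",
     "userIdentity": _ACTOR, "requestParameters": {"userName": "backup-svc",
                                                   "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2025-12-01T10:06:00Z", "eventName": "PutUserPolicy",
     "userIdentity": _ACTOR, "requestParameters": {"userName": "backup-svc", "policyName": "all",
                                                   "policyDocument": _WILDCARD_DOC}},
    {"eventTime": "2025-12-01T10:10:00Z", "eventName": "CreateFunctionUrlConfig",
     "userIdentity": _ACTOR, "requestParameters": {"functionName": "health", "authType": "NONE"}},
    {"eventTime": "2025-12-01T10:10:05Z", "eventName": "AddPermission",
     "userIdentity": _ACTOR, "requestParameters": {"functionName": "health",
                                                   "action": "lambda:InvokeFunctionUrl",
                                                   "principal": "*", "functionUrlAuthType": "NONE"}},
]]

if __name__ == "__main__":
    for actor, findings in triage(SAMPLE_EVENTS).items():
        print(actor)
        for when, what in findings:
            print(f"  {when}  {what}")
```

Each of these calls also occurs in legitimate operations (admins do attach AdministratorAccess, and termination protection gets toggled during maintenance), so treat the output as triage input rather than a verdict. What makes the campaign stand out is the chain: several of these calls from one identity in a short window, especially one that has not made such calls before.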
Amadey Loader Abuses Compromised Self-Hosted GitLab to Deliver StealC Infostealer
A new Amadey malware campaign has been observed exploiting a compromised, self-hosted GitLab instance to distribute the StealC infostealer. By abusing a long-standing domain with valid TLS certificates, threat actors established a legitimate-looking payload delivery infrastructure that effectively evades traditional security controls while enabling multi-stage credential theft and cryptocurrency hijacking.
Learn more here.
GeoServer RCE Exploited in CoinMiner Campaigns
Threat actors are actively exploiting a known remote code execution vulnerability (CVE-2024-36401) in GeoServer to deploy cryptocurrency miners on exposed instances. Multiple campaigns have been observed abusing the same flaw to install XMRig-based CoinMiners, often alongside tools that enable persistence, lateral movement, and follow-on payload delivery.
Learn more here.
Hold on to your headphones!
Tune in to "Crying Out Cloud", our monthly roundup of cloud security news podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏
Listen on Spotify and Apple Podcasts.