React2Shell Remote Code Execution in React Server Components (RSC)

Discovered: December 3rd, 2025 (rapid exploitation observed)


Impacted Tech: React Server Components (RSC), Next.js using RSC, and frameworks leveraging React’s server-side streaming semantics – including deployments on Vercel, AWS Lambda, and custom Node.js servers.


Summary:

A newly disclosed vulnerability in React Server Components, known as React2Shell (CVE-2025-55182), allows unauthenticated attackers to break out of the React rendering pipeline and execute arbitrary JavaScript on the server. Major cloud providers, including AWS, report active exploitation by China-nexus threat groups, with attacks observed within hours of public proof-of-concept publication. Because RSC is widely deployed across high-traffic Next.js and React platforms, the vulnerability presents broad, high-impact risk for data exfiltration, account takeover, supply-chain–style compromise, and credential theft.

Technical Details:

An unauthenticated attacker can send a malicious POST request that smuggles a payload React mistakenly treats as a legitimate server-side action. React ultimately evaluates the attacker’s input using a server-execution mechanism that mirrors vm.runInThisContext, so the payload runs with the same privileges as the Node.js runtime. In vulnerable builds, this results in direct remote code execution.


Verify Exposure:
1. Determine whether your application uses React Server Components or Next.js server actions.

2. Test the RSC endpoint with a benign malformed server-action payload – servers that fail to reject the request may be exposed.

3. Review logs for unexpected module resolution errors or failed server-action evaluations.

Interim Mitigation Measures:

  • Update vulnerable React/Next.js applications to the latest patched versions.
  • If immediate patching is not possible, apply temporary WAF or middleware filters to block malformed server-action payloads, and disable RSC/server actions or restrict their exposure behind authentication.
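One way to implement the last measure above, keeping server actions reachable only by logged-in users, as a framework-agnostic decision function (an added example, not React or Next.js project code; it assumes Next.js marks server-action POSTs with a Next-Action request header, and the session cookie name, token validator and body-size cap are hypothetical):

```javascript
// Added example (not React or Next.js project code): a middleware decision
// that puts server-action POSTs behind an existing login, per the interim
// measure above. Assumptions not taken from the advisory: Next.js marks
// server-action requests with a "Next-Action" request header; the cookie
// name "session", the token validator and the size cap are placeholders.

const MAX_ACTION_BODY_BYTES = 64 * 1024; // hypothetical cap on action payloads

function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

function isServerActionRequest(method, headers) {
  return method === 'POST' && typeof headers['next-action'] === 'string';
}

// req: { method, headers } with header names in any case.
// validateToken: callback that checks the session token (hypothetical).
// Returns { allow, reason } so a WAF rule or Next.js middleware can act on it.
function decideServerAction(req, validateToken) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers)) headers[k.toLowerCase()] = v;

  if (!isServerActionRequest(req.method, headers)) {
    return { allow: true, reason: 'not-a-server-action' }; // normal page/RSC traffic
  }
  const token = parseCookies(headers.cookie).session;
  if (!token || !validateToken(token)) {
    return { allow: false, reason: 'unauthenticated-server-action' };
  }
  // A missing or non-numeric Content-Length is rejected (conservative choice).
  const len = Number(headers['content-length']);
  if (!Number.isFinite(len) || len > MAX_ACTION_BODY_BYTES) {
    return { allow: false, reason: 'action-body-length-unacceptable' };
  }
  return { allow: true, reason: 'authenticated-server-action' };
}
```

In Next.js middleware this would run as `decideServerAction({ method: request.method, headers: Object.fromEntries(request.headers) }, validator)` and answer with a 403 response whenever `allow` is false.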


Urgency: Critical. Exploitation is widespread, requires minimal skill, and grants full server execution. Deploy patches or compensating controls immediately.

Additional Resources:

FortiWeb Path Traversal, Authentication Bypass, and Admin-User Creation Exploited in the Wild

Discovered: October 10th, 2025 (first exploitation observed)


Impacted Tech: Fortinet FortiWeb (WAF) Manager / Appliances – versions 8.0.1 and earlier (fixed in 8.0.2)


Summary:

A path-traversal and authentication bypass vulnerability allows unauthenticated attackers to create local administrative accounts through the FortiWeb management interface. Once exploited, an attacker effectively gains full control of the WAF appliance – enabling persistent access, unauthorized configuration changes, and potential lateral movement deeper into the environment. This weakness is already being exploited in the wild, and a public proof-of-concept is circulating.

Technical Details:

The following weaknesses, when chained, allow for complete compromise of the vulnerable FortiWeb appliance:

  1. Path traversal to internal CGI endpoints: By starting with a valid FortiWeb API path, an attacker can traverse to another internal CGI executable (fwbcgi). If the endpoint located at:

/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi

  2. Authentication bypass via the impersonation handler: Once the attacker reaches fwbcgi, FortiWeb fails to enforce authentication checks on certain code paths that handle user impersonation. This allows an unauthenticated request to invoke administrative actions directly; specifically, the creation of new local admin users with unrestricted permissions. Attackers observed in the wild are using this to drop accounts such as “Testpoint,” “trader1,” and similar operator-style usernames.


Verify Exposure:
1. Check whether the FortiWeb management interface is reachable from the internet.

2. Attempt a “safe” API path traversal test: send a POST request to /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi. An HTTP 200 response indicates exposure and potential exploitability.

Interim Mitigation Measures:

  • Update all FortiWeb appliances to version 8.0.2 or later, which appears to block the known exploit chain. (Fortinet has not yet published a formal advisory or patch note.)
  • If immediate patching is not possible, restrict the management interface so it is not reachable from the internet (allow internal access only or place behind a VPN).
  • Audit all admin accounts on FortiWeb for any new or unexpected local users (e.g., usernames “Testpoint”, “trader1”, “trader” detected in ongoing attacks).
  • Review logs for HTTP POSTs to /cgi-bin/fwbcgi or unusual trusthost settings like 0.0.0.0/0, ::/0 assigned to newly created users.
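A detection check for the last two measures above, over constructed sample data (an added example, not Fortinet code): it resolves each logged request path after percent-decoding and dot-segment normalisation, so the `%3f` and plain `../` variants both surface as hits on `/cgi-bin/fwbcgi`, and it audits the admin list for unexpected names and the `0.0.0.0/0` / `::/0` trusthost values. The log format, the expected-admin baseline and the account list are assumptions.

```javascript
// Added example (not Fortinet code): flag requests whose path resolves to the
// internal fwbcgi handler after URL-decoding and dot-segment normalisation, and
// audit admin accounts for unexpected names or wide-open trusthost values.
// Log lines, the expected-admin baseline and the account list are constructed.
const LOG_LINES = [
  '10.0.0.5 POST /api/v2.0/cmdb/system/admin HTTP/1.1 200',
  '203.0.113.9 POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1 200',
  '203.0.113.9 POST /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1 200',
  '10.0.0.7 GET /cgi-bin/fwbcgi HTTP/1.1 403',
];
const SAMPLE_ACCOUNTS = [
  { name: 'admin', trusthosts: ['10.0.0.0/8'] },
  { name: 'Testpoint', trusthosts: ['0.0.0.0/0', '::/0'] },
];
const EXPECTED_ADMINS = new Set(['admin', 'secops-ro']); // constructed baseline
const OPEN_TRUSTHOSTS = new Set(['0.0.0.0/0', '::/0']);

// Strip the raw query string, percent-decode, then collapse "." / ".." segments.
// Decoding first is what catches the %3f variant that a literal match would miss.
function normalisePath(rawPath) {
  const noQuery = rawPath.split('?')[0];
  let decoded;
  try { decoded = decodeURIComponent(noQuery); } catch { decoded = noQuery; }
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; } // ".." above the root is clamped
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Every request (any method) that lands on /cgi-bin/fwbcgi, with its raw path kept.
function findFwbcgiHits(lines) {
  return lines
    .map(line => { const [client, method, path] = line.split(' '); return { client, method, path }; })
    .filter(r => normalisePath(r.path) === '/cgi-bin/fwbcgi');
}

// accounts: [{ name, trusthosts }]; returns one finding string per problem.
function auditAdmins(accounts) {
  const findings = [];
  for (const a of accounts) {
    if (!EXPECTED_ADMINS.has(a.name)) findings.push(`unexpected admin account: ${a.name}`);
    const open = a.trusthosts.filter(h => OPEN_TRUSTHOSTS.has(h));
    if (open.length) findings.push(`${a.name}: open trusthost ${open.join(', ')}`);
  }
  return findings;
}
```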


Urgency: Critical. Exploitation has been confirmed in the wild, the attack requires no authentication, and compromise of a WAF appliance often leads to broad secondary impact – ranging from data exfiltration to lateral movement inside the network.

Additional Resources:

Vulnerability in GlobalProtect feature of Palo Alto Networks PAN-OS (CVE-2024-3400): OS Command Injection

Overview

A critical security vulnerability has been identified in specific versions of Palo Alto Networks PAN-OS software, which could allow an unauthenticated attacker to execute arbitrary code with root privileges on affected firewalls. This vulnerability is present only in configurations where both the GlobalProtect gateway and device telemetry are enabled. The affected PAN-OS versions are:

  • PAN-OS 10.2
  • PAN-OS 11.0
  • PAN-OS 11.1

Verify Exposure

To determine if your system is at risk, follow these steps:

  1. GlobalProtect Gateway: Check for active configurations by navigating to Network > GlobalProtect > Gateways in your firewall’s web interface.
  2. Device Telemetry: Verify that device telemetry is enabled by going to Device > Setup > Telemetry in the firewall interface.

Recommendations for Action

Currently, patches for PAN-OS 10.2, 11.0, and 11.1 are under development with an anticipated release date of April 14, 2024.

Interim Mitigation Measures:

  • Threat Prevention: For customers with an active Threat Prevention subscription, it is recommended to block potential attacks related to this vulnerability by enabling Threat ID 95187, which is included in the Applications and Threats content version 8833-8682.
  • Disable Device Telemetry: If enabling the Threat ID is not feasible at this moment, another effective interim measure is to temporarily disable device telemetry until your firewall can be updated to a patched version of PAN-OS.

Customers are urged to apply these recommendations promptly to mitigate any potential risks associated with this vulnerability.

Additional Resources:

For additional information, view the links below.

https://security.paloaltonetworks.com/CVE-2024-3400