08.12.2025 Threat Report
This week’s report covers the React/Next.js “React2Shell” RCE (CVE‑2025‑55182), now under active exploitation; the Windows LNK shortcut zero‑day (CVE‑2025‑9491), exploited for years and only now publicly tracked and mitigated; and Android’s December update, which patches two exploited zero‑days.
React/Next.js “React2Shell” pre‑auth RCE now in NHS Cyber Alert and CISA KEV
An NHS Cyber Alert (CC‑4723), rated High severity, has been issued for a critical remote code execution flaw affecting React Server Components and the frameworks built on them, notably Next.js. The bug, tracked as CVE‑2025‑55182 and nicknamed “React2Shell,” lets an unauthenticated attacker send a crafted request to a Server Function endpoint, trigger insecure deserialisation in the RSC Flight protocol, and execute arbitrary code on the server. CISA has since added the CVE to its Known Exploited Vulnerabilities catalogue after confirmed in‑the‑wild abuse, and researchers report attacker interest growing quickly as public details spread. Any UK health organisation running React RSC stacks, especially patient‑facing portals, booking apps or supplier platforms, should assume scanning is already underway and patch at pace.
React/Next.js is everywhere in modern digital health: patient portals, telehealth dashboards, clinician tools and partner APIs. A pre‑auth RCE on the web tier can expose PHI, tamper with clinical workflows, or become a stepping‑stone into core systems. If you host React RSC, this is the top priority.
Recommendations:
- Upgrade React Server Components and downstream frameworks to patched versions (React server packages 19.0.1 / 19.1.2 / 19.2.1, plus the framework‑specific fixes).
- Add WAF rules for suspicious RSC endpoint payloads and increase logging on Server Function routes.
- Review internet‑exposed apps for RSC usage; prioritise patient‑facing services first.
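The first and third recommendations come down to an inventory question: which deployed apps pull in the RSC server packages, and at what version? The following is an added example, not code from the NHS alert, CISA or the React project. It scans a package‑lock.json (lockfileVersion 2/3 layout) and flags the Flight server packages at any 19.x version below the patched release named above for that minor line. The package names react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack are my assumption about what “React server packages” refers to, and the sample lockfile is constructed for illustration.

```python
import json
import sys

# Assumption: these are the React Server Components "server" packages (the
# Flight server side) that the alert's patched versions apply to.
RSC_SERVER_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}

# Patched releases listed in the alert, keyed by (major, minor) line:
# 19.0.1, 19.1.2 and 19.2.1. Anything below these in the same line is vulnerable.
PATCHED = {(19, 0): 1, (19, 1): 2, (19, 2): 1}


def parse_version(version: str) -> tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) from a semver string."""
    core, prerelease = (version.split("-", 1) + [""])[:2]
    core = core.split("+", 1)[0]
    major, minor, patch = (int(part) for part in core.split(".")[:3])
    return major, minor, patch, bool(prerelease)


def is_vulnerable(version: str) -> bool:
    """True if this version sits below the patched release of its 19.x line."""
    major, minor, patch, prerelease = parse_version(version)
    fixed_patch = PATCHED.get((major, minor))
    if fixed_patch is None:
        return False  # a line with no patched release in the alert; not assessed here
    # A prerelease of the fixed version (e.g. 19.2.1-canary) still predates the fix.
    return patch < fixed_patch or (patch == fixed_patch and prerelease)


def scan_lockfile(lock: dict) -> list[dict]:
    """Find every installed copy of an RSC server package, nested ones included."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in RSC_SERVER_PACKAGES and "version" in meta:
            findings.append({
                "path": path,
                "name": name,
                "version": meta["version"],
                "vulnerable": is_vulnerable(meta["version"]),
            })
    return findings


# Constructed sample lockfile: one vulnerable copy and one patched nested copy.
SAMPLE_LOCK = json.loads("""
{
  "name": "patient-portal",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "patient-portal", "version": "1.0.0"},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": {"version": "19.1.2"}
  }
}
""")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for finding in scan_lockfile(lock):
        status = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f"{status:10} {finding['name']}@{finding['version']}  ({finding['path']})")
```

Run it against each internet‑facing app’s lockfile; nested copies under a dependency’s own node_modules are the ones a plain `npm ls` tends to hide. The scanner only covers the React packages, so a Next.js upgrade to its framework‑specific fix still has to be checked separately.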
Windows .LNK shortcut flaw exploited as zero‑day for years, now publicly tracked
Multiple outlets reported this week that Microsoft has “silently mitigated” a Windows shortcut (.LNK) vulnerability, now assigned CVE‑2025‑9491, after evidence that it has been weaponised for years by state‑aligned and criminal groups. The bug is a UI misrepresentation issue: attackers can craft LNK files whose dangerous command‑line arguments are hidden from the Properties view, so a malicious shortcut looks benign on inspection. When opened, the shortcut executes in the user’s context and can drop malware or establish persistence. Although the underlying fix shipped in November’s cumulative updates, the reporting and wider threat‑actor context only landed this week, so phishing kits and commodity actors are likely to follow quickly. Treat any LNK lure as high risk.
Healthcare remains a prime phishing target. LNK‑based lures are “easy mode” for attackers because a shortcut that looks like a document defeats user intuition, and it can be delivered in an email attachment, an archive or a file share. In busy clinical settings with shared workstations, one click can seed ransomware staging or data theft.
Recommendations:
- Ensure the November/December Windows cumulative updates are deployed across endpoints and RDS/VDI estates.
- Block LNK execution from user‑writable locations (for example with AppLocker or WDAC rules) and tighten attachment policies in email gateways.
- Raise phishing awareness specifically around “shortcut” files and odd desktop‑icon attachments.
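Because the Properties dialog cannot be trusted, the only reliable way to see what a suspect shortcut runs is to parse the file itself. The following is an added example, not code from Microsoft or any of the outlets cited; it reads the Shell Link header and StringData block as documented in MS‑SHLLINK, extracts the COMMAND_LINE_ARGUMENTS string, and flags the pattern public reporting describes for this bug: a long run of whitespace or control characters ahead of the real arguments, so the visible Target field shows only the harmless prefix. The padding threshold of 32 characters is my assumption, and the `build_lnk` helper constructs minimal test shortcuts so the check can run without real lures.

```python
import struct
import sys

# Shell Link header (MS-SHLLINK 2.1): fixed 0x4C-byte size and a fixed CLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}

# LinkFlags bits that decide which structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each present only if its flag is set.
STRING_DATA = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

PADDING_CHARS = " \t\r\n\x0b\x0c"
CONTROL_CHARS = "\t\r\n\x0b\x0c"
PADDING_THRESHOLD = 32  # assumption: no legitimate shortcut starts its arguments with this much whitespace


def parse_lnk(data: bytes) -> dict:
    """Walk a .lnk file through its StringData block and return the decoded strings."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize then the IDList itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes the size field
    fields = {"flags": flags}
    width = 2 if flags & IS_UNICODE else 1
    for key, bit in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {key} string")
        pos += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def assess_lnk(data: bytes) -> dict:
    """Flag an argument string padded or laced with control characters to hide its tail."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    leading = len(args) - len(args.lstrip(PADDING_CHARS))
    control = sum(1 for ch in args if ch in CONTROL_CHARS)
    return {
        "target": info.get("relative_path") or info.get("name", ""),
        "arguments": args.strip(PADDING_CHARS),   # what actually runs, padding removed
        "leading_padding": leading,
        "control_chars": control,
        "suspicious": leading >= PADDING_THRESHOLD or control > 0,
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal Unicode .lnk with only RelativePath and Arguments (test input, not a lure)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIiIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # Creation/Access/Write FILETIMEs
        0,           # FileSize
        0,           # IconIndex
        1,           # ShowCommand: SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )

    def string_data(text: str) -> bytes:
        encoded = text.encode("utf-16-le")
        return struct.pack("<H", len(encoded) // 2) + encoded

    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0)  # TerminalBlock


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess_lnk(fh.read()))
```

Point it at quarantined attachments or a mail‑gateway sandbox drop folder; a hit on `suspicious` with a long `leading_padding` is exactly the shape of file this bug was used to deliver, and the `arguments` field shows the command the Properties dialog would have hidden.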
Android December security update patches two exploited zero‑days
Google’s December Android Security Bulletin landed with 107 fixes, including two vulnerabilities already exploited in targeted attacks: CVE‑2025‑48633, an information‑disclosure bug in the Framework, and CVE‑2025‑48572, an elevation‑of‑privilege bug. Both affect Android 13 to 16. While exploitation so far appears targeted, Android zero‑days routinely migrate into broader spyware and financially motivated toolchains. In health and care, Android devices are common for BYOD clinician access, community care, ambulance tablets, MDM‑managed corporate mobiles and patient‑facing apps. Delayed patching raises the risk of credential theft, session hijack and surveillance, especially where devices hold authenticator apps or clinical messaging. OEM rollout times vary, so UK organisations should push the update via MDM and confirm the reported patch level rather than assume it has arrived.
Mobile endpoints are now clinical endpoints. If an attacker can read data or gain higher privileges on Android, they can lift NHSmail tokens, Teams/clinical chat sessions, or patient‑app credentials. That’s a quiet breach route that often skips perimeter defences. Patch compliance matters here.
Recommendations:
- Push the December Android security update through MDM; verify devices report the current patch level.
- Re‑assess which clinical apps allow offline PHI storage on mobiles; minimise where possible.
- Encourage BYOD staff to update promptly; block out‑of‑date OS versions from high‑risk apps.
This week is a mix of “patch now” web‑tier risk and quietly dangerous endpoint issues. React2Shell is the standout: it’s pre‑auth, widely deployed, and already under exploitation. Close that door first, then mop up the Windows LNK exposure and Android patch lag before they turn into incident work over Christmas.
Need help? Periculo can support with rapid exposure triage, detection tuning, and ongoing Threat Intelligence tailored to NHS and UK health tech. Contact us below.