
Threat Report 157

This week’s report: new phishing campaign abusing Google services to bypass email security controls; a critical vulnerability in widely used web technologies that exposes many public-facing websites and enterprise applications; and a severe flaw in an IBM platform commonly used by large organisations. Further details and recommended actions are outlined below. 

Google Cloud Phishing Attack Bypasses Email Security

Cybercriminals have found a clever way to send phishing emails that look like they come from Google itself. They are abusing a feature in Google Cloud called Application Integration to send malicious emails from a legitimate Google email address. These emails look like normal notifications, such as voicemail alerts or file access requests, which tricks both people and email security systems designed to block fake messages.

This technique is particularly dangerous because it uses a trusted source—Google—to launch attacks. For UK businesses and especially digital health organisations, employees are more likely to trust and click on a link in an email that appears to be a legitimate notification from a service they use every day. This could lead to stolen passwords, which attackers can use to access sensitive company or patient data, a significant risk for organisations handling NHS data under the DSPT framework.
 
Recommendations:
  • Warn employees about this new phishing technique and remind them to be cautious even with emails from trusted senders.
  • Advise staff to hover over links before clicking to see the real destination address.
  • Ensure that any requests for credentials or sensitive information are verified through a separate communication channel.

Critical ‘React2Shell’ Flaw Affects Web Servers and IoT Devices

A critical vulnerability, named React2Shell (CVE-2025-55182), has been discovered in React Server Components and Next.js, two widely used web technologies. This flaw is extremely severe, with a CVSS score of 10.0 out of 10. It allows an attacker to take complete control of a vulnerable web server or internet-connected device without needing a password. Criminals are already using this flaw to build a botnet—a network of hacked devices—called RondoDox.
 
Many modern websites and web applications, including those used in health tech and by NHS suppliers, are built using React and Next.js. If your organisation’s website or a supplier’s portal uses this technology, it could be at risk of a complete takeover. An attacker could steal data, disrupt services, or use the compromised server to launch further attacks. With tens of thousands of systems still vulnerable, this poses a significant supply chain risk.
 
Recommendations:
  • Identify if any of your web applications or those of your suppliers use React Server Components or Next.js.
  • Update to a patched version immediately if you are using an affected version.
  • Ask your software suppliers if they have been affected by this vulnerability and what steps they have taken to mitigate the risk.

Severe Authentication Flaw in IBM API Connect

IBM has revealed a critical security flaw (CVE-2025-13915) in its API Connect product, which is a system used by many large companies to manage their Application Programming Interfaces (APIs). APIs are the connections that allow different software applications to talk to each other. This vulnerability has a severity score of 9.8 out of 10 and allows a remote attacker to bypass security checks and gain unauthorised access to the application.

APIs are the backbone of modern digital services, including many digital health platforms that connect to NHS systems or handle patient data. If your organisation uses IBM API Connect, this flaw could allow an attacker to gain control over the connections between your critical software. This could lead to a major data breach, service disruption, or allow an attacker to tamper with data in transit. The risk is especially high for any organisation that relies on this platform for secure data exchange.
 
Recommendations:
  • If your organisation uses IBM API Connect versions 10.0.8.0 through 10.0.8.5 or 10.0.11.0, you must apply the security fix provided by IBM immediately.
  • As a precaution, IBM also advises disabling the self-service sign-up feature on the Developer Portal if it is enabled.
  • Review access logs for any unusual or unauthorised activity related to your API management platform.

Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services.