Full Report
Hackers are increasingly exploiting newly disclosed vulnerabilities in third-party software to gain initial access to cloud environments, with the window for attacks shrinking from weeks to just days. [...]
Analysis Summary
The following summary highlights the primary vulnerabilities identified in the Google Cloud Threat Horizons report as key drivers for cloud environment breaches.
# Vulnerability: Rapid Exploitation of RCE Flaws for Cloud Access
## CVE Details
- **CVE ID:** CVE-2025-55182 (React2Shell) / CVE-2025-24893 (XWiki flaw)
- **CVSS Score:** 10.0 (Critical) / 9.8 (Critical)
- **CWE:** CWE-502 (Deserialization of Untrusted Data) / CWE-95 (Eval Injection)
## Affected Systems
- **Products:** React Server Components (the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages) and frameworks that bundle them, notably Next.js (React2Shell); XWiki Platform (open-source enterprise wiki).
- **Versions:**
- **React2Shell:** react-server-dom-* 19.0.0 through 19.2.0, fixed in 19.0.1, 19.1.2 and 19.2.1; Next.js releases that bundle an affected version (see the Vercel advisory for the patched release of each line).
- **XWiki:** Releases from 5.3-milestone-2 before the fixed versions 15.10.11, 16.4.1 and 16.5.0RC1.
- **Configurations:** Any internet-reachable deployment running an affected version. Neither flaw requires authentication: React2Shell is triggered by a crafted request to the application, and the XWiki flaw is reachable by unauthenticated guest users.
## Vulnerability Description
Both flaws are unauthenticated Remote Code Execution (RCE) bugs. **React2Shell** is an unsafe-deserialization flaw in how React Server Components decode request payloads: a crafted request executes attacker-supplied code in the server-side Node.js process, not merely JavaScript in the browser, so the attacker inherits the application's credentials and network position. The **XWiki** flaw lets an unauthenticated request inject script that the server evaluates, giving code execution on the wiki host; the RondoDox botnet has weaponized it to turn internet-facing cloud servers into botnet nodes.
## Exploitation
- **Status:** Exploited in the wild (actively used by botnets and cryptominers).
- **Complexity:** Low (Technical details and PoCs are widely documented).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Total (Access to environment variables, source code, and secrets).
- **Integrity:** Total (Ability to modify application code and configuration).
- **Availability:** Total (cryptomining and resource exhaustion, or destruction of data and workloads).
## Remediation
### Patches
- **React/Next.js:** Upgrade the react-server-dom-* packages to 19.0.1, 19.1.2 or 19.2.1 (or later) and Next.js to the patched release for your line, then rebuild and redeploy, since the fix ships in the bundled server code.
- **XWiki:** Upgrade to 15.10.11, 16.4.1, 16.5.0RC1 or later.
### Workarounds
- A Web Application Firewall (WAF) can filter known exploit patterns in incoming requests, but only as a stopgap: rule sets lag published PoCs and are routinely bypassed with encoding tricks, so do not treat a WAF as a substitute for the patch.
- Restrict egress traffic from cloud instances (default-deny with an explicit allowlist) so a compromised server cannot fetch second-stage payloads, reach mining pools or "call back" to C2 servers; this also limits the blast radius of the next unknown RCE.
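The egress restriction above is only effective if the VPC really is default-deny. The following is an added example, not code from the Threat Horizons report or any vendor: it evaluates firewall rule objects in the shape `gcloud compute firewall-rules list --format=json` returns, applies Google Cloud's priority ordering (lower number wins, deny beats allow on a tie, implied allow-all egress at 65535) and reports whether unmatched egress is allowed. The rule sets `WEAK_RULES` and `HARDENED_RULES` are constructed for illustration.

```python
"""Added example, not code from the Threat Horizons report or any vendor:
decide whether a VPC's egress is default-deny from firewall rule objects in
the shape returned by `gcloud compute firewall-rules list --format=json`.
All rule data below is constructed for illustration."""
from typing import Dict, List, Tuple

# Google Cloud's implied rule: every VPC allows all egress at the lowest
# priority (65535) unless an explicit rule overrides it.
IMPLIED_ALLOW_EGRESS: Dict = {
    "name": "implied-allow-egress", "direction": "EGRESS", "priority": 65535,
    "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}],
}


def covers_all_egress(rule: Dict) -> bool:
    """True if the rule matches every destination, protocol and port."""
    if "0.0.0.0/0" not in rule.get("destinationRanges", []):
        return False
    entries = rule.get("allowed") or rule.get("denied") or []
    return any(e.get("IPProtocol") == "all" and not e.get("ports") for e in entries)


def _sort_key(rule: Dict) -> Tuple[int, int]:
    # Lower priority number wins; on a tie, GCP evaluates deny before allow.
    return (rule["priority"], 0 if "denied" in rule else 1)


def effective_default_egress(rules: List[Dict]) -> str:
    """Return 'allow' or 'deny' for egress traffic that no narrower rule matches."""
    candidates = [r for r in rules + [IMPLIED_ALLOW_EGRESS]
                  if r.get("direction") == "EGRESS"
                  and not r.get("disabled", False)
                  and covers_all_egress(r)]
    winner = min(candidates, key=_sort_key)
    return "deny" if "denied" in winner else "allow"


def audit_egress(rules: List[Dict]) -> List[str]:
    """Findings a CSPM-style check would raise about the egress posture."""
    findings: List[str] = []
    if effective_default_egress(rules) == "allow":
        findings.append("no default-deny egress rule: a compromised instance can reach arbitrary C2/mining hosts")
    for r in rules:
        # Broad allow rules that apply to every instance undo the allowlist.
        if (r.get("direction") == "EGRESS" and "allowed" in r
                and "0.0.0.0/0" in r.get("destinationRanges", [])
                and not r.get("targetTags") and not r.get("targetServiceAccounts")):
            findings.append(f"rule {r['name']} allows egress to 0.0.0.0/0 for every instance in the network")
    return findings


# Constructed rule sets. WEAK_RULES relies on the implied allow-all egress and
# has a network-wide allow to the internet; HARDENED_RULES adds an explicit
# deny-all with a narrow, tag-scoped allow above it.
WEAK_RULES: List[Dict] = [
    {"name": "allow-internal-egress", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-web-egress", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
]
HARDENED_RULES: List[Dict] = [
    {"name": "allow-internal-egress", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-egress-vendor-api", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["203.0.113.0/24"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "deny-all-egress", "direction": "EGRESS", "priority": 65000,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, effective_default_egress(rules), audit_egress(rules))
```

Feed it real output with `gcloud compute firewall-rules list --filter="network=NAME" --format=json` and the same check applies; the deny-all rule must sit below (numerically above) every allow you intend to keep, which is why the example places it at 65000 rather than 1000.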
## Detection
- **Indicators of Compromise:**
- Outbound connections to known cryptomining pools.
- Presence of "RondoDox" or "s1ngularity" related artifacts in logs or file systems.
- Unexpected creation of high-privileged CI/CD service account tokens.
- **Detection methods and tools:**
- Monitor Cloud Audit Logs (CloudTrail on AWS), including GKE/Kubernetes audit logs, for unexpected enumeration of pods, secrets and service accounts, and for service account key or token creation by workload identities.
- Use automated CSPM (Cloud Security Posture Management) tools to identify internet-exposed vulnerable services.
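To make the indicators above concrete, here is an added detection example, not code from the Threat Horizons report or any vendor. It scans newline-delimited JSON records whose shape is a simplified approximation of VPC Flow Logs and Cloud Audit Logs; the pool hostnames, stratum ports and sample records are constructed, and a real deployment would take the indicator lists from a threat-intel feed. The audit-log method names `google.iam.admin.v1.CreateServiceAccountKey` and `io.k8s.core.v1.pods.list` are the real Google Cloud method names behind two of the indicators.

```python
"""Added detection example, not code from the Threat Horizons report or any
vendor: scans constructed, simplified VPC Flow Log and Cloud Audit Log
records for the indicators listed above. Pool hostnames, stratum ports and
the log shapes are illustrative assumptions, not a real feed."""
import json
from typing import Dict, Iterable, List, Optional

# Assumed threat-intel data; a deployment would load this from a feed.
MINING_POOL_HOSTS = {"pool.example-xmr.net", "xmr.example-pool.org"}
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

# Cloud Audit Log method names behind two of the indicators above.
SENSITIVE_METHODS = {
    "google.iam.admin.v1.CreateServiceAccountKey": "service account key created",
    "io.k8s.core.v1.pods.list": "Kubernetes pods enumerated",
}


def check_flow(rec: Dict) -> Optional[str]:
    """Flag egress flows to a known pool host or a typical stratum port."""
    if rec.get("direction") != "EGRESS":
        return None
    host = rec.get("dest_host") or rec.get("dest_ip", "?")
    port = int(rec.get("dest_port", 0))
    if host in MINING_POOL_HOSTS or port in STRATUM_PORTS:
        return f"{rec.get('src')} -> {host}:{port} matches a mining-pool indicator"
    return None


def check_audit(rec: Dict) -> Optional[str]:
    """Flag sensitive IAM/GKE API calls and note when a workload identity made them."""
    payload = rec.get("protoPayload", {})
    method = payload.get("methodName", "")
    if method not in SENSITIVE_METHODS:
        return None
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "?")
    kind = "workload identity" if actor.endswith(".gserviceaccount.com") else "user"
    return f"{SENSITIVE_METHODS[method]} by {kind} {actor} ({method})"


def scan(lines: Iterable[str]) -> List[str]:
    """Run both checks over newline-delimited JSON records, skipping bad lines."""
    findings: List[str] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # in production, count malformed records rather than dropping them silently
        hit = check_audit(rec) if "protoPayload" in rec else check_flow(rec)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample records (JSON lines): one benign egress flow, one to a
# pool host, one to a stratum port, one ingress flow (ignored), two sensitive
# audit events from a workload identity and one benign human read.
SAMPLE_LOGS = """
{"direction": "EGRESS", "src": "10.0.1.5", "dest_ip": "203.0.113.10", "dest_host": "storage.googleapis.com", "dest_port": 443}
{"direction": "EGRESS", "src": "10.0.1.5", "dest_ip": "198.51.100.7", "dest_host": "pool.example-xmr.net", "dest_port": 3333}
{"direction": "EGRESS", "src": "10.0.1.5", "dest_ip": "203.0.113.55", "dest_host": "", "dest_port": 14444}
{"direction": "INGRESS", "src": "192.0.2.9", "dest_ip": "10.0.1.5", "dest_host": "", "dest_port": 4444}
{"protoPayload": {"methodName": "io.k8s.core.v1.pods.list", "authenticationInfo": {"principalEmail": "web-sa@proj.iam.gserviceaccount.com"}}}
{"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "web-sa@proj.iam.gserviceaccount.com"}}}
{"protoPayload": {"methodName": "google.logging.v2.ListLogEntries", "authenticationInfo": {"principalEmail": "alice@example.com"}}}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS.splitlines()):
        print("ALERT:", finding)
```

The port-only match on 14444 is deliberately noisy; in practice pair it with a baseline of the instance's normal destinations, since a web server that has never opened an outbound connection on a stratum port before is a far stronger signal than the port number alone.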
## References
- React2Shell Advisory: hXXps[://]www.bleepingcomputer[.]com/news/security/critical-react2shell-flaw-in-react-nextjs-lets-hackers-run-javascript-code/
- Google Cloud Threat Horizons Report: hXXps[://]services.google[.]com/fh/files/misc/cloud_threat_horizons_report_h12026.pdf
- XWiki RondoDox Attack Analysis: hXXps[://]www.bleepingcomputer[.]com/news/security/rondodox-botnet-malware-now-hacks-servers-using-xwiki-flaw/