
Daily Security Briefing #095
- DjediTech
- Security, Newsletter
- December 6, 2025
Oracle zero-day exploited at Barts Health NHS, React2Shell RCE impacts 30+ orgs, Malicious Go packages steal data
Executive Summary
Today’s cybersecurity landscape highlights critical software vulnerabilities and sophisticated supply chain threats. The Oracle zero-day exploited by the Cl0p ransomware group resulted in a major data breach at Barts Health NHS, compromising sensitive personal and billing data. Meanwhile, the React2Shell flaw in widely used React software has been actively exploited, affecting over 30 organizations and exposing tens of thousands of Internet-facing IPs. Attackers continue to leverage development ecosystem weaknesses, as malicious Go packages impersonating legitimate Google libraries have been stealing data for years. Additionally, numerous vulnerabilities in AI coding tools expose users to remote code execution and data exfiltration risks. These incidents underscore the pressing need for vigilance across healthcare, software development, and emerging AI environments.
Top Articles
Barts Health NHS Reveals Data Breach Linked to Oracle Zero-Day Exploited by Clop Ransomware
Barts Health NHS Trust has suffered a data breach after the Cl0p ransomware gang exploited a critical zero-day vulnerability in Oracle E-Business Suite software. The attackers accessed and published files from an invoice database, exposing personal data of patients and staff. This breach underscores the ongoing risks facing healthcare institutions relying on complex enterprise software.
GBHackers | CyberPress
React2Shell Flaw Exploited to Breach 30 Organizations, Over 77,000 IPs Vulnerable
The severe React2Shell vulnerability (CVE-2025-55182), enabling remote code execution, has been confirmed to compromise more than 30 organizations across sectors. Over 77,000 IP addresses remain exposed on the internet. Following active exploitation reports, CISA added this flaw to its Known Exploited Vulnerabilities catalog. Organizations using React Server Components must urgently apply mitigations to prevent breaches.
BleepingComputer | TheHackerNews | SentinelOne
Malicious Go Packages Impersonate Google’s UUID Library to Steal Sensitive Data
Since May 2021, two typosquatting Go packages, designed to mimic trusted Google UUID libraries, have been covertly exfiltrating user data from developers who mistakenly downloaded them. These malicious packages remained live in the Go ecosystem for over four years before being discovered by security researchers. This incident highlights the dangers of supply chain attacks in software development environments.
GBHackers | CyberPress
Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks
Security researchers have identified over 30 vulnerabilities in AI-powered Integrated Development Environments (IDEs) that can be exploited to perform prompt injection attacks. These flaws allow malicious actors to exfiltrate data or execute remote code by abusing legitimate AI features, posing new risks as AI tools become widespread in development workflows.
TheHackerNews
Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation
In response to active exploitation of the React2Shell RCE vulnerability (CVE-2025-55182), CISA has added the flaw to its Known Exploited Vulnerabilities catalog. Rated with a maximum CVSS score of 10.0, this vulnerability requires immediate attention from organizations using React Server Components to mitigate potentially devastating consequences from remote code execution attacks.
TheHackerNews
Drones to Diplomas: How Russia’s Largest Private University is Linked to a $25M Essay Mill
An academic cheating network generating nearly $25 million in revenue through Google Ads has been connected to a Kremlin-linked oligarch controlling Russia’s largest private university. The university’s involvement in drone manufacturing for Russia’s war effort adds complexity to investigations into this large-scale essay mill operation.
KrebsOnSecurity
New Wave of VPN Login Attempts Targets Palo Alto GlobalProtect Portals
Threat actors have launched a targeted campaign aimed at Palo Alto GlobalProtect VPN portals, attempting logins that are likely intended to gain unauthorized access. The attackers are also scanning SonicWall SonicOS API endpoints, indicating a broader reconnaissance effort against popular VPN and network gateway solutions.
BleepingComputer
New Prompt Injection Attack Vectors Through MCP Sampling
Researchers from Unit 42 have analyzed the Model Context Protocol (MCP), which connects large language model apps to external data sources, to reveal new prompt injection attack vectors. These attack methods exploit MCP’s functionality to manipulate AI responses and potentially compromise connected systems.
Unit42
From React to Remote Code – Protecting Against the Critical React2Shell RCE Exposure
SentinelOne provides insights into detection and mitigation strategies against the React2Shell remote code execution vulnerability. Their analysis covers protection techniques for React and Next.js applications under threat from this critical flaw.
SentinelOne
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.