
Top 5 Threat News (Dec 1-8, 2025): React Backdoor Breaks Internet, Chinese Malware & Android Zero-Days

Cloudflare's emergency fix for a CVSS 10.0 React flaw knocked out 28% of its own traffic, Chinese malware lived undetected for 17 months, and Microsoft finally patched a shortcut bug hackers have used since 2017


THIS WEEK IN CYBER MONDAY 🔒

Dec 1 - Dec 8, 2025 | Top 5 Weekly Highlights

1. 🚨 React2Shell: When Your Web Framework Becomes a Backdoor

A maximum-severity bug (CVSS 10.0) in React Server Components, dubbed React2Shell (CVE-2025-55182), lets an unauthenticated attacker run code on your server.

Anything that serves React Server Components is exposed out of the box: React 19 with the react-server-dom-* packages, including default Next.js 15 and 16 App Router projects. No configuration change is needed to become vulnerable. Install, deploy, and you're exposed.

Chinese hacking groups started exploiting it within hours of the Dec 3 disclosure. By Dec 5 they were stealing AWS credentials and dropping malware. CISA added it to its Known Exploited Vulnerabilities catalog, the "patch this NOW" list, on Dec 6.

Why you care: roughly 39% of cloud environments run vulnerable versions. If you ship React Server Components or the Next.js App Router, assume you're exposed until you have checked your lockfile.

Fix: Update immediately. React's fix is per minor line (19.0.1, 19.1.2 or 19.2.1; "19.0.1 or later" alone is not enough, because 19.1.0 and 19.2.0 are vulnerable), and the Next.js advisory lists a patched release for every 15.x and 16.x line (16.0.7 on the current line). Confirm that react, react-dom and every react-server-dom-* package in your lockfile land on patched versions, not just the one you bumped by hand. This isn't a drill.
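Checking the lockfile is the part people skip, because a library can pull in its own nested copy of an RSC package that `npm ls react` at the top level never shows. The following audit script is an added example, not code from this newsletter, the React team or Vercel. It reads a v2/v3 package-lock.json and reports each tracked package as vulnerable, patched or unknown. The React floors are the advisory's fixed releases; the Next.js floors cover only the 16.0 and 15.5 lines (an assumption to extend from the Next.js advisory), and any minor line without a floor is reported as unknown so the script fails closed. The sample lockfile is constructed for the example.

```python
import json
import re

# Minimum patched release per minor line. The React floors are the React2Shell advisory's
# fixed releases (19.0.1, 19.1.2, 19.2.1). The Next.js entries cover only the 16.0 and 15.5
# lines (assumption: extend from the Next.js advisory for other 15.x lines). Any line missing
# here is reported as "unknown" and should be treated as vulnerable until checked.
REACT_FLOORS = {"19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1"}
FIXED_FLOORS = {
    "react-server-dom-webpack": REACT_FLOORS,    # the RSC packages carry the bug...
    "react-server-dom-parcel": REACT_FLOORS,
    "react-server-dom-turbopack": REACT_FLOORS,
    "react": REACT_FLOORS,                        # ...and must move in lockstep with them
    "react-dom": REACT_FLOORS,
    "next": {"16.0": "16.0.7", "15.5": "15.5.7"},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")


def version_key(version):
    """Sortable key; a prerelease such as 19.0.1-canary-... sorts below the 19.0.1 release."""
    m = VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def package_name(lock_path):
    """'node_modules/foo/node_modules/@scope/pkg' -> '@scope/pkg'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_packages(packages):
    """Audit the 'packages' map of a v2/v3 package-lock.json.

    Returns {lock path: (name, version, status)} for every tracked package, where
    status is 'vulnerable', 'patched' or 'unknown' (no floor known for that line).
    """
    findings = {}
    for path, entry in packages.items():
        if not path:
            continue  # "" is the root project itself
        name = package_name(path)
        if name not in FIXED_FLOORS:
            continue
        version = entry.get("version", "")
        key = version_key(version)
        line = f"{key[0]}.{key[1]}" if key else None
        floor = FIXED_FLOORS[name].get(line)
        if key is None or floor is None:
            status = "unknown"
        elif key < version_key(floor):
            status = "vulnerable"
        else:
            status = "patched"
        findings[path] = (name, version, status)
    return findings


def audit_lockfile(lock_text):
    """Audit a package-lock.json given as text."""
    return audit_packages(json.loads(lock_text).get("packages", {}))


# Constructed sample lockfile (not from any real project): note the nested copy of an RSC
# package pulled in by a library, which a top-level `npm ls react` check is easy to miss.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "16.0.6", "react": "19.0.0"}},
        "node_modules/next": {"version": "16.0.6"},
        "node_modules/react": {"version": "19.0.0"},
        "node_modules/react-dom": {"version": "19.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react-server-dom-turbopack": {"version": "19.3.0-canary-7f4e3b1"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

if __name__ == "__main__":
    for path, (name, version, status) in sorted(audit_lockfile(SAMPLE_LOCK).items()):
        print(f"{status:10s} {name}@{version}  ({path})")
```

Run it against your real lockfile with `audit_lockfile(open("package-lock.json").read())`. Treat "unknown" the same as "vulnerable" until you have looked the line up in the advisory; a canary build on a line the table does not know about is exactly the case you do not want silently waved through.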


2. ⚔ Cloudflare Tried to Fix React2Shell... and Broke the Internet Instead

On Dec 5, Cloudflare pushed a configuration change to shield customers from React2Shell. Within minutes, roughly 28% of the traffic crossing its network was failing, and it stayed that way for about 25 minutes.

Sites including LinkedIn, Zoom, and Discord returned 500 errors.

The mitigation itself triggered a cascading failure across Cloudflare's global network.

This is Cloudflare's second major outage in three weeks. When one company fronts roughly 20% of the web, its bad day is everyone's bad day.

Lesson: even the giants fumble emergency changes. Diversify your infrastructure if you can, and stage your own emergency rollouts (canary, then a region, then global) instead of pushing a fix everywhere at once.

3. BRICKSTORM: China's Invisible Backdoor That Lived Undetected for 17 Months

CISA, the NSA, and the Canadian Centre for Cyber Security issued a joint advisory on BRICKSTORM, a stealthy backdoor used by China-linked actors against VMware vSphere (vCenter and ESXi) and Windows systems.

It's built for persistence: the implant re-establishes itself if you try to remove it.

In one intrusion the operators kept access from April 2024 to September 2025, about 17 months. They layered encryption on their command-and-control channel, disguised it as ordinary web traffic, and stood up hidden virtual machines on the hypervisor to stay out of sight of the guest OS tooling.

Who's targeted: government agencies and IT companies.

What to do: scan your VMware appliances and Windows hosts with CISA's detection tools, segment your networks so a compromised vCenter cannot reach everything, and monitor edge devices and hypervisor management interfaces for unexpected outbound connections.

4. 📱 Google Patches 2 Android Zero-Days Used by Spyware Vendors

Your Android just got a security patch. Install it.

Google's December update fixes 107 bugs, including two zero-days (CVE-2025-48633 and CVE-2025-48572) that were already under limited, targeted exploitation. They let an attacker steal your data and take control of your phone.

The bugs affect Android 13 through 16, which covers basically every supported device. Google won't say who's behind the attacks, but limited, targeted exploitation of framework bugs is the usual signature of commercial spyware (Pegasus-style tooling) or state-sponsored operators going after activists, journalists, and other high-value targets.

The scary part: these are Android Framework vulnerabilities, bugs in the OS layer every app sits on. That is exactly why spyware vendors prize them: an exploit at that layer is invisible to the user and reaches everything on the device.

Fix: Update to Android security patch level 2025-12-05 or later. Check Settings → About phone → Software updates.

5. 🪟 Microsoft Finally Patches Windows Shortcut Bug That Hackers Used Since 2017

Microsoft quietly fixed a flaw that state-sponsored hackers had exploited for years.

CVE-2025-9491 let attackers hide malicious commands in Windows shortcut files (.lnk). The shortcut's Properties dialog only displayed the first 260 characters of the target command line; anything past that was invisible. Attackers padded the arguments with whitespace (spaces, tabs, line feeds) so the malicious part started beyond the cutoff.

Who used it: 11 groups, state-sponsored and criminal alike, including APT37 (North Korea), Mustang Panda (China), and Evil Corp. They delivered PlugX, Gh0st RAT, and Trickbot through innocent-looking shortcuts.

Microsoft finally shipped a fix (reported in November 2025, possibly landed as early as June) that shows the full command line. No fanfare, no announcement; just a quiet patch after roughly eight years of exploitation.

What to do: make sure Windows is fully updated. Don't open .lnk files from untrusted sources, ever, and treat a shortcut arriving in a ZIP or e-mail attachment the way you would an executable. For triage, a shortcut whose argument string runs to hundreds of characters and is mostly whitespace is a red flag.
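To make the padding trick concrete, here is an added example (not code from the newsletter, Microsoft, or any of the reports it summarizes): a minimal .lnk builder and parser following the Shell Link binary format, plus a triage check that flags argument strings whose content only begins past the 260-character display limit behind a run of whitespace. The 16-character minimum pad and the "cmd.exe" target are assumptions for the example, and the sample shortcut is constructed with a harmless hidden command.

```python
import struct

# LinkFlags bits from the Shell Link (.LNK) binary file format ([MS-SHLLINK] section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields follow the header (and the optional IDList/LinkInfo) in this fixed
# order, each present only when its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
VISIBLE_LIMIT = 260   # characters of the target the old Properties dialog displayed
MIN_PAD = 16          # assumption: a whitespace run this long is never legitimate in arguments


def build_lnk(arguments, relative_path="cmd.exe"):
    """Build a minimal but well-formed .lnk: the 76-byte header plus Unicode StringData only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIiIH2sII",
        HEADER_SIZE, LINK_CLSID, flags,
        0x20,               # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,            # creation / access / write FILETIMEs
        0, 0, 1,            # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, b"\0\0", 0, 0,   # HotKey, Reserved1, Reserved2, Reserved3
    )

    def string_data(s):
        # CountCharacters (uint16) followed by the UTF-16LE characters, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data):
    """Parse the header and StringData of a .lnk, skipping IDList/LinkInfo when present."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields


def padded_arguments(fields, limit=VISIBLE_LIMIT, min_pad=MIN_PAD):
    """Return (hidden_command, pad_length) when real content sits past `limit` behind a run
    of whitespace, the CVE-2025-9491 pattern; otherwise None."""
    args = fields.get("arguments", "")
    if len(args) <= limit:
        return None
    visible, hidden = args[:limit], args[limit:]
    pad = len(visible) - len(visible.rstrip())   # rstrip covers space, tab, LF, VT, FF, CR
    if pad >= min_pad and hidden.strip():
        return hidden.strip(), pad
    return None


if __name__ == "__main__":
    # Constructed sample, not a real payload: a harmless echo, 300 spaces, then the part
    # the truncated dialog would never show.
    blob = build_lnk("/c echo benign" + " " * 300 + "& calc.exe")
    fields = parse_lnk(blob)
    print("dialog shows :", repr(fields["arguments"][:VISIBLE_LIMIT].rstrip()))
    print("hidden       :", padded_arguments(fields))
```

Point `parse_lnk` at real shortcuts with `parse_lnk(open(path, "rb").read())`; it skips the LinkTargetIDList and LinkInfo blocks that real files carry, and a result from `padded_arguments` is worth a closer look regardless of what the Properties dialog shows.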

🎯 The Big Picture

This week proved that zero-day season never ends. From web frameworks to mobile OS to desktop shortcuts, attackers are everywhere. The React2Shell chaos showed how one library vulnerability can cascade globally. BRICKSTORM reminded us that nation-states play the long game. And those Android zero-days? Classic spyware tactics.

Your move: Patch everything. Audit your dependencies. Segment your network. And please, for the love of security, enable auto-updates.


Got questions? Found something we missed? Drop feedback in the comments. Stay safe out there. 🛡️
