Remote code execution flaws are among the most prevalent and challenging vulnerabilities in software today. Some of the most high-profile cybersecurity events in history — including the 2021 Log4Shell Log4j library vulnerability, the Apache Struts vulnerability that led to the 2017 Equifax breach and the 2014 Shellshock Bash vulnerability — were attributed to RCE flaws.
RCE exploits aren't new — in fact, they've existed for decades. The result of coding errors, configuration issues or insecure input handling, these common targets enable attackers to execute malicious code on a target system. As of Dec. 4, more than 20% of the entries in CISA's Known Exploited Vulnerabilities catalog are related to RCEs.
This week's featured news looks at a few of the latest RCEs and their impact.
Critical React vulnerability enables RCE in cloud environments
A maximum-severity vulnerability in React, a popular open source JavaScript library that was developed at Facebook (now Meta) and released as open source in 2013, has raised alarms due to its potential to enable RCE in numerous cloud environments.
Two CVEs — CVE-2025-55182 and CVE-2025-66478 — highlight unsafe deserialization in React Server Components and its downstream effect on the Next.js framework.
Both vulnerabilities received a CVSS score of 10, enabling attackers to exploit servers with crafted HTTP requests. Meta and React teams released fixes and urged organizations to update React and Next.js versions immediately. Cloud connectivity vendor Cloudflare implemented proactive web application firewall rules to block exploitation, while cloud security platform vendor Wiz reported that 39% of cloud environments remain vulnerable, emphasizing the urgency of mitigation.
ShadyPanda exploits browser extensions to target millions
A sophisticated malware campaign by the China-based group ShadyPanda has infected 4.3 million Chrome and Edge users through malicious browser extensions. The extensions, disguised as legitimate tools, were weaponized with updates enabling RCE, letting attackers exfiltrate browsing histories, search queries and credentials.
Researchers uncovered several extensions, including Clean Master and WeTab, that monitor user activity and transmit data to servers in China.
Despite removal efforts by Google and Microsoft, the attackers' systematic exploitation of review processes highlights ongoing vulnerabilities in the security of browser extensions.
Read the full story by Jai Vijayan on Dark Reading.
Critical Oracle Identity Manager flaw exploited in the wild
A severe RCE vulnerability, CVE-2025-61757, in Oracle Identity Manager has been actively exploited, posing significant risks to Oracle Fusion Middleware customers.
Discovered by researchers from security vendor Assetnote, the flaw stems from exposed REST APIs and authentication bypass issues, enabling attackers to exploit web routes with simple modifications, such as adding a semicolon to URLs.
The vulnerability, which received a CVSS score of 9.8, was patched in Oracle's October update but remains under active exploitation.
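Semicolon tricks of the kind described above typically work because the component that enforces authentication and the component that routes the request interpret `;param` path segments differently, so a request can look unprotected to one and match a protected resource in the other. The script below is an added example (not code from the article, Assetnote or Oracle) showing how a defender can hunt for such requests in web server access logs: it parses constructed Combined Log Format lines, strips path parameters the way a router would, and flags requests that carried non-benign `;` parameters on routes that should require authentication. The protected prefixes, the benign-parameter allowlist and the sample log lines are all assumptions to be replaced with a deployment's real values.

```python
import re
from urllib.parse import unquote

# Hypothetical protected route prefixes (assumption): replace with the prefixes
# that your deployment's authentication filter is supposed to cover.
PROTECTED_PREFIXES = ("/rest/", "/admin/")

# Path parameters that servlet containers use legitimately; on their own they
# are not a signal of abuse.
BENIGN_PATH_PARAMS = {"jsessionid"}

# Combined Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real telemetry). Line 2 and 4 use a path
# parameter on a protected route (line 4 percent-encodes the semicolon),
# line 3 uses only the benign jsessionid parameter, line 5 was refused with
# 403, and line 6 has a semicolon only inside the query string.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2025:10:00:01 +0000] "GET /rest/users HTTP/1.1" 401 0
203.0.113.10 - - [05/Dec/2025:10:00:02 +0000] "GET /rest/users;x=1 HTTP/1.1" 200 2048
198.51.100.7 - - [05/Dec/2025:10:00:03 +0000] "GET /rest/users;jsessionid=abc123 HTTP/1.1" 200 512
203.0.113.10 - - [05/Dec/2025:10:00:04 +0000] "GET /rest/config%3Bx HTTP/1.1" 200 1024
203.0.113.10 - - [05/Dec/2025:10:00:05 +0000] "POST /admin/settings;y HTTP/1.1" 403 0
198.51.100.7 - - [05/Dec/2025:10:00:06 +0000] "GET /rest/users?id=1;2 HTTP/1.1" 401 0
"""


def split_segments(target):
    """Drop the query string and percent-decode the path so '%3B' is seen as ';'."""
    path = unquote(target.split("?", 1)[0])
    return path.split("/")


def normalize_path(target):
    """The path as a route matcher sees it after stripping ';param' from every segment."""
    return "/".join(seg.split(";", 1)[0] for seg in split_segments(target))


def suspicious_path_params(target):
    """Names of path parameters that are not on the benign allowlist ([] if none)."""
    names = []
    for seg in split_segments(target):
        for param in seg.split(";")[1:]:
            name = param.split("=", 1)[0].lower()
            if name not in BENIGN_PATH_PARAMS:
                names.append(name or "<empty>")
    return names


def scan_log(text):
    """One finding per request using non-benign ';' path parameters on a protected route."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line; skip rather than guess
        params = suspicious_path_params(m["target"])
        if not params:
            continue
        normalized = normalize_path(m["target"])
        if normalized.startswith(PROTECTED_PREFIXES):
            findings.append({
                "client": m["client"],
                "method": m["method"],
                "raw_target": m["target"],
                "normalized": normalized,
                "params": params,
                "status": int(m["status"]),
            })
    return findings


def successful_findings(findings):
    """Findings that were answered with 2xx: the ones that most need investigation."""
    return [f for f in findings if 200 <= f["status"] < 300]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['raw_target']} -> {f['normalized']} "
              f"params={f['params']} status={f['status']}")
```

The normalized path is kept alongside the raw target so an analyst can compare a 401 on `/rest/users` with a later 200 on a `;`-decorated variant of the same route from the same client; that pairing, rather than the semicolon alone, is the bypass signal. Percent-decoding before the check matters because an encoded semicolon reaches the application as the same character.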
How to prevent and mitigate RCE flaws
Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.
Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.