
This Week in Cybersecurity: Looking Back at Week 49

December 4, 2025 Reading Time: 9 minutes

This week’s intelligence shows a cluster of maximum severity flaws and active exploitation across both developer pipelines and corporate identity infrastructure.

We track a CVSS 10.0 RCE flaw in React/Next.js, the urgent patching required for a CVSS 9.8 WordPress takeover and a cross-tenant Defender bypass in Microsoft Teams.

These technical failures, combined with the sophisticated use of identity theft by the Lazarus APT group, demand immediate action to secure privileged access and the application supply chain.

1. Microsoft Teams Guest Access Bypasses Defender Protection

Cybersecurity researchers have highlighted a cross-tenant security blind spot in Microsoft Teams that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature.

When a user accepts a guest invitation to an external tenant, their security protections are determined entirely by the hosting environment, not by their home organisation’s security policies. This creates “protection-free zones”: a threat actor can spin up a malicious Microsoft 365 tenant on a low-cost licence that does not include Defender for Office 365, invite victims as guests, and operate in a tenant where nothing scans what they send.

The attack chain is particularly dangerous because the invitation email originates from Microsoft’s own infrastructure, so it passes SPF, DKIM and DMARC checks and gives the victim’s mail filters nothing to reject. Once the victim is a guest, the attacker can distribute phishing links or malware-laced attachments inside Teams without the victim’s organisation being aware.

View Source

Our Take: Prioritise Zero Trust for Collaboration

Zero Trust principles must be extended to collaboration platforms. The control that sits with the victim’s own organisation is the outbound side of Entra ID cross-tenant access settings: restrict which external tenants your users may accept guest invitations into, ideally to an allow-list of vetted partners, rather than leaving the service default that permits any tenant. On the tenants you host, apply dedicated Conditional Access policies to guest and external users so the security baseline does not depend on the other side’s licensing.
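The following is an added example, not code from the original article or from Microsoft, of how a home tenant can check and tighten the outbound side of this exposure. It assumes the JSON shape Microsoft Graph returns for GET /policies/crossTenantAccessPolicy/default and accepts for the matching PATCH and for POST /policies/crossTenantAccessPolicy/partners; the sample policy is constructed to mirror the service defaults and the partner tenant ID is a placeholder.

```python
"""Audit the Entra ID cross-tenant access default policy for open outbound
B2B collaboration, and build the restrictive replacement bodies.

Added example; not code from the article or from Microsoft. Assumes the
Microsoft Graph JSON shape for /policies/crossTenantAccessPolicy/default
and /policies/crossTenantAccessPolicy/partners."""

import json
from typing import List

# Constructed sample of the service defaults: outbound B2B collaboration is
# allowed for all users, to all applications, in every external tenant.
SAMPLE_DEFAULT_POLICY = json.loads("""
{
  "isServiceDefault": true,
  "b2bCollaborationOutbound": {
    "usersAndGroups": {
      "accessType": "allowed",
      "targets": [{"target": "AllUsers", "targetType": "user"}]
    },
    "applications": {
      "accessType": "allowed",
      "targets": [{"target": "AllApplications", "targetType": "application"}]
    }
  }
}
""")

WILDCARDS = ("AllUsers", "AllApplications")


def _allows_everything(target_config: dict) -> bool:
    """True when a usersAndGroups/applications block is 'allowed' for a wildcard."""
    if target_config.get("accessType") != "allowed":
        return False
    return any(t.get("target") in WILDCARDS for t in target_config.get("targets", []))


def audit_outbound_b2b(policy: dict) -> List[str]:
    """Return findings for a default policy; an empty list means outbound guest
    access is restricted at the tenant level."""
    findings = []
    outbound = policy.get("b2bCollaborationOutbound") or {}
    if _allows_everything(outbound.get("usersAndGroups") or {}):
        findings.append(
            "usersAndGroups: every user may accept a guest invitation from any "
            "external tenant, including an attacker-created one with no Defender coverage"
        )
    if _allows_everything(outbound.get("applications") or {}):
        findings.append(
            "applications: users may sign in to every application (Teams included) "
            "in external tenants once invited"
        )
    return findings


def restrictive_default() -> dict:
    """PATCH body for the default policy: block outbound B2B collaboration for
    all users and all applications. Vetted partners are re-enabled per tenant."""
    return {
        "b2bCollaborationOutbound": {
            "usersAndGroups": {
                "accessType": "blocked",
                "targets": [{"target": "AllUsers", "targetType": "user"}],
            },
            "applications": {
                "accessType": "blocked",
                "targets": [{"target": "AllApplications", "targetType": "application"}],
            },
        }
    }


def partner_allow(tenant_id: str) -> dict:
    """POST body that re-allows outbound collaboration into one vetted tenant."""
    return {
        "tenantId": tenant_id,
        "b2bCollaborationOutbound": {
            "usersAndGroups": {
                "accessType": "allowed",
                "targets": [{"target": "AllUsers", "targetType": "user"}],
            },
            "applications": {
                "accessType": "allowed",
                "targets": [{"target": "AllApplications", "targetType": "application"}],
            },
        },
    }


if __name__ == "__main__":
    for finding in audit_outbound_b2b(SAMPLE_DEFAULT_POLICY):
        print("FINDING:", finding)
    print(json.dumps(restrictive_default(), indent=2))
    # Placeholder tenant ID; substitute the vetted partner's real tenant GUID.
    print(json.dumps(partner_allow("00000000-0000-0000-0000-000000000000"), indent=2))
```

Blocking the default outbound setting also cuts off every external tenant your users already collaborate in, so inventory existing guest memberships and create the partner entries before applying the block.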

2. Cloudflare Mitigates Record 29.7 Tbps DDoS Attack from AISURU Botnet

Cloudflare successfully blocked a record 29.7 terabits per second (Tbps) Distributed Denial of Service (DDoS) attack launched by the AISURU botnet, setting a new high for volumetric attacks mitigated by the company. The attack, which lasted 69 seconds, was one of many hyper volumetric attacks regularly launched by AISURU, a botnet estimated to comprise 1 to 4 million devices and often sold as a “botnet-for-hire” service.

Cloudflare’s report highlighted that DDoS attacks are rapidly growing in size and sophistication, with those exceeding 1 Tbps surging by 227% quarter over quarter in Q3 2025. The attacks targeted sectors including AI firms, Mining/Metals and Automotive.

View Source

Our Take: Cloud Native DDoS Defense is Mandatory

The growth in hyper-volumetric attacks confirms that on-premises scrubbing appliances, and any cloud defence without comparable capacity, cannot absorb traffic at this scale; 29.7 Tbps exceeds the total upstream capacity of most organisations many times over. Organisations must prioritise cloud-native, scalable mitigation services and treat DDoS defence as a mandatory operational cost.

3. Scattered Lapsus$ Hunters Prepare Credential Theft Campaign Targeting Zendesk Environments

Hackers affiliated with Scattered Lapsus$ Hunters are believed to be preparing a major campaign against Zendesk environments, according to ReliaQuest researchers.

Over the past six months, approximately 40 typosquatting and impersonation domains have been created that mimic Zendesk portals, some hosting fake single sign-on pages designed to steal credentials. Researchers believe the primary objective is to harvest credentials from users with elevated permissions, such as system administrators and helpdesk personnel.

Evidence suggests the campaign is moving into an active phase, with attackers submitting fraudulent tickets to legitimate Zendesk portals to target support staff and infect them with remote access Trojans and other malware. The attackers’ techniques, including the use of Cloudflare to mask the domains’ nameservers, resemble a previous campaign targeting Salesforce environments.

View Source

Our Take: Protect Helpdesk and High-Privilege Users

This campaign highlights the use of typosquatting to target customer service and support personnel who hold elevated privileges. Companies using platforms like Zendesk must deploy advanced email and URL protection for helpdesk staff, combined with strict MFA enforcement and regular phishing simulation training.
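As an added example (not code from the article or from ReliaQuest), the triage logic below flags hostnames that impersonate a Zendesk portal by the three patterns described above: character-level typosquats, brand-plus-keyword registrations, and the brand used as a subdomain of an unrelated registrable domain. The candidate domains are constructed; in practice the input would be a certificate transparency or newly registered domain feed.

```python
"""Triage candidate hostnames for Zendesk-portal lookalikes.

Added example; not code from the article or from ReliaQuest. The candidate
domains below are constructed for illustration."""

import unicodedata
from typing import List, Tuple

BRAND = "zendesk"
LEGIT_APEX = "zendesk.com"   # real customer portals live under <tenant>.zendesk.com
# Tokens that are not the brand and never count as a match on their own.
GENERIC_LABELS = {"www", "login", "sso", "portal", "help", "support", "secure"}

# Digit and digraph substitutions commonly used to mimic a brand name.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed candidate list: legitimate, lookalike and unrelated names mixed.
SAMPLE_DOMAINS = [
    "acme.zendesk.com",
    "zendesk.com",
    "zend3sk-login.com",
    "zendesk-sso-portal.net",
    "zendesk.com.support-verify.io",
    "zemdesk.com",
    "zеndesk.com",   # Cyrillic 'е' (U+0435) in place of Latin 'e'
    "helpdesk-portal.io",
    "example.org",
]


def normalise(label: str) -> str:
    """Fold Unicode homoglyphs and common digit/digraph substitutions to ASCII."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    host = domain.strip().lower().rstrip(".")
    if host == LEGIT_APEX or host.endswith("." + LEGIT_APEX):
        return "legitimate"
    # Examine every label except the public suffix, and every hyphen-separated
    # token inside a label, so that 'zendesk-sso-portal.net' and
    # 'zendesk.com.support-verify.io' are both caught.
    for label in host.split(".")[:-1]:
        for token in label.split("-"):
            tok = normalise(token)
            if not tok or tok in GENERIC_LABELS:
                continue
            if BRAND in tok:
                return "lookalike"
            if abs(len(tok) - len(BRAND)) <= 2 and levenshtein(tok, BRAND) <= 2:
                return "lookalike"
    return "unrelated"


def triage(domains: List[str]) -> List[Tuple[str, str]]:
    """Classify a batch and return (domain, verdict) pairs."""
    return [(d, classify(d)) for d in domains]


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_DOMAINS):
        print(f"{verdict:11} {domain}")
```

The edit-distance threshold of 2 on a seven-character brand is deliberately loose; feed lookalike verdicts into a block list or a takedown queue only after checking WHOIS age and nameservers, since a newly registered domain behind masked nameservers is the profile the researchers describe.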

4. Lazarus Group’s Remote IT Worker Scheme Captured in Action

Researchers monitored from the inside a persistent infiltration scheme run by the Lazarus APT group, which places North Korean IT contractors as remote workers to gain access to Western companies. The joint investigation captured the full attack cycle on video by luring the Lazarus operators into controlled virtual machines disguised as genuine developer laptops.

The scheme focused on stealing identities and taking over remote machines rather than deploying traditional malware.

The operators relied on AI job automation tools to pass interviews, used browser-based OTP generators to handle 2FA for victim accounts and installed Chrome Remote Desktop (Google’s remote access tool) to maintain persistent, 24/7 control of the compromised workstation.

The operation revealed the group’s goal was to obtain the victim’s identity documents, SSN and banking information, all while operating through the victim’s laptop and funnelling earnings back to North Korea.

View Source

Our Take: Strengthen Contractor Vetting and Identity Controls

This operation confirms that identity-based attacks remain a top priority for nation state actors. Companies must implement rigorous vetting processes for remote contractors, move 2FA off browser-based OTP generators onto hardware-bound or phishing-resistant factors, and deploy EDR/monitoring that flags persistent remote access tools such as Chrome Remote Desktop on machines where they are not approved.
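The detection below is an added example, not code from the article or from the researchers, of how endpoint telemetry can surface the persistence technique above. It assumes a JSON-lines event schema (event, host, user, image, cmdline, service_name, dest) that is constructed here; the indicators are the Windows binary name (remoting_host.exe), service name (chromoting), installer name and relay domain of Chrome Remote Desktop, plus two other common remote-control tools, and the approved-host list is an assumption.

```python
"""Flag persistent remote-access tooling from endpoint telemetry.

Added example; not code from the article or from the researchers. The event
records are constructed JSON lines in an assumed schema."""

import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Image basenames (lower-case) of remote-control tools that should not appear
# on an ordinary developer workstation. Extend for your environment.
REMOTE_ACCESS_IMAGES = {
    "remoting_host.exe": "Chrome Remote Desktop host",
    "remoting_start_host.exe": "Chrome Remote Desktop host registration",
    "anydesk.exe": "AnyDesk",
    "teamviewer_service.exe": "TeamViewer service",
}
REMOTE_ACCESS_SERVICES = {"chromoting": "Chrome Remote Desktop Service"}
REMOTE_ACCESS_DOMAINS = {"remotedesktop.google.com": "Chrome Remote Desktop"}
INSTALLER_MARKERS = ("chromeremotedesktophost",)   # name of the CRD host MSI

# Constructed telemetry. DEV-LAPTOP-07 plays the "developer laptop" handed to
# the operator, BUILD-01 is clean, IT-JUMP-02 is an approved admin host that
# legitimately runs AnyDesk.
SAMPLE_EVENTS = r"""
{"event":"process_start","host":"DEV-LAPTOP-07","user":"jdoe","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec /i chromeremotedesktophost.msi /qn"}
{"event":"service_install","host":"DEV-LAPTOP-07","user":"SYSTEM","service_name":"chromoting","image":"C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\remoting_host.exe"}
{"event":"process_start","host":"DEV-LAPTOP-07","user":"SYSTEM","image":"C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\remoting_host.exe","parent":"services.exe"}
{"event":"network","host":"DEV-LAPTOP-07","user":"SYSTEM","image":"remoting_host.exe","dest":"remotedesktop.google.com","port":443}
{"event":"process_start","host":"BUILD-01","user":"svc_build","image":"C:\\Program Files\\Git\\cmd\\git.exe","parent":"runner.exe"}
{"event":"process_start","host":"IT-JUMP-02","user":"admin","image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","parent":"explorer.exe"}
"""


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_event(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (category, description) if the event is a remote-access indicator."""
    kind = ev.get("event")
    image = _basename(ev.get("image", ""))
    dest = ev.get("dest", "").lower()
    if kind == "network" and dest in REMOTE_ACCESS_DOMAINS:
        return "network", f"{image or 'process'} connected to {dest} ({REMOTE_ACCESS_DOMAINS[dest]})"
    if kind == "service_install":
        name = ev.get("service_name", "").lower()
        if name in REMOTE_ACCESS_SERVICES or image in REMOTE_ACCESS_IMAGES:
            label = REMOTE_ACCESS_SERVICES.get(name) or REMOTE_ACCESS_IMAGES.get(image)
            return "service", f"service '{name}' installed ({label})"
    if kind in ("process_start", "network") and image in REMOTE_ACCESS_IMAGES:
        return "process", f"{REMOTE_ACCESS_IMAGES[image]} running as {ev.get('user')}"
    cmdline = ev.get("cmdline", "").lower()
    if any(marker in cmdline for marker in INSTALLER_MARKERS):
        return "installer", f"installer launched: {ev.get('cmdline')}"
    return None


def detect_remote_access(jsonl: str, approved_hosts=frozenset()) -> Dict[str, List[Tuple[str, str]]]:
    """Group indicator hits by host, skipping hosts approved to run such tools."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("host") in approved_hosts:
            continue
        hit = match_event(ev)
        if hit:
            hits[ev["host"]].append(hit)
    return dict(hits)


def persistent_hosts(hits: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Hosts where the tool was installed as a service and then seen running:
    the 24/7 control pattern, as opposed to a one-off interactive session."""
    return sorted(h for h, items in hits.items()
                  if {"service", "process"} <= {category for category, _ in items})


if __name__ == "__main__":
    found = detect_remote_access(SAMPLE_EVENTS, approved_hosts={"IT-JUMP-02"})
    for host, items in found.items():
        for category, desc in items:
            print(f"{host:14} {category:10} {desc}")
    print("persistent control on:", persistent_hosts(found))
```

The service-plus-process pairing is what separates a contractor who ran a remote session once from a workstation that is being driven around the clock; route the persistent set to incident response rather than to a ticket queue.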

5. Critical WordPress Flaw in King Addons Plugin Allows Unauthenticated Admin Takeover

A critical privilege escalation vulnerability, tracked as CVE-2025-8489 (CVSS 9.8), is being actively exploited in the wild, affecting the King Addons for Elementor WordPress plugin.

The flaw is caused by the plugin’s failure to restrict user roles during registration: an unauthenticated attacker can grant themselves administrator privileges simply by specifying the role in a crafted HTTP request. This gives the attacker complete control of the affected website, enabling them to upload malicious code or inject spam.

Security firms have blocked over 48,400 exploit attempts since active exploitation began in late October 2025, underscoring the urgency for users to update the plugin immediately to the patched version 51.1.35 or later.

View Source

Our Take: Emergency Patching for CMS Plugins

The immediate exploitation of this flaw underscores the danger of third-party plugin vulnerabilities in content management systems. All WordPress administrators must treat patching high-severity flaws as an emergency, and implement a Web Application Firewall (WAF) to virtually patch known exploits until updates are deployed.
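To make the flaw described above and the WAF stopgap concrete, here is an added example (not code from the article or from the King Addons plugin, which is written in PHP): a minimal Python reconstruction of the vulnerable registration pattern, its hardened form, and a request filter that virtually patches the endpoint. The endpoint paths, parameter names (user_login, user_email, role) and privileged-role list are assumptions.

```python
"""Client-controlled role on registration: vulnerable pattern, hardened form,
and a WAF-style virtual patch.

Added example; not code from the article or from the King Addons plugin.
Paths, parameter names and the privileged-role list are assumptions."""

from typing import Dict, List, Optional

DEFAULT_ROLE = "subscriber"
# Roles that grant content or site control; 'shop_manager' is WooCommerce's.
PRIVILEGED_ROLES = frozenset({"administrator", "editor", "author", "contributor", "shop_manager"})


class UserStore:
    """Stand-in for wp_insert_user(): records users and the role they were given."""

    def __init__(self) -> None:
        self.users: List[Dict[str, str]] = []

    def insert(self, login: str, email: str, role: str) -> Dict[str, str]:
        user = {"login": login, "email": email, "role": role}
        self.users.append(user)
        return user


def register_vulnerable(store: UserStore, form: Dict[str, str]) -> Dict[str, str]:
    """Vulnerable pattern: whatever role the client sends is passed straight
    into user creation, so role=administrator yields an administrator."""
    return store.insert(form["user_login"], form["user_email"], form.get("role", DEFAULT_ROLE))


def register_hardened(store: UserStore, form: Dict[str, str]) -> Dict[str, str]:
    """Hardened pattern: the role is never read from the request. Every
    self-registered account gets the site default; elevation is a separate,
    authenticated administrator action."""
    return store.insert(form["user_login"], form["user_email"], DEFAULT_ROLE)


def waf_should_block(method: str, path: str, params: Dict[str, str]) -> Optional[str]:
    """Virtual patch: block registration-style POSTs that try to choose a
    privileged role. Returns a reason string, or None to allow the request."""
    if method.upper() != "POST":
        return None
    lowered = path.lower()
    looks_like_registration = "register" in lowered or lowered.endswith("/wp-admin/admin-ajax.php")
    if not looks_like_registration:
        return None
    # Parameter names are assumptions; confirm them against real exploit
    # traffic in your WAF logs before relying on this rule.
    for key in ("role", "user_role", "roles", "role[]"):
        value = params.get(key, "").strip().lower()
        if value in PRIVILEGED_ROLES:
            return f"blocked: {key}={value} on registration endpoint {path}"
    return None


if __name__ == "__main__":
    store = UserStore()
    crafted = {"user_login": "attacker", "user_email": "a@example.invalid", "role": "administrator"}
    print("vulnerable ->", register_vulnerable(store, crafted)["role"])
    print("hardened   ->", register_hardened(store, crafted)["role"])
    print("waf        ->", waf_should_block("POST", "/wp-admin/admin-ajax.php", crafted))
```

In WordPress terms the real fix is the hardened handler: never pass a request-derived role into wp_insert_user() and let the site's default role apply. The WAF rule buys time while the plugin update rolls out, but it keys on assumed parameter names and must not replace patching.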

6. Australian Man Jailed for 7+ Years Over Airport and In Flight WiFi Attacks

Australian man Michael Clapsis was sentenced to 7 years and 4 months in prison for conducting systemic cybercrimes, including stealing sensitive data through “evil twin” Wi-Fi attacks at major Australian airports and on domestic flights.

Clapsis used a specialised device (a Wi-Fi Pineapple) to set up rogue access points that mimicked legitimate networks (such as Qantas WiFi) to steal victims’ email, social media and bank credentials. The crime spree also involved stealing over 700 intimate photos and videos from women’s online accounts over six years.

The severe sentence handed down by the District Court Judge underscores the legal gravity of unauthorised impairment of electronic communication and wide ranging data theft.

View Source

Our Take: Treat Public WiFi as Hostile

For users, the lesson is simple: never trust public WiFi for sensitive transactions, and use a Virtual Private Network (VPN) so that a rogue access point sees only encrypted traffic. For infrastructure operators, continuous rogue AP detection, comparing the SSIDs and BSSIDs seen on the air against the managed inventory, is essential.
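As an added example, not code from the article, the following compares observed beacons against an inventory of managed access points to flag the evil twin pattern above: an unknown BSSID broadcasting a managed SSID, a beacon that offers weaker security than the managed network, and a near-duplicate SSID. The SSIDs, BSSIDs and scan results are constructed; in practice the scan would come from a wireless IDS sensor or a scheduled site survey.

```python
"""Rogue access point detection against a managed-AP inventory.

Added example; not code from the article. All SSIDs, BSSIDs and scan
results are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weakest to strongest; an evil twin is usually open so its captive portal loads.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str
    rssi: int


# Constructed inventory: SSID -> authorised BSSIDs and the security it must offer.
KNOWN_APS: Dict[str, Dict] = {
    "Terminal-Free-WiFi": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2"},
    "Airline-Lounge": {"bssids": {"00:11:22:33:44:10"}, "security": "WPA3"},
}

# Constructed scan: two legitimate APs, an evil twin with a foreign BSSID, a
# BSSID-spoofing twin that is open instead of WPA2, a near-duplicate SSID and
# an unrelated network.
SAMPLE_SCAN = [
    Beacon("Terminal-Free-WiFi", "00:11:22:33:44:01", 6, "WPA2", -48),
    Beacon("Airline-Lounge", "00:11:22:33:44:10", 36, "WPA3", -60),
    Beacon("Terminal-Free-WiFi", "de:ad:be:ef:00:01", 6, "OPEN", -35),
    Beacon("Terminal-Free-WiFi", "00:11:22:33:44:02", 11, "OPEN", -40),
    Beacon("Terminal Free WiFi ", "de:ad:be:ef:00:02", 1, "OPEN", -42),
    Beacon("Coffee-Guest", "aa:bb:cc:dd:ee:ff", 1, "WPA2", -70),
]


def normalise_ssid(ssid: str) -> str:
    """Collapse case, whitespace and punctuation so near-duplicates compare equal."""
    return "".join(ch for ch in ssid.casefold() if ch.isalnum())


def find_rogue_aps(scan: List[Beacon], known: Dict[str, Dict]) -> List[Tuple[Beacon, str]]:
    """Return (beacon, reason) for every beacon that should be investigated."""
    findings = []
    by_norm = {normalise_ssid(s): s for s in known}
    for b in scan:
        bssid = b.bssid.lower()
        if b.ssid in known:
            expected = known[b.ssid]
            if bssid not in expected["bssids"]:
                findings.append((b, f"unknown BSSID {bssid} broadcasting managed SSID"))
            # Checked even for an authorised BSSID: a twin can spoof the MAC
            # but cannot offer the real network's credentials.
            if SECURITY_RANK.get(b.security.upper(), 0) < SECURITY_RANK[expected["security"]]:
                findings.append((b, f"{b.security} beacon for SSID that must be {expected['security']}"))
            continue
        managed = by_norm.get(normalise_ssid(b.ssid))
        if managed:
            findings.append((b, f"near-duplicate of managed SSID '{managed}'"))
    return findings


if __name__ == "__main__":
    for beacon, reason in find_rogue_aps(SAMPLE_SCAN, KNOWN_APS):
        print(f"ch{beacon.channel:<3} {beacon.bssid}  {beacon.ssid!r}: {reason}")
```

RSSI is carried on each beacon because the strongest-signal reading is what a sensor uses to localise the rogue device, which in the airport case would have been sitting in the departure lounge next to its victims.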

7. Maximum Severity Flaw in React and Next.js Exposed to RCE

A maximum severity security flaw has been disclosed in React Server Components (RSC) that could result in unauthenticated Remote Code Execution (RCE) if successfully exploited.

The vulnerability, tracked as CVE-2025-55182 (codenamed React2shell), carries a maximum CVSS score of 10.0. The issue stems from a logical deserialisation flaw in which React fails to safely process payloads sent to React Server Function endpoints, allowing an unauthenticated attacker to craft a malicious HTTP request that executes arbitrary JavaScript code on the server.

This critical vulnerability also affects Next.js applications using the App Router (CVE-2025-66478, also CVSS 10.0) and other libraries that bundle RSC.

Security experts stress that the flaw affects default framework configurations and can be exploited with just network access, making standard deployments immediately vulnerable.

View Source

Our Take: Supply Chain Alert for Developers

A CVSS 10.0 RCE flaw affecting widely used frameworks like React and Next.js is a critical supply chain risk. Development teams must immediately apply patches and treat this as a major incident: inventory every service that serves React Server Components, including applications built on other frameworks that bundle RSC rather than on Next.js, because exposure is not limited to one framework.

8. Ireland’s NCSC Highlights Systemic Cyber Risks in 2025 Assessment

The National Cyber Security Centre (NCSC) of Ireland launched its 2025 National Cyber Risk Assessment, providing a comprehensive review of the cyber threats and sectoral vulnerabilities facing the country.

The assessment identifies three key systemic risks threatening Ireland’s delivery of essential services, critical sectors (such as energy, transport and financial services) and society as a whole:

  • Dynamic geopolitical environment.
  • Evolving technology and its implications on security.
  • Supply chain security.

To mitigate these risks, the NCSC has issued five recommendations, including the need to strengthen visibility and detection, enhance proactive cyber defence capabilities and secure critical supply chains through stronger government procurement rules and embedding security by design.

The assessment provides the evidence base for strengthening Ireland’s preparedness, resilience and strategic response to growing threats, including increasingly sophisticated nation state activity and accelerating cybercrime.

View Source

Our Take: Systemic Risk Strategy

The NCSC’s focus on geopolitical risks, evolving technology and supply chain security is relevant globally. Organisations should mirror these recommendations by establishing a clear strategy for enhancing visibility and detection capabilities and embedding security by design principles into all procurement processes.

Hardening Identity and Securing Systemic Resilience

The incidents of Week 49 paint a clear picture that adversaries are relentlessly focused on exploiting the weakest link, whether that is a developer’s deserialisation flaw, a third party plugin’s privilege loophole, or a cross tenant identity bypass in cloud collaboration tools. The sheer scale of the 29.7 Tbps DDoS attack and the sophistication of the Lazarus APT’s identity theft scheme confirm that threats are both massive and meticulously targeted.

The key takeaway is the need to shift from passive security management to proactive, validation driven defence. Relying solely on security by default is no longer tenable, as demonstrated by the Teams and React/Next.js vulnerabilities. To adequately protect against these threats, organisations must move beyond compliance based checkboxes and engage in deep security testing. This includes commissioning Application and Cloud Security Assessments to identify critical RCE and privilege escalation flaws, as well as initiating comprehensive Penetration Testing and Red Team exercises to challenge core business resilience against nation state level threats and sophisticated identity attacks.

Ultimately, these weekly events serve as a constant reminder that continuous assurance is non negotiable. Strengthening your security posture means continually validating your controls, securing critical supply chains, and embedding security by design principles across your technology stack from cloud architecture to application code to ensure your defences are hardened against maximum severity threats.

Security must be a layered, strategic function. Contact us today to strengthen your security architecture and turn these threats into actionable defence strategy. ⬇️
