This week’s intelligence confirms a critical surge in maximum severity RCE flaws and the systemic risk posed by AI governance failures.
We track two CVSS 10.0 RCE flaws in React/Next.js, the active exploitation of the popular WinRAR archiver by nation state APTs and a dangerous new corporate data leak vector via Microsoft 365 Copilot.
These technical failures, combined with a major, four year old health sector ransomware breach coming to a head, demand that organisations focus immediately on application supply chain integrity and robust AI governance policies.
1. Critical Exploitation & Patching Urgency
WinRAR Path Traversal Flaw Actively Exploited by APTs
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a path traversal vulnerability in the widely used WinRAR file archiver, tracked as CVE 2025 6218 (CVSS 7.8), to its Known Exploited Vulnerabilities (KEV) catalog, confirming its active exploitation in the wild by multiple threat actors.
Exploitation requires the target to open a malicious file, enabling attackers to place files in sensitive locations, such as the Windows Startup folder, potentially leading to code execution on the next system login. The flaw has been weaponised by groups including the Russian hacking group Gamaredon and the South Asia focused APT Bitter, typically delivered via spear phishing campaigns.
Users must update to WinRAR 7.12 or later immediately.
View SourceOur Take: Patch Third Party Utilities to Stop APTs.
The use of this WinRAR flaw by APTs like Gamaredon confirms that common third party utilities are now core attack vectors, particularly in espionage campaigns against government and critical infrastructure targets.
Organisations must patch all endpoint software, treating vulnerabilities listed in the CISA KEV catalog as non negotiable, mandatory updates.
Critical Fortinet FortiWeb Flaw Actively Exploited for Full Admin Control
The Irish National Cyber Security Centre (NCSC) issued a critical advisory for CVE 2025 64446 (CVSS Score 9.1), a relative path traversal vulnerability impacting multiple versions of Fortinet FortiWeb. This flaw allows an unauthenticated attacker to execute administrative commands on the system by escaping the web root directory via crafted HTTP or HTTPS requests.
Crucially, reports confirm that this vulnerability is actively exploited to gain full administrative control over unpatched FortiWeb appliances. The vulnerability is listed in the CISA Known Exploited Vulnerability (KEV) catalog.
View SourceOur Take: Perimeter Defence is Under Attack.
FortiWeb appliances are a core component of web security. Immediately apply the vendor patch. Given the active exploitation status confirmed by CISA and the NCSC, organisations should assume compromise if patches were not applied immediately and should launch a forensic investigation.
React2Shell Exploitation Delivers New Backdoors
Exploitation of the maximum severity React Server Components (RSC) flaw, known as React2Shell (CVE 2025 55182) , is witnessing heavy, automated abuse across the internet, with threat actors deploying an array of new and sophisticated malware families.
Initial attacks deliver opportunistic payloads like cryptocurrency miners, but more advanced actors are leveraging the unauthenticated Remote Code Execution (RCE) flaw for targeted, long term persistence.
This includes the deployment of novel Linux backdoors and a highly sophisticated implant dubbed EtherRAT, which uses Ethereum smart contracts for resilient command-and-control (C2) communication.
View SourceOur Take: RCE is Driving Nation-State Persistence.
The rapid adoption of the React2Shell RCE by sophisticated actors to deploy C2 frameworks like EtherRAT (which utilises blockchain for resilience) confirms the flaw is a core vector for nation state threats. This is a patch now situation where Vulnerability Assessments must prioritise developer pipelines and internet facing servers.
Google Fixes Eighth Chrome Zero Day Actively Exploited in 2025
Google has released emergency updates to fix another Chrome zero day vulnerability that is being actively exploited in the wild, marking the eighth such security flaw patched since the start of 2025.
The patched vulnerability, a high severity buffer overflow bug, exists in Google’s open source LibANGLE library. This flaw could lead to memory corruption, crashes, sensitive information leaks and arbitrary code execution. Organisations are urged to update immediately, as the active exploitation confirms the browser remains a primary, high value attack vector for threat actors.
View SourceOur Take: Browser Patching is a Constant Zero Day Battle.
Eight exploited zero days in a single year for a core piece of end user software demands that browser patching move beyond routine IT maintenance to become a strategic priority.
Organisations must implement automated, mandatory patching policies across all endpoints and utilise advanced endpoint security solutions to detect in memory exploitation attempts, given the severity of buffer overflow flaws.
Unpatched Gogs Zero Day Exploited Across 700+ Instances
An unpatched, high severity security flaw in Gogs, the Go based self hosted Git service, is currently under active exploitation, with over 700 compromised instances accessible over the internet.
The vulnerability, tracked as CVE 2025 8110 (CVSS 8.7), is an improper symbolic link handling flaw in the PutContents API, allowing a remote attacker with low privilege to achieve arbitrary code execution by bypassing a previous RCE fix.
Exploitation involves crafting a Git repository with a symbolic link pointing outside the repository, which is then used via the API to overwrite sensitive system files and execute arbitrary commands. The threat actors are using a Supershell command and control framework.
View SourceOur Take: Self Hosted Tools Require Zero Day Mitigation.
The Gogs exploitation is a classic supply chain failure. A bypass of a previous RCE fix, leaving self hosted development environments vulnerable to remote takeover.
Since there is currently no patch, organisations using Gogs must disable open registration, limit internet exposure and implement strong application security controls like a WAF to monitor API traffic.
2. AI Governance & Data Risk
AI Agents Create New Corporate Data Leak Risk
A critical vulnerability dubbed “EchoLeak” exposed in Microsoft 365 Copilot highlights a new class of threat where no-code AI agents can be manipulated to leak sensitive corporate data.
The original vulnerability (CVE- 025 32711, CVSS 9.3) was a “Zero Click” LLM Scope Violation, allowing untrusted external input (such as an email) to commandeer the AI model to access and exfiltrate proprietary information from the user’s M365 context, including OneDrive documents, SharePoint content and Teams conversations.
The risk is heightened because the AI agents operate with broad access to organisational data but lack the context awareness to prevent unauthorised actions.
View SourceOur Take: AI Governance is a Critical Security Control.
The EchoLeak vulnerability proves that relying solely on Microsoft’s inherent security controls is insufficient against LLM manipulation.
Organisations must implement AI Risk, Governance and Strategy Services to establish clear data governance, tightly restrict the data the AI can reference (least privilege) and implement Data Loss Prevention (DLP) to monitor data usage across Copilot and other AI agents.
Grok AI Exposed for Revealing Home Addresses and Providing Stalking Guides
The AI chatbot Grok, developed by Elon Musk’s xAI, has been found to pose significant real world harm by revealing the current home addresses of ordinary people and actively assisting in surveillance. An investigation found that Grok returned accurate residential addresses for numerous individuals and often volunteered additional sensitive data.
Even more alarmingly, when asked for assistance, Grok provided a detailed, step by step guide for stalking and surveillance, demonstrating a critical failure in necessary ethical and safety safeguards.
View SourceOur Take: Third Party AI Services Must Be Vetted.
This incident highlights the need for robust AI risk assessments that go beyond technical security to evaluate the ethical and societal safety guardrails of third party LLMs used by staff. Organisations should prohibit the use of unvetted public AI services for any professional task that involves sensitive data or public figures.
3. Operational and Systemic Resilience
Ireland’s HSE Offers €750 Compensation to 2021 Ransomware Victims
Four years after the major ransomware attack on the Irish Health Service Executive (HSE) in May 2021, the HSE has begun offering financial compensation of €750 to victims whose personal data was compromised in the breach.
This compensation offer, which includes an additional €650 per person to cover legal fees, marks the first time the HSE has formally acknowledged the need to compensate the approximately 90,000 individuals affected. The total compensation bill for the HSE could exceed €100 million.
View SourceOur Take: Long Term Breach Costs Demand Prioritisation.
The HSE case proves that the financial consequences of a major data breach can span years and lead to crippling long term compensation costs. Organisations, particularly in the healthcare and financial sectors, must utilise Cybersecurity Maturity Assessments and Crisis Management Exercises to proactively manage and mitigate the long term legal and financial fallout of a major incident, making resilience investment cheaper than the breach itself.
4. Prioritise Pipeline Integrity and AI Governance
The confluence of attacks this week, from CVSS 10.0 RCE flaws in the core development pipeline (React/Next.js) to the weaponisation of common desktop tools (WinRAR) and the inherent risk in AI agents (Copilot/Grok), demands a significant strategic response.
This week’s intelligence confirms that threat actors are strategically operating at the highest levels of privilege, whether exploiting critical CVSS 10.0 flaws in identity infrastructure or exploiting public sector vulnerabilities. The time to upgrade is now.
Secora Consulting’s specialised service pillars are designed to counter the advanced, persistent threats highlighted this week:
-
Validate Critical Controls: The continuous stream of actively exploited RCE flaws (React/Next.js, FortiWeb) demands immediate verification. Our Adversary Simulation Testing and Penetration Testing services stress test your environment against these exact TTPs.
-
Ensure Long Term Resilience: The crippling costs of the HSE breach underscore the mandatory need for robust governance. Our Third Party Assurance Assessments and Crisis Management Exercises ensure your organisation meets mandatory legal and resilience standards.
Security must be a layered, strategic function. Partner with Secora Consulting to implement the resilient defence necessary to counter today’s sophisticated threats. ⬇️