Latest Cybersecurity Threats

Real-time threat intelligence from trusted sources

RondoDox Botnet is Using React2Shell to Hijack Thousands of Unpatched Devices

Hackread – Cybersecurity News, Data Breaches, AI, and More

Actively Exploited

Hackers using the RondoDox botnet are exploiting a vulnerability in Next.js known as React2Shell to take control of over 90,000 unpatched devices. This includes a range of products such as routers, smart cameras, and small business websites. The attack is particularly concerning because it targets devices that often lack regular updates or security patches, making them easy targets for cybercriminals. Users of these devices should be vigilant and consider updating their systems to protect against this growing threat. The number of devices affected raises alarms about the potential for widespread disruption if the flaw is left unaddressed.

Impact: Routers, smart cameras, small business websites
Remediation: Users should update their Next.js applications to the latest version and ensure that all devices are patched against known vulnerabilities.

Covenant Health has announced that nearly 478,000 patients' data was compromised in a breach first identified in May. The healthcare organization confirmed that personal information, including names, addresses, and some medical details, may have been accessed by unauthorized individuals. This incident raises concerns about patient privacy and the security of sensitive health information. Covenant Health is working to notify affected individuals and is taking steps to enhance its cybersecurity measures to prevent future breaches. The scale of this incident highlights the ongoing vulnerabilities faced by healthcare organizations in protecting patient data.

Impact: Personal health information, including names, addresses, and medical details of patients.
Remediation: Covenant Health is notifying affected individuals and enhancing cybersecurity measures.

Tokyo FM Data Breach: Hacker Claims Over 3 Million Records Stolen

Hackread – Cybersecurity News, Data Breaches, AI, and More

Tokyo FM is currently looking into a significant data breach that reportedly involves the theft of over 3 million records. According to claims made by a hacker, sensitive information may have been compromised, although the specific types of data have not been detailed. This incident could potentially affect a large number of users, raising concerns about identity theft and data misuse. As the investigation unfolds, individuals associated with Tokyo FM are advised to monitor their accounts and consider changing their passwords. The situation serves as a reminder of the vulnerabilities that organizations face and the importance of data protection measures.

Impact: Tokyo FM user records, personal information of listeners
Remediation: Users should monitor accounts for suspicious activity and change passwords.

Investigations by TRM Labs have linked ongoing cryptocurrency thefts to a breach of LastPass that occurred in 2022. Attackers managed to access encrypted vaults and have been draining cryptocurrency wallets years after the initial breach. They are laundering the stolen funds through exchanges based in Russia. This incident raises significant concerns about the long-term risks associated with data breaches, as compromised information continues to be exploited long after it is stolen. Users of LastPass and others in the cryptocurrency space should be particularly vigilant about securing their assets and monitoring for any unauthorized transactions.

Impact: LastPass, cryptocurrency wallets
Remediation: Users should enhance their security measures, such as enabling two-factor authentication and regularly monitoring wallet activity.

Over 10,000 Fortinet firewalls are currently at risk due to a two-factor authentication (2FA) bypass vulnerability that has been known for five years. This vulnerability allows attackers to exploit systems that have not implemented proper security measures, potentially granting them unauthorized access to sensitive data and networks. The issue is particularly pressing because it affects devices that are publicly accessible on the internet, increasing the likelihood of exploitation. Organizations using these firewalls need to act quickly to secure their systems and protect against potential breaches. It's crucial for users to verify their configurations and apply any available updates to mitigate this serious risk.

Impact: Fortinet firewalls, specifically those exposed to the internet and not patched against the 2FA bypass vulnerability.
Remediation: Organizations should immediately review their firewall configurations and apply any available security patches. Users are advised to disable the vulnerable 2FA feature if possible and ensure that their systems are not exposed to the internet without additional security measures. Regularly updating firmware and monitoring for unauthorized access attempts are also recommended.

Covenant Health, a healthcare organization based in Andover, Massachusetts, experienced a significant ransomware attack in May 2025, attributed to the Qilin group. This incident compromised the personal data of over 478,000 individuals, raising serious concerns about patient privacy and data security. Affected individuals may have had their sensitive health information exposed, which could lead to identity theft and other security risks. The breach emphasizes the ongoing vulnerabilities within the healthcare sector, where attackers increasingly target patient data for ransom. As healthcare providers continue to digitize their services, the need for robust cybersecurity measures becomes more pressing.

Impact: Personal data of over 478,000 individuals, including sensitive health information.
Remediation: N/A

Trust Wallet has reported a significant theft of approximately $8.5 million from over 2,500 crypto wallets, which they believe is linked to a broader security incident known as the Shai-Hulud attack that occurred in November. The attackers compromised Trust Wallet's web browser, allowing them to access users' funds. This incident raises concerns for crypto investors about the security of their wallets and the potential for similar attacks in the future. As the crypto industry continues to grow, vulnerabilities like this one highlight the importance of maintaining robust security measures. Users are advised to exercise caution when using web wallets and consider additional security practices.

Impact: Trust Wallet, over 2,500 crypto wallets
Remediation: Users should enhance their security by using hardware wallets, enabling two-factor authentication, and being cautious of phishing attempts.

Researchers have discovered a phishing campaign that leverages Google Cloud Application Integration to send emails that mimic legitimate messages from Google. This scheme uses a combination of trusted cloud services, user validation checks, and brand impersonation to trick users into believing the emails are authentic. The attackers aim to capture sensitive information by exploiting the trust associated with Google’s brand. This incident raises concerns for both individuals and organizations that rely on Google services, as it highlights the vulnerabilities in cloud-based email systems. Users are advised to be cautious and verify the authenticity of emails, especially those requesting sensitive data or actions.

Impact: Google Cloud Application Integration, Google email services
Remediation: Users should verify the authenticity of emails before responding or providing sensitive information. Organizations can implement additional security measures like email filtering and user training to recognize phishing attempts.

The RondoDox botnet has been actively exploiting the React2Shell vulnerability to target Next.js servers since December. This vulnerability allows attackers to compromise systems that are not properly secured, potentially leading to unauthorized access and control. Organizations using Next.js should be particularly vigilant, as the botnet's operators are weaponizing this flaw to expand their reach. It’s crucial for companies to implement security measures to protect their servers from these types of attacks. As the situation develops, users need to stay informed about their server configurations and ensure they are updated against known vulnerabilities.

Impact: Next.js servers
Remediation: Organizations should apply security patches for Next.js and review server configurations to mitigate the React2Shell vulnerability.

Covenant Health, a healthcare organization, suffered a significant data breach when the Qilin ransomware group hacked into its systems in May 2025. The incident has affected approximately 478,000 individuals, compromising sensitive personal information. While the exact nature of the stolen data has not been detailed, breaches of this scale often involve medical records and financial information, which can have serious implications for the affected individuals. This attack raises concerns about the security measures in place at healthcare facilities and the ongoing risks posed by ransomware groups. The incident serves as a reminder for organizations to strengthen their cybersecurity protocols to protect sensitive data from similar attacks.

Impact: Covenant Health systems and potentially sensitive patient information
Remediation: Organizations should review and enhance their cybersecurity measures, including regular system updates, employee training, and incident response plans. Specific remediation steps for Covenant Health have not been disclosed.

A new wave of the GlassWorm malware campaign is targeting macOS developers by distributing malicious extensions for Visual Studio Code and OpenVSX. These extensions contain trojanized versions of popular cryptocurrency wallet applications, which can compromise users' sensitive information and funds. Developers who install these malicious extensions may unknowingly expose themselves and their projects to significant risks. The attack highlights the ongoing vulnerabilities within software development environments and the need for developers to be cautious about the tools and extensions they use. Users are advised to verify the authenticity of any extensions before installation, especially those related to cryptocurrency.

Impact: macOS, Visual Studio Code, OpenVSX, crypto wallet applications
Remediation: Users should verify the source of extensions before installation and avoid using untrusted or unofficial versions of crypto wallet applications.

As part of the security measures for the 2026 mayoral inauguration of Zohran Mamdani in New York City, officials have banned specific electronic devices, including the Flipper Zero and Raspberry Pi. These devices, often used for programming and hacking, raised concerns about potential security risks at the high-profile event. The decision reflects a growing awareness of the need to safeguard public gatherings from unauthorized access or disruptions. By prohibiting these tools, the city aims to prevent any misuse that could compromise the security of attendees or the event itself. This move highlights the ongoing challenge of balancing technology's benefits with the need for security in public spaces.

Impact: Flipper Zero, Raspberry Pi
Remediation: N/A

In April and May 2023, a Chinese advanced persistent threat (APT) group exploited a zero-day vulnerability in Ivanti's Endpoint Mobile Management (EPMM) platform, impacting thousands of organizations. This attack allowed unauthorized access and control over mobile devices managed through Ivanti's software, raising serious concerns about the security of sensitive data within those systems. The incident serves as a stark reminder of the vulnerabilities that can exist in widely used management tools. Security experts warn that similar attacks could occur again if organizations do not take proactive measures to secure their systems. Companies using Ivanti EPMM should assess their security posture and implement necessary updates to prevent future breaches.

Impact: Ivanti Endpoint Mobile Management (EPMM) platform, affecting thousands of organizations.
Remediation: Organizations should immediately update their Ivanti EPMM software to the latest versions and apply any security patches released by Ivanti. Additionally, companies should review their security configurations and implement stricter access controls to mitigate the risk of similar attacks in the future.

The European Space Agency (ESA) has confirmed a data breach after a hacker, known as '888', attempted to sell stolen data online. The breach involved external science servers, raising concerns about the security of sensitive information related to ESA's projects. This incident highlights the risks that organizations face from cybercriminals looking to exploit vulnerabilities for financial gain. The ESA's acknowledgment of the breach indicates that they are taking steps to address the situation, but the full scope of the data compromised remains unclear. As this breach could potentially affect ongoing scientific research and collaborations, it underscores the need for robust cybersecurity measures in institutions handling critical data.

Impact: European Space Agency external science servers
Remediation: N/A

The RondoDox botnet has been identified exploiting a serious vulnerability known as React2Shell (CVE-2025-55182) to compromise Next.js servers. This flaw allows attackers to inject malware and cryptominers into systems that have not been properly secured. Organizations using Next.js frameworks are particularly at risk, as the botnet targets these servers directly. This incident underscores the necessity for companies to regularly update their software and apply security patches to prevent such attacks. The ongoing exploitation of this vulnerability poses significant risks to data integrity and can lead to unauthorized resource usage, impacting both performance and costs for affected users.

Impact: Next.js servers, specifically those vulnerable to the React2Shell flaw (CVE-2025-55182)
Remediation: Organizations should immediately update their Next.js servers to the latest version that addresses the React2Shell vulnerability. Regularly applying security patches and conducting vulnerability assessments are also recommended to mitigate risks from similar exploits.