React2Shell RCE Threat, CodeRED Alert Disruption, Coupang Data Breach – Cybersecurity News [December 01, 2025]
Cyber incidents this week hit emergency alerting, e-commerce, infrastructure, and app stacks. To start with, ransomware against the CodeRED platform disrupted local emergency notifications and exposed clear-text passwords. In another incident, a five-month breach at a major East Asian retailer affected tens of millions of customer accounts. Attackers exploited a command injection bug in Array Networks gateways, an admin takeover flaw in the King Addons WordPress plugin, and the React2Shell RCE vulnerability in React and Next.js.
React2Shell Vulnerability Exposes React and Next.js Apps to RCE
A critical bug dubbed React2Shell has been uncovered in the React Server Components Flight protocol, allowing attackers to run code remotely on some React and Next.js apps without needing to log in. The flaw, rated 10 out of 10 in severity and tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, is caused by insecure deserialization in the react-server package. An attacker can trigger the bug by sending a crafted HTTP request to React Server Function endpoints, and even applications that only use React Server Components may be at risk.
The vulnerability affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as Next.js experimental canary builds from 14.3.0-canary.77 and all 15.x and 16.x releases prior to recent patches. Cloud security researchers say a significant share of environments they see are running vulnerable versions, and similar issues may exist in other libraries that implement React Server Components. Vendors have released fixes in React 19.0.1, 19.1.2, and 19.2.1, and in a series of Next.js updates across the 15 and 16 branches. Organisations are urged to identify any affected applications, upgrade quickly, and treat unpatched instances as high-risk targets in their cloud and web environments.
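As an added example (not code from the article, nor from the React or Next.js projects), the JavaScript below audits the react and next entries of a package-lock.json against the affected and fixed releases quoted above. It assumes "React 19.0" means 19.0.0, and because the article does not list the patched Next.js 15.x/16.x version numbers, those branches are reported as "verify" rather than guessed.

```javascript
// Fixed React releases named in the article, keyed by major.minor line
const REACT_FIXED = { "19.0": [19, 0, 1], "19.1": [19, 1, 2], "19.2": [19, 2, 1] };

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3], pre: m[4] || null };
}

// Compare [major, minor, patch] triples
function cmp(a, b) { return a[0] - b[0] || a[1] - b[1] || a[2] - b[2]; }

// React: 19.0, 19.1.0, 19.1.1, 19.2.0 affected; 19.0.1, 19.1.2, 19.2.1 fixed
function auditReact(version) {
  const v = parseSemver(version);
  if (!v) return "unknown";
  const fixed = REACT_FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return "not-listed";   // line not in the article's list (e.g. 18.x)
  if (v.pre) return "verify";        // pre-release build: check the vendor advisory
  return cmp([v.major, v.minor, v.patch], fixed) >= 0 ? "fixed" : "affected";
}

// Next.js: 14.3.0-canary.77 onward affected; 15.x/16.x affected before patches
// whose numbers the article does not give, so those branches return "verify"
function auditNext(version) {
  const v = parseSemver(version);
  if (!v) return "unknown";
  if (v.major === 14) {
    const m = v.pre && /^canary\.(\d+)$/.exec(v.pre);
    return v.minor === 3 && v.patch === 0 && m && +m[1] >= 77 ? "affected" : "not-listed";
  }
  return v.major === 15 || v.major === 16 ? "verify" : "not-listed";
}

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map), nested copies included
function auditLockfile(lock) {
  const out = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === "react") out.push({ name, version: info.version, status: auditReact(info.version) });
    else if (name === "next") out.push({ name, version: info.version, status: auditNext(info.version) });
  }
  return out;
}

// Constructed sample lockfile fragment, not taken from any real project
const SAMPLE_LOCK = { packages: {
  "node_modules/react": { version: "19.1.1" },
  "node_modules/react-dom": { version: "19.1.1" },
  "node_modules/next": { version: "14.3.0-canary.80" },
} };
```

Run auditLockfile(JSON.parse(fs.readFileSync("package-lock.json"))) on a real lockfile; anything other than "fixed" or "not-listed" deserves a look.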
CodeRED Ransomware Attack Disrupts Emergency Alert Services
A major cyberattack on the OnSolve CodeRED emergency notification system has knocked out emergency alerts for several local governments and led officials to urge residents to reset their passwords. CodeRED, a cloud-based alerting platform used by city, county, and state agencies for severe weather, evacuations, and other urgent events, suffered both a data breach and a service outage, forcing some regions to fall back on social media and other channels while systems were rebuilt.
The INC Ransom group has claimed responsibility, posting screenshots that appear to show stolen customer data, including email addresses and clear-text passwords, as well as alleged ransom negotiations with Crisis24, the provider behind CodeRED. In response, Crisis24 shut down its legacy environment and moved CodeRED to a more isolated infrastructure, and some regions have already chosen to end their contracts with the service. The incident shows how risky it is to store passwords in plain text, how disruptive outages can be for life-safety systems, and why strong password practices, multi-factor authentication, and fast, clear breach notifications to users are so important.
Coupang Investigates Five-month Breach Impacting 33.7 Million Customers
Ecommerce giant Coupang has disclosed a prolonged data breach affecting 33.7 million customer accounts in its primary East Asian market. The company said it first became aware of unauthorized access on 18 November, when suspicious activity was detected on about 4,500 customer accounts. A deeper investigation later revealed that a threat actor had been accessing data since 24 June through overseas servers, significantly expanding the scope of the incident.
During this five-month period, attackers accessed customer names, email addresses, shipping addresses, phone numbers, and order history. Coupang has stressed that payment card information, bank details, and login credentials were not exposed, and that no account actions such as password changes are required at this time. The firm says it has blocked the unauthorized access, strengthened internal monitoring, and notified national regulators, cybersecurity agencies, and law enforcement. A formal notice has been published on its website, and affected users will be contacted via email or text. Local media reports suggest a former employee, reportedly now overseas, is the main suspect, although Coupang has not publicly attributed the breach or disclosed detailed technical information about how the intrusion occurred.
Array Networks DesktopDirect Vulnerability Exploited in the Wild
Array Networks’ AG Series secure access gateways are being actively targeted via a command injection flaw in the DesktopDirect remote access feature, with attacks observed since August 2025. The issue, which has not yet been assigned a CVE, was patched on 11 May 2025 but still affects ArrayOS versions 9.4.5.8 and earlier, where DesktopDirect is turned on. If exploited, it allows attackers to run arbitrary commands on the impacted devices.
According to a recent advisory from a regional computer emergency response team, attackers have been using the bug to deploy web shells on vulnerable gateways, with activity traced to the IP address 194.233.100.138. The scale of exploitation and the identity of the threat actors remain unclear. A separate authentication bypass vulnerability in the same product (CVE-2023-28461, CVSS 9.8) was previously abused by an East Asia-linked espionage group that has targeted organisations in the region since at least 2019. Customers are urged to upgrade to ArrayOS 9.4.5.9 or later. Where patching is not immediately possible, defenders are advised to disable DesktopDirect and apply URL filtering controls to block URLs containing a semicolon as an interim mitigation.
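As an added example (not from the article or from Array Networks), the JavaScript below models the interim "block URLs containing a semicolon" rule over constructed request lines, showing the check a filter needs if the semicolon arrives percent-encoded (%3B) or double-encoded (%253B) rather than as a literal byte. How a particular gateway or WAF decodes before matching is its own configuration detail, which this example does not claim to reproduce.

```javascript
// Returns true if the URL contains ';' literally or under up to two layers of
// percent-encoding; a byte-literal match alone would miss %3B and %253B
function urlHasSemicolon(rawUrl) {
  let s = rawUrl;
  for (let pass = 0; pass < 3; pass++) {        // literal, %3B, %253B
    if (s.includes(";")) return true;
    let next;
    try { next = decodeURIComponent(s); } catch (e) { return false; } // malformed %xx sequence
    if (next === s) return false;               // nothing left to decode
    s = next;
  }
  return s.includes(";");
}

// Constructed access-log lines in a "METHOD PATH STATUS" shape; not real gateway logs
const SAMPLE_LOG = [
  "GET /index.html 200",
  "GET /report;sort=asc 200",
  "GET /search?q=%3Bdate 200",
  "GET /search?q=%253Bdate 200",
  "GET /files/a%zz 200",
];

// Annotate each request with whether the interim rule would have blocked it
function applyInterimRule(lines) {
  return lines.map((line) => {
    const [method, path, status] = line.trim().split(/\s+/);
    return { method, path, status, blocked: urlHasSemicolon(path) };
  });
}
```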
King Addons WordPress Plugin Hit by Critical Flaw, Exploited in the Wild
A critical security flaw in the King Addons for Elementor WordPress plugin is being actively exploited to hijack vulnerable sites. Tracked as CVE-2025-8489 with a CVSS score of 9.8, it is a privilege escalation issue that lets anyone on the internet create an account with administrator rights without logging in first. The problem sits in the handle_register_ajax() function, which processes user registrations via the /wp-admin/admin-ajax.php endpoint. Because the plugin does not properly restrict which roles can be assigned during registration, an attacker can simply set their role to “administrator” in a crafted request and gain full control.
The bug affects versions 24.12.92 through 51.1.14 and was fixed in version 51.1.35, released on 25 September 2025. The plugin still has more than 10,000 active installs, and Wordfence says it has already blocked over 48,400 exploit attempts, with mass scanning starting in early November. If exploited, the flaw can be used to upload malicious code, inject spam, or redirect visitors to unsafe sites. Site owners are urged to update immediately, review administrator accounts, and look for any unusual changes or new plugins.
Incidents like these highlight why enforcing SPF, DKIM, and DMARC is essential for protecting domains from spoofing and strengthening overall email security.