---
title: "React2Shell RCE Threat, CodeRED Alert Disruption, Coupang Data Breach, Cybersecurity News [December 01, 2025] | DuoCircle"
description: "React2Shell RCE Threat, CodeRED Alert Disruption, Coupang Data Breach, Cybersecurity News [December 01."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cybersecurity-news-update-week-50-of-2025/"
---

Quick Answer

Cybersecurity news for the week of December 1, 2025. React2Shell (CVE-2025-55182 for React, CVE-2025-66478 for Next.js, both rated 10.0) exposed React Server Components to unauthenticated RCE via insecure deserialization in the react-server package; affected versions include React 19.0 through 19.2.0 and Next.js 14.3.0-canary.77 onward, with fixes in React 19.0.1, 19.1.2, 19.2.1 and across the 15.x and 16.x branches. Ransomware against the CodeRED platform disrupted local emergency notifications and exposed clear-text passwords. A five-month breach at South Korean retailer Coupang affected tens of millions of customers. Attackers also exploited a command-injection bug in Array Networks gateways and an admin-takeover flaw in the King Addons WordPress plugin.

# React2Shell RCE Threat, CodeRED Alert Disruption, Coupang Data Breach, Cybersecurity News [December 01, 2025]


![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/12/spf-record-generator-4560.jpg) 

[Cyber incidents](https://www.anthropic.com/news/disrupting-AI-espionage) this week hit emergency alerting, e-commerce, infrastructure, and app stacks. To start with, ransomware against the CodeRED platform disrupted local emergency notifications and exposed clear-text passwords. In another incident, a five-month breach at a **major East Asian retailer** affected tens of millions of customer accounts. _Attackers exploited a command injection bug in Array Networks gateways, an admin takeover flaw in the King Addons WordPress plugin, and the React2Shell RCE vulnerability in React and Next.js_.

## React2Shell Vulnerability Exposes React and Next.js Apps to RCE

A critical bug dubbed React2Shell has been uncovered in the [React Server Components](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) Flight protocol, allowing attackers to run code remotely on some React and [Next.js apps without needing to log in](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp). The flaw, **rated 10 out of 10 in severity** and tracked as [CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182) for React and [CVE-2025-66478](https://nvd.nist.gov/vuln/detail/CVE-2025-66478) for Next.js, is caused by [insecure deserialization in the react-server package](https://cloud.google.com/blog/products/identity-security/responding-to-cve-2025-55182). An attacker can trigger the bug by sending a crafted HTTP request to React Server Function endpoints, and even applications that only use React Server Components may be at risk.

The vulnerability affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as [Next.js experimental canary builds](https://nextjs.org/blog/CVE-2025-66478) from 14.3.0-canary.77 and all 15.x and 16.x releases prior to recent patches. Cloud security researchers say a significant share of environments they see are running vulnerable versions, and similar issues may exist in other libraries that implement React Server. Vendors have released fixes in **React 19.0.1, 19.1.2, and 19.2.1**, and in a series of Next.js updates across the 15 and 16 branches. Organisations are urged to identify any affected applications, upgrade quickly, and treat unpatched instances as high-risk targets in their cloud and web environments.
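One way to start identifying affected applications is to triage each project's npm lockfile against the versions listed above. This is an added example, not code from the article or the vendors; the `react-server-dom-*` package names in the watch list and the sample lockfile are assumptions, and because the article gives no fixed Next.js versions, matching Next.js releases are only marked `review`.

```python
import re

# Fixed React release per affected minor line, as listed in the article.
REACT_FIXED = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}
# Assumption: packages to inspect. The article names only "React", "Next.js"
# and "the react-server package"; the react-server-dom-* names are added here.
REACT_PACKAGES = {"react", "react-dom", "react-server-dom-webpack",
                  "react-server-dom-parcel", "react-server-dom-turbopack"}
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def classify(name, version):
    """Return 'vulnerable', 'review' or 'ok' for one installed package."""
    if name not in REACT_PACKAGES and name != "next":
        return "ok"                      # not a package this check covers
    m = SEMVER.match(version)
    if not m:
        return "review"                  # unparseable version: needs a human
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if name in REACT_PACKAGES:
        fixed = REACT_FIXED.get((major, minor))
        if fixed is None:
            return "ok"                  # release line not listed as affected
        if pre:
            return "review"              # pre-releases are not covered by the article
        return "vulnerable" if (major, minor, patch) < fixed else "ok"
    # Next.js: affected lines are flagged for comparison with the vendor advisory.
    if major in (15, 16):
        return "review"
    canary = re.fullmatch(r"canary\.(\d+)", pre or "")
    if (major, minor, patch) == (14, 3, 0) and canary and int(canary.group(1)) >= 77:
        return "review"
    return "ok"


def triage_lockfile(lock):
    """Scan an npm lockfile (v2/v3 'packages' map) and return sorted findings."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # Keys look like 'node_modules/a/node_modules/react'; keep the last name.
        name = path.rpartition("node_modules/")[2]
        version = meta.get("version", "")
        status = classify(name, version)
        if status != "ok":
            findings.append((path, version, status))
    return sorted(findings)


# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend", "version": "1.4.0"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.2"},
        "node_modules/next": {"version": "15.0.3"},
        "node_modules/legacy-widget/node_modules/react": {"version": "18.3.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    },
}

if __name__ == "__main__":
    for path, version, status in triage_lockfile(SAMPLE_LOCK):
        print(f"{status:10} {version:20} {path}")
```

For a real project, load the file with `json.load(open("package-lock.json"))` and pass the result to `triage_lockfile`; nested copies under other packages' `node_modules` are reported with their full path.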

[![Ransomware Attack ](https://media.mailhop.org/duocircle/images/2025/12/spf-record-8813.jpg)](https://media.mailhop.org/duocircle/images/2025/12/spf-record-8813.jpg)

## CodeRED Ransomware Attack Disrupts Emergency Alert Services

A major cyberattack on the OnSolve CodeRED emergency notification system has knocked out [emergency alerts for several local governments](https://www.cambridgema.gov/Departments/cambridgepolice/News/2025/11/communitynoticecyberattackagainstcodered) and [led officials to urge residents to reset their passwords](https://www.uptexas.org/312/Emergency-Notifications). CodeRED, a cloud-based alerting platform used by city, county, and state agencies for severe weather, evacuations, and other urgent events, suffered both a [data breach](https://cybersecuritynews.com/pharma-firm-inotiv-data-breach/) and a service outage, forcing some regions to fall back on social media and other channels while systems were rebuilt.

The [INC Ransom group has claimed responsibility](https://www.bleepingcomputer.com/news/security/onsolve-codered-cyberattack-disrupts-emergency-alert-systems-nationwide/), posting screenshots that appear to show stolen customer data, including email addresses and clear-text passwords, as well as alleged ransom negotiations with Crisis24, the provider behind CodeRED. In response, Crisis24 shut down its legacy environment and moved [CodeRED to a more isolated infrastructure](https://www.malwarebytes.com/blog/news/2025/11/millions-at-risk-after-nationwide-codered-alert-system-outage-and-data-breach), and some regions have already chosen to end their contracts with the service. The incident shows how risky it is to store passwords in plain text, how disruptive outages can be for life safety systems, and why strong password practices, [multi-factor authentication](https://www.onelogin.com/learn/what-is-mfa), and fast, clear breach notifications to users are so important.

[![multi-factor authentication](https://media.mailhop.org/duocircle/images/2025/12/spf-record-check-8813.jpg)](https://media.mailhop.org/duocircle/images/2025/12/spf-record-check-8813.jpg)

## Coupang Investigates Five-month Breach Impacting 33.7 Million Customers

[Ecommerce giant Coupang](https://www.aboutcoupang.com/) has disclosed [a prolonged data breach affecting 33.7 million customer](https://www.bbc.com/news/articles/c36zwywll02o) accounts in its primary East Asian market. The company said it first became aware of unauthorized access on 18 November, when suspicious activity was detected on **about 4,500 customer accounts**. A deeper investigation later revealed that a [threat actor](/phishing-protection/threat-actors-exploit-google-calendar-for-phishing-and-spoofing/) had been accessing data since 24 June through overseas servers, significantly expanding the scope of the incident.

_During this five-month period, attackers accessed customer names, email addresses, shipping addresses, phone numbers, and order history_. [Coupang has stressed](https://news.coupang.com/archives/58857/) that [payment card information](https://www.infosecurity-magazine.com/news/cyber-attack-exposes-credit-card/), bank details, and login credentials were not exposed, and that no account actions such as password changes are required at this time. The firm says it has blocked the unauthorized access, strengthened internal monitoring, and notified national regulators, cybersecurity agencies, and law enforcement. [A formal notice has been published on its website](https://mc.coupang.com/ssr/desktop/contact/notice?categoryCode=NOTICE), and affected users will be **contacted via email or text**. Local media reports suggest a former employee, reportedly now overseas, is the main suspect, although Coupang has not publicly attributed the breach or disclosed detailed technical information about how the intrusion occurred.

[![Impact of Coupang’s Prolonged Breach](https://media.mailhop.org/duocircle/images/2025/12/email-smtp-service-4569.jpg)](https://media.mailhop.org/duocircle/images/2025/12/email-smtp-service-4569.jpg)

## Array Networks DesktopDirect Vulnerability Exploited in the Wild

[Array Networks’ AG Series](https://www.jpcert.or.jp/at/2025/at250024.html) **secure access gateways** are being actively targeted via a command injection flaw in the DesktopDirect remote access feature, with attacks observed since August 2025. _The issue, which has not yet been assigned a CVE, was patched on 11 May 2025 but still affects ArrayOS versions 9.4.5.8 and earlier, where DesktopDirect is turned on. If exploited, it allows attackers to run arbitrary commands on the impacted devices._

According to a recent advisory from a regional computer emergency response team, attackers have been using the bug to deploy web shells on vulnerable gateways, with activity traced to the [IP address 194.233.100.138](https://www.virustotal.com/gui/ip-address/194.233.100.138/details). The scale of exploitation and the identity of the threat actors remain unclear. A separate [authentication bypass vulnerability](https://www.cisa.gov/news-events/alerts/2024/11/25/cisa-adds-one-known-exploited-vulnerability-catalog) in the same product ([CVE-2023-28461, CVSS 9.8](https://www.cve.org/CVERecord?id=CVE-2023-28461)) was previously abused by an East Asia-linked espionage group that has targeted organisations in the region since at least 2019. Customers are urged to upgrade to **ArrayOS 9.4.5.9 or later**. Where patching is not immediately possible, defenders are advised to disable DesktopDirect and apply URL filtering controls to block URLs containing a semicolon as an interim mitigation.
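The same two indicators, a semicolon in the requested URL and the source address above, can be hunted retrospectively in gateway or upstream proxy logs. This is an added example, not code from the advisory or the vendor; it assumes logs in the common/combined access log format, and the sample lines, paths and other IP addresses are constructed.

```python
import re
from urllib.parse import unquote

ADVISORY_IP = "194.233.100.138"   # source address named in the article
# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so %3B and %253B both surface as ';'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan(lines):
    """Return one record per log line that matches either indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue                       # skip lines in another format
        ip, when, method, target, status = m.groups()
        reasons = []
        if ";" in fully_decode(target):
            reasons.append("semicolon-in-url")
        if ip == ADVISORY_IP:
            reasons.append("advisory-ip")
        if reasons:
            hits.append({"line": number, "ip": ip, "time": when,
                         "method": method, "status": int(status),
                         "reasons": reasons})
    return hits


# Constructed sample log lines (paths and client addresses are placeholders).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2025:08:14:02 +0000] "GET /portal/index.html HTTP/1.1" 200 5123',
    '203.0.113.44 - - [12/Nov/2025:08:15:40 +0000] "GET /portal/item;x=1 HTTP/1.1" 404 312',
    '203.0.113.44 - - [12/Nov/2025:08:15:41 +0000] "GET /portal/item%3Bx HTTP/1.1" 404 312',
    '203.0.113.44 - - [12/Nov/2025:08:15:42 +0000] "GET /portal/item%253Bx HTTP/1.1" 404 312',
    '194.233.100.138 - - [12/Nov/2025:09:02:10 +0000] "GET /portal/index.html HTTP/1.1" 200 5123',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["line"], hit["ip"], hit["status"], ",".join(hit["reasons"]))
```

Semicolons also occur in legitimate URLs (session or matrix parameters), so hits are leads for review against the gateway's normal traffic, not confirmed exploitation.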

[![IP address 194.233.100.138](https://media.mailhop.org/duocircle/images/2025/12/sender-policy-framework-8813.jpg)](https://media.mailhop.org/duocircle/images/2025/12/sender-policy-framework-8813.jpg)

## King Addons WordPress Plugin Hit by Critical Flaw, Exploited in the Wild

A critical security flaw in the [King Addons for Elementor WordPress plugin](https://wordpress.org/plugins/king-addons/) is being actively exploited to hijack vulnerable sites. Tracked as [CVE-2025-8489 with a CVSS score of 9.8](https://www.cve.org/CVERecord?id=CVE-2025-8489), it is a privilege escalation issue that lets anyone on the internet create an account with administrator rights without logging in first. _The problem sits in the handle\_register\_ajax() function, which processes user registrations via the /wp-admin/admin-ajax.php endpoint_. Because the plugin does not properly restrict which roles can be assigned during registration, an attacker can simply set their role to “**administrator**” in a crafted request and gain full control.

The bug affects **versions 24.12.92 through 51.1.14** and was fixed in version 51.1.35 released on 25 September 2025. The plugin still has more than 10,000 active installs, and [Wordfence says it has already blocked over 48,400 exploit attempts](https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-king-addons-for-elementor-plugin/), with mass scanning starting in early November. If exploited, the flaw can be used to upload [malicious code](https://www.malwarebytes.com/blog/news/2024/11/malicious-qr-codes-sent-in-the-mail-deliver-malware), inject spam, or redirect visitors to unsafe sites. Site owners are urged to update immediately, review administrator accounts, and look for any unusual changes or new plugins.

Incidents like these highlight why enforcing [SPF](/resources/what-is-spf), [DKIM](/resources/what-is-dkim), and [DMARC](/resources/what-is-dmarc) is essential for protecting domains from spoofing and strengthening overall [email security](/).


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

