Remote code execution flaws are among the most prevalent and critical vulnerabilities in software today. Some of the most high-profile cybersecurity events in history — including the 2021 Log4Shell Log4j library vulnerability, the Apache Struts vulnerability that led to the 2017 Equifax breach and the 2014 Shellshock Bash vulnerability — were attributed to RCE flaws.
RCE exploits aren't new — in fact, they've existed for decades. The result of coding errors, configuration issues or insecure input handling, these popular targets let attackers execute malicious code on a target system. As of Dec. 4, more than 20% of the entries in CISA's Known Exploited Vulnerabilities catalog are related to RCEs.
This week's featured news looks at a few of the latest RCEs and their impact.
Critical React vulnerability enables RCE in cloud environments
A maximum-severity vulnerability in React, a popular open source JavaScript library that was developed at Facebook (now Meta) and released as open source in 2013, has raised alarms because of its potential to enable RCE in numerous cloud environments.
Two CVEs — CVE-2025-55182 and CVE-2025-66478 — highlight unsafe deserialization in React Server Components and its downstream effect on the Next.js framework.
Both vulnerabilities received a CVSS score of 10, enabling attackers to exploit servers with crafted HTTP requests. Meta and React teams released fixes and urged organizations to update React and Next.js versions immediately. Cloud connectivity vendor Cloudflare implemented proactive web application firewall rules to block exploitation, while cloud security platform vendor Wiz reported that 39% of cloud environments remain vulnerable, emphasizing the urgency of mitigation.
ShadyPanda exploits browser extensions to target millions
A sophisticated malware campaign by the China-based group ShadyPanda has infected 4.3 million Chrome and Edge users through malicious browser extensions. The extensions, disguised as legitimate tools, were weaponized with updates enabling RCE, letting attackers exfiltrate browsing histories, search queries and credentials.
Researchers uncovered several extensions, including Clean Master and WeTab, that monitor user activity and transmit data to servers in China.
Despite removal efforts by Google and Microsoft, the attackers' systematic exploitation of review processes highlights ongoing vulnerabilities in the security of browser extensions.
Critical Oracle Identity Manager flaw exploited in the wild
A severe RCE vulnerability, CVE-2025-61757, in Oracle Identity Manager has been actively exploited, posing significant risks to Oracle Fusion Middleware customers.
Discovered by researchers from security vendor Assetnote, the flaw stems from exposed REST APIs and authentication bypass issues, enabling attackers to exploit web routes with simple modifications, such as adding a semicolon to URLs.
The vulnerability, which received a CVSS score of 9.8, was patched in Oracle's October update but remains under active exploitation.
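The "semicolon in the URL" detail above describes a well-known class of path-parameter confusion, where the component that enforces authentication parses a request path differently from the component that routes it. As an added example that is not from this article, from Oracle or from Assetnote, the Python below canonicalizes request paths before an authorization decision and triages access logs for successful requests to a protected prefix that carried path parameters; the log format, the `/admin` prefix and the log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Dec/2025:10:01:02 +0000] "GET /admin/config HTTP/1.1" 401 0
10.0.0.5 - - [04/Dec/2025:10:01:05 +0000] "GET /admin;x/config HTTP/1.1" 200 512
10.0.0.7 - - [04/Dec/2025:10:02:10 +0000] "GET /public/index.html;jsessionid=ABC HTTP/1.1" 200 2048
10.0.0.9 - - [04/Dec/2025:10:03:00 +0000] "GET /admin/%3Bfoo/config HTTP/1.1" 200 512
"""

# Assumed common-log-style format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def canonical_path(target: str) -> str:
    """Reduce a request target to the path the router will actually dispatch on:
    drop the query string, percent-decode, strip ';param' from every segment
    and collapse repeated slashes. Authorization should be decided on this form."""
    path = unquote(target.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    path = re.sub(r"/+", "/", "/".join(segments))
    return path or "/"


def is_protected(canonical: str) -> bool:
    # Assumed policy: everything under /admin requires authentication.
    return canonical == "/admin" or canonical.startswith("/admin/")


def find_suspicious(log_text: str) -> list[dict]:
    """Flag successful requests whose raw target carried path parameters but whose
    canonical path lands in the protected area: the signature of a check that
    matched on the raw string while the router matched on the canonical one."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("target")
        canon = canonical_path(raw)
        had_params = ";" in unquote(raw.split("?", 1)[0])
        if had_params and is_protected(canon) and m.group("status").startswith("2"):
            hits.append({"ip": m.group("ip"), "raw": raw,
                         "canonical": canon, "status": m.group("status")})
    return hits
```

Running `find_suspicious(SAMPLE_LOG)` returns the two `/admin` requests that succeeded only in their parameterized forms, while the `jsessionid` request to a public path is left alone.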
Prevent and mitigate RCE flaws
Editor's note: An editor used AI tools to assist in the generation of this news brief. Our expert editors always review and edit content before publishing.
Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.