Top news stories this week
- Urgent Reaction. Active exploitation of React2Shell increases, enabling botnets and crypto mining.
- Health check. UK NHS trust Barts Health discloses data breach.
- Get out of jail free. Portugal amends cyber security law to protect security researchers.
- Double-edged sword. NCSC and OpenAI warn about contrasting cyber security risks of LLMs.
- Violence-as-a-service. Europol arrests highlight overlap of cybercrime and real-world violence.
- Patch now. Organisations should apply system patches as soon as they are released, especially on internet-facing systems, to minimise the risk of network intrusion.
1. Active exploitation of React2Shell increases, enabling botnets and crypto mining
Threat actors are exploiting React2Shell, a critical vulnerability in React Server Components tracked as CVE-2025-55182, to install backdoors on corporate networks and infect systems with botnets and crypto miners at scale. The US Cybersecurity and Infrastructure Security Agency (CISA) has urged all federal agencies to patch vulnerable systems immediately.
So what?
The vulnerability highlights the importance of a defence-in-depth approach to cyber security, which can prevent the compromise of a device on the network perimeter from escalating into a critical incident.
[Researcher: Jenny Eysert]
2. Barts Health discloses data breach
Barts Health, the UK's largest NHS Trust, confirmed that personal information of patients and staff was stolen by the ransomware gang Cl0p after a cyber-attack in August. The trust claims that the risk from the stolen data is limited as it is only accessible on the dark web, and is seeking a High Court order to prohibit anyone from publishing or sharing it.
So what?
While data breach notifications can take time, organisations should ensure that breach investigations are timely and complete, verify the claims of threat actors, and correctly assess the risks to data subjects.
[Researcher: Milda Petraityte]
3. Portuguese government amends cyber security law to protect security researchers
After Portugal carved out protections for researchers under its cyber security law, the UK is looking into doing the same. Portugal recently sought to establish a legal safe harbour for good-faith security research, providing legal protection for well-intentioned hackers. The UK has since committed to reviewing its Computer Misuse Act to provide similar safeguards.
So what?
Security researchers can proactively uncover and report vulnerabilities without fear of prosecution.
[Researcher: Lester Lim]

4. NCSC and OpenAI warn about cyber security risks related to AI models
The UK's National Cyber Security Centre (NCSC) has warned that prompt injection attacks against LLMs may never be fully mitigated because, unlike SQL injection, there is no inherent distinction between data and instructions: the model simply predicts the next token. Separately, OpenAI has warned that the cyber capabilities of its frontier AI models are accelerating and that upcoming models are likely to pose a "high" risk, potentially capable of developing working zero-day exploits against well-defended systems or assisting with complex enterprise intrusion operations.
So what?
The contrasting warnings highlight that while many LLMs are inherently vulnerable to manipulation, they are simultaneously becoming powerful enough to amplify offensive cyber capabilities.
[Researcher: James Tytler]
5. Europol crackdown exposes blurring lines between cybercrime and real-world violence
Europol has arrested nearly 200 individuals over the last six months linked to "Violence-as-a-Service" operations, in which criminals were recruited online to carry out physical attacks. Many of the criminals involved in recruiting for and carrying out these violence-for-hire services are also members of ‘The Com’, a loose network of hackers and cyber criminals that has been linked to high-profile ransomware attacks.
So what?
The crackdown underscores the growing convergence of the cyber and physical criminal ecosystems; organisations should treat this as a prompt to review insider threat programmes and recognise that threat actors may now operate across both domains.
[Researcher: James Tytler]
6. Ivanti, Fortinet and SAP announce patches for critical vulnerabilities
Ivanti urged its customers to patch the critical vulnerability CVE-2025-10573 in its Endpoint Manager (EPM) solution, which allows attackers to execute code remotely.
Separately, Fortinet has released urgent security patches for two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager appliances. These flaws could allow attackers to bypass FortiCloud SSO authentication.
Additionally, SAP has released an urgent update package to fix 14 vulnerabilities across multiple products. The three most critical flaws, tracked as CVE-2025-42880, CVE-2025-55754, and CVE-2025-42928, could allow remote code execution and malicious code injection.
So what?
Organisations should apply system patches as soon as they are released, especially on internet-facing systems, to minimise the risk of network intrusion.
[Researcher: Milda Petraityte]
