Brief #133: Next.js RCE Affects 39% of Cloud Environments, AI Agents Steal $4.6M, Supply Chain Breach Crisis

Nikoloz Kokhreidze

8 min read

Happy Sunday!

In this week's brief:

  • React and Next.js applications are facing immediate exploitation risk through newly discovered RCE vulnerabilities that affect default configurations and require urgent patching
  • AI agents are now capable of autonomously exploiting smart contracts for millions in profit, with their success rate doubling every 1.3 months in recent research
  • Supply chain security programs are failing spectacularly, with 97% of organizations experiencing breaches despite increased spending and established TPRM initiatives

A quick note before we dive in.

A Quick note

Is Security Blocking Your Next Enterprise Deal?

Let's discuss how fractional CISO services can unlock your pipeline without the full-time overhead.

Industry News

Critical RCE Vulnerabilities Discovered in React and Next.js Server Components

  • CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) are critical unauthenticated remote code execution vulnerabilities in React Server Components, caused by insecure deserialization in the RSC "Flight" protocol; exploitation is reported to be near-100% reliable.

  • Default Next.js applications created with create-next-app are vulnerable out of the box: exploitation requires only a crafted HTTP request, with no developer code changes needed.

  • Wiz Research reports that 39% of cloud environments contain vulnerable instances. The affected ranges are React 19.0 through 19.2 and Next.js 14.3.0-canary through 16.x; patches are available and should be applied immediately.
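The fastest way to answer "are we exposed?" is to walk the lockfile rather than trust package.json ranges, since transitive and nested copies of react-server-dom-* and next are what actually run. The script below is an added example, not code from the advisory, Wiz, or the Mandos Brief. It encodes only the affected ranges stated above (React 19.0 through 19.2, Next.js 14.3.0-canary through 16.x); because the brief does not list the patched releases, the caller supplies those from the vendor advisory via `fixed`, and the lockfile contents are constructed for illustration.

```python
"""Scan an npm lockfile (v2/v3 "packages" map) for React / Next.js versions
inside the ranges the brief lists as affected by CVE-2025-55182 and
CVE-2025-66478.

Added example, not from the advisory or the brief. Assumptions:
  - affected ranges come from the brief: React 19.0-19.2 and
    Next.js 14.3.0-canary through 16.x;
  - the brief gives no fixed versions, so the caller passes the patched
    releases from the vendor advisory in `fixed` (empty by default);
  - SAMPLE_LOCK below is constructed, not a real project's lockfile.
"""
import json
import re
import sys
from typing import Dict, FrozenSet, List, Tuple

# The Flight server lives in react-server-dom-*; react/react-dom are
# included so a mismatched pin is visible too.
REACT_PKGS = {"react", "react-dom", "react-server-dom-webpack",
              "react-server-dom-parcel", "react-server-dom-turbopack"}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse(version: str) -> Tuple[int, int, int, str]:
    """Return (major, minor, patch, prerelease) for a semver string."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) or ""


def react_in_range(version: str) -> bool:
    """React 19.0.x through 19.2.x (brief's stated affected range)."""
    major, minor, _, _ = parse(version)
    return major == 19 and 0 <= minor <= 2


def next_in_range(version: str) -> bool:
    """Next.js 14.3.0-canary.* through 16.x (brief's stated affected range).
    14.3 only ever shipped as canaries, so stable 14.x is not in range."""
    major, minor, patch, pre = parse(version)
    if major == 14:
        return (minor, patch) >= (3, 0) and "canary" in pre
    return 15 <= major <= 16


def is_affected(name: str, version: str,
                fixed: FrozenSet[str] = frozenset()) -> bool:
    """True if `name@version` is in an affected range and not a known fix."""
    if version in fixed:
        return False
    if name in REACT_PKGS:
        return react_in_range(version)
    if name == "next":
        return next_in_range(version)
    return False


def scan_lockfile(lock: Dict, fixed: FrozenSet[str] = frozenset()
                  ) -> List[Tuple[str, str, str]]:
    """Return (lockfile_path, package_name, version) for every affected entry,
    including nested copies under another package's node_modules."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:            # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles nesting & @scopes
        version = meta.get("version")
        if version and is_affected(name, version, fixed):
            hits.append((path, name, version))
    return hits


# Constructed lockfile excerpt for demonstration only.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/next": {"version": "16.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-dom": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/@types/react": {"version": "19.2.0"},          # not runtime code
        "node_modules/legacy-tool/node_modules/react": {"version": "18.3.1"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, name, version in scan_lockfile(lock):
        print(f"AFFECTED  {name}@{version}  ({path})")
```

Run it as `python scan_lock.py package-lock.json` in each service repo; pass the patched versions from the advisory as `fixed` once you have them so already-updated trees stop alerting. Pair it with a CSPM or agent inventory query for the 39% figure's equivalent in your own estate.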

Attackers Abuse OAuth Flows to Bypass MFA and Gain Persistence in Azure Environments

  • Threat actors are using device code phishing to obtain access tokens while bypassing MFA checks; fewer than 50% of customers have Conditional Access policies that block the device code flow.

  • ROPC (Resource Owner Password Credentials) authentication is being weaponized for credential stuffing, and only 0.2% of these attempts are blocked by Conditional Access rules, even though ROPC is a legacy grant that bypasses modern sign-in controls.

  • Once a token is obtained, attackers register a device and configure Windows Hello for Business, gaining 90-day persistence through Primary Refresh Tokens that satisfy high-assurance authentication requirements.
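The three bullets above describe one chain: a risky grant (device code or ROPC) that Conditional Access did not block, followed by a device registration that turns a stolen token into a long-lived PRT. The detector below is an added example, not code from the brief or from Microsoft. It runs over simplified sign-in and audit records; the field names (`authenticationProtocol`, `conditionalAccessStatus`, `activityDisplayName`) and the values `deviceCode`, `ropc` and `Register device` are modelled on the Entra ID log schemas and should be checked against your tenant's export, and the events are constructed.

```python
"""Flag Entra ID sign-ins over the grants the brief says are being abused
(device code, ROPC) that Conditional Access did not block, and raise severity
when the same account registers a device shortly afterwards.

Added example, not the brief's or Microsoft's code. Assumptions: records are
simplified from the Entra sign-in and audit log schemas; the field names and
the values "deviceCode", "ropc" and "Register device" are modelled on those
logs and must be verified against a real export. All events are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

RISKY_GRANTS = {"deviceCode", "ropc"}                 # assumed log values
DEVICE_REG = {"Register device", "Add device"}        # assumed audit activities
WINDOW = timedelta(hours=24)                          # registration lookahead


def _ts(s: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps the logs use."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def unblocked_risky_signins(signins: List[Dict]) -> List[Dict]:
    """Sign-ins on a risky grant where CA did not fail the request.
    'notApplied' counts as unblocked: that is the <50% / 0.2% gap above."""
    return [s for s in signins
            if s.get("authenticationProtocol") in RISKY_GRANTS
            and s.get("conditionalAccessStatus") != "failure"]


def correlate_persistence(signins: List[Dict], audits: List[Dict],
                          window: timedelta = WINDOW) -> List[Dict]:
    """Pair each unblocked risky sign-in with device registrations by the
    same user inside `window`; a hit is the token-to-PRT persistence chain."""
    regs = [a for a in audits if a.get("activityDisplayName") in DEVICE_REG]
    findings = []
    for s in unblocked_risky_signins(signins):
        t0 = _ts(s["createdDateTime"])
        followups = [a for a in regs
                     if a["initiatedBy"] == s["userPrincipalName"]
                     and t0 <= _ts(a["activityDateTime"]) <= t0 + window]
        findings.append({
            "user": s["userPrincipalName"],
            "grant": s["authenticationProtocol"],
            "ca_status": s.get("conditionalAccessStatus"),
            "device_registrations": len(followups),
            "severity": "high" if followups else "medium",
        })
    return findings


# Constructed sample events.
SIGNINS = [
    {"createdDateTime": "2025-12-07T09:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2025-12-07T09:05:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "ropc", "conditionalAccessStatus": "failure"},   # CA blocked it
    {"createdDateTime": "2025-12-07T10:00:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "ropc", "conditionalAccessStatus": "success"},
    {"createdDateTime": "2025-12-07T11:00:00Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "authorizationCode", "conditionalAccessStatus": "success"},
]
AUDITS = [
    {"activityDateTime": "2025-12-07T09:40:00Z", "activityDisplayName": "Register device",
     "initiatedBy": "alice@example.com"},                 # 40 min after device code sign-in
    {"activityDateTime": "2025-12-09T12:00:00Z", "activityDisplayName": "Register device",
     "initiatedBy": "carol@example.com"},                 # outside the 24h window
]

if __name__ == "__main__":
    for f in correlate_persistence(SIGNINS, AUDITS):
        print(f"{f['severity'].upper():6} {f['user']} grant={f['grant']} "
              f"ca={f['ca_status']} device_regs={f['device_registrations']}")
```

The medium-severity findings are the policy gap to close (block device code and ROPC with Conditional Access unless a documented exception exists); the high-severity ones need token revocation and removal of the newly registered device, since resetting the password alone leaves the PRT valid.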

Albiriox RAT Targets Global Financial and Cryptocurrency Applications

  • Researchers discovered Albiriox, a new Android malware family sold as Malware-as-a-Service for $650 to $720 per month by Russian-speaking threat actors; it uses VNC-based remote access and overlay attacks to commit on-device fraud.

  • The malware targets over 400 financial applications, including banks and cryptocurrency wallets, through a two-stage deployment: dropper applications plus social engineering lures that evade static detection.

  • Albiriox achieves full device takeover by abusing accessibility services, which lets it circumvent Android's FLAG_SECURE protections; attackers then perform fraudulent transactions behind a black screen overlay that hides the activity from the victim.