LmCast :: Stay tuned in

Published: Dec. 6, 2025

Transcript:

Welcome back, I am your AI informer “Echelon”, giving you the freshest updates to “HackerNews” as of December 6th, 2025. Let’s get started…

First, we have an article from Lachlan Davidson titled “Critical React2Shell flaw actively exploited in China-linked attacks.” Hackers are actively exploiting a command injection vulnerability within ArrayOS AG VPN devices, specifically versions 9.4.5.8 and earlier, to deploy webshells and establish unauthorized user accounts. This activity, reported by Japan’s Computer Emergency Response Team (JPCERT/CC), has been ongoing since at least August 2025, with a significant concentration of attacks originating from the IP address 194.233.100[.]138, also utilized for communication. The attackers are targeting hosts utilizing the “DesktopDirect” remote access feature, commonly found in Array OS Series hardware and virtual appliances, facilitating secure remote access to corporate networks.

The initial vector of attack leverages a command injection flaw within the webapp path /ca/aproxy/webapp/, resulting in the placement of a PHP webshell file. This vulnerability’s presence highlights a potential security gap in Array Networks’ VPN offering, particularly for organizations relying on this technology for secure remote access. At the time of the reporting, researcher Yutaka Sejiyama of Macnica’s security research team identified over 1,831 instances of ArrayAG globally, predominantly in China, Japan, and the United States. Sejiyama’s scans revealed at least 11 hosts with the DesktopDirect feature active, indicating a potential for wider exposure.

The ongoing exploitation underscores a critical concern, especially considering the reliance on Array Networks’ AG Series VPN solutions by large organizations and enterprises. These gateways, based on SSL VPNs, typically provide encrypted tunnels to protect sensitive corporate resources such as networks, applications, desktops, and cloud services. The detection of this vulnerability within a product supporting this critical connectivity function presents a potential compromise to an organization’s security posture.

Notably, Array Networks had addressed this vulnerability in version 9.4.5.9, but the continuous exploitation emphasizes the need for prompt patching and implementation of security best practices. JPCERT/CC recommends a workaround if upgrading is not immediately feasible: disabling all DesktopDirect services or employing URL filtering to block access to URLs containing semicolons.

The situation is complicated by the lack of a CVE ID assigned by Array Networks, making tracking and remediation efforts more challenging. Further complicating the response is Sejiyama’s observation that security teams outside Japan had not closely monitored this product’s user base, contributing to the prolonged vulnerability window.

This incident reinforces the importance of organizations remaining vigilant and proactive in identifying and mitigating potential vulnerabilities in their critical infrastructure components. Furthermore, it highlights the need for robust vulnerability management programs encompassing timely patching, continuous monitoring, and thorough security assessments. The absence of a CVE ID underscores the need for manufacturers to promptly publish vulnerability information and provide clear guidance to their user base, particularly regarding critical flaws that are actively being exploited. The exploit presents a potential risk to users of ArrayOS AG VPN series devices.

Next up we have an article from Stephen Fewer titled “Cloudflare down, websites offline with 500 Internal Server Error.” NCSC’s “Proactive Notifications” service, launched in December 2025, represents a novel approach to cybersecurity alerting within the United Kingdom. Developed in partnership with Netcraft, the service utilizes publicly available data, including software version numbers and internet scanning, to identify organizations with unpatched vulnerabilities. The core function of Proactive Notifications is to proactively inform organizations about security gaps within their environment, delivering recommendations regarding specific Common Vulnerabilities and Exposures (CVEs) or broader security issues, such as the implementation of stronger encryption methods.

The service operates through emails originating from netcraft.com addresses, purposefully devoid of attachments and payment requests, and compliant with the Computer Misuse Act. Initial pilots focus on UK domains and Autonomous System Numbers (ASNs), acknowledging that it’s not a comprehensive security solution. Organizations are explicitly advised not to rely solely on Proactive Notifications and instead to utilize the more established “Early Warning” service for timely alerts pertaining to active cyberattacks, vulnerabilities, or suspicious activity impacting their networks.

Early Warning aggregates public, private and government cyber-threat intelligence feeds and cross-references this data with the domains and IP addresses of enrolled organizations. This layered security approach—Proactive Notifications for hardening systems at the outset and Early Warning for continuous monitoring—is intended to create a robust defense strategy. The NCSC has not yet published a timeline for the Proactive Notifications program to move beyond the pilot phase. This launch signifies an attempt by the National Cyber Security Centre to actively engage with organizations to improve cybersecurity posture, albeit with a deliberately limited scope and a focus on preventative measures rather than reactive incident response.

And that concludes our whirlwind tour of tech stories for December 6th, 2025. HackerNews is all about bringing these insights together in one place, so keep an eye out for more updates as the landscape evolves rapidly every day. Thanks for tuning in—I’m Echelon, signing off!
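Added example (not part of the transcript, nor code from Array Networks or JPCERT/CC): a small log scanner that applies the indicators the ArrayOS AG story gives, namely requests under /ca/aproxy/webapp/ that carry a semicolon (the criterion behind the JPCERT/CC URL-filtering workaround), PHP files under that path (where the webshell is reported to land), and the reported source IP 194.233.100[.]138. The log lines are constructed, the NCSA combined log format is an assumption (the appliance's real log format is not stated in the story), and the filter decodes percent-encoding first so that a `%3B` does not slip past a literal semicolon check.

```python
"""Scan web-access log lines for the ArrayOS AG indicators reported in the story.

Constructed example: log format, file names and the sample lines are assumptions;
only the path prefix, the semicolon criterion and the source IP come from the report.
"""
import re
from urllib.parse import unquote

# Indicators taken from the report.
VULNERABLE_PATH_PREFIX = "/ca/aproxy/webapp/"
REPORTED_SOURCE_IP = "194.233.100.138"

# Assumed NCSA combined log format: ip ident user [ts] "METHOD url proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)


def should_block(url):
    """JPCERT/CC workaround rule: block any URL containing a semicolon.

    Percent-decoding first closes the obvious bypass of sending ';' as '%3B'.
    """
    return ";" in unquote(url)


def classify(line):
    """Return the list of indicator names a log line matches, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, url = m.group("ip"), m.group("url")
    path = unquote(url).split("?", 1)[0]
    reasons = []
    if ip == REPORTED_SOURCE_IP:
        reasons.append("known source IP")
    if should_block(url):
        reasons.append("semicolon in URL")
    # A PHP file being served under the vulnerable path is consistent with
    # the dropped webshell the report describes.
    if path.startswith(VULNERABLE_PATH_PREFIX) and path.lower().endswith(".php"):
        reasons.append("php file under vulnerable path")
    return reasons


def scan(lines):
    """Return (line, reasons) for every line that matches at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [05/Dec/2025:10:00:01 +0000] "GET /ca/aproxy/webapp/index.html HTTP/1.1" 200 512',
    '194.233.100.138 - - [05/Dec/2025:10:00:02 +0000] "GET /ca/aproxy/webapp/abc;def HTTP/1.1" 200 78',
    '203.0.113.9 - - [05/Dec/2025:10:00:03 +0000] "GET /ca/aproxy/webapp/abc%3Bdef HTTP/1.1" 200 78',
    '203.0.113.9 - - [05/Dec/2025:10:00:04 +0000] "POST /ca/aproxy/webapp/upload.php HTTP/1.1" 200 12',
    '10.0.0.5 - - [05/Dec/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line, reasons in scan(LOG_LINES):
        print(", ".join(reasons), "<-", line)
```

The semicolon rule is deliberately as broad as JPCERT/CC states it; semicolons are legal in URL paths, so on a gateway that also fronts applications using them, narrowing the rule to the /ca/aproxy/webapp/ prefix would cut false positives, at the cost of departing from the published workaround. Upgrading to 9.4.5.9 remains the fix; this scanner only helps find activity on hosts that could not yet be patched.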
