React2Shell Is Harvesting Your Cloud Credentials Right Now
A threat actor tracked as UAT-10608 is exploiting CVE-2025-55182, a critical Next.js vulnerability the security community calls React2Shell, to breach servers and steal credentials at an industrial scale. Talos confirmed at least 766 hosts compromised in a single day, with automated scripts exfiltrating database credentials, AWS secrets, SSH keys, and API tokens. If you run Next.js in production, your cloud keys may already be in someone else's hands. Patch, rotate every secret that touched an exposed host, and check your CloudTrail logs for unauthorized API calls this week.
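For the CloudTrail check, a starting point for your team (an added example, not from Talos or the original brief): it filters exported CloudTrail records down to calls made with access keys that lived on an exposed host, then flags calls from outside your known egress ranges and calls that were denied. The key ID, IP addresses and sample records are constructed placeholders, and treating `*.amazonaws.com` sources as trusted is an assumption to adjust for your environment.

```python
import ipaddress
import json

# Constructed CloudTrail records for illustration; key IDs and IPs are placeholders.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2026-04-06T09:00:00Z","eventName":"GetObject",
  "sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"AKIAEXAMPLEEXPOSED01"}},
 {"eventTime":"2026-04-06T09:05:00Z","eventName":"GetCallerIdentity",
  "sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAEXAMPLEEXPOSED01"}},
 {"eventTime":"2026-04-06T09:06:00Z","eventName":"ListUsers","errorCode":"AccessDenied",
  "sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAEXAMPLEEXPOSED01"}},
 {"eventTime":"2026-04-06T09:07:00Z","eventName":"ListBuckets",
  "sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAEXAMPLEOTHER0001"}}
]""")

# Error codes CloudTrail records when a call is refused for lack of permission.
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}

def triage(events, exposed_key_ids, trusted_cidrs):
    """Return (time, event, source, reasons) for suspicious use of exposed keys."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        if key not in exposed_key_ids:
            continue  # only keys that touched an exposed host are in scope
        src = ev.get("sourceIPAddress", "")
        try:
            trusted = any(ipaddress.ip_address(src) in n for n in nets)
        except ValueError:
            # Calls made by AWS services carry a DNS name here, not an IP.
            # Assumption: those are treated as trusted.
            trusted = src.endswith(".amazonaws.com")
        reasons = []
        if not trusted:
            reasons.append("untrusted-source")
        if ev.get("errorCode") in DENIED:
            reasons.append("denied")
        if reasons:
            findings.append((ev["eventTime"], ev["eventName"], src, reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, {"AKIAEXAMPLEEXPOSED01"}, ["203.0.113.0/24"]):
        print(finding)
```

Denied calls from an unfamiliar address are worth reading first: they usually mean someone is probing what a key can do.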
Cisco IMC Flaw Hands Attackers Admin Access to Your Servers
Cisco patched CVE-2026-20093, a CVSS 9.8 authentication bypass in the Integrated Management Controller that lets an unauthenticated attacker reset any user password, including admin, via a single crafted HTTP request. The blast radius is wider than it looks: beyond UCS C-Series rack servers, the flaw hits APIC controllers, Cyber Vision appliances, Secure Firewall Management Centers, and Malware Analytics boxes. No active exploitation yet, but a 9.8 with low attack complexity and no required authentication is a race against reverse engineering. Get firmware updates applied before someone publishes a proof-of-concept.
CISA's Langflow Deadline Lands Wednesday
If your teams are experimenting with AI agents or RAG pipelines, this one is yours. CVE-2026-33017 is a CVSS 9.3 unauthenticated RCE in Langflow, the popular open-source framework for building AI workflows. Attackers built working exploits within 20 hours of disclosure and began scanning for exposed instances immediately. CISA added it to the KEV catalog with an April 8 remediation deadline. Find every Langflow instance in your environment before Wednesday, whether sanctioned or shadow IT.
Watch This
AI infrastructure is becoming a primary attack surface faster than most security teams are accounting for it. The Langflow exploitation speed (20 hours from advisory to weaponized exploit) indicates that threat actors are actively hunting for AI tooling to gain initial access. If your organization is deploying AI agents, LLM orchestration, or RAG pipelines, those systems need the same security scrutiny as your production web applications.
Across the DoGood network, we're tracking increased member interest in AI security posture assessments and credential rotation automation. More on that Wednesday.
The CXO Brief is powered by the DoGood network — 5,000+ IT leaders sharing what they're actually working on.
