Weekly Threat Landscape Digest – Week 49

1. Critical RCE Vulnerability in React Server Components – CVE-2025-55182

Severity: Critical (CVSS 10.0)
Category: Remote Code Execution
Affected Ecosystem:
React Server Components (RSC), Next.js, React Router (unstable RSC APIs), Waku, Vite RSC plugin, Parcel RSC, Turbopack RSC, Redwood SDK

Summary
A critical unauthenticated RCE vulnerability in React Server Components allows attackers to trigger arbitrary server-side code execution by sending malicious serialized HTTP payloads to React Server Function endpoints.
The issue stems from unsafe deserialization logic in how React decodes server function requests.

Affected Versions

• react-server-dom-webpack: 19.0, 19.1.0, 19.1.1, 19.2.0
• react-server-dom-parcel: 19.0, 19.1.0, 19.1.1, 19.2.0
• react-server-dom-turbopack: 19.0, 19.1.0, 19.1.1, 19.2.0

Fixed Versions

• 19.0.1, 19.1.2, 19.2.1 for all react-server-dom-* packages

Impact / Risk

• Complete server takeover via unauthenticated RCE
• Potential compromise of Next.js / RSC-based production apps
• Risk of supply-chain abuse in CI/CD components (Vite, Parcel, Turbopack)
• Cloud workload compromise with lateral movement possibilities

Technical Highlights

• Vulnerability rooted in payload decoding of React Server Functions
• Attackers can craft HTTP requests that bypass validation
• Leads to remote execution of server logic with full privilege

Recommended Actions

• Upgrade to patched versions immediately (19.0.1 / 19.1.2 / 19.2.1)
• Update Next.js, Waku, Redwood, Vite RSC, Parcel RSC, Turbopack
• Restrict public exposure of RSC endpoints where possible
• Enable WAF filtering for serialized/binary POST bodies
• Review logs for unusual RSC invocation patterns

Reference

• https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

2. Google Chrome – Security Updates Released

Google has released new security updates for the Chrome browser addressing multiple vulnerabilities across Windows, macOS, Linux, Android, and iOS. These flaws may allow attackers to execute arbitrary code, access sensitive data, bypass security features, or cause browser instability.

Key Vulnerabilities (Important CVEs)

High Severity (most impactful):

• CVE-2025-13630 – Type confusion in V8
• CVE-2025-13631 – Inappropriate implementation in Google Updater
• CVE-2025-13632 – Inappropriate implementation in DevTools
• CVE-2025-13633 – Use-after-free in Digital Credentials

Medium / Low Issues Noted:

• Inappropriate implementations across Downloads, Split View, WebRTC, and Passwords
• Use-after-free in Media Stream
• Bad cast and race condition issues in Chrome components

Impact

• Arbitrary code execution
• Exposure of sensitive information
• Security feature bypass
• Browser crashes or instability

Updated Versions

• Desktop Stable: Chrome 143.0.7499.40/41 (Windows/macOS), 143.0.7499.40 (Linux)
• Extended Stable: Chrome 142.0.7499.226 (Windows/macOS)
• Android: Chrome 143.0.7499.52
• iOS: Chrome 143.0.7499.92

Recommended Action

Update Chrome on all devices to the latest available version to ensure protection against these vulnerabilities.

References

• https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop.html
• https://chromereleases.googleblog.com/

3. Actively Exploited Zero-Days in Android Devices

Google has released the latest Android Security Bulletin, addressing 107 security vulnerabilities across the Android Framework, System, Kernel, and components from Arm, MediaTek, Qualcomm, Imagination Technologies, and Unison.

Two vulnerabilities (CVE-2025-48633 and CVE-2025-48572) have been confirmed as exploited in the wild, making them high-priority threats for Android users and enterprise mobile fleets.

Actively Exploited Zero-Day Vulnerabilities

• CVE-2025-48633 – Information disclosure in Framework
• CVE-2025-48572 – Elevation of privilege in Framework

Other Notable High-Impact Issues

• CVE-2025-48631 – Critical Remote DoS in Framework

Critical Kernel Elevation-of-Privilege Vulnerabilities

• CVE-2025-48623 – pKVM
• CVE-2025-48624 – IOMMU
• CVE-2025-48637 – pKVM
• CVE-2025-48638 – pKVM

Impact

• Zero-days may already be under limited, targeted exploitation
• Could result in privilege escalation or unauthorized data access
• Broader set of vulnerabilities exposes devices to DoS, EoP, and information disclosure

Recommended Actions

• Install the latest Android update with 2025-12-05 patch level
• Avoid sideloading applications; rely on trusted sources only
• Ensure Google Play Protect is enabled for continuous scanning

Reference

• https://source.android.com/docs/security/bulletin/2025-12-01

4. DoS Vulnerability in Apache Struts (CVE-2025-64775)

A newly disclosed vulnerability in Apache Struts 2 allows attackers to trigger a Denial-of-Service (DoS) condition by exploiting a file leak during multipart/form-data upload processing. The flaw affects both maintained and end-of-life versions of Struts.

The issue occurs when improperly handled multipart requests cause unbounded file accumulation on disk, leading to resource exhaustion and service disruption.

Crafted multipart HTTP requests are sufficient for exploitation, making this a significant risk for any public-facing Struts application handling file uploads or form submissions.

Key Details

• CVE-2025-64775 – DoS via file leak during multipart processing
• Affected versions:
  • Struts 2.0.0–2.3.37 (EOL)
  • Struts 2.5.0–2.5.33 (EOL)
  • Struts 6.0.0–6.7.0
  • Struts 7.0.0–7.0.3

Impact

• Disk exhaustion
• Service downtime
• High risk for upload-heavy or externally exposed applications

Recommended Action

• Upgrade immediately to Struts 6.8.0 or Struts 7.1.1 to mitigate the issue.
• Review public-facing upload endpoints for abnormal multipart request activity.

Reference

• https://cwiki.apache.org/confluence/display/WW/S2-068

5. Security Updates Released for ASUS Router Firmware

ASUS has released new firmware updates addressing multiple vulnerabilities across router firmware versions 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102. The issues range from Medium to Critical and may allow unauthorized access, remote exploitation, or service disruption, depending on the specific CVE.

ASUS urges all users to upgrade immediately.
Users of End-of-Life (EOL) router models must apply configuration-level mitigations, as these devices will not receive firmware patches.

Key Vulnerabilities (Important CVEs)

• CVE-2025-59365 – Medium
• CVE-2025-59366 – Critical
• CVE-2025-59368 – Medium
• CVE-2025-59369 – Medium
• CVE-2025-59370 – High
• CVE-2025-59371 – High
• CVE-2025-59372 – Medium
• CVE-2025-12003 – High

Affected Firmware Versions

• 3.0.0.4_386 series
• 3.0.0.4_388 series
• 3.0.0.6_102 series

Impact

• Unauthorized access
• High-impact availability compromise
• Potential remote exploitation of router services

Recommended Action

• Upgrade immediately to the latest October 2025 firmware release.
• For EOL devices, apply recommended configuration hardening steps from ASUS.

Reference

• https://www.asus.com/security-advisory/

6. Critical RCE Vulnerability in Sneeit Framework WordPress Plugin (CVE-2025-6389)

A critical unauthenticated Remote Code Execution (RCE) vulnerability has been discovered in the Sneeit Framework, a WordPress plugin used by multiple premium themes (e.g., FlatNews). The flaw is actively exploited in the wild, with attackers targeting vulnerable sites.

The vulnerability exists in the sneeit_articles_pagination_callback() function, where user input is passed directly into call_user_func(), allowing attackers to execute arbitrary PHP code without authentication.

Key Details

• CVE-2025-6389 – Critical RCE (CVSS 9.8)
• Affected versions: 8.3 and earlier
• Fixed in: 8.4 and later
• Exploitation confirmed in active automated attacks

Impact

Attackers can fully compromise vulnerable WordPress sites, including:

• Uploading webshells
• Creating rogue admin accounts
• Editing theme/plugin files
• Full site takeover
• Pivoting into the hosting environment

Recommended Actions

• Update to Sneeit Framework 8.4 or later immediately
• Review access logs and scan for signs of compromise
• Harden WordPress configurations and restrict file-editing capabilities
• Maintain regular backups and test restoration procedures
• Follow secure coding and plugin management best practices

Reference

• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sneeit-framework/sneeit-framework-83-unauthenticated-remote-code-execution-in-sneeit-articles-pagination-callback

7. Critical RCE Vulnerability in Advanced Custom Fields: Extended Plugin (CVE-2025-13486)

A critical unauthenticated Remote Code Execution (RCE) vulnerability has been discovered in the Advanced Custom Fields: Extended WordPress plugin. The flaw allows attackers to execute arbitrary code on affected websites, leading to complete site compromise.

The issue resides in the prepare_form() function, which processes user-supplied data and forwards it directly into call_user_func_array(), enabling arbitrary function execution without authentication.

Key Details

• CVE-2025-13486 – Critical RCE (CVSS 9.8)
• Vulnerable versions: 0.9.0.5 – 0.9.1.1
• Patched in: 0.9.2 and later
• Exploitation allows attackers to:
  • Execute malicious scripts
  • Deploy webshells
  • Create unauthorized admin accounts
  • Fully take over WordPress sites

Impact

• Full compromise of affected websites
• Potential for lateral movement inside hosting environments
• Ability to persist via rogue admin accounts or modified files

Recommended Actions

• Update to Advanced Custom Fields: Extended 0.9.2+ immediately
• Review site for unauthorized users, suspicious PHP files, or modified plugins/themes
• Maintain backups and enable continuous monitoring
• Deploy a Web Application Firewall (WAF) for additional protection

Reference

• https://nvd.nist.gov/vuln/detail/CVE-2025-13486

8. Zero-Day Stored XSS Vulnerabilities in IBM QRadar SIEM (CVE-2025-36170 & CVE-2025-36138)

IBM QRadar SIEM has been found vulnerable to stored cross-site scripting (XSS) flaws that allow authenticated users to inject malicious JavaScript into the QRadar Web UI. These vulnerabilities may lead to script execution, UI manipulation, or potential credential theft.

Both vulnerabilities are considered zero-day issues and require immediate attention, especially in environments where multiple analysts or administrators access the platform.

Key Details

• CVE-2025-36170 – Stored XSS
• CVE-2025-36138 – Stored XSS
• Affected versions: IBM QRadar SIEM 7.5 – 7.5.0 UP13 IF02
• Fixed in: QRadar 7.5.0 UP14 or later

Impact

Successful exploitation may allow authenticated users to:

• Execute unauthorized JavaScript within the QRadar UI
• Alter dashboards or application behavior
• Capture user sessions or credentials
• Manipulate workflows within the SIEM console

Recommended Actions

• Apply IBM’s update QRadar 7.5.0 UP14+ immediately
• Restrict access to QRadar to trusted administrators
• Monitor for abnormal dashboard behavior or script injection attempts
• Review audit logs for suspicious user activity

Reference

• https://www.ibm.com/support/pages/security-bulletin-ibm-qradar-siem-affected-crosssite-scripting-cve-2025-36170-cve-2025-36138

9. Critical Vulnerabilities in Zenitel TCIV-3+ Devices

Multiple severe vulnerabilities have been identified in Zenitel TCIV-3+ IP intercom devices, including OS command injection, out-of-bounds write, and cross-site scripting. These flaws are remotely exploitable with low attack complexity, potentially allowing attackers to run arbitrary code or disrupt device functionality.

Key Vulnerabilities

• CVE-2025-64126 – Command injection (CVSS 10.0)
• CVE-2025-64127 – Improper sanitization enabling command execution (CVSS 10.0)
• CVE-2025-64128 – Input validation flaw enabling crafted command injection (CVSS 10.0)
• CVE-2025-64130 – Reflected XSS in input processing (CVSS 9.3)
• CVE-2025-64129 – Out-of-bounds write causing crashes or unexpected behavior (CVSS 7.0)

Impact

• Remote command execution
• Unauthorized system actions
• Device instability or complete service disruption
• Potential compromise of broader intercom or security systems

Affected Versions

• TCIV-3+ devices running versions prior to 9.3.3.0

Fixed Version

• 9.3.3.0 and later

Recommended Actions

• Update all affected devices to version 9.3.3.0+
• Avoid exposing devices directly to the internet
• Apply network segmentation and firewall restrictions
• Use secure remote access controls
• Regularly review device settings and conduct security assessments

Reference

• https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

10. Critical Vulnerabilities in HPE Virtualized TeMIP Platform

Hewlett Packard Enterprise (HPE) has disclosed several vulnerabilities in the Virtualized Telecommunication Management Information Platform (vTeMIP), including two critical flaws within its embedded sqlite3 module. These issues could allow attackers to execute remote code, corrupt memory, cause denial-of-service conditions, or access sensitive data.

Key Vulnerabilities

• CVE-2025-3277 – Critical (CVSS 9.8)
• CVE-2025-6965 – Critical (CVSS 9.8)
• CVE-2022-21227 – High (CVSS 7.5)

Impact

Successful exploitation may lead to:

• Remote code execution
• Memory corruption
• Service disruption / Denial of Service
• Potential compromise of sensitive telecom management data

Affected Product

• HPE TeMIP 8.5.0

Patch / Resolution

Administrators must apply HPE’s updated software packages immediately:

• TEMIPTPP850-00003
• TEMIPSTM850-00004
• TEMIPTFR850-00014

Recommended Actions

• Apply all HPE-provided patches without delay
• Follow HPE’s update guidance for vTeMIP 8.5.0 and higher
• Review system logs for abnormal behavior post-patching
• Restrict access to management interfaces where possible

Reference

• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04976en_us&docLocale=en_US

11. Security Updates for NVIDIA TAO and Triton Inference Server

NVIDIA has released updates addressing multiple high-severity vulnerabilities impacting NVIDIA TAO and NVIDIA Triton Inference Server, which may allow attackers to escalate privileges, tamper with data, cause denial-of-service, or access sensitive information.

Key Vulnerabilities

1. CVE-2025-33208 – NVIDIA TAO
   • Uncontrolled search path vulnerability
   • May allow loading of malicious resources
   • Impact: Privilege escalation, information disclosure, data tampering, denial of service
2. CVE-2025-33211 – NVIDIA Triton Server for Linux
   • Improper validation of input quantities
   • Impact: Denial of service
3. CVE-2025-33201 – NVIDIA Triton Inference Server
   • Improper handling of exceptional conditions when processing large payloads
   • Impact: Denial of service

Affected & Fixed Versions

Impact

• Privilege escalation
• Sensitive data exposure
• Data manipulation
• Application or service disruption

Recommended Actions

• Update NVIDIA TAO to 6.25.9
• Update Triton Inference Server to r25.10
• Ensure systems consuming AI/ML inference workloads are patched promptly
• Monitor for abnormal GPU or inference pipeline activity

References

• https://nvidia.custhelp.com/app/answers/detail/a_id/5730
• https://nvidia.custhelp.com/app/answers/detail/a_id/5734

12. High-Severity XXE Vulnerability in GeoServer WMS (CVE-2025-58360)

A high-severity XML External Entity (XXE) vulnerability has been identified in GeoServer, affecting both Docker and Maven distributions. The flaw allows unauthenticated attackers to send crafted XML payloads to the WMS GetMap endpoint (/geoserver/wms), leading to sensitive file disclosure, SSRF, or Denial of Service.

Key Details

• CVE-2025-58360 – XXE vulnerability (CVSS 8.2 High)
• Affected versions:
  • 2.25.0–2.25.5, 2.26.0–2.26.1
  • Docker images and Maven packages (gs-web-app, gs-wms)
• Root cause: Insufficient sanitization of XML input in the GetMap operation, allowing external entity injection.

Impact

• Arbitrary file disclosure
• Server-Side Request Forgery (SSRF)
• Denial of Service (DoS)
• Potential compromise of geospatial servers handling sensitive datasets

Patched Versions

• 2.25.6
• 2.26.2 / 2.26.3
• 2.27.0

Recommended Actions

• Upgrade GeoServer to one of the patched versions immediately
• Restrict access to WMS endpoints where possible
• Implement strict XML parsing controls and input filtering
• Review logs for suspicious GetMap requests or external entity references

Reference

• https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525

13. High-Severity Buffer Overflow Vulnerability in Rockwell Arena Simulation (CVE-2025-11918)

Rockwell Automation has released updates addressing a stack-based buffer overflow vulnerability in Arena Simulation. The flaw can be exploited by opening a maliciously crafted DOE file, allowing a local attacker to execute arbitrary code on the affected system.

Key Details

• CVE-2025-11918 – Stack-Based Buffer Overflow (CWE-121)
• CVSS v4 Score: 7.1 (High)
• Vulnerability arises during parsing of DOE files
• Exploitation can result in arbitrary code execution and potential system compromise

Impact

• Local code execution
• Loss of system integrity
• Possible pivoting for further malicious activity

Affected Versions

• Arena Simulation 16.20.10 and earlier

Fixed Version

• 16.20.11 and later

Recommended Actions

• Update to Arena Simulation 16.20.11+ immediately
• Avoid opening untrusted DOE files
• Restrict access to systems running Arena Simulation
• Implement endpoint protection and network segmentation

Reference

• https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-02

14. Multiple Vulnerabilities in Synology BeeStation Leading to Full System Compromise

Multiple vulnerabilities in Synology BeeStation allow unauthenticated remote attackers to chain exploits and achieve full device takeover with root privileges. A public proof-of-concept (PoC) is available, significantly increasing exploitation risk.

The exploit chain uses CRLF injection → authentication bypass → SQL injection to escalate from information disclosure to remote code execution and persistent root access.

Key Vulnerabilities

1. CVE-2024-50629 – CRLF Injection (CVSS 5.3)

• Occurs in the redirect_url parameter.
• Enables injection of arbitrary HTTP headers.
• Used to leak sensitive internal files (e.g., usernames), forming the initial attack foothold.

2. CVE-2024-50630 – Improper Authentication (CVSS 7.5)

• Logic flaw in syncd daemon.
• Request without password is treated as a trusted local source.
• Grants a valid token using the leaked username — bypassing authentication.

3. CVE-2024-50631 – SQL Injection (CVSS 7.5)

• Vulnerability in update_settings allows SQLite manipulation.
• Attackers can write arbitrary files via ATTACH DATABASE.
• Malicious cron jobs can be created in /etc/cron.d/, enabling root-level remote code execution.

Impact

Successful exploitation enables:

• Full system compromise with root access
• Execution of arbitrary commands
• Persistent access via cron jobs
• Data exfiltration or modification
• Deployment of malicious payloads
• Complete control of BeeStation services

Affected Versions

• DSM: < 7.2.2-72806-1
• BSM: < 1.1-65374
• Synology Drive Server: < 3.5.1-26102

Fixed Versions

• DSM 7.2.2 → 7.2.2-72806-1 or above
• DSM 7.2.1 → 7.2.1-69057-6 or above
• DSM 7.2 → 7.2-64570-4 or above
• DSM 7.1 → 7.1.1-42962-7 or above
• DSM 6.2 → 6.2.4-25556-8 or above
• Synology Drive Server → update to fixed versions per DSM release

Recommended Actions

• Apply all Synology patches immediately
• Remove internet exposure for DSM/BeeStation where possible
• Review logs for suspicious cron entries or authentication anomalies
• Reset credentials and tokens if compromise is suspected
• Enable multi-layered access control and network segmentation

References

• https://www.synology.com/en-us/security/advisory/Synology_SA_24_20
• https://www.synology.com/en-us/security/advisory/Synology_SA_24_21
• https://kiddo-pwn.github.io/blog/2025-11-30/writing-sync-popping-cron

15. Steganography-Based ClickFix Campaign Delivering LummaC2 / Rhadamanthys Malware

Researchers uncovered a sophisticated malware campaign using ClickFix social-engineering prompts to trick victims into manually executing malicious commands through the Windows Run dialog. The campaign employs a multi-stage infection chain involving MSHTA, PowerShell loaders, reflective .NET execution, and a unique steganographic technique that hides shellcode inside PNG images. Final payloads include LummaC2 and Rhadamanthys information-stealing malware. A surge in activity was observed between October–November 2025.

Attack Workflow

1. Initial Access – ClickFix Lures
   Victims are redirected to fake:

• Human verification pages, or
• Full-screen fake Windows Update pages

Users are instructed to press Win+R → Ctrl+V → Enter, executing a malicious MSHTA command copied to clipboard.

2. MSHTA Loader
   The HTA file fetches obfuscated scripts that launch an in-memory PowerShell downloader.
3. PowerShell Stage

• Decrypts and reflectively loads a .NET assembly
• Executes next-stage loader entirely in memory

4. Steganographic .NET Loader
   A PNG image inside the assembly contains encrypted shellcode hidden via pixel-channel manipulation:

• Shellcode encoded in red channel
• Extracted using custom logic: (255 – redValue) ^ 0x72
• Strongly evades signature-based detection

5. Process Injection Stage
   The loader dynamically compiles C# injection code and injects shellcode into explorer.exe using:

• VirtualAllocEx
• WriteProcessMemory
• CreateRemoteThread

6. Final Payload – Donut-Packed Shellcode
   Delivers:

• LummaC2 (earlier lures)
• Rhadamanthys (recent campaigns)

Capabilities include credential theft, browser data exfiltration, system profiling, and C2 communications.

Infrastructure Notes

Active infrastructure observed:

• First-stage IP: 141.98.80[.]175
• Secondary domains:
  • securitysettings[.]live
  • xoiiasdpsdoasdpojas[.]com
• Lure pages include /r-pannel/stats.php logging mechanism
  Despite takedowns under Operation Endgame, active lure sites persist.

Recommended Actions

• Block or restrict mshta.exe and PowerShell usage
• Detect anomalous Win+R activity and clipboard-based execution patterns
• Monitor for reflective .NET loading and in-memory execution
• Train users to recognize fake Windows Update and verification pages
• Use EDR and network segmentation to detect process injection and lateral movement

Reference

https://www.huntress.com/blog/clickfix-malware-buried-in-images

16. Critical XXE Vulnerability in Apache Tika (CVE-2025-66516, CVSS 10.0)

A newly disclosed critical XXE vulnerability in Apache Tika allows attackers to execute XML External Entity (XXE) injection via crafted XFA content embedded inside PDF files. Tracked as CVE-2025-66516 (CVSS 10.0), this flaw enables attackers to read arbitrary server files, access internal resources, or potentially achieve remote code execution depending on the environment.

The issue impacts multiple Apache Tika components, expanding the scope beyond earlier CVE-2025-54988.

Affected Packages

• tika-core: 1.13 → 3.2.1
  ✔ Patched in 3.2.2
• tika-parser-pdf-module: 2.0.0 → 3.2.1
  ✔ Patched in 3.2.2
• tika-parsers: 1.13 → 1.28.5
  ✔ Patched in 2.0.0

Key Insights

• Although previously linked to the PDF parser module, the actual root cause resides in tika-core.
• Users who updated only the PDF parsing module remain vulnerable unless tika-core ≥ 3.2.2 is installed.
• Legacy 1.x releases were also impacted because PDF parsing was handled by tika-parsers in that branch.

Impact

Successful XXE exploitation may allow:

• Access to sensitive server files
• Internal network scanning / SSRF-like behavior
• Possible remote code execution in certain environments

Recommended Actions

• Upgrade immediately to patched versions (tika-core 3.2.2+, module updates as listed).
• Review applications parsing untrusted PDFs, as they pose the highest risk.
• Monitor for suspicious file-access patterns or XML parsing anomalies.

Reference

https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html

17. Solana Phishing Attacks Enabling Unauthorized Account Ownership Transfer

A new wave of high-impact Solana phishing attacks is allowing threat actors to silently reassign wallet ownership without stealing private keys. The attack has already resulted in losses exceeding USD 3 million, with an additional USD 2 million locked and inaccessible to victims.

Unlike traditional crypto theft, the stolen funds remain visible in the victim’s wallet but can no longer be moved, as the attacker becomes the new owner at the protocol level.

How the Attack Works

Solana’s unique account model permits ownership reassignment through a built-in instruction called “assign.” Attackers craft phishing transactions that appear harmless — showing no balance change — and trick users into signing them.

Key mechanisms:

• Wallet UI deception: Wallets show the current balance, so users feel safe approving the transaction.
• Harmless-looking transactions: Attackers insert ownership-changing instructions that don’t modify token balances.
• Owner field modification: Solana allows an account’s Owner field to be reassigned if the transaction includes the proper instruction.
• Once signed, the attacker becomes the new owner of the account.
• Victims cannot:
  • Transfer funds
  • Revoke approvals
  • Interact with DeFi platforms

SlowMist researchers confirmed that attackers used the assign instruction to take over accounts during phishing operations.

Why This Works on Solana

• Solana accounts rely on an Owner field, which dictates which program or signer is authorized.
• The assign instruction allows changing that owner — a feature intended for system-level operations.
• Attackers use them in transaction bundles, hidden behind legitimate-looking dApps or malicious websites.
• Program-derived addresses (PDAs) also complicate detection because some accounts legitimately change ownership.

Impact

• Complete and silent takeover of user wallets
• Funds remain “visible but frozen”
• DeFi positions become unmanageable
• Reassignment often irreversible
• Users unaware until they attempt a transaction

Recommended Actions

• Verify all transaction sources before approving—especially those from links, DMs, or pop-ups.
• Reject any signature request you do not fully understand.
• Use multiple wallets:
  • A low-value wallet for daily activity
  • A cold wallet for high-value assets
• Never approve transactions from unfamiliar websites claiming:
  • “Account verification required”
  • “Airdrop eligibility check”
  • “Security update needed”

Reference

https://cybersecuritynews.com/beware-of-solana-phishing-attacks/