Active Campaign & Recon for CVE-2025-55182 (React2Shell) Vuln
We are issuing this advisory to highlight a critical security incident involving the exploitation of a known vulnerability, CVE-2025-55182, which has been observed in our ecosystem. This vulnerability pertains to React, a widely used library for modern web application development.
Critical Severity
This vulnerability requires immediate attention. Affected systems should be patched or mitigated as soon as possible.
Vulnerability Details
• CVE Identifier: CVE-2025-55182
• Severity: Critical
• CVSS Score: 10.0 (Maximum Rating)
• Type: Unauthenticated Remote Code Execution (RCE)
Root Cause
The root cause of the incident is the exploitation of CVE-2025-55182, a critical unauthenticated remote code execution vulnerability. This flaw allows remote attackers to execute arbitrary code on affected servers through malicious HTTP requests. The high CVSS rating of 10.0 underscores the severe risk this vulnerability poses to the integrity and security of our systems.
Implications
Successful exploitation of this vulnerability can lead to:
• Unauthorized access to sensitive data.
• Compromise of server integrity.
• Potential for further attacks on internal systems.
Link to Recent Breach in Nigeria
The recent breach in Nigeria, where the threat actor claimed to have compromised 900,000 customer accounts and over 3,000 employee records, highlights the critical nature of addressing known vulnerabilities like CVE-2025-55182. Our investigation revealed that the threat actor's proof of concept focused on extracting sensitive financial records, including personally identifiable information (PII) such as BVN, passport IDs, home addresses, account numbers, and financial records of the organization's leadership.
Key Findings from the Breach
- Data Compromise: The breach involved the extraction of staff records, including email addresses, home addresses, titles, branches, staff IDs, and departments, totaling 3,010 records.
- Customer Data Claims: Although the threat actor claimed to have access to 900,000 customer account records, our review found no evidence supporting this claim in the samples provided.
- Technical Compromise Evidence: The threat actor showcased attempts at API endpoint enumeration and revealed technical details about the Kubernetes environment, indicating potential exploitation pathways.
- Access to Temeno Wrapper: The actor gained access to the Temeno Wrapper, allowing retrieval of sensitive endpoints, which facilitated the extraction of PII and financial records of the organization's leadership. This access could potentially extend to all customers.
Recommended Actions
- Immediate Patching: Ensure that all instances of React are updated to the latest version that addresses CVE-2025-55182.
- Security Audits: Conduct thorough security audits of all applications utilizing React to identify any additional vulnerabilities.
- Monitoring and Detection: Implement enhanced monitoring for unusual HTTP requests that may indicate exploitation attempts.
- Incident Response: Review and strengthen incident response protocols to address potential future exploitations of known vulnerabilities.
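To make the "Immediate Patching" and "Security Audits" items actionable, the following script inventories every React package pinned in a checkout's npm lockfiles and reports whether each instance sits below the first fixed release of its major line. This is an added example, not tooling from the advisory or from the React project. The lockfile layouts it reads (lockfileVersion 1 "dependencies" tree, lockfileVersion 2/3 "packages" map) are the real npm formats; the package names it tracks and the sample lockfile contents are constructed assumptions, and the fixed-version map must be filled in from the React team's advisory for CVE-2025-55182.

```python
"""Inventory React packages across npm lockfiles and flag the ones below the
fixed release for their major line.

Added example (not the advisory's own tooling). The tracked package names and
sample lockfiles are constructed; fixed versions come from the React advisory.
"""
import json
from pathlib import Path

# Assumption: these are the package names "all instances of React" refers to.
TRACKED = {"react", "react-dom"}


def parse_version(v):
    """'19.0.0' -> (19, 0, 0); any prerelease tag after '-' is ignored."""
    return tuple(int(x) for x in v.split("-")[0].split("."))


def status(version, fixed_by_major):
    """'update' if below the first fixed release of its major line, 'ok' if at
    or above it, 'unknown' if no fixed release is listed for that line."""
    parsed = parse_version(version)
    fixed = fixed_by_major.get(parsed[0])
    if fixed is None:
        return "unknown"
    return "update" if parsed < parse_version(fixed) else "ok"


def _walk_v1(deps, found, prefix="node_modules/"):
    """Recurse a lockfileVersion 1 'dependencies' tree, recording install paths."""
    for name, meta in (deps or {}).items():
        path = prefix + name
        if name in TRACKED:
            found.append((path, meta.get("version")))
        _walk_v1(meta.get("dependencies"), found, path + "/node_modules/")


def inventory_lockfile(data):
    """Return sorted [(install path, version)] for tracked packages."""
    found = []
    if "packages" in data:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in data["packages"].items():
            # "" is the root project entry; the package name is the last segment
            if path and path.rsplit("node_modules/", 1)[-1] in TRACKED:
                found.append((path, meta.get("version")))
    else:  # lockfileVersion 1: nested "dependencies" tree
        _walk_v1(data.get("dependencies"), found)
    return sorted(found)


def audit_tree(root, fixed_by_major):
    """Inventory every package-lock.json under root (skipping node_modules) and
    return {lockfile path: [(install path, version, status)]}."""
    report = {}
    for lock in Path(root).rglob("package-lock.json"):
        if "node_modules" in lock.parts:
            continue
        with lock.open() as fh:
            entries = inventory_lockfile(json.load(fh))
        report[str(lock)] = [(p, v, status(v, fixed_by_major)) for p, v in entries]
    return report


# Constructed sample lockfiles (not taken from any real project)
SAMPLE_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "portal", "version": "1.0.0"},
        "node_modules/react": {"version": "19.0.0"},
        "node_modules/react-dom": {"version": "19.0.0"},
        "node_modules/some-widget": {"version": "2.1.0"},
        "node_modules/some-widget/node_modules/react": {"version": "18.3.1"},
    },
}
SAMPLE_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "react": {"version": "18.2.0"},
        "legacy-ui": {"version": "0.9.0",
                      "dependencies": {"react-dom": {"version": "17.0.2"}}},
    },
}

if __name__ == "__main__":
    # Fill from the React advisory; left empty here so every entry reads "unknown".
    FIXED_BY_MAJOR = {}
    for sample in (SAMPLE_V3, SAMPLE_V1):
        for path, version in inventory_lockfile(sample):
            print(f"{path:50} {version:10} {status(version, FIXED_BY_MAJOR)}")
```

Nested copies (a widget that vendors its own older React under its node_modules) are the ones a top-level `npm ls react` is most likely to hide, which is why the inventory records the full install path rather than just the package name; the "unknown" status is deliberate so that a major line without a listed fix is surfaced for a human decision instead of silently passing.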
Conclusion
This incident serves as a critical reminder of the importance of promptly addressing known vulnerabilities like CVE-2025-55182. The recent breach underscores the potential consequences of inaction, including unauthorized access to sensitive customer data. We urge all teams to take immediate action to mitigate risks and ensure the security of all applications.
Indicators of Compromise
Attacker's public IP: 206.217.216.145
Attacker's private IP: 10.44.182.146
Tools: Metasploit, Sliver C2, Ligolo
Active C2: mtls://152.32.180.243:443
Attacker-hosted URL: http://206.217.216.145/
Sandbox analysis: https://app.any.run/tasks/9da78759-1fe6-43cd-876d-2e306b97c0da/
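The indicators above are only useful once they are swept against existing telemetry, which is also what the "Monitoring and Detection" action calls for. The script below is an added example (not part of the advisory) that matches the listed IPs and the C2 endpoint against web-server access logs and outbound connection records. The IoC values are the ones the advisory lists; the access-log parser targets the common combined log format, the egress record layout is an assumed firewall/proxy format, and every sample log line is constructed for illustration.

```python
"""Sweep access and egress logs for the advisory's indicators of compromise.

Added example (not the advisory's own tooling). IoC values are quoted from the
advisory; the log formats and sample lines are constructed for illustration.
"""
import re
from collections import Counter

# Indicators quoted from the advisory
IOC_IPS = {
    "206.217.216.145": "attacker public IP",
    "10.44.182.146": "attacker private IP",
    "152.32.180.243": "mTLS C2 host",
}
IOC_C2 = ("152.32.180.243", 443)  # mtls://152.32.180.243:443

# Apache/Nginx combined log format: src ident user [ts] "METHOD path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed egress/firewall record: "<ts> egress <src> -> <dst>:<port> proto=<p>"
EGRESS_RE = re.compile(
    r'^(?P<ts>\S+) egress (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)'
)


def scan_access_log(lines):
    """Return one finding per request whose source IP is a listed IoC."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as errors
        src = m.group("src")
        if src in IOC_IPS:
            findings.append({
                "ts": m.group("ts"), "source": src, "label": IOC_IPS[src],
                "method": m.group("method"), "path": m.group("path"),
                "status": int(m.group("status")),
            })
    return findings


def scan_egress_log(lines):
    """Return outbound connections to the C2 endpoint or from a listed IoC host."""
    hits = []
    for line in lines:
        m = EGRESS_RE.match(line)
        if not m:
            continue
        src, dst, port = m.group("src"), m.group("dst"), int(m.group("port"))
        reasons = []
        if (dst, port) == IOC_C2:
            reasons.append("destination matches active C2")
        if src in IOC_IPS:
            reasons.append("source is " + IOC_IPS[src])
        if reasons:
            hits.append({"ts": m.group("ts"), "src": src, "dst": dst,
                         "port": port, "reasons": reasons})
    return hits


def summarize(access_findings, egress_hits):
    """Per-host hit counts, a quick triage view before deeper investigation."""
    counts = Counter(f["source"] for f in access_findings)
    counts.update(h["src"] for h in egress_hits)
    return dict(counts)


# Constructed sample data (not real log content from the incident)
SAMPLE_ACCESS = [
    '203.0.113.7 - - [06/Dec/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '206.217.216.145 - - [06/Dec/2025:10:00:05 +0000] "POST /api/accounts HTTP/1.1" 200 812',
    '206.217.216.145 - - [06/Dec/2025:10:00:06 +0000] "GET /api/v1/staff HTTP/1.1" 403 121',
    '198.51.100.9 - - [06/Dec/2025:10:00:09 +0000] "GET /static/app.js HTTP/1.1" 200 90211',
    'garbage line that does not parse',
]
SAMPLE_EGRESS = [
    "2025-12-06T10:01:00Z egress 10.44.182.146 -> 152.32.180.243:443 proto=tcp",
    "2025-12-06T10:01:02Z egress 10.44.182.146 -> 151.101.1.69:443 proto=tcp",
    "2025-12-06T10:01:05Z egress 10.44.0.12 -> 152.32.180.243:8443 proto=tcp",
]

if __name__ == "__main__":
    access = scan_access_log(SAMPLE_ACCESS)
    egress = scan_egress_log(SAMPLE_EGRESS)
    for f in access:
        print(f"[access] {f['ts']} {f['source']} ({f['label']}) "
              f"{f['method']} {f['path']} -> {f['status']}")
    for h in egress:
        print(f"[egress] {h['ts']} {h['src']} -> {h['dst']}:{h['port']} "
              f"({'; '.join(h['reasons'])})")
    print("triage counts:", summarize(access, egress))
```

Matching the private IP as an egress source matters as much as matching the C2 destination: a pivot host that has already been handed out on the internal network will keep generating traffic after the C2 listener moves, and the advisory's mTLS C2 on port 443 is indistinguishable from ordinary HTTPS without the destination address.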