Chapter 12

The Mines

Prioritize CVE Patching


When a CVE is announced, it means that a security flaw has been identified in software or hardware. Attackers, like Jack the Miner in our story, get notified of these vulnerabilities as well, and they often exploit them quickly to infiltrate systems.

This was the case with the recent React2Shell vulnerability (CVE-2025-55182), which allows remote code execution on a server running a vulnerable version of React. Once the CVE was disclosed, attackers began deploying crypto miners on compromised servers within hours.

In a talk at Cloud Native Freiburg in December 2025, Docker Captain Jonas Scholz explained that, at one hosting provider, the companies that patched their software within 24 hours were all safe from exploitation, while those that delayed patching for 72 hours were all compromised.

To protect your systems from such attacks, react quickly when a CVE is disclosed: know which software and versions you actually run, check whether you are affected, and patch (or apply the vendor's mitigation to) the flaws that are critical and already being exploited first.

Exercise

  1. Research shows that a large percentage of Java applications still use vulnerable versions of Log4j, even though Log4Shell (CVE-2021-44228) was disclosed in December 2021. Check whether your applications use vulnerable versions of Log4j and update them immediately. What about React2Shell (CVE-2025-55182)? Run Docker Scout and check whether any of your container images carry critical vulnerabilities:

    $ docker scout cves <image>
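Docker Scout does this kind of check across an image's whole package inventory. To make the first half of the exercise concrete, here is an added example (not from this chapter, nor from Docker or the Log4j project) of the same version logic applied by hand: it walks a directory tree for `log4j-core-<version>.jar` files, works out which of the four Log4j 2 CVEs from December 2021 each version leaves unfixed, and checks whether the `JndiLookup` class, the Log4Shell entry point that Apache's emergency mitigation removed, is still inside the jar. The sample tree, its file names and the placeholder jar contents are all constructed for the demo; the fixed-version table follows the Apache advisories.

```python
"""Log4Shell exposure scan over a directory tree (added example, not from the chapter)."""
import re
import tempfile
import zipfile
from pathlib import Path

# For each CVE: lowest affected version, and the first fixed version on the main
# line and on the two back-ported branches (2.12.x for Java 7, 2.3.x for Java 6),
# as stated in the Apache Log4j security advisories.
CVE_FIXES = [
    ("CVE-2021-44228", "2.0-beta9",  {"main": "2.15.0", "2.12": "2.12.2", "2.3": "2.3.1"}),
    ("CVE-2021-45046", "2.0-beta9",  {"main": "2.16.0", "2.12": "2.12.2", "2.3": "2.3.1"}),
    ("CVE-2021-45105", "2.0-alpha1", {"main": "2.17.0", "2.12": "2.12.3", "2.3": "2.3.1"}),
    ("CVE-2021-44832", "2.0-beta7",  {"main": "2.17.1", "2.12": "2.12.4", "2.3": "2.3.2"}),
]
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core-(.+)\.jar$")
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # final releases get rank 3


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); a final release sorts after any pre-release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", text)
    if not m:
        raise ValueError(f"unrecognised log4j version: {text}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if m[4]:
        return (major, minor, patch, PRE_RANK[m[4]], int(m[5] or 0))
    return (major, minor, patch, 3, 0)


def unfixed_cves(version):
    """CVE ids from CVE_FIXES that this log4j-core version does not fix (in table order)."""
    v = parse_version(version)
    if v[0] != 2:
        return []   # Log4j 1.x is end-of-life but outside this CVE chain
    branch = {12: "2.12", 3: "2.3"}.get(v[1], "main")
    return [cve for cve, lowest, fixes in CVE_FIXES
            if parse_version(lowest) <= v < parse_version(fixes[branch])]


def jndi_lookup_present(jar_path):
    """True if JndiLookup.class is still in the jar, None if the file is not a readable zip."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return JNDI_CLASS in jar.namelist()
    except zipfile.BadZipFile:
        return None


def scan_tree(root):
    """Map each log4j-core jar under root (relative path) to (version, unfixed CVEs, status)."""
    root = Path(root)
    findings = {}
    for path in root.rglob("log4j-core-*.jar"):
        version = JAR_NAME.search(path.name).group(1)
        cves = unfixed_cves(version)
        if not cves:
            status = "patched"
        elif "CVE-2021-44228" in cves and jndi_lookup_present(path) is False:
            status = "mitigated (JndiLookup removed) but still unpatched"
        else:
            status = "vulnerable"
        findings[str(path.relative_to(root))] = (version, cves, status)
    return findings


def build_sample_tree(root):
    """Constructed sample tree: fake jars whose only relevant content is the JndiLookup entry."""
    root = Path(root)
    layout = {                                       # rel path -> keep JndiLookup.class?
        "app-a/lib/log4j-core-2.14.1.jar": True,     # untouched 2.14.1: vulnerable
        "app-b/lib/log4j-core-2.14.1.jar": False,    # class stripped: the emergency mitigation
        "app-c/lib/log4j-core-2.17.1.jar": True,     # patched; class present is fine here
        "app-d/lib/log4j-core-2.12.1.jar": True,     # Java 7 branch, still before 2.12.2
    }
    for rel, keep_jndi in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if keep_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes, not a real class
    return root


def demo():
    """Build the sample tree in a temporary directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, (ver, cves, status) in sorted(demo().items()):
        print(f"{rel}: log4j-core {ver} -> {status}; unfixed: {', '.join(cves) or 'none'}")
```

Two caveats a scan like this must carry: it finds Log4j only where it ships as a separately named jar, so shaded or fat jars and jars nested inside a WAR are missed, which is one reason to prefer an SBOM-based scanner such as Docker Scout; and "mitigated" is not "patched", since removing `JndiLookup` closes CVE-2021-44228 but leaves the later CVEs in the chain open until you upgrade.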