TLDR Security — Sunday, December 14, 2025
We're late this week! I had a work Christmas party Friday evening and then spent time with family for some early Christmas events which delayed getting this out... but better late than never!
React2Shell exploitation is accelerating with state-sponsored actors and commodity botnets both piling on, Google's eighth Chrome zero-day of the year got patched mid-week, and December Patch Tuesday brought a Windows privilege escalation flaw already under active attack. Meanwhile, WinRAR joined the CISA KEV catalog after multiple APT groups weaponized a path traversal bug for espionage campaigns. If you're not subscribed, you're missing the signal.
.\ React2Shell exploitation escalates — Cobalt Strike, cryptominers, and North Korean ties observed
The critical React Server Components vulnerability (CVE-2025-55182, CVSS 10.0) continues to see aggressive exploitation two weeks after disclosure. Palo Alto Unit 42 has observed post-exploitation activity including Cobalt Strike beacons, the Sliver framework, and connections to CL-STA-1015 — an initial access broker with suspected ties to China's Ministry of State Security. Trend Micro confirmed multiple campaigns deploying Mirai loaders, cryptominers, and SNOWLIGHT/VShell trojans. AWS updated its threat intel blog noting Earth Lamia and Jackpot Panda remain active. The CISA KEV deadline is December 26. Affected: React 19.0.0–19.2.0; Next.js 15.x/16.x using App Router.
.\ Source shelf: Unit 42 · Trend Micro · AWS Security
.\ Google patches eighth Chrome zero-day of 2025 — ANGLE memory corruption under active exploitation
Google released an emergency Chrome update on December 10 fixing an actively exploited vulnerability in ANGLE, Chrome's graphics abstraction layer. CVE-2025-14174 (CVSS 8.8) is an out-of-bounds memory access flaw that allows remote code execution via a crafted HTML page. Apple SEAR and Google TAG jointly reported the issue, suggesting targeted espionage use. CISA added it to the KEV catalog on December 12 with a remediation deadline of January 2, 2026. The bug also affects Safari/WebKit; Apple described attacks as "extremely sophisticated." Update Chrome to 143.0.7499.109/.110 immediately.
.\ Source shelf: Google Chrome Releases · CISA KEV · BleepingComputer
.\ WinRAR path traversal exploited by Russian and South Asian APTs — added to CISA KEV
CISA added CVE-2025-6218 (CVSS 7.8) to the KEV catalog on December 9 after confirming exploitation by at least three threat groups. The WinRAR path traversal flaw allows attackers to write files to arbitrary locations — including the Windows Startup folder — when victims open malicious archives. The Hacker News reports Gamaredon is using it alongside CVE-2025-8088 to deploy Pteranodon malware and a new wiper called GamaWiper against Ukrainian targets. Bitter APT (South Asia) and GOFFEE (Russia) have also weaponized the flaw. RARLAB patched it in WinRAR 7.12 back in June, but the lack of auto-update means many installations remain vulnerable. Deadline: December 30.
.\ Source shelf: CISA Alert · The Hacker News · RARLAB Advisory
.\ Patch Tuesday roundup
Microsoft's December update addresses 57 vulnerabilities including one actively exploited zero-day and two publicly disclosed flaws. CVE-2025-62221 (CVSS 7.8), a use-after-free in the Windows Cloud Files Mini Filter Driver, was exploited in the wild to gain SYSTEM privileges. CISA added it to the KEV catalog with a December 30 deadline. Two critical Office RCE bugs (CVE-2025-62554 and CVE-2025-62557) can be triggered via Preview Pane. Publicly disclosed: CVE-2025-54100 (PowerShell RCE) and CVE-2025-64671 (GitHub Copilot for JetBrains command injection). Adobe dropped 139 CVEs across Reader, ColdFusion, Experience Manager, Creative Cloud Desktop, and the DNG SDK — most are XSS in Experience Manager, but ColdFusion patches carry priority-1 deployment urgency.
.\ Source shelf: Microsoft MSRC · Krebs on Security · Zero Day Initiative
.\ Ivanti EPM critical XSS allows unauthenticated admin session hijack
Ivanti patched CVE-2025-10573 (CVSS 9.6), a stored cross-site scripting vulnerability that lets unauthenticated attackers inject malicious JavaScript into the Endpoint Manager admin dashboard. Rapid7, who discovered the flaw, explains that attackers submit poisoned device scan data via an unauthenticated API; when admins view the dashboard, the JavaScript executes and grants session control. Given EPM's role managing Windows, macOS, Linux, and IoT endpoints, compromise here means lateral movement across the enterprise. Censys reports hundreds of EPM instances exposed online. No exploitation reported yet, but Ivanti EPM has been repeatedly targeted this year. Upgrade to EPM 2024 SU4 SR1.
.\ Source shelf: Ivanti Advisory · Rapid7 · CSO Online
.\ Fortinet patches critical FortiCloud SSO authentication bypass flaws
Fortinet released fixes for CVE-2025-59718 and CVE-2025-59719 (CVSS 9.1/9.8), two authentication bypass vulnerabilities affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Attackers can craft malicious SAML messages to bypass FortiCloud SSO authentication — no credentials required. The catch: FortiCloud SSO is disabled by default but automatically enabled when administrators register devices to FortiCare via the GUI unless they explicitly toggle it off. This follows November's two FortiWeb zero-days (CVE-2025-64446 and CVE-2025-58034) which were added to CISA KEV after active exploitation. Disable FortiCloud SSO login until patched.
.\ Source shelf: Fortinet PSIRT · Arctic Wolf · BleepingComputer
.\ Also Notable
- Notepad++ v8.8.9 fixes actively exploited updater flaw — Attackers in China were hijacking WinGUp traffic to deliver malware; update immediately.
- Marquis Software breach exposes 788,000 across 74 banks — Akira ransomware gang likely responsible after exploiting a SonicWall firewall vulnerability.
- Adobe patches 139 CVEs including critical ColdFusion flaws — ColdFusion patches carry deployment priority 1; most Experience Manager bugs are XSS.
.\ Ops Bench
Review React/Next.js deployments across client environments. React2Shell exploitation is now widespread, with botnets and APTs both active. The CISA deadline (December 26) is approaching. Scan for React 19.0.0–19.2.0 and Next.js 15.x/16.x with App Router enabled. Wiz reports 39% of cloud environments contain vulnerable instances.
.\ Source shelf: Wiz Research · CISA KEV
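To make the React2Shell version check above concrete, here is an added example (written for this issue, not a tool from Wiz, CISA, or the React/Next.js projects) that walks a project's package-lock.json and flags the ranges listed above: React 19.0.0 through 19.2.0, and Next.js 15.x/16.x only when an App Router directory is present. It assumes the lockfile v2/v3 layout (a "packages" map keyed by node_modules path) and treats an `app/` or `src/app/` directory as the App Router signal; the sample lockfile is constructed.

```python
"""Flag React / Next.js installs in the CVE-2025-55182 ranges given in this
issue (React 19.0.0-19.2.0; Next.js 15.x/16.x using App Router).
Added example for this newsletter, not vendor tooling.
Assumptions: package-lock.json v2/v3 ("packages" map keyed by node_modules
path); an app/ or src/app/ directory means the App Router is in use."""
import json
import os
import re
import tempfile

# Constructed sample lockfile: a direct React 19.1.0 + Next 15.1.0, plus a
# nested legacy React 18.3.1 copy that must NOT be flagged.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"next": "15.1.0", "react": "19.1.0"}},
        "node_modules/next": {"version": "15.1.0"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.0"},
        "node_modules/legacy-widget/node_modules/react": {"version": "18.3.1"},
    },
}


def parse_version(v):
    """'19.1.0' -> (19, 1, 0). Pre-release/build suffixes are dropped, so
    '19.2.0-canary-x' compares as 19.2.0 (deliberately conservative)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(x) for x in m.groups()) if m else None


def react_affected(v):
    t = parse_version(v)
    return t is not None and (19, 0, 0) <= t <= (19, 2, 0)


def next_affected(v):
    t = parse_version(v)
    return t is not None and t[0] in (15, 16)


def installed_versions(lock):
    """Every installed version of react and next in the 'packages' map,
    including nested copies such as node_modules/x/node_modules/react."""
    found = {"react": set(), "next": set()}
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in found and "version" in meta:
            found[name].add(meta["version"])
    return found


def assess_project(project_dir):
    """Findings for one project directory containing package-lock.json."""
    with open(os.path.join(project_dir, "package-lock.json")) as fh:
        lock = json.load(fh)
    versions = installed_versions(lock)
    app_router = any(os.path.isdir(os.path.join(project_dir, *p))
                     for p in (("app",), ("src", "app")))
    react_hits = sorted(v for v in versions["react"] if react_affected(v))
    next_hits = sorted(v for v in versions["next"] if next_affected(v))
    return {
        "react_vulnerable": react_hits,
        "next_vulnerable": next_hits,
        "app_router": app_router,
        # Next.js only counts when the App Router is actually in use.
        "action_required": bool(react_hits) or (bool(next_hits) and app_router),
    }


def demo():
    """Write the constructed sample to a temp project and assess it."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "app"))
    with open(os.path.join(d, "package-lock.json"), "w") as fh:
        json.dump(SAMPLE_LOCK, fh)
    return assess_project(d)


if __name__ == "__main__":
    print(demo())
```

Point it at each checkout (or each unpacked build artifact) rather than relying on package.json alone, since the lockfile is what records nested copies of React that a framework pulls in. Pre-release strings are treated as their base version on purpose, so a canary build inside the range is reported rather than silently skipped.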
Push December Patch Tuesday updates before holiday downtime. The Windows Cloud Files Mini Filter Driver zero-day (CVE-2025-62221) is under active exploitation. Critical Office flaws are Preview Pane-exploitable. With reduced staffing over the holidays, unpatched systems become easy targets.
.\ Source shelf: Microsoft MSRC · CrowdStrike Analysis
Audit WinRAR versions across endpoints. CVE-2025-6218 is being weaponized by multiple APT groups and WinRAR lacks auto-update. Many installations remain on vulnerable versions despite the June patch. CISA deadline is December 30.
.\ Source shelf: CISA Alert · The Hacker News
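For the WinRAR audit above (and the CVE-2025-6218 item earlier in this issue), here is an added example, written for this newsletter and not a CISA or RARLAB tool, that reads a software-inventory export and reports hosts still below WinRAR 7.12, the version this issue says RARLAB shipped the fix in. It assumes a CSV with hostname, display_name and version columns, the shape most asset-inventory tools export; the inventory rows are constructed, and hosts whose WinRAR entry carries no parseable version are listed separately for manual follow-up rather than dropped.

```python
"""Audit an inventory export for WinRAR builds older than 7.12 (the release
this issue gives as carrying the CVE-2025-6218 fix).
Added example for this newsletter; not CISA/RARLAB tooling.
Assumes a CSV with hostname,display_name,version columns."""
import csv
import io
import re

PATCHED = (7, 12)

# Constructed sample export: two vulnerable hosts, one patched, one with a
# different archiver, one WinRAR entry whose version field is empty.
SAMPLE_INVENTORY = """hostname,display_name,version
WS-0412,WinRAR 7.01 (64-bit),7.01
WS-0418,WinRAR 7.12 (64-bit),7.12
WS-0533,WinRAR archiver,6.24
WS-0601,7-Zip 24.08,24.08
WS-0777,WinRAR,
"""


def parse_winrar_version(text):
    """'7.01 (64-bit)' -> (7, 1); 'WinRAR 6.24' -> (6, 24); None if absent.
    WinRAR uses a two-digit minor, so 7.01 < 7.11 < 7.12 compares correctly."""
    m = re.search(r"(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(csv_text):
    """Return (vulnerable, unparsed): vulnerable is a list of (hostname,
    version tuple) below PATCHED; unparsed lists WinRAR hosts with no
    recoverable version. Non-WinRAR rows are skipped."""
    vulnerable, unparsed = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "winrar" not in row["display_name"].lower():
            continue
        # Fall back to the display name when the version column is blank.
        ver = (parse_winrar_version(row["version"])
               or parse_winrar_version(row["display_name"]))
        if ver is None:
            unparsed.append(row["hostname"])
        elif ver < PATCHED:
            vulnerable.append((row["hostname"], ver))
    return vulnerable, unparsed


if __name__ == "__main__":
    vuln, unknown = audit(SAMPLE_INVENTORY)
    for host, ver in vuln:
        print(f"{host}: WinRAR {ver[0]}.{ver[1]:02d} < 7.12, needs manual update")
    for host in unknown:
        print(f"{host}: WinRAR present, version unknown, verify by hand")
```

Because WinRAR has no auto-update, the vulnerable list is effectively a push list for whatever software-deployment tool the environment uses; the unparsed list is the part that is easy to forget, and it is where stale or portable installs tend to hide.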
Until next week, folks!