December 2025 notable vulnerabilities and related headlines summary
A summary of what the media has been reporting over the past month.
1. React2Shell Exploitation Hits Web & Frontend Services
The critical React2Shell vulnerability in React and Next.js is being actively exploited worldwide to deploy malware, backdoors (including EtherRAT), and ransomware campaigns. Exploitation has affected thousands of organizations, exposing source code and enabling remote code execution.
Affected Vendors/Products:
a) Meta – React Server Components (RSC) remote code execution (React2Shell, CVE-2025-55182).
b) Node.js / Next.js – RCE and source code exposure.
c) AWS / Cloudflare – Hosting services targeted for React2Shell exploitation.
2. MongoDB Servers Under Active Memory Leak Exploits (“MongoBleed”)
Attackers are exploiting CVE-2025-14847, known as MongoBleed, to leak sensitive data, including credentials, from exposed MongoDB instances. The vulnerability has been actively used against targets across the U.S., China, and the EU, and against organizations such as Ubisoft.
Affected Vendors/Products:
a) MongoDB Server – memory leak allows sensitive data exfiltration.
b) Adobe ColdFusion – connected exploitation reported in attack campaigns.
c) Ubisoft Rainbow Six Siege Servers – indirectly affected by MongoDB exploitation.
3. Fortinet Infrastructure Under Persistent Attack
Multiple Fortinet vulnerabilities have been actively exploited to bypass authentication, escalate privileges, and compromise VPN/SSO infrastructure. Threat actors are targeting both FortiGate firewalls and FortiWeb web application firewalls.
Affected Vendors/Products:
a) Fortinet FortiGate – authentication bypass, 2FA bypass, SSO vulnerabilities (CVE-2025-59718).
b) Fortinet FortiWeb – admin takeover (CVE-2025-64446).
c) Fortinet FortiOS SSL VPN – old vulnerabilities still actively exploited.
4. WatchGuard Firewalls Targeted by Zero-Day Exploits
A critical RCE flaw (CVE-2025-14733) in WatchGuard Firebox and Fireware OS has been widely exploited to gain administrative access and hijack VPN services, affecting over 125,000 exposed devices.
Affected Vendors/Products:
a) WatchGuard Firebox / Fireware OS – remote code execution and VPN compromise.
5. SonicWall SMA1000 Zero-Day Exploitation
Threat actors are actively exploiting CVE-2025-40602 in SonicWall SMA1000 appliances, enabling privilege escalation and remote control of exposed systems.
Affected Vendors/Products:
a) SonicWall SMA1000 – zero-day RCE actively exploited.
6. Microsoft & Windows Zero-Day Exploits in Enterprise & Desktop Systems
Microsoft’s 2025 Patch Tuesday updates revealed multiple actively exploited zero-days across Windows desktop and server environments. The exploits cover privilege escalation, remote code execution, LNK handling, and out-of-bounds memory vulnerabilities.
Affected Vendors/Products:
a) Microsoft Windows Desktop & Server – Desktop Window Manager out-of-bounds, Cloud Files Mini Filter, and LNK vulnerabilities.
b) Microsoft Outlook – zero-click RCE exploitation.
c) Microsoft Patch Tuesday Updates – multiple zero-days patched mid-December 2025.
7. Google & Chromium Vulnerabilities Actively Exploited
Multiple Google Chrome/Chromium and Android vulnerabilities have been weaponized, including out-of-bounds memory access and Android framework zero-days. The exploits allow remote code execution, privilege escalation, and mobile device compromise.
Affected Vendors/Products:
a) Google Chrome / Chromium – CVE-2025-14174 exploits through ANGLE graphics.
b) Google Android – framework zero-click exploits (CVE-2025-48633, CVE-2025-48572).
8. Apple WebKit & iOS Zero-Day Exploitation
Apple devices, including iPhones and macOS endpoints, are being targeted by sophisticated zero-day attacks that exploit WebKit flaws to deploy spyware and escalate privileges.
Affected Vendors/Products:
a) Apple WebKit – actively exploited in iOS and macOS.
b) Apple iOS Devices – zero-click attacks, spyware deployment.
9. OpenPLC & Industrial Control Systems (ICS) Targeted
Industrial automation and ICS platforms continue to be exploited, with file upload and authentication bypass vulnerabilities affecting SCADA, workflow automation, and PLC systems.
Affected Vendors/Products:
a) OpenPLC / ScadaBR – file upload and control bypass vulnerabilities.
b) n8n Workflow Automation – critical RCE (CVE-2025-68613) across 103,000+ instances.
c) OSGeo GeoServer – XXE and RCE attacks.
d) FreePBX / ScreenConnect – configuration and RCE vulnerabilities impacting industrial automation setups.
10. Consumer Software & CMS Platforms Exploited
Attackers continue to target widely used consumer and CMS software, including WordPress plugins, WinRAR, Zoom, and other endpoints, to gain admin access, execute code, and deploy ransomware.
Affected Vendors/Products:
a) WordPress Plugins (Elementor, King Addons, Sneeit) – RCE and admin takeover.
b) WinRAR – CVE-2025-6218 remote code execution.
c) Zoom Rooms (Windows & macOS) – privilege escalation and data leakage.
d) 7-Zip, K7 Antivirus, Emby Server – privilege escalation and RCE attacks.
11. Network Edge Devices Under APT & Botnet Pressure
Russia- and China-linked APT groups, as well as emerging botnets, are exploiting misconfigurations, firmware flaws, and authentication bypass vulnerabilities to target network edge devices and routers.
Affected Vendors/Products:
a) Cisco Secure Email / Contact Center / AsyncOS – zero-day RCE and backdoors.
b) Array Networks AG Gateway – actively exploited in attacks.
c) Sierra Wireless / Palo Alto / Fortinet / WatchGuard – misconfiguration and SSO attacks.
d) TBK DVRs & IoT Devices – exploited by Mirai “Broadside” botnet.
CVEs identified by CISA as actively exploited by threat actors during November. These include:
1. Microsoft: Microsoft Windows Use-After-Free Vulnerability (CVE-2025-62221)
2. Google: Google Chromium Out-of-Bounds Memory Access Vulnerability (CVE-2025-14174)
3. Apple: Apple Multiple Products Use-After-Free WebKit Vulnerability (CVE-2025-43529)
4. Meta: Meta React Server Components Remote Code Execution Vulnerability (CVE-2025-55182)
5. MongoDB: MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability (CVE-2025-14847)
6. Cisco: Cisco Multiple Products Improper Input Validation Vulnerability (CVE-2025-20393)
7. Fortinet: Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability (CVE-2025-59718)
8. WatchGuard: WatchGuard Firebox Out-of-Bounds Write Vulnerability (CVE-2025-14733)
9. ASUS: ASUS Live Update Embedded Malicious Code Vulnerability (CVE-2025-59374)
10. SonicWall: SonicWall SMA1000 Missing Authorization Vulnerability (CVE-2025-40602)
11. Gladinet: Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Vulnerability (CVE-2025-14611)
12. RARLAB: RARLAB WinRAR Path Traversal Vulnerability (CVE-2025-6218)
13. D-Link: D-Link Routers Buffer Overflow Vulnerability (CVE-2022-37055)
14. Array Networks: Array Networks ArrayOS AG OS Command Injection Vulnerability (CVE-2025-66644)
15. OpenPLC: OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2021-26828)
16. Android: Android Framework Information Disclosure Vulnerability (CVE-2025-48633); Android Framework Privilege Escalation Vulnerability (CVE-2025-48572)
17. Sierra Wireless: Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2018-4063)
18. Digiever: Digiever DS-2105 Pro Missing Authorization Vulnerability (CVE-2023-52163)
The following CVE(s) are marked as *known* to be associated with ransomware campaigns:
1. Meta: Meta React Server Components Remote Code Execution Vulnerability (CVE-2025-55182)
Author: Hackerstorm.com