Positive trends related to public IP range from the year 2025
Fewer ICS systems, as well as fewer systems with outdated SSL versions, are exposed to the internet than before. The trend isn t quite clean for ISC, but SSL2 and SSL3 systems have been cut down by about half.
https://isc.sans.edu/diary/Positive%20trends%20related%20to%20public%20IP%20ranges%20from%20the%20year%202025/32584
Hewlett-Packard Enterprise OneView Software, Remote Code Execution
HPs OneView Software allows for unauthenticated code execution
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
Trufflehog Detecting JWTs with Public Keys
Trufflehog added the ability to detect JWT tokens and validate them using public keys.
https://trufflesecurity.com/blog/trufflehog-now-detects-jwts-with-public-key-signatures-and-verifies-them-for-liveness

Maybe a Little Bit More Interesting React2Shell Exploit
Attackers are branching out to attack applications that initial exploits may have missed. The latest wave of attacks is going after less common endpoints and attempting to exploit applications that do not have Next.js exposed.
https://isc.sans.edu/diary/Maybe%20a%20Little%20Bit%20More%20Interesting%20React2Shell%20Exploit/32578
UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
Cisco s Security Email Gateway and Secure Email and Web Manager patch an already-exploited vulnerability.
https://blog.talosintelligence.com/uat-9686/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
SONICWALL SMA1000 APPLIANCE LOCAL PRIVILEGE ESCALATION VULNERABILITY
A local privilege escalation vulnerability, which SonicWall patched today, is already being exploited.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
Google releases vulnerability details
Google updated last week s advisory by adding a CVE to the mystery vulnerability and adding a statement that it affects WebGPU. No new patch was released.
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html

Beyond RC4 for Windows authentication
Microsoft outlined its transition plan to move away from RC4 for authentication and published guidance and tools to facilitate this change.
https://www.microsoft.com/en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication
FortiCloud SSO Login Vuln Exploited
Arctic Wolf observed exploit attempts against vulnerable FortiGate appliances.
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
FrePBX Vulnerability
Horizon3.ai identified three distinct vulnerabilities in FreePBX. In particular, the authentication by-pass issue should be of concern, but default FreePBX installs do not use the vulnerable web authentication feature.
https://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/

More React2Shell Exploits CVE-2025-55182
Our honeypots continue to detect numerous React2Shell variants. Some using slightly modified exploits
https://isc.sans.edu/diary/More%20React2Shell%20Exploits%20CVE-2025-55182/32572
The Fragile Lock: Novel Bypasses For SAML Authentication
SAML is a tricky protocol to implement correctly, in particular if different XML parsers are used that may not always agree on how to parse a specific message
https://portswigger.net/research/the-fragile-lock
December Updates Causes issues with Microsoft Message Queuing
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22h2#message-queuing--msmq--might-fail-with-the-december-2025-windows-security-update

Abusing DLLs EntryPoint for the Fun
DLLs will not just execute code when some of their functions are called, but also as they are loaded.
https://isc.sans.edu/diary/Abusing%20DLLs%20EntryPoint%20for%20the%20Fun/32562
Apple Patches Everything: December 2025 Edition
Apple released patches for all of its operating systems, fixing two already exploited vulnerabilities.
ClickFix Attacks Still Using the Finger
ClickFix Attacks Still Using the Finger
Two examples of ClickFix attacks abusing the finger protocol to load additional malware
Denial of Service and Source Code Exposure in React Server Components
Denial of Service and Source Code Exposure in React Server Components
After last week's critical patch, three more, but less critical, vulnerabilities were identified in React Server Components.
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

Using AI Gemma 3 Locally with a Single CPU
Installing AI models on modes hardware is possible and can be useful to experiment with these models on premise
https://isc.sans.edu/diary/Using%20AI%20Gemma%203%20Locally%20with%20a%20Single%20CPU%20/32556
Mystery Google Chrome 0-Day Vulnerability
Google released an update for Google Chrome fixing a vulnerability that is already being exploited, but has not CVE number assigned to it yet
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
SOAPwn: Pwning NET Framework Applications Through HTTP Client Proxies And WSDL
Watchtwr identified a common vulnerability in SOAP implementations using .Net
https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/

Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection)
We observed HTTP requests with our honeypot that may be indicative of a new version of an exploit against an older vulnerability. Help us figure out what is going on.
https://isc.sans.edu/diary/Possible%20exploit%20variant%20for%20CVE-2024-9042%20%28Kubernetes%20OS%20Command%20Injection%29/32554
React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182
Wiz has a writeup with more background on the React2Shell vulnerability and current attacks
https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
Notepad++ Update Hijacking
Notepad++ s vulnerable update process was exploited
https://notepad-plus-plus.org/news/v889-released/
New macOS PackageKit Privilege Escalation
A PoC was released for a new privilege escalation vulnerability in macOS. Currently, there is no patch.
https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html

Microsoft Patch Tuesday
Microsoft released its regular monthly patch on Tuesday, addressing 57 flaws.
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202025/32550
Adobe Patches
Adobe patched five products. The remote code execution in ColdFusion, as well as the code execution issue in Acrobat, will very likely see exploits soon.
https://helpx.adobe.com/security.html
Ivanti Endpoint Manager Patches
Ivanti patched four vulnerabilities in End Point Manager.
https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US
Fortinet FortiCloud SSO Vulnerability
Due to a cryptographic vulnerability, Forinet s FortiCloud SSO authentication is bypassable.
https://fortiguard.fortinet.com/psirt/FG-IR-25-647
ruby-saml vulnerability
Ruby fixed a vulnerability in ruby-saml. The issue is due to an incomplete patch for another vulnerability a few months ago.
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3

nanoKVM Vulnerabilities
The nanoKVM device updates firmware insecurely; however, the microphone that the authors of the advisory referred to as undocumented may actually be documented in the underlying hardware description.
https://www.tomshardware.com/tech-industry/cyber-security/researcher-finds-undocumented-microphone-and-major-security-flaws-in-sipeed-nanokvm
Ghostframe Phishing Kit
The Ghostframe phishing kit uses iFrames and random subdomains to evade detection
https://blog.barracuda.com/2025/12/04/threat-spotlight-ghostframe-phishing-kit
WatchGuard Advisory
WatchGuard released an update for its Firebox appliance, fixing ten vulnerabilities. Five of these are rated as High.
https://www.watchguard.com/wgrd-psirt/advisories

AutoIT3 Compiled Scripts Dropping Shellcodes
Malicious AutoIT3 scripts are usign the FileInstall function to include additional scripts at compile time that are dropped as temporary files during execution.
https://isc.sans.edu/diary/AutoIT3%20Compiled%20Scripts%20Dropping%20Shellcodes/32542
React2Shell Update
The race is on to patch vulnerable systems. Various groups are aggressively scanning the internet with different exploit variants. Some attempt to bypass WAFs.
https://blog.cloudflare.com/5-december-2025-outage/
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
Apache Tika XXE Flaw
Apache s Tika library patched a XXE flaw.
https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k

Nation-State Attack or Compromised Government? [Guest Diary]
An IP address associated with the Indonesian Government attacked one of our interns' honeypots.
https://isc.sans.edu/diary/Nation-State%20Attack%20or%20Compromised%20Government%3F%20%5BGuest%20Diary%5D/32536
React Update
Working exploits for the React vulnerability patched yesterday are not widely available
Array Networks Array AG Vulnerablity
A recently patched vulnerability in Array Networks Array AG VPN gateways is actively exploited.
https://www.jpcert.or.jp/at/2025/at250024.html