Hackers are actively exploiting critical software vulnerabilities this week, impacting smartphone users, web browsers, and file compression tools. Critical updates are urgently needed to address these threats.
In a significant development for cybersecurity, both Apple and Google have released security patches for zero-day vulnerabilities that were reportedly already being exploited in highly targeted attacks. These flaws, identified as CVE-2025-14174 and CVE-2025-43529 in Apple’s systems, and CVE-2025-14174 within Google’s Chrome browser, can be exploited through malicious web content to execute arbitrary code. The memory corruption and use-after-free bugs are believed to have been weaponized by commercial spyware vendors. This situation underscores the rapid pace at which vulnerabilities are being weaponized and the critical importance of timely software updates for everyday users.
Urgent Software Updates Address Actively Exploited Flaws
Apple has issued security updates across its entire ecosystem, including iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and the Safari web browser, in response to two zero-day vulnerabilities. These flaws have been described as a memory corruption issue (CVE-2025-14174) and a use-after-free bug (CVE-2025-43529). Exploitation of these vulnerabilities can occur through the use of specially crafted web content, leading to the execution of arbitrary code on affected devices. Google has also addressed CVE-2025-14174 within its Chrome browser, as it utilizes the same open-source Almost Native Graphics Layer Engine (ANGLE) library. While specific details about the exploitation methods remain undisclosed, evidence suggests a strong possibility that these vulnerabilities were leveraged by commercial spyware providers.
Significant Vulnerabilities and Exploits Emerge Across the Cyber Landscape
Security researchers have uncovered a concerning vulnerability within .NET applications, dubbed SOAPwn, which could enable attackers to achieve remote code execution (RCE) through unexpected behavior in HTTP client proxies. This flaw allows for arbitrary file writes, as .NET’s HTTP client proxies can interpret non-HTTP URLs, including file paths. This can lead to RCE via web shells or malicious PowerShell scripts. Attackers can exploit this by passing arbitrary URLs to SOAP API endpoints, potentially leaking NTLM challenges or achieving full code execution through webshell uploads or malicious script drops.
Additionally, a new vulnerability in Gladinet’s CentreStack and Triofox products is currently under active exploitation by unknown threat actors. This undisclosed flaw allows unauthorized access to the web.config file, which can then be used to execute arbitrary code. The underlying issue stems from a design failure in how cryptographic keys for encrypting access tokens are generated, making them static and exploitable. As of December 10, 2025, nine organizations have reportedly been affected by this vulnerability.
The popular file compression utility, WinRAR, is also facing an active exploitation campaign targeting a high-severity flaw, CVE-2025-6218. This path traversal vulnerability allows attackers to execute code within the context of the current user. Three distinct threat actors, tracked as GOFFEE, Bitter, and Gamaredon, are reportedly leveraging this exploit. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating its remediation for Federal Civilian Executive Branch (FCEB) agencies by December 30, 2025.
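The WinRAR item above concerns a path traversal flaw: an archive member whose name resolves outside the chosen extraction directory. As an added defensive example (not code from the article, from WinRAR or from any vendor), the Python below performs the lexical check an extractor should apply to each member name before writing it; the member names are constructed samples and no archive format is parsed.

```python
import os
import posixpath
from typing import List, Tuple

# Constructed sample of archive member names (not taken from any real
# exploit archive). It mixes benign entries with the kinds of names a
# path-traversal archive relies on: parent-directory segments, absolute
# paths, Windows drive letters and backslash separators.
SAMPLE_MEMBERS = [
    "report/summary.txt",
    "report/images/chart.png",
    "../../outside/dropped.cmd",
    "report/..\\..\\outside/dropped.exe",
    "/etc/cron.d/outside",
    "C:\\Windows\\Temp\\outside.dll",
    "report/./notes.txt",
]


def is_safe_member(name: str, dest_dir: str) -> bool:
    """Return True only if extracting `name` stays inside dest_dir.

    Backslashes are normalised to '/', so a name such as 'a\\..\\b' is
    judged the way a Windows extractor would resolve it, even when this
    check runs on a POSIX host.
    """
    normalised = name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes can never be safe.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False
    # Collapse '.' and '..' segments, then confirm the result is still
    # at or below the (symlink-resolved) destination directory.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, posixpath.normpath(normalised)))
    return target == dest or target.startswith(dest + os.sep)


def audit_members(names: List[str], dest_dir: str) -> List[Tuple[str, str]]:
    """Label every member name 'ok' or 'blocked' for the given destination."""
    return [(n, "ok" if is_safe_member(n, dest_dir) else "blocked") for n in names]


if __name__ == "__main__":
    for name, verdict in audit_members(SAMPLE_MEMBERS, "/tmp/extract"):
        print(f"{verdict:8} {name}")
```

A real extractor must also refuse to follow symlinks already present under the destination and apply the same check to hard-link and symlink targets stored in the archive.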
The exploitation of a recently disclosed critical vulnerability in React, known as React2Shell (CVE-2025-55182), has surged significantly. Threat actors are targeting unpatched systems with this flaw to deploy various types of malware. Wiz reported a rapid wave of opportunistic exploitation following its public disclosure. Google observed a China-nexus espionage cluster, UNC6600, utilizing React2Shell to deploy MINOCAT, a tunneling utility. Other exploitation efforts include the deployment of the SNOWLIGHT downloader by UNC6586, the COMPOOD backdoor by UNC6588, an updated HISONIC backdoor by UNC6603, and ANGRYREBEL.LINUX by UNC6595, all attributed to China-nexus activity. These campaigns highlight the risks associated with unpatched React and Next.js systems.
Meanwhile, a Hamas-affiliated cyber threat group known as WIRTE (also known as Ashen Lepus) has been conducting espionage against government and diplomatic entities in the Middle East since 2018. The group has expanded its targeting to include Oman and Morocco, while continuously evolving its capabilities. Their modus operandi involves spear-phishing emails that deliver malicious attachments containing a modular malware suite called AshTag. This malware is embedded within command-and-control (C2) web pages in Base64-encoded format. Palo Alto Networks Unit 42 noted that Ashen Lepus remained active throughout the Israel-Hamas conflict and even after the October 2025 Gaza ceasefire, deploying new malware variants and engaging in hands-on activity within victim environments. It is assessed that the group may operate from outside Gaza, given its sustained activity.
Trending Common Vulnerabilities and Exposures (CVEs)
The speed at which threat actors can exploit new vulnerabilities is a constant concern for cybersecurity professionals. A single unpatched flaw can lead to a significant breach. This week’s most critical security flaws include:
CVE-2025-43529 and CVE-2025-14174 (Apple), CVE-2025-14174 (Google Chrome), CVE-2025-55182, CVE-2025-55183, CVE-2025-55184 (React), CVE-2025-8110 (Gogs), CVE-2025-62221 (Microsoft Windows), CVE-2025-59718, CVE-2025-59719 (Fortinet), CVE-2025-10573 (Ivanti Endpoint Manager), CVE-2025-42880, CVE-2025-55754, CVE-2025-42928 (SAP), CVE-2025-9612, CVE-2025-9613, CVE-2025-9614 (PCI Express Integrity and Data Encryption protocol), CVE-2025-27019, CVE-2025-27020 (Infinera MTC-9), CVE-2025-65883 (Genexis Platinum P4410 router), CVE-2025-64126, CVE-2025-64127, CVE-2025-64128 (Zenitel TCIV-3+), CVE-2025-66570 (cpp-httplib), CVE-2025-63216 (Itel DAB Gateway), CVE-2025-63224 (Itel DAB Encoder), CVE-2025-13390 (WP Directory Kit plugin), CVE-2025-65108 (md-to-pdf), CVE-2025-58083 (General Industrial Controls Lynx+ Gateway), CVE-2025-66489 (Cal.com), CVE-2025-12195, CVE-2025-12196, CVE-2025-11838, CVE-2025-12026 (WatchGuard), CVE-2025-64113 (Emby Server), CVE-2025-66567 (ruby-saml), CVE-2025-24857 (Universal Boot Loader), CVE-2025-13607 (D-Link DCS-F5614-L1, Sparsh Securitech, Securus CCTV), CVE-2025-13184 (TOTOLINK AX1800), CVE-2025-65106 (LangChain), CVE-2025-67635 (Jenkins), CVE-2025-12716, CVE-2025-8405, CVE-2025-12029, CVE-2025-12562 (GitLab CE/EE), and CVE-2025-64775 (Apache Struts 2).
Developments in the Global Cybersecurity Arena
The U.K. Information Commissioner’s Office (ICO) has imposed a £1.2 million fine on LastPass’s British subsidiary for a 2022 data breach. This breach allowed attackers to access personal information of its customers, including encrypted password vaults. The attack involved compromising a developer’s MacBook Pro to access corporate development environments and exfiltrate data. Subsequently, attackers exploited a Plex Media Server vulnerability (CVE-2020-5741) to install a keylogger and steal the developer’s master password, leading to a breach of the cloud storage environment. The ICO determined that LastPass failed to implement adequate technical and security measures.
The threat actor APT-C-60 has been observed continuing its cyber attacks targeting Japan, delivering the SpyGlace malware through spear-phishing emails impersonating job seekers. Attacks conducted between June and August 2025 involved malicious VHDX files directly attached to emails. Clicking an LNK file within the VHDX executed a malicious script via Git, with malware components downloaded from GitHub, marking a shift from previous use of Bitbucket.
A new variation of the ClickFix attack, named ConsentFix, has been identified. This technique tricks users into copy-pasting text containing their OAuth material into an attacker-controlled web page. Push Security observed this technique targeting Microsoft business accounts, involving fake Cloudflare Turnstile challenges and localhost URLs to steal OAuth authorization codes for Microsoft accounts. This attack vector operates entirely within the browser context, making detection more challenging.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and MITRE Corporation have released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. This list identifies critical vulnerabilities frequently exploited by adversaries, compiled from 39,080 CVEs published this year. The top weaknesses include cross-site scripting, SQL Injection, Cross-Site Request Forgery (CSRF), missing authorization, and out-of-bounds write.
Reports suggest that two members of the Salt Typhoon group, Yu Yang and Qiu Daibing, participated in a 2012 Cisco Networking Academy Cup. Yu and Qiu are co-owners of Beijing Huanyu Tianqiong, a company alleged to be a front for Salt Typhoon activities. SentinelOne found that Yu and Qiu represented Southwest Petroleum University in the competition. This incident raises concerns about the potential for training initiatives to inadvertently bolster foreign offensive research capabilities.
Two security flaws have been disclosed in the privacy-focused messaging app Freedom Chat. These vulnerabilities could allow attackers to guess registered users’ phone numbers and expose user-set PINs. The issues, discovered by Eric Daigle, have been addressed by Freedom Chat as of December 7, 2025. All user PINs have been reset to enhance account security.
Free unofficial patches are now available for a new Windows zero-day vulnerability affecting the Remote Access Connection Manager (RasMan) service. Discovered by 0patch, this flaw could allow unprivileged attackers to cause a denial-of-service (DoS) condition. While not yet assigned a CVE identifier and with no evidence of active abuse, it impacts all Windows versions.
U.S. prosecutors have charged a Ukrainian national, Victoria Eduardovna Dubranova, for her alleged role in cyberattacks targeting critical infrastructure globally on behalf of Russian state-backed hacktivist groups, including NoName057(16) and CyberArmyofRussia_Reborn (CARR). These groups have conducted numerous DDoS attacks and are accused of tampering with U.S. public water systems and causing an ammonia leak. Dubranova has pleaded not guilty.
APT36, also known as Transparent Tribe, has been observed conducting a new phishing campaign against Indian government entities. This campaign delivers tailored malware designed to compromise Linux-based BOSS operating environments prevalent in these networks. The intrusion begins with spear-phishing emails leading to weaponized Linux shortcut files that execute malicious components in the background.
A threat cluster referred to as Operation Hanoi Thief has targeted Vietnamese IT departments and HR recruiters with phishing emails containing fake resumes. These emails are designed to deliver malware known as LOTUSHARVEST. The ZIP files contain a Windows shortcut (LNK) file that executes a payload, displays a decoy PDF, and uses DLL side-loading to load the LOTUSHARVEST DLL, which then harvests data from web browsers.
Microsoft has introduced a new security feature in PowerShell 5.1 to warn users about executing web content. The Invoke-WebRequest command will now prompt users before potentially risky actions, advising the use of the safer -UseBasicParsing parameter. Additionally, Microsoft is rolling out a new Baseline Security Mode across its services to automatically configure apps with minimum security requirements.
The U.S. government is preparing to require foreign travelers to provide five years of social media history prior to entry. This requirement will encompass details about social media accounts, email addresses, and phone numbers used over the past five years, and will apply to travelers from all countries.
An active adversary-in-the-middle (AitM) phishing campaign is targeting users of Microsoft 365 and Okta, aiming to hijack the single sign-on (SSO) flow and bypass multi-factor authentication (MFA) methods that are not phishing-resistant. The campaign hijacks the authentication flow to a second-stage phishing page that acts as a proxy to legitimate Okta tenants, capturing credentials and session tokens.
A large-scale phishing campaign is using Calendly-themed lures, disguised as fake job opportunities, to steal Google Workspace and Facebook business account credentials. These emails impersonate major brands and deliver phishing links under the guise of Calendly appointment booking. The campaign targets accounts responsible for managing digital ads, suggesting intentions for malvertising and other attacks.
Threat actors are leveraging digital calendar subscription infrastructure to deliver malicious content. Security risks arise from third-party calendar subscriptions hosted on expired or hijacked domains, which can be exploited for large-scale social engineering. Malicious calendar files containing harmful URLs or attachments can be added directly to users’ schedules, potentially affecting millions of iOS and macOS devices.
A new ransomware group named The Gentlemen has emerged, employing tactics such as Group Policy Objects (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD) in its double extortion attacks. The group has targeted industries including manufacturing, construction, healthcare, and insurance across 17 countries since its emergence around July 2025.