Major Zero-Day Exploitation and Supply Chain Threats in December 2025
Multiple critical zero-day vulnerabilities affecting Windows, Chrome, Apple devices, and popular enterprise software were actively exploited in December 2025, with attackers rapidly weaponizing newly disclosed flaws. Notable incidents included the exploitation of the React2Shell vulnerability in React 19, which was leveraged by a range of threat actors—from Chinese state-sponsored groups to North Korean-linked campaigns—deploying malware such as EtherRAT, PeerBlight, and BPFDoor. Emergency patches were released by vendors including Google and Apple, while Microsoft addressed an actively exploited Windows zero-day in its Patch Tuesday updates. The MITRE Top 25 Most Dangerous Software Weaknesses list for 2025 highlighted persistent coding errors that continue to be targeted by adversaries, emphasizing the need for secure development practices.
Supply chain attacks also surged, with threat actors increasingly targeting GitHub Actions to compromise software development workflows. High-profile incidents such as the exploitation of Gogs and other open-source platforms underscored the risks inherent in collaborative coding environments. Security researchers and agencies like CISA responded by adding new vulnerabilities to their Known Exploited Vulnerabilities catalogs and urging organizations to prioritize patching and adopt a shared responsibility model for securing code repositories. The rapid pace of exploitation and the diversity of attack vectors reinforced the importance of agility, visibility, and proactive defense in enterprise cybersecurity strategies.
Timeline
Dec 14, 2025
CISA adds multiple software flaws to the KEV catalog
The US Cybersecurity and Infrastructure Security Agency added exploited vulnerabilities affecting products including Ivanti EPM, Microsoft Windows, WinRAR, Sierra Wireless AirLink ALEOS, OSGeo GeoServer, and Meta React Server Components to its Known Exploited Vulnerabilities catalog. The additions signaled active risk and the need for urgent remediation.
Dec 14, 2025
Google and Apple issue emergency updates after targeted attacks
Google and Apple released emergency security updates in response to targeted attacks exploiting vulnerabilities in their products. The updates were reported alongside active exploitation of Chrome and Apple zero-days.
Dec 14, 2025
Oracle EBS zero-day exploited in Barts Health NHS breach
The Cl0p ransomware group exploited an Oracle E-Business Suite zero-day to breach Barts Health NHS. The incident was highlighted as a notable example of active zero-day exploitation against a major healthcare target.
Dec 12, 2025
Black Hat Europe researchers present 2025 GitHub Actions attack findings
At Black Hat Europe, Wiz researchers Amitai Cohen and Rami McCarthy presented findings on the increase in GitHub Actions supply chain attacks and called for a shared-responsibility model for open-source security. Their presentation drew on GitHub threat intelligence and aimed to raise awareness of underreported CI/CD risks.
Dec 12, 2025
FBI warns of virtual kidnapping scams using altered social media photos
The FBI issued a warning about virtual kidnapping scams in which criminals manipulate victims' social media photos to make extortion attempts more convincing. The alert highlighted the growing use of AI-assisted deception in fraud schemes.
Dec 12, 2025
Spiderman phishing kit targets European banks
A phishing kit known as Spiderman emerged targeting European banks with advanced credential theft techniques. Reporting described it as part of a broader wave of increasingly sophisticated phishing operations in late 2025.
Dec 12, 2025
Attackers use AI platforms and poisoned search to spread malware
Threat actors were reported using platforms such as ChatGPT and Grok, along with poisoned search results, to distribute malware including AMOS Stealer. The activity reflected a broader trend of abusing trusted AI services for social engineering and malware delivery.
Dec 12, 2025
Researchers report GeminiJack zero-click data exfiltration flaw
A vulnerability dubbed GeminiJack in Google Gemini Enterprise was reported as enabling zero-click data exfiltration through prompt injection. The issue underscored the security risks of AI assistants with broad access to enterprise data.
Dec 12, 2025
Gogs zero-day CVE-2025-8110 is disclosed and exploited
A remote code execution zero-day in Gogs, tracked as CVE-2025-8110, was publicly reported as under active exploitation. The flaw was listed among several high-priority vulnerabilities being weaponized in December 2025.
Dec 12, 2025
Threat actors begin exploiting React2Shell within hours
Multiple threat actors, including Chinese state-linked and North Korea-linked operators, began exploiting React2Shell shortly after disclosure. The activity led to malware delivery campaigns involving tools such as EtherRAT and PeerBlight and left more than 165,000 IPs exposed according to one report.
Dec 12, 2025
Researchers disclose React2Shell RCE in React 19/Next.js
A critical remote code execution flaw dubbed React2Shell, tracked as CVE-2025-55182, was disclosed in React 19 and React/Next.js server components. Reporting described the bug as severe and rapidly weaponized after disclosure.
Dec 12, 2025
Coupang data breach leads to CEO resignation
A major data breach at South Korean retailer Coupang resulted in the resignation of the company's CEO. The reporting frames the resignation as a significant consequence of the breach but gives no date for the breach itself.
Jan 1, 2025
Supply chain attacks on GitHub Actions rise during 2025
Throughout 2025, attackers increasingly abused misconfigured GitHub Actions workflows to compromise open-source software and expose secrets such as access keys and tokens. Reported incidents affected projects including Ultralytics, Singularity, Shibaud/Shai-Hulud, and tj-actions/changed-files, with one attack reportedly impacting Coinbase and nearly 70,000 customers.
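Checks a defender can run over workflow files to catch the kind of misconfiguration this entry refers to, as an added example written for this page rather than code from any of the projects named above. The two workflows are constructed, the `some-org/*` action names and the commit SHAs are placeholders, and the three rules (mutable action references, `write-all` token permissions, and a `pull_request_target` trigger combined with checking out the pull request head while secrets are in scope) are general hardening checks assumed here, not the specific failure in any listed incident.

```python
import re

# Constructed sample workflow (not taken from any real project). It combines three
# patterns that, together, can hand a repository's secrets to untrusted pull-request code.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/changed-files@v45
      - uses: some-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - run: ./scripts/test.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# The same job with the three issues addressed: plain pull_request trigger (fork PRs get
# no secrets), least-privilege token, and every action pinned to a full commit SHA.
# The SHAs are placeholders, not real commits.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@89abcdef0123456789abcdef0123456789abcdef
      - uses: some-org/changed-files@fedcba9876543210fedcba9876543210fedcba98
      - uses: some-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - run: ./scripts/test.sh
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PR_TARGET_RE = re.compile(r"^\s*pull_request_target\s*:")
PR_HEAD_REF_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
SECRETS_RE = re.compile(r"\$\{\{\s*secrets\.")
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\b")


def audit_workflow(text):
    """Return (rule_id, line_number, detail) tuples for the risky patterns found.

    Deliberately line-based so it needs no YAML library; it recognises the block form
    of the trigger list (on:\\n  pull_request_target:) and not the inline `on: [...]` form.
    """
    lines = text.splitlines()
    findings = []
    pr_target_line = next((n for n, l in enumerate(lines, 1) if PR_TARGET_RE.match(l)), None)
    head_ref_line = next((n for n, l in enumerate(lines, 1) if PR_HEAD_REF_RE.search(l)), None)
    reads_secrets = any(SECRETS_RE.search(l) for l in lines)

    for n, line in enumerate(lines, 1):
        if WRITE_ALL_RE.match(line):
            findings.append(("broad-permissions", n,
                             "permissions: write-all grants every scope to GITHUB_TOKEN"))
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not FULL_SHA_RE.match(ref):
                findings.append(("unpinned-action", n,
                                 f"{action}@{ref} is a mutable tag/branch; pin a 40-char commit SHA"))

    # pull_request_target runs with the base repository's secrets; checking out the PR head
    # and then running it in a job that can read secrets lets fork code reach those secrets.
    if pr_target_line and head_ref_line and reads_secrets:
        findings.append(("pr-target-untrusted-checkout", head_ref_line,
                         "pull_request_target + checkout of PR head + secrets in the same job"))
    return sorted(findings, key=lambda f: f[1])


def rule_ids(text):
    """Just the rule identifiers, in line order, for quick comparison."""
    return [f[0] for f in audit_workflow(text)]


if __name__ == "__main__":
    for rule, line_no, detail in audit_workflow(RISKY_WORKFLOW):
        print(f"{rule:30} line {line_no:>2}: {detail}")
    print("hardened:", audit_workflow(HARDENED_WORKFLOW))
```

Run it as a script and it lists four findings for the risky workflow (the `write-all` block, two mutable action references, and the trigger/checkout/secrets combination) and none for the hardened one. Pinning first-party `actions/*` references is flagged too, since a tag can be moved regardless of who owns the action.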
Dec 31, 2023
Ransomware payments hit a record $4.5 billion in 2023
Security reporting in December 2025 cited 2023 as a record year for ransomware payments, totaling $4.5 billion. The figure was presented as context for the growing scale of cybercrime and extortion activity.
Related Stories

Critical Vulnerabilities and Exploitation Trends in 2025
Security researchers highlighted several high-impact vulnerabilities that shaped the threat landscape in 2025, including unauthenticated remote code execution flaws in widely used platforms such as React Server Components (CVE-2025-55182), SAP NetWeaver (CVE-2025-31324), PAN-OS (CVE-2025-0108), Cisco IOS XE (CVE-2025-20188), and Erlang/OTP SSH (CVE-2025-32433). These vulnerabilities were notable for their rapid exploitation following public disclosure, with attackers leveraging unauthenticated access and broad software reach to maximize impact. The year saw a shift in attacker focus, with perimeter devices and enterprise software becoming primary entry points, and defenders were forced to respond quickly as the window between disclosure and exploitation narrowed. In December 2025, Microsoft released one of its lightest Patch Tuesday updates, addressing 56 new CVEs. Despite the lower volume, security experts emphasized the importance of prioritizing vulnerabilities that were already exploited, publicly disclosed, or rated as critical with a high likelihood of exploitation. The analysis provided actionable intelligence for defenders, including technology-specific threat insights and resources for mitigating risk. The convergence of these trends underscored the need for rapid vulnerability management and highlighted recurring blind spots in enterprise defense strategies.
Cybersecurity Predictions and Trend Roundups for 2026
Multiple outlets published early-2026 **trend and prediction** pieces describing how the threat landscape may evolve, emphasizing increased attacker scale and compressed exploit timelines. Cisco Talos forecast continued use of **infostealers**, phishing, and proxy actors conducting destructive/extortion activity amid geopolitical tension, and warned that more autonomous **AI agents** with broad internal access could drive breaches through poor governance and excessive permissions. runZero similarly predicted that 2026 will be shaped less by novel attacker capability and more by expanding exposure, especially as **OT/edge environments** become more internet-reachable through IT/cloud management, while AI accelerates the volume of low-quality exploit attempts and operational “noise.” Dark Reading also highlighted ecosystem-level shifts that complicate risk prioritization, reporting that **2025 CVE volume hit a record 48,177** and that changes in CVE issuance (e.g., increased reporting from WordPress-focused CNAs) are a major driver of the surge rather than a clear indicator of increased underlying risk.

Separately, several items in this roundup are not predictions but point-in-time reporting on specific threats and vulnerabilities. Cisco Talos reported **UAT-8837**, assessed with medium confidence as a **China-nexus** actor, targeting North American **critical infrastructure** since at least 2025, using exploitation of vulnerable servers or compromised credentials for initial access and then deploying tools such as *Earthworm*, *SharpHound*, *DWAgent*, and *Certipy* for credential/AD discovery and persistence; Talos linked the actor’s infrastructure and TTPs to exploitation of the **Sitecore ViewState deserialization zero-day `CVE-2025-53690`**.

The Hacker News bulletin included a disclosure of **Redis `CVE-2025-62507` (CVSS 8.8)**, described as a stack-based buffer overflow in the `XACKDEL` command path that could enable **unauthenticated RCE** in default configurations, and noted thousands of exposed servers. Darktrace described rapid in-the-wild exploitation of **React/Next.js “React2Shell” `CVE-2025-55182`**, observing opportunistic scanning and follow-on activity (including payload delivery and cryptomining) shortly after public PoC release, with notable impact observed in cloud-hosted environments and the finance sector. Dark Reading also cited Cyble data indicating increased targeting and sales of compromised access affecting **retail and services** organizations in Australia and New Zealand.
Critical Vulnerabilities Exploited in 2025, Including React Native CLI Metro Dev Server RCE
Attackers in 2025 rapidly exploited both new and longstanding vulnerabilities, with mass scanning and weaponization occurring within hours of disclosure. The most targeted weaknesses included deserialization flaws, memory corruption in edge devices, and privilege escalation bugs, with some vulnerabilities—such as those in React Server Components and Microsoft WSUS—being compared to Log4Shell in terms of scale and impact. The Top 25 exploited vulnerabilities of the year highlighted systemic failures in patch management and asset visibility, as attackers leveraged both recent and decade-old flaws to gain initial access, deploy webshells, and compromise CI/CD pipelines. Among the most critical issues was CVE-2025-11953, a remote code execution vulnerability in the React Native Community CLI’s Metro development server. This flaw, caused by unsanitized user input in the `@react-native-community/cli-server-api` package, allowed unauthenticated attackers to execute arbitrary OS commands via exposed HTTP endpoints. The vulnerability posed significant supply chain risks to mobile app development environments, enabling attackers to compromise developer workstations, steal credentials, and potentially pivot into corporate networks. Multiple national CERTs and security vendors issued urgent alerts and mitigation guidance due to the high exploitability and widespread exposure of this vulnerability.