






















December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
Bottom line: December's surge reflects both new zero-days and renewed interest in legacy vulnerabilities. React2Shell alone demonstrates how quickly modern web frameworks can become global attack vectors.
All 22 vulnerabilities below were actively exploited in December 2025.
#
Vulnerability
Risk
Score
Affected Vendor/Product
Vulnerability Type/Component
Public PoC
1
99
Meta React Server Components
CWE-502 (Deserialization of Untrusted Data)
2
99
Array Networks ArrayOS AG
CWE-78 (OS Command Injection)
No
3
99
Google Android
CWE-306 (Missing Authentication for Critical Function)
No
4
99
Google Android
Insufficient Information
No
5
99
Fortinet Multiple Products
CWE-347 (Improper Verification of Cryptographic Signature)
6
99
Fortinet FortiWeb
CWE-347 (Improper Verification of Cryptographic Signature)
7
99
Microsoft Windows
CWE-416 (Use After Free)
No
8
99
Gogs
CWE-22 (Path Traversal)
9
99
Google Chromium
CWE-787 (Out-of-bounds Write)
10
99
Gladinet CentreStack and Triofox
CWE-798 (Use of Hard-coded Credentials)
11
99
ASUS Live Update
CWE-506 (Embedded Malicious Code)
No
12
99
Cisco Multiple Products
CWE-20 (Improper Input Validation)
13
99
Apple Multiple Products
CWE-416 (Use After Free)
No
14
99
SonicWall SMA1000 appliance
CWE-250 (Execution with Unnecessary Privileges)
No
15
99
WatchGuard Firebox
CWE-787 (Out-of-bounds Write)
No
16
99
MongoDB and MongoDB Server
CWE-130 (Improper Handling of Length Parameter Inconsistency)
17
99
Digiever DS-2105 Pro
CWE-862 (Missing Authorization)
No
18
99
Sierra Wireless AirLink ALEOS
CWE-434 (Unrestricted Upload of File with Dangerous Type)
No
19
99
OSGeo GeoServer
CWE-611 (Improper Restriction of XML External Entity Reference)
20
99
RARLAB WinRAR
CWE-22 (Path Traversal)
21
99
D-Link Routers
CWE-120 (Classic Buffer Overflow)
No
22
99
OpenPLC ScadaBR
CWE-434 (Unrestricted Upload of File with Dangerous Type)
Table 1: List of vulnerabilities that were actively exploited in December based on Recorded Future data (Source: Recorded Future)
React2Shell exploitation dominated December’s CVE activity:
Additional activity:
These vulnerabilities demand immediate attention due to confirmed widespread exploitation.
Risk Score: 99 (Very Critical) | CISA KEV: Added December 5, 2025
Why this matters: Unauthenticated RCE affects React and Next.js, among the world's most popular web frameworks. Multiple threat actors are actively exploiting vulnerable instances with diverse malware payloads.
Affected versions:
Immediate actions:
Exposure: ~310,500 Next.js instances on Shodan (US, India, Germany, Japan, Australia)
Risk Score: 99 (Very Critical) | Active exploitation by UAT-9686
Why this matters: Chinese threat actors are actively compromising email security infrastructure to establish persistent access and pivot into internal networks.
Affected products: Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS
Immediate actions:
/data/web/euq_webui/htdocs/index.pyKnown C2 infrastructure: 172.233.67.176, 172.237.29.147, 38.54.56.95 (inactive)
Risk Score: 99 (Very Critical) | CISA KEV: Added December 16, 2025
Why this matters: Hard-coded cryptographic keys enable unauthenticated file reads, including sensitive configuration files. Active exploitation observed in the wild.
Affected versions: All versions before 16.12.10420.56791
Immediate actions:
React2Shell represents a fundamental flaw in React Server Components' Flight protocol implementation:
Analysis of exploitation activity from Insikt Group observations:
Why this matters: The combination of a popular framework, simple exploitation, and high impact created perfect conditions for mass compromise. Organizations must assume exposure if running vulnerable versions.
Insikt Group created a Nuclei template for safe detection, available to Recorded Future customers. The template identifies vulnerable instances without triggering exploitation.
Sophisticated espionage operation: Chinese threat actors demonstrated advanced tradecraft:
Why this matters: Email gateways represent critical infrastructure. Compromise enables interception of sensitive communications and lateral movement into protected networks.
Memory leak through protocol confusion: The vulnerability exploits mismatched length fields in Zlib-compressed headers:
Why this matters: Database servers often contain authentication tokens, API keys, and sensitive configuration in memory. Even read-only access can enable further attacks.
Recorded Future customers can access Nuclei templates for:
Note: All templates perform non-intrusive detection only.
Framework vulnerabilities go viral. React2Shell demonstrated how modern web frameworks can become global attack vectors within days of disclosure.
Legacy flaws find new life. The addition of 2018-2022 vulnerabilities to CISA's KEV catalog shows threat actors mining old CVEs for unpatched targets.
Nation-state actors accelerate timelines. Chinese and North Korean groups deployed sophisticated campaigns within hours of vulnerability disclosure.
Ready to see how Recorded Future can help your team track mass exploitation, prioritize framework updates, and detect emerging threats? Explore our demo center for live examples. Dive deeper with Insikt Group research for technical threat intelligence.
About Insikt Group®:
Recorded Future's Insikt Group® combines elite security researchers, data scientists, and intelligence analysts to deliver actionable threat intelligence. Our team tracks global vulnerability exploitation to help organizations stay ahead of emerging threats.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。