惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Full Disclosure
博客园 - 三生石上(FineUI控件)
MyScale Blog
MyScale Blog
Apple Machine Learning Research
Apple Machine Learning Research
L
LINUX DO - 最新话题
T
The Blog of Author Tim Ferriss
P
Proofpoint News Feed
宝玉的分享
宝玉的分享
小众软件
小众软件
Hugging Face - Blog
Hugging Face - Blog
GbyAI
GbyAI
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
Visual Studio Blog
爱范儿
爱范儿
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园_首页
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
月光博客
月光博客
博客园 - 叶小钗
D
Docker
H
Hackread – Cybersecurity News, Data Breaches, AI and More
T
Tailwind CSS Blog
D
DataBreaches.Net
酷 壳 – CoolShell
酷 壳 – CoolShell
B
Blog RSS Feed
量子位
美团技术团队
Vercel News
Vercel News
Y
Y Combinator Blog
IT之家
IT之家
Martin Fowler
Martin Fowler
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
S
SegmentFault 最新的问题
腾讯CDC
Recent Announcements
Recent Announcements
Google DeepMind News
Google DeepMind News
罗磊的独立博客
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
The Register - Security
The Register - Security
博客园 - 司徒正美
N
Netflix TechBlog - Medium
S
Schneier on Security
博客园 - 聂微东
U
Unit 42
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
Latest news
Latest news

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
2026-01-13 · via Recorded Future

December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.

What security teams need to know:

  • React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
  • China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
  • Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-concept code available, accelerating exploitation timelines
  • Legacy vulnerabilities resurface: CISA added 2018-2022 era flaws to its Known Exploited Vulnerabilities (KEV) catalog, highlighting persistent patch gaps

Bottom line: December's surge reflects both new zero-days and renewed interest in legacy vulnerabilities. React2Shell alone demonstrates how quickly modern web frameworks can become global attack vectors.

Quick Reference Table

All 22 vulnerabilities below were actively exploited in December 2025.

#

Vulnerability

Risk
Score

Affected Vendor/Product

Vulnerability Type/Component

Public PoC

1

99

Meta React Server Components

CWE-502 (Deserialization of Untrusted Data)

2

99

Array Networks ArrayOS AG

CWE-78 (OS Command Injection)

No

3

99

Google Android

CWE-306 (Missing Authentication for Critical Function)

No

4

99

Google Android

Insufficient Information

No

5

99

Fortinet Multiple Products

CWE-347 (Improper Verification of Cryptographic Signature)

6

99

Fortinet FortiWeb

CWE-347 (Improper Verification of Cryptographic Signature)

7

99

Microsoft Windows

CWE-416 (Use After Free)

No

8

99

Gogs

CWE-22 (Path Traversal)

9

99

Google Chromium

CWE-787 (Out-of-bounds Write)

10

99

Gladinet CentreStack and Triofox

CWE-798 (Use of Hard-coded Credentials)

11

99

ASUS Live Update

CWE-506 (Embedded Malicious Code)

No

12

99

Cisco Multiple Products

CWE-20 (Improper Input Validation)

13

99

Apple Multiple Products

CWE-416 (Use After Free)

No

14

99

SonicWall SMA1000 appliance

CWE-250 (Execution with Unnecessary Privileges)

No

15

99

WatchGuard Firebox

CWE-787 (Out-of-bounds Write)

No

16

99

MongoDB and MongoDB Server

CWE-130 (Improper Handling of Length Parameter Inconsistency)

17

99

Digiever DS-2105 Pro

CWE-862 (Missing Authorization)

No

18

99

Sierra Wireless AirLink ALEOS

CWE-434 (Unrestricted Upload of File with Dangerous Type)

No

19

99

OSGeo GeoServer

CWE-611 (Improper Restriction of XML External Entity Reference)

20

99

RARLAB WinRAR

CWE-22 (Path Traversal)

21

99

D-Link Routers

CWE-120 (Classic Buffer Overflow)

No

22

99

OpenPLC ScadaBR

CWE-434 (Unrestricted Upload of File with Dangerous Type)

Table 1: List of vulnerabilities that were actively exploited in December based on Recorded Future data (Source: Recorded Future)

Affected Vendors

  • Fortinet continued vulnerability concerns with two critical authentication bypass flaws
  • Google faced three vulnerabilities across Android (2) and Chromium (1) platforms
  • Microsoft dealt with a Windows kernel use-after-free vulnerability
  • Meta experienced the month's most impactful vulnerability with React2Shell
  • Additional affected vendors: Array Networks, Gogs, Gladinet, ASUS, Cisco, Apple, SonicWall, WatchGuard, MongoDB, Digiever, Sierra Wireless, OSGeo, RARLAB, D-Link, and OpenPLC

Most Common Weakness Types

  • CWE-22 – Path Traversal
  • CWE-347 – Improper Verification of Cryptographic Signature
  • CWE-416 – Use After Free
  • CWE-434 – Unrestricted Upload of File with Dangerous Type
  • CWE-787 – Out-of-bounds Write

Threat Actor Activity

React2Shell exploitation dominated December’s CVE activity:

  • Threat actors observed to have exploited this vulnerability:
    • China-nexus actors Earth Lamia and Jackpot Panda
    • China-linked clusters UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595
    • North Korea-linked and financially motivated groups
  • Observed payloads included EtherRAT, PeerBlight, CowTunnel, ZinFoq, Kaiji variants, Zndoor, RondoDox, MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, ANGRYREBEL.LINUX, and Weaxor ransomware (using a Cobalt Strike stager)
  • Infrastructure connections to HiddenOrbit relay infrastructure and GobRAT relay component

Additional activity:

  • UAT-9686 exploited Cisco Secure Email Gateway (CVE-2025-20393), deploying AquaShell, AquaPurge, and AquaTunnel
  • Unknown actors leveraged Gogs vulnerability (CVE-2025-8110) for Supershell malware deployment

Priority Alert: Active Exploitation

These vulnerabilities demand immediate attention due to confirmed widespread exploitation.

CVE-2025-55182 | Meta React Server Components (React2Shell)

Risk Score: 99 (Very Critical) | CISA KEV: Added December 5, 2025

Why this matters: Unauthenticated RCE affects React and Next.js, among the world's most popular web frameworks. Multiple threat actors are actively exploiting vulnerable instances with diverse malware payloads.

Affected versions:

  • React packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)
  • Next.js: 15.x, 16.x, and Canary builds from 14.3.0-canary.77
  • Also affects: React Router, Waku, RedwoodSDK, Parcel, Vite RSC plugin

Immediate actions:

  • Upgrade React to 19.0.3, 19.1.4, or 19.2.3 immediately
  • Update Next.js to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5
  • Monitor for unusual multipart/form-data POST requests consistent with Next.js Server Actions / RSC endpoints
  • Check logs for E{"digest" error patterns indicating exploitation attempts
  • Review server processes for unexpected Node.js child processes

Exposure: ~310,500 Next.js instances on Shodan (US, India, Germany, Japan, Australia)

CVE-2025-20393 | Cisco Secure Email Gateway

Risk Score: 99 (Very Critical) | Active exploitation by UAT-9686

Why this matters: Chinese threat actors are actively compromising email security infrastructure to establish persistent access and pivot into internal networks.

Affected products: Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS

Immediate actions:

  • Apply Cisco's security updates immediately
  • Monitor Spam Quarantine web interface access logs
  • Check for modifications to /data/web/euq_webui/htdocs/index.py
  • Hunt for AquaShell, AquaPurge, and AquaTunnel indicators
  • Review outbound connections to suspicious IPs

Known C2 infrastructure: 172.233.67.176, 172.237.29.147, 38.54.56.95 (inactive)

CVE-2025-14611 | Gladinet CentreStack/Triofox

Risk Score: 99 (Very Critical) | CISA KEV: Added December 16, 2025

Why this matters: Hard-coded cryptographic keys enable unauthenticated file reads, including sensitive configuration files. Active exploitation observed in the wild.

Affected versions: All versions before 16.12.10420.56791

Immediate actions:

  • Upgrade to version 16.12.10420.56791 or later
  • Audit file access logs for unauthorized reads
  • Review Access Tickets for year 9999 timestamps
  • Check for web.config exfiltration attempts
  • Rotate all stored credentials and API keys

Technical Deep Dive: Exploitation Analysis

React2Shell Exploitation (CVE-2025-55182)

React2Shell represents a fundamental flaw in React Server Components' Flight protocol implementation:

  • Insecure deserialization – Server accepts malformed Flight payloads without validation
  • Protocol confusion – Attacker-controlled data influences server-side execution
  • Unauthenticated access – No authentication required for RSC endpoints
  • Wide impact – Affects the entire React ecosystem using Server Components

Analysis of exploitation activity from Insikt Group observations:

  • Payloads delivered via wget to download secondary stages
  • Active malware hosts serving RondoDox
  • Operators using public PoCs with minimal modifications

Why this matters: The combination of a popular framework, simple exploitation, and high impact created perfect conditions for mass compromise. Organizations must assume exposure if running vulnerable versions.

Insikt Group created a Nuclei template for safe detection, available to Recorded Future customers. The template identifies vulnerable instances without triggering exploitation.

UAT-9686 Cisco Campaign (CVE-2025-20393)

Sophisticated espionage operation: Chinese threat actors demonstrated advanced tradecraft:

  • Initial access via Spam Quarantine interface exploitation
  • Persistence through Python backdoor embedded in legitimate UI files
  • Log manipulation with AquaPurge to remove forensic evidence
  • Tunneling via AquaTunnel and Chisel for internal pivoting

Why this matters: Email gateways represent critical infrastructure. Compromise enables interception of sensitive communications and lateral movement into protected networks.

MongoBleed Information Disclosure (CVE-2025-14847)

Memory leak through protocol confusion: The vulnerability exploits mismatched length fields in Zlib-compressed headers:

  • Attacker sends crafted BSON documents with falsified lengths
  • MongoDB's parser reads beyond intended boundaries
  • Uninitialized heap memory exposed in error messages
  • Potential for credential and key material exposure

Why this matters: Database servers often contain authentication tokens, API keys, and sensitive configuration in memory. Even read-only access can enable further attacks.

Nuclei Templates from Insikt Group®

Recorded Future customers can access Nuclei templates for:

  • CVE-2025-55182 (React2Shell) - Safe deserialization check without exploitation

Note: All templates perform non-intrusive detection only.

Recorded Future Product Integrations

December 2025 Summary

Framework vulnerabilities go viral. React2Shell demonstrated how modern web frameworks can become global attack vectors within days of disclosure.

Legacy flaws find new life. The addition of 2018-2022 vulnerabilities to CISA's KEV catalog shows threat actors mining old CVEs for unpatched targets.

Nation-state actors accelerate timelines. Chinese and North Korean groups deployed sophisticated campaigns within hours of vulnerability disclosure.

Take Action

Ready to see how Recorded Future can help your team track mass exploitation, prioritize framework updates, and detect emerging threats? Explore our demo center for live examples. Dive deeper with Insikt Group research for technical threat intelligence.

About Insikt Group®:

Recorded Future's Insikt Group® combines elite security researchers, data scientists, and intelligence analysts to deliver actionable threat intelligence. Our team tracks global vulnerability exploitation to help organizations stay ahead of emerging threats.