Full Report
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.

What security teams need to know:

- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave, with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of the 22 vulnerabilities have proof-of-concept code available, accelerating exploitation timelines
- Legacy vulnerabilities resurface: CISA added 2018-2022 era flaws to its Known Exploited Vulnerabilities (KEV) catalog, highlighting persistent patch gaps

Bottom line: December's surge reflects both new zero-days and renewed interest in legacy vulnerabilities. React2Shell alone demonstrates how quickly modern web frameworks can become global attack vectors.

## Quick Reference Table

All 22 vulnerabilities below were actively exploited in December 2025.
| # | Vulnerability | Risk Score | Affected Vendor/Product | Vulnerability Type/Component | Public PoC |
|---|---|---|---|---|---|
| 1 | CVE-2025-55182 | 99 | Meta React Server Components | CWE-502 (Deserialization of Untrusted Data) | Yes |
| 2 | CVE-2025-66644 | 99 | Array Networks ArrayOS AG | CWE-78 (OS Command Injection) | No |
| 3 | CVE-2025-48572 | 99 | Google Android | CWE-306 (Missing Authentication for Critical Function) | No |
| 4 | CVE-2025-48633 | 99 | Google Android | Insufficient Information | No |
| 5 | CVE-2025-59718 | 99 | Fortinet Multiple Products | CWE-347 (Improper Verification of Cryptographic Signature) | Yes |
| 6 | CVE-2025-59719 | 99 | Fortinet FortiWeb | CWE-347 (Improper Verification of Cryptographic Signature) | Yes |
| 7 | CVE-2025-62221 | 99 | Microsoft Windows | CWE-416 (Use After Free) | No |
| 8 | CVE-2025-8110 | 99 | Gogs | CWE-22 (Path Traversal) | Yes |
| 9 | CVE-2025-14174 | 99 | Google Chromium | CWE-787 (Out-of-bounds Write) | Yes |
| 10 | CVE-2025-14611 | 99 | Gladinet CentreStack and Triofox | CWE-798 (Use of Hard-coded Credentials) | Yes |
| 11 | CVE-2025-59374 | 99 | ASUS Live Update | CWE-506 (Embedded Malicious Code) | No |
| 12 | CVE-2025-20393 | 99 | Cisco Multiple Products | CWE-20 (Improper Input Validation) | Yes |
| 13 | CVE-2025-43529 | 99 | Apple Multiple Products | CWE-416 (Use After Free) | No |
| 14 | CVE-2025-40602 | 99 | SonicWall SMA1000 appliance | CWE-250 (Execution with Unnecessary Privileges) | No |
| 15 | CVE-2025-14733 | 99 | WatchGuard Firebox | CWE-787 (Out-of-bounds Write) | No |
| 16 | CVE-2025-14847 | 99 | MongoDB and MongoDB Server | CWE-130 (Improper Handling of Length Parameter Inconsistency) | Yes |
| 17 | CVE-2023-52163 | 99 | Digiever DS-2105 Pro | CWE-862 (Missing Authorization) | No |
| 18 | CVE-2018-4063 | 99 | Sierra Wireless AirLink ALEOS | CWE-434 (Unrestricted Upload of File with Dangerous Type) | No |
| 19 | CVE-2025-58360 | 99 | OSGeo GeoServer | CWE-611 (Improper Restriction of XML External Entity Reference) | Yes |
| 20 | CVE-2025-6218 | 99 | RARLAB WinRAR | CWE-22 (Path Traversal) | Yes |
| 21 | CVE-2022-37055 | 99 | D-Link Routers | CWE-120 (Classic Buffer Overflow) | No |
| 22 | CVE-2021-26828 | 99 | OpenPLC ScadaBR | CWE-434 (Unrestricted Upload of File with Dangerous Type) | Yes |

Table 1: List of vulnerabilities that were actively exploited in December based on Recorded Future data (Source: Recorded Future)

## Key Trends in December 2025

### Affected Vendors

- Fortinet continued vulnerability concerns with two critical authentication bypass flaws
- Google faced three vulnerabilities across Android (2) and Chromium (1) platforms
- Microsoft dealt with a Windows kernel use-after-free vulnerability
- Meta experienced the month's most impactful vulnerability with React2Shell
- Additional affected vendors: Array Networks, Gogs, Gladinet, ASUS, Cisco, Apple, SonicWall, WatchGuard, MongoDB, Digiever, Sierra Wireless, OSGeo, RARLAB, D-Link, and OpenPLC

### Most Common Weakness Types

- CWE-22 – Path Traversal
- CWE-347 – Improper Verification of Cryptographic Signature
- CWE-416 – Use After Free
- CWE-434 – Unrestricted Upload of File with Dangerous Type
- CWE-787 – Out-of-bounds Write

### Threat Actor Activity

React2Shell exploitation dominated December's CVE activity:

- Threat actors observed to have exploited this vulnerability:
  - China-nexus actors Earth Lamia and Jackpot Panda
  - China-linked clusters UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595
  - North Korea-linked and financially motivated groups
- Observed payloads included EtherRAT, PeerBlight, CowTunnel, ZinFoq, Kaiji variants, Zndoor, RondoDox, MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, ANGRYREBEL.LINUX, and Weaxor ransomware (using a Cobalt Strike stager)
- Infrastructure connections to HiddenOrbit relay infrastructure and the GobRAT relay component

Additional activity:

- UAT-9686 exploited Cisco Secure Email Gateway (CVE-2025-20393), deploying AquaShell, AquaPurge, and AquaTunnel
- Unknown actors leveraged the Gogs vulnerability (CVE-2025-8110) for Supershell malware deployment

## Priority Alert: Active Exploitation

These vulnerabilities demand immediate attention due to confirmed widespread exploitation.
### CVE-2025-55182 | Meta React Server Components (React2Shell)

Risk Score: 99 (Very Critical) | CISA KEV: Added December 5, 2025

Why this matters: Unauthenticated RCE affects React and Next.js, among the world's most popular web frameworks. Multiple threat actors are actively exploiting vulnerable instances with diverse malware payloads.

Affected versions:

- React packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)
- Next.js: 15.x, 16.x, and Canary builds from 14.3.0-canary.77
- Also affects: React Router, Waku, RedwoodSDK, Parcel, Vite RSC plugin

Immediate actions:

- Upgrade React to 19.0.3, 19.1.4, or 19.2.3 immediately
- Update Next.js to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5
- Monitor for unusual multipart/form-data POST requests consistent with Next.js Server Actions / RSC endpoints
- Check logs for `E{"digest"` error patterns indicating exploitation attempts
- Review server processes for unexpected Node.js child processes

Exposure: ~310,500 Next.js instances on Shodan (US, India, Germany, Japan, Australia)

Figure 1: Vulnerability Intelligence Card® for CVE-2025-55182 (React2Shell) in Recorded Future (Source: Recorded Future)

### CVE-2025-20393 | Cisco Secure Email Gateway

Risk Score: 99 (Very Critical) | Active exploitation by UAT-9686

Why this matters: Chinese threat actors are actively compromising email security infrastructure to establish persistent access and pivot into internal networks.

Affected products: Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS

Immediate actions:

- Apply Cisco's security updates immediately
- Monitor Spam Quarantine web interface access logs
- Check for modifications to /data/web/euq_webui/htdocs/index.py
- Hunt for AquaShell, AquaPurge, and AquaTunnel indicators
- Review outbound connections to suspicious IPs

Known C2 infrastructure: 172.233.67.176, 172.237.29.147, 38.54.56.95 (inactive)
Analysis Summary
As a vulnerability research specialist, I have summarized the top two actively exploited, high-impact flaws from December 2025, prioritizing actionable remediation steps based on the provided intelligence.
---
# Vulnerability: Meta React Server Components Deserialization Flaw (React2Shell)
## CVE Details
- CVE ID: CVE-2025-55182
- Risk Score: 99 (Very Critical) (Recorded Future Risk Score; not a CVSS base score)
- CWE: CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- Products: Meta React Server Components (React packages), Next.js, React Router, Waku, RedwoodSDK, Parcel, Vite RSC plugin.
- Versions:
- React packages: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack` versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
- Next.js: 15.x, 16.x, and Canary builds from 14.3.0-canary.77.
- Configurations: Affects Next.js instances utilizing Server Actions / RSC endpoints. Exposure identified on approximately 310,500 Next.js instances globally.
## Vulnerability Description
This vulnerability in Meta's React Server Components (React2Shell) allows for unauthenticated Remote Code Execution (RCE) through the deserialization of untrusted data. Attackers can manipulate data processed via React Server Components to execute arbitrary code on the server.
## Exploitation
- Status: Widespread exploitation in the wild globally. Actively exploited by multiple threat actors, including China-nexus groups (Earth Lamia, Jackpot Panda) and others deploying diverse malware (e.g., EtherRAT, Weaxor ransomware).
- Complexity: Low; public proof-of-concept code is available and the affected frameworks are widely deployed.
- Attack Vector: Network (Remote/Unauthenticated).
## Impact
- Confidentiality: High (Likely leads to full system compromise).
- Integrity: High (Code execution allows for complete system tampering).
- Availability: High (System takeover and service disruption).
## Remediation
### Patches
Immediate updates are required:
* **React:** Upgrade to 19.0.3, 19.1.4, or 19.2.3.
* **Next.js:** Upgrade to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5.
### Workarounds
* Monitor server logs for unusual `multipart/form-data` POST requests targeting Server Actions / RSC endpoints.
* Inspect server processes for unexpected child processes spawned by Node.js.
* Check logs for exploitation patterns, including the `E{"digest"` error rows observed during attacks.
## Detection
- Indicators of Compromise (IoCs): Presence of malware payloads such as EtherRAT, PeerBlight, CowTunnel, or Cobalt Strike stagers originating from exploited React/Next.js servers. Connections to HiddenOrbit relay infrastructure.
- Detection Methods and Tools: Use Nuclei templates (available to Recorded Future customers) for safe, non-intrusive detection checks. Monitor web server access logs for abnormal POST activity to RSC endpoints.
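The log checks listed in the Priority Alert's immediate actions and in the Detection section above (multipart/form-data POSTs to Server Actions / RSC endpoints, and the `E{"digest"` error pattern) can be turned into a first-pass triage script. The following Python is an added example, not code from the report, from Recorded Future, or from the React/Next.js projects. It runs over constructed JSON-lines access-log and error-log samples embedded in the script (documentation-range IPs, made-up digests and action IDs) and assumes the log fields `ts`, `src`, `method`, `path`, `status`, `content_type` and `headers`; the rule that two or more action POSTs from one source in the sample window count as "unusual" is a hypothetical threshold to tune against your own baseline.

```python
import json
import re
from collections import Counter

# Constructed sample access log in JSON-lines form, as a reverse proxy or Node
# app might emit. Source IPs are documentation-range addresses, not real traffic.
ACCESS_LOG = r"""
{"ts":"2025-12-04T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/","status":500,"content_type":"multipart/form-data; boundary=----a1","headers":{"next-action":"7f3c","rsc":"1"}}
{"ts":"2025-12-04T10:00:02Z","src":"203.0.113.7","method":"POST","path":"/","status":500,"content_type":"multipart/form-data; boundary=----a2","headers":{"next-action":"7f3c","rsc":"1"}}
{"ts":"2025-12-04T10:00:05Z","src":"198.51.100.20","method":"GET","path":"/about","status":200,"content_type":"","headers":{"rsc":"1"}}
{"ts":"2025-12-04T10:00:09Z","src":"198.51.100.21","method":"POST","path":"/api/login","status":200,"content_type":"application/json","headers":{}}
{"ts":"2025-12-04T10:01:00Z","src":"198.51.100.22","method":"POST","path":"/contact","status":200,"content_type":"multipart/form-data; boundary=----b1","headers":{"next-action":"c0ff"}}
"""

# Constructed error/response log lines. The E{"digest" marker is the RSC
# error-row pattern the report lists as an exploitation indicator.
ERROR_LOG = r"""
2025-12-04T10:00:01Z src=203.0.113.7 rsc-response 1:E{"digest":"2769801834"}
2025-12-04T10:00:02Z src=203.0.113.7 rsc-response 1:E{"digest":"2769801834"}
2025-12-04T10:00:05Z src=198.51.100.20 info GET /about 200
"""

DIGEST_ERROR = re.compile(r'E\{"digest"')
REPEAT_THRESHOLD = 2  # hypothetical: this many action POSTs from one source is "unusual"


def parse_access_log(text):
    """Yield one dict per non-empty JSON line; lines that fail to parse are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_action_multipart_post(entry):
    """True for a POST carrying multipart/form-data to a Server Action / RSC endpoint.

    Legitimate Server Action form submissions also match, so this is a candidate
    filter, not an alert on its own.
    """
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    ctype = entry.get("content_type", "").lower()
    return (entry.get("method") == "POST"
            and ctype.startswith("multipart/form-data")
            and ("next-action" in headers or "rsc" in headers))


def flag_requests(entries, threshold=REPEAT_THRESHOLD):
    """Keep candidates that are unusual: server-side error, or repeated from one source."""
    candidates = [e for e in entries if is_action_multipart_post(e)]
    per_src = Counter(e["src"] for e in candidates)
    return [e for e in candidates
            if e.get("status", 0) >= 500 or per_src[e["src"]] >= threshold]


def find_digest_errors(text):
    """Return every log line containing the E{"digest" error-row pattern."""
    return [line for line in text.splitlines() if DIGEST_ERROR.search(line)]


def analyze(access_text=ACCESS_LOG, error_text=ERROR_LOG):
    """Correlate the two log sources into one triage result."""
    flagged = flag_requests(list(parse_access_log(access_text)))
    return {
        "flagged_requests": flagged,
        "flagged_sources": sorted({e["src"] for e in flagged}),
        "digest_error_lines": find_digest_errors(error_text),
    }


if __name__ == "__main__":
    report = analyze()
    for e in report["flagged_requests"]:
        print(f'{e["ts"]} {e["src"]} {e["method"]} {e["path"]} status={e["status"]}')
    print(f'{len(report["digest_error_lines"])} E{{"digest" error rows seen')
```

On the constructed sample only the two 500-status action POSTs from 203.0.113.7 are flagged; the single successful form submission from 198.51.100.22 passes the candidate filter but is not reported, which is the distinction between "Server Action traffic" and "unusual Server Action traffic" the report asks for. Correlating the flagged source with the digest-error lines is left as a manual step.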
## References
* Vendor Advisories: Refer to Meta/Next.js security bulletins for specific patching details. (Specific links are not provided in the source text; rely on the vendor advisories.)
---
# Vulnerability: Cisco Secure Email Gateway Command Injection
## CVE Details
- CVE ID: CVE-2025-20393
- Risk Score: 99 (Very Critical) (Recorded Future Risk Score; not a CVSS base score)
- CWE: CWE-20 (Improper Input Validation)
## Affected Systems
- Products: Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS.
- Versions: Specific versions are not detailed in the source; the advisory implies that all AsyncOS versions without Cisco's security update are vulnerable.
- Configurations: Applicable to devices utilizing the AsyncOS operating system for email management.
## Vulnerability Description
This flaw is an Improper Input Validation vulnerability leading to OS Command Injection within the Cisco Secure Email Gateway. Successful exploitation allows remote attackers to execute arbitrary operating system commands with the privileges available to the affected service.
## Exploitation
- Status: Actively exploited in the wild by the China-nexus threat actor UAT-9686 for espionage operations.
- Complexity: Low; public proof-of-concept code is available and the flaw is under active exploitation.
- Attack Vector: Network (remote exploitation via the exposed Spam Quarantine web interface).
## Impact
- Confidentiality: High (Allows access to internal network data).
- Integrity: High (OS command execution).
- Availability: High (System compromise).
## Remediation
### Patches
* Apply Cisco's latest security updates for Secure Email Gateway and Secure Email and Web Manager immediately.
### Workarounds
* Monitor logs related to the Spam Quarantine web interface access for suspicious activity.
* Specifically hunt for unauthorized modifications to the file `/data/web/euq_webui/htdocs/index.py`.
## Detection
- Indicators of Compromise (IoCs): Deployment of espionage tools linked to UAT-9686, specifically **AquaShell, AquaPurge, and AquaTunnel**.
- Known C2 IPs: Review outbound connections for traffic to 172.233.67.176, 172.237.29.147, and 38.54.56.95 (the last reported inactive).
- Detection Methods and Tools: Review access logs associated with the quarantine web UI. Perform forensic analysis for post-exploitation tooling (AquaShell family).
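Two of the checks above are mechanical: confirming that `/data/web/euq_webui/htdocs/index.py` has not been modified, and sweeping outbound connection records for the three C2 addresses. The following Python is an added example, not code from the report, from Recorded Future, or from Cisco. It demonstrates both checks on constructed data: the integrity check runs against a stand-in file in a temporary directory (the real check needs a SHA-256 baseline taken from a known-clean AsyncOS image, which `BASELINE_SHA256` only placeholds), and the connection records are a made-up `"<timestamp> <src> <dst>:<port> <proto>"` format with documentation-range internal and benign addresses.

```python
import hashlib
import ipaddress
import os
import tempfile

# Known C2 infrastructure from the report. 38.54.56.95 was reported inactive
# but is kept so that historical connection records can still be matched.
KNOWN_C2 = {"172.233.67.176", "172.237.29.147", "38.54.56.95"}

# File the report says to check for modification on the appliance. The baseline
# hash must come from a known-clean image; the value below is a placeholder.
WATCHED_FILE = "/data/web/euq_webui/htdocs/index.py"
BASELINE_SHA256 = "<sha256 of index.py from a known-clean AsyncOS image>"

# Constructed outbound-connection records (not a real AsyncOS log format).
CONN_LOG = """
2025-12-10T08:01:02Z 10.10.5.4 172.233.67.176:443 tcp
2025-12-10T08:01:05Z 10.10.5.4 198.51.100.50:443 tcp
2025-12-10T08:02:00Z 10.10.5.4 38.54.56.95:8443 tcp
2025-12-10T08:03:10Z 10.10.5.4 198.51.100.51:25 tcp
"""


def sha256_of(path):
    """Stream the file through SHA-256 so it never has to fit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file_integrity(path, baseline_sha256):
    """Compare a file with its baseline hash. Returns (status, actual_hash).

    status is one of "missing", "unchanged" or "modified".
    """
    if not os.path.isfile(path):
        return "missing", None
    actual = sha256_of(path)
    return ("unchanged" if actual == baseline_sha256 else "modified"), actual


def find_c2_connections(log_text, c2=KNOWN_C2):
    """Return (timestamp, dst_ip, port) for records whose destination is a known C2."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or ":" not in parts[2]:
            continue  # blank or malformed record
        dst_ip, _, port = parts[2].rpartition(":")
        try:
            ipaddress.ip_address(dst_ip)
        except ValueError:
            continue  # destination is not a literal IP address
        if dst_ip in c2:
            hits.append((parts[0], dst_ip, port))
    return hits


def demo():
    """Run the integrity check on a constructed stand-in file, then scan the log."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "index.py")
        with open(path, "w") as f:
            f.write("# constructed stand-in for the EUQ index.py, not the real file\n")
        baseline = sha256_of(path)  # on a real appliance use BASELINE_SHA256
        clean_status, _ = check_file_integrity(path, baseline)
        with open(path, "a") as f:
            f.write("# simulated unauthorized change\n")
        tampered_status, _ = check_file_integrity(path, baseline)
    return clean_status, tampered_status, find_c2_connections(CONN_LOG)


if __name__ == "__main__":
    clean, tampered, hits = demo()
    print(f"{WATCHED_FILE}: baseline check -> {clean}, after change -> {tampered}")
    for ts, ip, port in hits:
        print(f"{ts} outbound connection to known C2 {ip}:{port}")
```

A "modified" result only tells you the file differs from the baseline; the follow-up is to diff the live file against the clean copy and hand any injected code to forensic review alongside the AquaShell-family hunt. Likewise, a hit on the inactive 38.54.56.95 address in old records is still worth investigating, since it dates the intrusion even if the infrastructure no longer answers.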
## References
* Vendor Advisories: Cisco Security Advisory [Specific advisory number required for reference].