WEEKLY TOP TEN: December 15, 2025, 16:00 GMT
- Comcast Vendor Breach Claim
Attackers claiming to be Space Bears alleged they accessed Comcast data by compromising vendor Quasar Inc. The claim remains unverified, but the intrusion pattern mirrors common supply-chain attacks: target a smaller partner, then pivot into the larger enterprise’s data environment. These events expose persistent weaknesses in vendor access controls, token permissions, and shared-resource governance. Even without confirmation, organizations that rely on third-party integrations should consider whether privileged vendor accounts, SSO scopes, and shared file repositories are overextended or unmonitored.

- Vitas Healthcare Data Exposure
Vitas Healthcare confirmed a breach affecting more than 300,000 individuals. The incident likely involves exposure of administrative, personal, or patient-connected information. Large healthcare networks carry systemic risk because a single intrusion can span HR systems, billing workflows, scheduling software, and patient services. Attackers increasingly target organizations with wide datasets and older system integrations. Defenders should evaluate identity governance, implement strict logging for sensitive datasets, and prioritize alerts for unexpected data movement, especially from privileged accounts.

- Microsoft Patches Three Zero-Days
Microsoft released December updates addressing 57 vulnerabilities, including three zero-days, one of them actively exploited. The monthly cycle once again demonstrated the narrow gap between public disclosure and attacker adoption. Systems tied to identity, Office components, and Windows kernel-level operations should receive accelerated patching. The update cadence reinforces how quickly adversaries reverse-engineer patches to produce working exploits. Enterprises that rely on delayed rollout windows face measurable exposure, especially on widely distributed endpoints and remote worker fleets.

- SAP Releases Critical Fixes
SAP issued critical patches across several core enterprise components in its December security notes. These systems often anchor financials, HR, procurement, and supply-chain operations, so vulnerabilities here carry implications beyond data loss, including business-process manipulation or operational downtime. Organizations frequently fall behind on SAP patching because of testing dependencies, and attackers exploit that lag. Administrators should restrict access to SAP management interfaces, enforce MFA on privileged accounts, and monitor high-impact transactions until patches are fully deployed.

- Windows RasMan Zero-Day Exploited
Ransomware groups are exploiting a Windows RasMan zero-day to escalate privileges and move laterally through enterprise networks. RasMan sits at the heart of remote network connectivity, making it a valuable entry point for attackers targeting VPN-connected hosts. Typical campaigns combine the zero-day with credential theft and remote execution tooling before data theft or encryption. Organizations should apply available mitigations immediately, review remote-access authentication logs, and investigate unusual service configurations or DLL loads.

- CentreStack Exploited in Mass Attacks
A vulnerability chain in CentreStack file-sharing servers is being exploited at scale. Attackers can steal data, create new admin users, and pivot deeper into internal environments. Because CentreStack integrates with local file servers, compromise can rapidly escalate into organization-wide exposure. Systems directly exposed to the internet are especially vulnerable. Defenders should move management interfaces behind VPN/SSO, enforce MFA, and monitor for unusual file-volume spikes or newly created privileged accounts.

- Chrome Zero-Day Triggers Emergency Update
Google issued an emergency Chrome update fixing its eighth exploited zero-day this year. Browser compromises remain a direct path to corporate data via stolen cookies, tokens, and authentication sessions. Attackers combine zero-days with phishing lures that imitate browser-update prompts, exploiting users during patch delays. Organizations should enforce automatic updates, ensure high-risk user groups (admins, developers, finance staff) patch quickly, and monitor identity platforms for suspicious token replays.

- EtherRAT Uses React2Shell Exploit
A malware campaign tied to EtherRAT operators leveraged React2Shell vulnerabilities to infect Linux systems. Infrastructure patterns suggest alignment with North Korean-affiliated threat actors. After exploiting the web vulnerability, attackers installed persistence mechanisms, harvested credentials, and established covert C2 channels. Defenders should pair application patching with host-level forensics to check for unauthorized accounts, malicious systemd services, cron entries, and outbound traffic to suspicious endpoints.

- IAB Abuses EDR Components
An initial access broker known as Storm-0249 was observed abusing EDR-linked components to execute malware covertly. By blending malicious activity into trusted utilities and defensive tooling, attackers lower detection probabilities. This technique is part of a broader shift toward “living off the defender,” where adversaries weaponize legitimate binaries and agent processes. Effective detection relies on behavioral analytics: anomalous process chains, EDR tampering, and agent activity outside maintenance windows.

- React Server Components Vulnerabilities
Researchers disclosed vulnerabilities in React Server Components (RSC) that can trigger DoS attacks and expose source code. Exposed source code often reveals internal endpoints, logic flows, or hardcoded secrets that attackers can weaponize. DoS conditions add operational pressure, creating openings for broader attacks. Organizations should patch affected frameworks promptly, rotate any previously embedded secrets, and monitor for abnormal request patterns targeting RSC routes.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked from highest risk downward, using multiple sources where available.