React and Next.js Critical RCE Flaw; Two Android Zero-Days Fixed in December Bulletin; Windows LNK Flaw Addressed

On November 29, 2025, researcher Lachlan Davidson disclosed a critical vulnerability affecting React Server Components (RSC) before versions 19.0.1, 19.1.2, and 19.2.1. CVE-2025-55182, CVSS score 10.0, allows an unauthenticated remote attacker to achieve code execution when React deserializes a malicious HTTP request at a Server Endpoint. Wiz researchers estimate that 39 percent of cloud environments contain vulnerable React instances, noting that the vulnerable configuration is the default configuration. Wiz emphasizes to security teams that the only definitive mitigation is to upgrade React and dependencies, including RSC-enabled frameworks. Notably, the Next.js development framework is downstream of the protocol involved, and so inherits the flaw; however, a separate enumeration for impact on Next.js (CVE-2025-66478) has been rejected as a duplicate of the React flaw. Users must update Next.js to releases 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog.

Google’s Android Security Bulletin for December 2025 includes fixes for more than 100 vulnerabilities, including a pair of actively exploited flaws in Android Framework. Both vulnerabilities, a privilege escalation issue (CVE-2025-48572) and an information disclosure flaw (CVE-2025-48633) have been added to the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog despite neither having a NIST NVD entry yet; both have mitigation deadlines of December 23 for US Federal Civilian Executive Branch agencies. The Android bulletin rates both vulnerabilities as high severity. In all, the bulletin addresses seven vulnerabilities with a critical rating: one in Android Framework, four in Android Kernel, and two in Qualcomm components.

Following seven years of widespread exploitation and a March 2025 report from Trend Zero Day Initiative (ZDI), Microsoft has patched a high-severity flaw in Windows shortcut files (.LNK) without releasing an advisory. Tracked previously as ZDI-CAN-25373 and now as CVE-2025-9491, the flaw allows an attacker to achieve remote code execution by hiding malicious command-line arguments in a shortcut's target, using whitespace characters to completely prevent the code from displaying within the 260-character limit of the Properties field. ZDI observed "nearly 1,000" samples of these malicious files in campaigns from as early as 2017, including abuse by state-sponsored hacking groups targeting "governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies" primarily in the United States, as well as in Canada, Russia, South Korea, Vietnam, and Brazil; ZDI's analysis suggests nearly 70% of the campaigns focused on information theft and espionage. While Microsoft previously had not considered the UI manipulation to be a security issue requiring a patch, ACROS Security's 0patch project reports that Windows releases since June 2025 have been gradually implementing a change that removes the character limit for the Properties field. Citing a report by Arctic Wolf on malicious .LNK exploitation in cyber espionage by Chinese-affiliated threat actors targeting "European diplomatic entities in Hungary, Belgium, and additional European nations during September and October 2025," 0patch has released an alternative defensive micropatch that identifies and shortens suspiciously long targets in any programmatically created .LNK files opened by Windows Explorer.

New in Holiday Hack Challenge: Skip the storyline and jump straight into the challenges. CTF mode lets you focus on solving technical puzzles, testing your skills, and competing your way to the top.

https://www.sans.org/cyber-ranges/holiday-hack-challenge

Marquis, a company whose software handles customer data for over 700 financial institutions, has disclosed a ransomware attack and data breach that took place on August 14, 2025. The company engaged cybersecurity experts through legal counsel, notified law enforcement, and began an investigation upon determining that suspicious activity on its network was the result of a ransomware attack. The investigation, which ended in October 2025, "revealed that an unauthorized third party accessed Marquis’ network through its SonicWall firewall ... and may have acquired certain files from its systems." SecurityWeek estimates across Marquis's breach notifications that as many as three-quarters of a million individuals may be affected; Marquis states in its notification to Maine residents that compromised information may include "names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, financial account information without security or access codes, and dates of birth." A financial institution's filing with the New Hampshire Attorney General specifies that Marquis will keep its firewalls patched and up to date, rotate passwords, delete unused accounts, implement MFA, increase logging retention, apply a lock-out policy for excessive failed VPN logins, apply geo-IP filtering, and apply firewall policies to block known botnet command and control (C2) connections. Marquis is offering complimentary identity protection services to those affected. BleepingComputer notes that a now-deleted credit union filing indicated that Marquis paid a ransom shortly after the attack.

Japanese retailer Askul has partially resumed online sales following an October 19 ransomware attack. The attack rendered Askul unable to accept orders or ship merchandise. Several days after the initial attack, Askul said the issue resided in the company's Warehouse Management System, meaning the company's logistics systems were not operational. On October 30, Askul revealed that the attack had compromised customer data. Shortly after that announcement, Askul began accepting limited orders via fax; the company offered a reduced inventory and would sell only to certain customers, which included those in the healthcare sector. On December 3, Askul announced it had restored the Warehouse Management System with an expanded inventory, but only for B2B orders; consumers are still unable to order online from Askul. The company has told investors that it needs "additional time ... "to assess the extent of the damage and related matters" before completing its quarterly results report.

On Wednesday, December 4, 2025, India's Communications Ministry issued a press release reversing the government’s original mandate for a non-removable cybersecurity app, Sanchar Saathi, to be pre-installed on all smartphones. The original order was issued on Monday, December 1, and directed smartphone manufacturers to comply within 90 days, installing Sanchar Saathi on all models in the supply chain and pushing it to current devices as a software update. The mandate garnered criticism as it raised concerns over privacy, security, liability, and exclusivity, including pushback from digital rights groups, think tanks, and the manufacturers themselves. The press release cites the ongoing success and "increasing acceptance" of the app, with 14 million current users and 6,000 new users in the preceding 24 hours, as the reason "not to make the pre-installation mandatory for mobile manufacturers."

The US Federal Trade Commission (FTC) has reached a proposed settlement with Illuminate Education over the edtech company's security failures. In December 2021, an intruder accessed the company's systems, which were hosted by a third-party cloud provider, using credentials belonging to a former Illuminate employee who had left the company more than three years earlier. The intruder accessed and exfiltrated data belonging to more than 190 million students. The stolen information included email and physical addresses, dates of birth, academic records, and health data. According to the FTC, Illuminate waited two years to notify affected school districts. In addition, the FTC alleged that Illuminate misrepresented the level of security it provided for the information with which it was entrusted. According to the terms of the proposed settlement, Illuminate will be required to scrub from its systems all data it no longer needs to retain, adhere to a publicly available data retention schedule, develop and implement a comprehensive data security program, and notify the FTC if and when it reports data breaches to other entities.

The US Cybersecurity and Infrastructure Security Agency and the Australian Signals Directorate together with other cyber-related agencies in Canada, Germany, the Netherlands, New Zealand, the UK, and the US have published a joint guidance document laying out principles for securely integrating artificial intelligence in Operational Technology (OT). The document notes that "despite the many benefits, integrating AI into operational technology (OT) environments that manage essential public services also introduces significant risks—such as OT process models drifting over time or safety-process bypasses—that owners and operators must carefully manage to ensure the availability and reliability of critical infrastructure." The guidance lays out four principles: understand AI; consider AI use in the OT domain; establish AI governance and assurance frameworks; and embed oversight and failsafe practices into AI and AI-enabled OT systems. The guidance "focuses on machine learning, large language model-based AI, and AI agents because of the complex security considerations and challenges they pose, but the guidance also applies to systems augmented with traditional statistical modeling and logic-based automation."

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) released 14 Industrial Control System (ICS) advisories. The advisories cover vulnerabilities in Industrial Video & Control Longwatch; Iskra iHUB and iHUB Lite; Mirion Medical EC2 Software NMIS BioDose; Mitsubishi Electric CNC Series (Update A), MELSEC iQ-R Series/iQ-F Series (Update C), and GX Works2; MAXHUB Pivot; Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace and iSTAR; Sunbird DCIM dcTrack and Power IQ; SolisCloud Monitoring Platform; Advantech iView; Consilium Safety CS5000 Fire Panel (Update A); and Johnson Controls FX Server, FX80 and FX90 (Update A). At least one of the vulnerabilities, a critical missing authentication for critical function issue (CVE-2025-13510) in Iskra iHUB and iHUB Lite, does not currently have a fix; CISA advises "users [to] take defensive measures to minimize the risk of exploitation of this vulnerability, such as: minimiz[ing] network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet; locat[ing] control system networks and remote devices behind firewalls and isolating them from business networks; and when remote access is required, us[ing] more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices."