The US Cybersecurity and Infrastructure Security Agency (CISA) has shortened the deadline for Federal Executive Branch Civilian Agencies to mitigate the React2Shell vulnerability (CVE-2025-55182) to Friday, December 12 due to the severity of the vulnerability (CVSS 10.0), the scope of the tool's use across the internet, and multiple reports of exploitation. Initially, the mitigation deadline was set to be December 26. Researchers have observed both criminal groups and state-sponsored threat actors actively exploiting the flaw. Meta React Server Components are estimated to be embedded in 50 million websites. Attacks have targeted organizations in North and South America, Asia, and the Middle East. CISA has asked that federal agencies "check for signs of potential compromise on all internet accessible REACT instances after applying mitigations."

Translate this action into this: the attack pattern warrants taking immediate action. It also means you need to actively hunt for IoCs. Allowing CISA/DHS to monitor the response across US government systems is what CDM was designed for. Even so, individual security teams need to implement the fixes as there will be follow-up where gaps are found (think data calls, reports, and meetings).
This deadline should have been set when it was placed on the KEV list to begin with. Allowing 30 days or more to patch is simply too long for a vulnerability that’s being actively exploited. That decision is even easier when it carries a CVSS score of 10.
Microsoft's last Patch Tuesday of 2025 includes fixes for 57 CVEs across the company's products, one of which is marked "Exploitation Detected." The exploited zero-day (CVE-2025-62221, CVSS score 7.8) allows an authorized attacker to locally elevate privileges to SYSTEM level by exploiting a use-after-free flaw in Windows Cloud Files Mini Filter Driver, a core Windows component also used by OneDrive, Google Drive, and iCloud. No further details about the exploitation have been provided. Three of the flaws in the advisory are rated critical: Two allow remote code execution (RCE) in Microsoft Office due to type confusion (CVE-2025-62554) and a use-after-free flaw (CVE-2025-62557), and the third allows RCE in Outlook due to a use-after-free flaw (CVE-2025-62557). Two vulnerabilities are marked as publicly disclosed but not known to be exploited, both allowing RCE due to "improper neutralization of special elements": one in PowerShell (CVE-2025-54100), and one in GitHub Copilot for JetBrains (CVE-2025-64671). Five flaws are marked "Exploitation More Likely," which according to Kev Breen, senior director of threat research at Immersive, may be because the components in question "have historically been exploited in the wild or have enough technical detail on previous CVEs that it would be easier for threat actors to weaponize." The remaining flaws stem from elevation of privilege, remote code execution, information disclosure, denial of service, and spoofing. Microsoft has also released the KB5071546 Windows 10 extended security update for users in the ESU program or who run Windows 10 Enterprise LTSC.

I’ll use Microsoft’s December Vulnerability Tuesday to point out all the other Zero Day fixes noted in this NewsBites issue. December often has staffing challenges but for many enterprises it can be the best time for longer change windows to deal with patching and version upgrades, as long as eggnog consumption is at reasonable levels…

Don’t underestimate the use of the Windows Cloud driver. It’s used by all the services storing files seamlessly in the cloud. With the holidays approaching, you may want to start the deployment sooner than usual so your travelers have updated protections.
Microsoft
SANS ISC
Krebs on Security
The Register
The Hacker News
Dark Reading
BleepingComputer
Microsoft
BleepingComputer
Fortinet, Ivanti, and SAP have released security advisories for their products, each including patches for critical vulnerabilities. An unauthenticated attacker can bypass *FortiCloud* SSO login authentication by using a crafted SAML response message, due to an improper verification of cryptographic signature vulnerability tracked as CVE-2025-59719 for FortiWeb and CVE-2025-59718 for Fortinet FortiOS, FortiProxy, and FortiSwitchManager, both carrying CVSS score 9.8. Fortinet notes that while FortiCloud SSO login is not enabled by factory default, registering the device to FortiCare from the GUI enables login via FortiCloud SSO unless the administrator disables a toggle that is on by default. Users should turn off the FortiCloud login feature and update to fixed versions indicated in the advisory. Ivanti's advisory discloses four flaws affecting *Ivanti Endpoint Manager* (EPM) 2024 SU4 and before, including CVE-2025-10573, CVSS score 9.6, which allows a remote unauthenticated attacker to exploit a stored cross-site scripting (XSS) vulnerability to execute arbitrary JavaScript in the context of an administrator session. The other three flaws are rated high severity, and could lead to remote code execution or arbitrary files written outside the intended directory due to improper control of dynamically managed code resources (CVE-2025-13659), path traversal (CVE-2025-13661), and improper verification of cryptographic signatures (CVE-2025-13662). Beyond the update, Ivanti urges users to not expose their EPM to the internet, to only connect to trusted servers, and to only import trusted configuration files. *SAP*'s advisory discloses 14 vulnerabilities, three of which are critical, covering a variety of their products. CVE-2025-42880, CVSS score 9.9, allows an unauthenticated attacker to gain full control of a system by inserting malicious code when calling a remote-enabled function module in SAP Solution Manager.
CVE-2025-55754, CVSS score 9.6, allows an attacker to trick an administrator into running an attacker-controlled command by manipulating the console and clipboard with ANSI escape sequences injected using a specially crafted URL, due to improper neutralization of escape, meta, or control sequences in Apache Tomcat. CVE-2025-42928, CVSS 9.1, allows a high-privileged attacker to achieve remote code execution using specially crafted input to SAP jConnect, due to a deserialization vulnerability. SAP recommends users visit their support portal to apply patches.

Roll up your sleeves, there’s a lot to unpack here. Beyond patching your Fortinet, Ivanti and SAP services, you need to make sure they’re properly isolated from the internet, particularly any management interfaces. Now the hard part: make sure you’re following the latest security practices, even if they haven’t changed the guidance.
Fortinet
Ivanti
SAP
The Hacker News
Bleeping Computer
Heise
Heise
Adobe has released five security bulletins comprising 138 vulnerabilities in its products. Adobe fixed 117 flaws in Adobe Experience Manager (AEM), two of which are critical severity: both CVE-2025-64537 and CVE-2025-64539 are DOM-based cross-site scripting (XSS) vulnerabilities that allow an attacker to achieve arbitrary code execution and session takeover by injecting malicious scripts into a web page, which executes the scripts in the browser when visited by a user. Seven of the twelve flaws fixed in Adobe ColdFusion are rated critical, and "could lead to arbitrary file system write, arbitrary file system read, arbitrary code execution, security feature bypass, and priviledge [sic] escalation." Four flaws were addressed in Adobe DNG Software Development Kit (SDK), three of which are critical: an integer overflow or wraparound (CVE-2025-64783) that could lead to arbitrary code execution, and a heap-based buffer overflow (CVE-2025-64784) and out-of-bounds read (CVE-2025-64893) that could each lead to memory exposure. Two of the four fixed flaws in Adobe Acrobat and Reader are critical: an untrusted search path (CVE-2025-64785) and an out-of-bounds read (CVE-2025-64899), both potentially leading to arbitrary code execution. The single flaw addressed in the Adobe Creative Cloud Desktop Application is rated "important," and involves creation of a temporary file in a directory with incorrect permissions (CVE-2025-64896), possibly leading to application denial-of-service.

First step is easy: push updates to Acrobat, Experience Manager, DNG SDK, and Creative Cloud Desktop (only Mac version affected). Next, have your developers retest with the updated SDK. Now go work the ColdFusion update; 2025, 2023, and 2021 versions are affected. After applying the update, make sure that you review the lockdown guide.
Google has updated the Chrome stable channel for desktop to versions 143.0.7499.109/.110 for Windows/Mac and 143.0.7499.109 for Linux; the updated browsers will roll out over the next few days and weeks. The update addresses three security issues: a medium severity use-after-free vulnerability in Password manager (CVE-2025-14372), a medium severity inappropriate implementation vulnerability in Toolbar (CVE-2025-14373), and a high-severity vulnerability that is currently undescribed and has no assigned CVE. The high-severity vulnerability, which Google has designated as "under coordination," is being actively exploited in the wild. Information in a GitHub commit for the associated Chromium bug ID (466192044) suggests the vulnerability may be a buffer overflow issue in the ANGLE Metal renderer. This is the eighth zero-day vulnerability Google has patched in Chrome this calendar year.

Make sure that you’re implementing browser updates immediately and automatically, whether a push or pull. Then monitor to ensure the updates are applied. Don’t allow indefinite postponement or solely rely on user action; these are happening too frequently for the user to stay on top of unaided.
Have we gotten to a stage where knowing that Chrome has patched a zero day is less important? I mean, you should already have a process in place to close and restart your browser on a *daily* basis. It’s just a good user behavior to instill that has an instant security benefit.

Browsers are adequate for browsing, if only because browsing is an inherently high risk application.
GoogleBlog
The Hacker News
The Register
SecurityWeek
BleepingComputer
Wiz researchers have detected an unpatched, actively-exploited path traversal vulnerability in Gogs that "allows authenticated users to overwrite files outside the repository, leading to Remote Code Execution (RCE)." The vulnerability (CVE-2025-8110) is a bypass of a vulnerability patched a year ago (CVE-2024-55947). Gogs, a self-hosted Git service, has not yet patched the vulnerability. The Wiz researchers initially detected the vulnerability on July 10, 2025 and have identified more than 700 compromised public-facing Gogs instances. They write, "All infected instances shared the same pattern: 8-character random owner/repo names created within the same short time window (July 10th). This suggests that a single actor, or perhaps a group of actors all using the same tooling, are responsible for all infections." A second wave of attacks began in early November. Wiz recommends Gogs maintainers disable open registration if their instances do not require it; limit internet exposure by using a VPN or an IP address allow-list; and "look for the creation of repositories with random 8-character names or unexpected usage of the PutContents API." The Wiz write-up also includes indicators of compromise.

The issue is Gogs doesn’t validate symbolic link destinations. So, you create a repository which includes a symbolic link to a file outside your repository, then write data to that symlink and the target file is overwritten. You’re vulnerable if you’re running Gogs 0.13.3 or lower, are exposed to the internet, and have open registration enabled (the default). For now, limit internet exposure/access, disable open registration if possible, and look for bogus repositories.
Wiz
The Register
The Hacker News
DarkReading
SecurityWeek
BleepingComputer
NIST
NIST
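For the Gogs item above (CVE-2025-8110), an added hunting sketch, not code from Wiz or the Gogs project: it flags owner/repo pairs that both look like random 8-character names and lists symlinks in a repository revision that point outside the repository. The name regex, the 24-hour window, the function names and the sample data are assumptions constructed for illustration.

```python
import posixpath
import re
import subprocess
from datetime import datetime, timedelta

# Heuristic (assumption): "random 8-character name" = exactly 8 ASCII letters/digits.
NAME_RE = re.compile(r"[A-Za-z0-9]{8}")
SYMLINK_MODE = "120000"  # git tree-entry mode for a symbolic link


def flag_repos(repos, window=timedelta(hours=24)):
    """repos: iterable of (owner, name, created: datetime).
    Return ("owner/name", n) for repos whose owner AND name match the pattern,
    where n counts other matching repos created within `window` of this one."""
    hits = [r for r in repos if NAME_RE.fullmatch(r[0]) and NAME_RE.fullmatch(r[1])]
    out = []
    for owner, name, created in hits:
        near = sum(1 for h in hits
                   if h[:2] != (owner, name) and abs(h[2] - created) <= window)
        out.append((f"{owner}/{name}", near))
    return out


def escapes_repo(link_path, target):
    """True if a symlink stored at repo-relative link_path points outside the repo.
    Pure path arithmetic; chains of symlinks are not followed."""
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved == ".." or resolved.startswith("../")


def symlink_entries(ls_tree_z):
    """Parse `git ls-tree -r -z <rev>` output; yield (blob_sha, path) per symlink."""
    for rec in ls_tree_z.split("\0"):
        if not rec:
            continue
        meta, path = rec.split("\t", 1)
        mode, _type, sha = meta.split(" ")
        if mode == SYMLINK_MODE:
            yield sha, path


def scan_repo(git_dir, rev="HEAD"):
    """Return (path, target) for symlinks in `rev` of the repo at git_dir that
    escape the repository. Reads git objects only; nothing is checked out."""
    def git(*args):
        return subprocess.run(["git", "--git-dir", git_dir, *args], check=True,
                              capture_output=True, text=True).stdout
    found = []
    for sha, path in symlink_entries(git("ls-tree", "-r", "-z", rev)):
        target = git("cat-file", "blob", sha)  # a symlink blob holds the target path
        if escapes_repo(path, target):
            found.append((path, target))
    return found


# Constructed sample data (not taken from the Wiz report).
SAMPLE_REPOS = [
    ("alice", "dotfiles", datetime(2025, 3, 2, 9, 0)),
    ("k3x9qz1b", "p0w2mm7a", datetime(2025, 7, 10, 4, 12)),
    ("zq81lmx0", "t7rr2abc", datetime(2025, 7, 10, 4, 40)),
    ("platform", "infra", datetime(2025, 7, 10, 5, 0)),  # only owner is 8 chars
]
SAMPLE_LS_TREE = ("100644 blob " + "a" * 40 + "\tREADME.md\0"
                  "120000 blob " + "b" * 40 + "\tdocs/latest\0")

if __name__ == "__main__":
    for repo, near in flag_repos(SAMPLE_REPOS):
        print(f"review {repo}: {near} similar repo(s) created within 24h")
    print(list(symlink_entries(SAMPLE_LS_TREE)))
```

Feed `flag_repos` from the instance's repository listing, then run `scan_repo` on each flagged repository's on-disk git directory; a legitimate 8-character name will also match, so treat hits as leads to review.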
IBM has patched 19 critical flaws announced in bulletins from December 9 to December 11, 2025, with over 150 total bulletins released in that time. The critical-severity flaws affect IBM Security Guardium; IBM Maximo Application Suite; IBM Instana Observability; Db2 for Linux, Unix, and Windows; IBM Storage Defender; IBM i; and IBM Business Automation Manager Open Editions. As SecurityWeek notes, "most of [the vulnerabilities] were in third-party dependencies," including flaws in third-party components of Storage Defender's Data Protect, Apache Tomcat server implementation by IBM Guardium Data Protection, and the Django web framework within Edge Data Collector. Users should check IBM's security bulletin page, which is searchable by product name and CVE; the entries can also be reordered by severity.

IBM is fixing a lot here; you’re going to want to leverage their services to help prioritize. Don’t forget to consider anything Internet-facing as high priority. While there isn’t a lot of attempted exploitation now, these announcements will change that quickly.
The US Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity and intelligence agencies in the US and in countries around the world have published an advisory warning that several groups of Russian-backed cyber threat actors are launching attacks against critical infrastructure operators globally. The report describes tactics, techniques, and procedures (TTPs) used by the threat actors to disrupt operations at organizations in the food, water, and energy sectors. The advisory notes that "These groups have limited capabilities, frequently misunderstanding the processes they aim to disrupt. Their apparent low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact. Despite these limitations, the authoring organizations have observed these groups willfully cause actual harm to vulnerable critical infrastructure." The advisory recommends that operational technology (OT) owners and operators take the following steps to mitigate the threats: "Reduce exposure of operational technology (OT) assets to the public-facing internet. Adopt mature asset management processes, including mapping data flows and access points. Ensure that OT assets are using robust authentication procedures."
Another data point that reaffirms critical infrastructure is and has been a target of cyber adversaries. Understanding who the threat actors are is, perhaps, important. More important is the requirement to include the OT environment as part of one’s cyber security program and manage accordingly. Using a framework like the NIST CSF or the CIS Critical Security Controls is applicable. Not every safeguard will be applicable in the OT environment, but it helps one understand the possible attack surface.

We’ve been talking about this. Make sure OT/ICS systems are not exposed to the internet, isolate their networks, use strong authentication, and monitor for unexpected behavior. Also, make sure you have processes for validating media and content introduced into these systems. No tailgating allowed!
CISA
The Record
DarkReading
Gartner has published a research report available to its clients, titled "Cybersecurity Must Block AI Browsers for Now," whose abstract contends that while agentic browsers may offer future potential for automation and novel interaction, "CISOs must block all AI browsers in the foreseeable future to minimize risk exposure." The Register's Simon Sharwood reports that one concern raised with AI browsers, such as Perplexity's Comet and OpenAI's ChatGPT Atlas, is the risk posed by unknown security measures in the cloud-based AI back end handling "sensitive user data – such as active web content, browsing history, and open tabs" associated with use of an AI sidebar. Gartner's analysts recommend that organizations conduct a risk assessment of any browser's back-end AI and "educate users that anything they are viewing could potentially be sent to the AI service back end to ensure they do not have highly sensitive data active on the browser tab while using the AI browser’s sidebar to summarize or perform other autonomous actions." The autonomous agentic capabilities of these browsers also pose unique security risks as a consequence of their own inherent vulnerabilities, such as "indirect prompt-injection-induced rogue agent actions, inaccurate reasoning-driven erroneous agent actions, and further loss and abuse of credentials if the AI browser is deceived into autonomously navigating to a phishing website." Gartner notes the utility of AI browsers for "mandatory, repetitive, or less interesting" tasks, which includes the possibility that employees may avoid mandatory cybersecurity training by handing it off to the browser. The report also mentions the risk of agents making unwanted purchases through internal procurement tools or filling forms with incorrect information. While Gartner offers mitigations such as denying agents access to email and restricting browser data retention settings, the research concludes that the current risks merit completely blocking AI browsers.

If you are able to read this Gartner Research Note you also have access to the Gartner AI Governance “Playbook.” A better way to phrase this advice would be, “Block use of AI browser unless you have implemented and validated AI Data Governance policies, processes, and controls.” This is a complex topic, but think of it like “There has been a water main break contamination event — boil water before drinking for now.”

AI governance is critical right now. Take a report like this as a chance to better understand risks. As with any new technology, develop processes for securing and deploying it, and go in eyes open. Make sure you communicate expectations and restrictions widely and provide for feedback.
Umm ok. Observing that “...Default AI browser settings prioritize user experience over security” sort of sums up the industry over the past 40+ years. Security has almost always been given short shrift compared to user experience. The main risk is potential loss of sensitive data, so yes, a risk assessment is always prudent. Unfortunately, it’s an uphill battle against the allure of business efficiency.
CISA
The Record
DarkReading
A US federal grand jury has indicted Danielle Hillmer on charges of government fraud, wire fraud, and obstructing federal audits for allegedly misleading government agencies about the company's compliance with Federal Risk and Authorization Management Program (FedRAMP) and Department of Defense Risk Management Framework security controls. According to the Department of Justice, Hillmer is "former senior manager at a Virginia-based government contractor." While the specific company is not indicated in DoJ documents, during the time period of the alleged deception, Hillmer was employed at Accenture Federal Services, which provided cloud computing services to at least half a dozen US federal agencies, including the Department of State, the Department of Veterans Affairs, and the Army.

This is tricky. The security controls in the system security plan didn’t match what was implemented, as Accenture was working to uplift their FedRAMP to a High authorization and their DOD Impact levels to 4 and 5. They were convincing third party assessors that the increased levels should be granted despite observed deficiencies, which not only puts information at risk due to improperly implemented security, but also damages the reputation of the assurance processes. The good news is Accenture self-reported and this has been resolved. The takeaway for customers is to make sure they (regularly) review all the assessment information provided with the FedRAMP/DOD package, particularly after an upgraded assurance level is granted, to be sure things are as claimed. There are likely going to be new controls you need to implement.
Nextgov/FCW
FedScoop
SecurityWeek
DoJ
The Pierce County Library System (PCLS) in Washington state has begun notifying more than 340,000 people that their personal data were compromised in an April 2025 data security breach. According to PCLS's incident notice, intruders had access to their computer network between April 15 and 21, 2025, during which time they exfiltrated data belonging to library patrons, current and former employees, and employees’ family members. The compromised data include Social Security numbers, passport numbers, driver's license numbers, financial account and payment card information, and health insurance and medical information. In a filing with the Maine Attorney General’s Office, PCLS said they will be notifying affected individuals in writing. PCLS is offering affected individuals a year of credit monitoring and identity theft protection services.

PCLS does a nice job of outlining steps consumers can take to secure their credit, including pros and cons of different options. You may want to grab their notification for future reference, as a provider, consumer, or when someone calls and asks for advice.
This event is a good reminder for organizations to review their data collection and equally important data retention policies. While some data may be important to establish identity for initial account access, it shouldn’t be retained as part of routine account usage. Data retention policies help organizations stay compliant, reduce storage costs, and minimize risk as part of data breaches.

One more instance of inappropriate retention of data. If you do not hold it longer than necessary, the likelihood that you will leak it goes down.
MyPCLS
SecurityWeek
Maine AG
SANS Internet Storm Center StormCast Friday, December 12, 2025
Local AI Models; Mystery Chrome 0-Day; SOAPwn Attack
https://isc.sans.edu/podcastdetail/9736
Using AI Gemma 3 Locally with a Single CPU
Installing AI models on modest hardware is possible and can be useful for experimenting with these models on premises.
https://isc.sans.edu/diary/Using+AI+Gemma+3+Locally+with+a+Single+CPU/32556
“Mystery” Google Chrome 0-Day Vulnerability
Google released an update for Google Chrome fixing a vulnerability that is already being exploited but has no CVE number assigned to it yet.
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
watchTowr identified a common vulnerability in SOAP implementations using .NET.
SANS Internet Storm Center StormCast Thursday, December 11, 2025
Possible CVE-2024-9042 Variant; React2shell Exploits; Notepad++ Update Hijacking; macOS Priv Escalation
https://isc.sans.edu/podcastdetail/9734
Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection)
We observed HTTP requests with our honeypot that may be indicative of a new version of an exploit against an older vulnerability. Help us figure out what is going on.
React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182
Wiz has a writeup with more background on the React2Shell vulnerability and current attacks
https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
Notepad++ Update Hijacking
Notepad++’s vulnerable update process was exploited
https://notepad-plus-plus.org/news/v889-released/
New macOS PackageKit Privilege Escalation
A PoC was released for a new privilege escalation vulnerability in macOS. Currently, there is no patch.
https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html
SANS Internet Storm Center StormCast Wednesday, December 10, 2025
Microsoft, Adobe, Ivanti, Fortinet, and Ruby patches
https://isc.sans.edu/podcastdetail/9732
Microsoft Patch Tuesday
Microsoft released its regular monthly patch on Tuesday, addressing 57 flaws.
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+December+2025/32550
Adobe Patches
Adobe patched five products. The remote code execution in ColdFusion, as well as the code execution issue in Acrobat, will very likely see exploits soon.
https://helpx.adobe.com/security.html
Ivanti Endpoint Manager Patches
Ivanti patched four vulnerabilities in Endpoint Manager.
https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US
Fortinet FortiCloud SSO Vulnerability
Due to a cryptographic vulnerability, Fortinet’s FortiCloud SSO authentication is bypassable.
https://fortiguard.fortinet.com/psirt/FG-IR-25-647
ruby-saml vulnerability
Ruby fixed a vulnerability in ruby-saml. The issue is due to an incomplete patch for another vulnerability a few months ago.
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3