Patch Exploited Flaws in Apple Webkit, Google Chrome, React, GeoServer, and Sierra Products

On Sunday evening at the Difference Makers Awards, we were reminded of why we do the work we do. We honored people and companies who are committed to making the world a better place through compassion, community, and hard work. Dan Kaminsky was remembered and recognized with the DMA Lifetime Achievement award based on his embodiment of these principles and his tremendous contributions to the community. Dan is most widely known for his 2008 discovery of a major vulnerability in the Domain Name System, a critical component underpinning the entire internet, and then for his behind-the-scenes rallying of major DNS providers to work together to create a solution to fix DNS before the vulnerability was announced to the world. He was a cybersecurity researcher and frequent speaker at cybersecurity and hacker conferences, sharing his unbounded interests in all kinds of technology, focusing on making complex topics understandable, and ensuring the security of internet technologies to support human dignity. Dan’s research and presentations included such wide-ranging topics as networking, cryptography, linguistics, pattern analysis, browser attacks, leveraging technology to foster accessibility, and much more. -Ed Skoudis

If you missed it, watch the stream: https://www.youtube.com/live/2Lwch5NEkWs?si=Yj4oJg_CqMWYFmla

Apple released advisories on December 12, 2025, including fixes for two flaws reportedly "exploited in an extremely sophisticated attack against specific targeted individuals," both of which have been added to the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog. Both flaws affect WebKit in Apple products before iOS and iPadOS 18.7.3 and 26.2, and version 26.2 of macOS Tahoe, Safari for macOS, tvOS, watchOS, and visionOS. CVE-2025-43529 allows an attacker to carry out memory corruption and achieve arbitrary code execution using maliciously crafted web content, due to a use-after-free vulnerability. CISA notes that CVE-2025-43529 "could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing." CVE-2025-14174 allows a remote attacker to perform out of bounds memory access using a crafted HTML page due to a flaw in the Almost Native Graphics Layer Engine (ANGLE) graphics library, which is used in both WebKit and Google Chrome. Google also released a patch for this flaw on December 10, tracking the flaw as 466192044 before the CVE was issued, and crediting Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group with discovery. Microsoft Edge and Vivaldi browsers have also received fixes for CVE-2025-14174.

Three more vulnerabilities have been detected in React Server components. The first vulnerability, CVE-2025-55182, was disclosed with patches available on December 3, and was added to the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog on December 5. While this flaw initially had a mitigation deadline of December 26, CISA moved the deadline up two weeks to December 12 due to widespread reports of active exploitation. The additional vulnerabilities are CVE-2025-55184, a high-severity deserialization of untrusted data issue; CVE-2025-67779, a high-severity issue detected when it was determined that the fix for CVE-2025-55184 was incomplete; and CVE-2025-55183, a medium-severity vulnerability that could lead to information leaks.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity improper restriction of XML external entity reference vulnerability in GeoServer (CVE-2025-58360) to the Known Exploited Vulnerabilities (KEV) catalog. In November, GeoServer maintainers noted that "The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request." The flaw affects all versions of GeoServer up through 2.25.5 as well as versions 2.26.0 through 2.26.1. The vulnerability has been fixed in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. The Canadian Centre for Cyber Security has updated its advisory on the GeoServer vulnerability to note that an exploit for the flaw exists in the wild. The vulnerability has a mitigation due date of January 1, 2026 for US Federal Civilian Executive Branch agencies. Shodan has observed more than 14,000 exposed GeoServer instances. CISA has also added a high-severity unrestricted file upload vulnerability in Sierra Wireless AirLink ALEOS routers (CVE-2018-4063) to the KEV catalog. Cisco Talos reported the vulnerability to Sierra, which is based in Canada, in December 2018; the vulnerability was publicly disclosed in April 2019. Because the product has reached end-of-support, FCEBs are asked to discontinue its use or update to a supported version by January 2, 2026. Other recently added vulnerabilities include a hard-coded credentials issue in Gladinet CentreStack and Triofox (CVE-2025-14611), and two flaws covered in this issue of NewsBites: an out-of-bounds memory access flaw in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 (CVE-2025-14174), and a use-after-free vulnerability in WebKit affecting multiple Apple products (CVE-2025-43529).

MITRE has published its annual 25 Most Dangerous Software Vulnerabilities report. The list is compiled based on analysis of vulnerabilities present in more than 39,000 CVEs. Cross-site scripting (XSS) occupies the top spot on MITRE's 2025 list, followed by SQL injection and cross-site request forgery (CSRF), missing authorization, and out-of-bounds write. Other vulnerabilities appearing on the list include code injection, OS command injection, path traversal, out-of-bounds read, and use-after-free. MITRE has also published a methodology page to clarify how the list was compiled.

Microsoft has announced this it is deprecating the Rivest Cipher 4 (RC4) encryption cipher that Windows has supported since 2000 with the rollout of Active Directory. Despite the fact that the cipher's source code was leaked in 1994, RC4 remained in regular use for another two decades. While Microsoft Active Directory has been updated to support AES, "Windows servers have continued to respond to RC4-based authentication requests and return an RC4-based response" by default, making it easier for attackers to steal account credentials. By the middle of next year, Microsoft "will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption. RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it."

Jaguar Land Rover (JLR) has confirmed that the perpetrators of the August 2025 cyberattack stole personal data from the company's payroll system, affecting both current and former employees. JLR told The Telegraph, "From the ongoing forensic investigation, JLR believes that certain data related to current and former JLR employees, and contractors, was affected by the cyber incident. We remain in dialogue with the relevant regulators and we are in the process of contacting current and former employees and contractors as necessary." The breach has resulted in significant losses for the company, and is predicted to have repercussions on the UK economy overall.

Data security breaches at Prosper and 700Credit have compromised personal information belonging to roughly 19 million people. Prosper Marketplace, a peer-to-peer lending firm, detected a breach on September 1, 2025, and notified regulators; intruders had access to company systems between June and August 2025. The Prosper breach affected more than 13 million people, and the compromised data include general identification data as well as financial account, payment card, and tax data. 700Credit, a company that provides credit reports, ID verification, and related services to car dealerships, will begin notifying approximately 5.8 million people that their personal information, including basic identification information including Social Security numbers, was compromised. The 700Credit breach occurred through an integration where the intruder discovered an API that allowed access to customer information. The partner company did not inform 700Credit of the incident. Instead, 700Credit detected unusual activity on its systems in late October and launched an investigation.

Police in Seoul, South Korea are investigating a breach at online mega-retailer Coupang. The company suffered a breach in late June 2025 that compromised data belonging to 33.7 million customers. The incident was not detected until November 18 and was disclosed on December 1. The breach has been attributed to a former employee who had worked on an authentication management system and maintained access to an internal system following departure from the company. Police raided Coupang offices as part of their investigation, gathering digital forensic evidence, including documents, logs, system records, IP addresses, access credentials, and access history. While the breach has been attributed to the unnamed individual, Coupang could be held liable if the company is found to have been negligent.

France's Minister of the Interior, Laurent Nuñez, stated to French media outlet RTL that a cyberattack against the country's Ministry of the Interior took place overnight from December 11-12, 2025. The attacker accessed email servers and certain files, but Nuñez contends that there is no evidence of serious compromise; whether information was stolen has not yet been determined. The ministry is responding by enacting its standard protection procedures, and is working to strengthen security and tighten system access. The nature, scope, and origin of the attack remain under investigation. BleepingComputer notes that the Ministry of the Interior "supervises police forces and oversees internal security and immigration services."