December 13, 2025

Hello all,

As if the growing menace of the React2Shell vulnerability undergoing massive ramp-up of active attack and exploitation wasn’t enough, this past week was Patch Tuesday for the likes of Adobe, Microsoft and SAP. But wait there was more! Apple, Apache, Fortinet, Google, Ivanti and WatchGuard all had items come up that require attention. CISA was quite active with warnings, many of which we’ve listed in the main body of the RedDotSecurity.news newsletter, along with lots more news items that caught our attention.

Headline NEWS:

• Adobe Acrobat and Reader had vulnerabilities plugged that if left unpatched can allow remote code execution and bypass security controls. In addition to the former, Adobe Cold Fusion, Adobe Experience Manager, Adobe DNG SDK, and Adobe Creative Cloud Desktop all received security updates. If you use any of these, check for updates quickly.
• Apache Tika had a new patch issued for a max-severity defect in the tika-core. An earlier patch addressed a flaw in tika-parser-pdf-module. However, as is often the case with these types of patches, someone found that there was more to fix. If this is in use anywhere in your environment, patch it immediately to the latest updated version.
• Fortinet can’t go a month without a massive release of updates for most of their products it seems. The list of items is extensive; it would be simpler to just check for updates for FortiAnything this month and patch immediately. Check the article links in the full RedDotSecurity.news for details.
• Google Chrome and Chromium browsers in general received multiple security fixes this past week. The most serious defect is still officially somewhat under wraps, but researchers postulate that it is in the Almost Native Graphics Layer Engine (ANGLE) library and is most likely a buffer overflow defect that can result in remote code execution in the worst case. Underscoring how severe this one is, CISA has ordered all federal agencies to update to the latest chromium versions by January second.
• Ivanti Endpoint Manager (EPM) has a remote code execution vulnerability that can be exploited by unauthenticated threat actors. This should be a less severe issue since a product that manages your endpoints should only be accessible from inside your firewalled network. At least that’s what you’d think. Unfortunately, Shadowserver has identified hundreds of these Endpoint Managers that are in fact accessible from the Internet. Sigh. You can’t fix stupid. Come of people, don’t publicly expose things that are intended to be internal!
• Microsoft Patch Tuesday was not as large as was expected, maybe they mercifully released less knowing that this week was patch-heavy enough. In all there were 56 security fixes across a wide range of their products. There were three critical vulnerabilities in the mix with one of them being a zero-day in the Windows Cloud Files Mini Filter Driver. This final patch release for 2025 brings Microsoft’s grand total to 1,129 vulnerabilities addressed this year, which is almost 12% higher than last year. You’d think that two years after starting their Secure Future Initiative the flaws and defects should be decreasing. I guess not. Maybe next year?
• React2Shell popped onto the world’s radar on December 3rd. This past week, massive probing and exploitation attempts were detected by Wiz against Next.js applications and other workloads such as Docker, Kubernetes, and managed cloud services. You can’t sit and wait on this vulnerability; immediate action is required. As reported by Cloudflare, “A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved”. Threat actors are rapidly compromising vulnerable systems with Command and Control (C2) servers, backdoors, reverse proxy implants, botnets, monitoring tools, exfiltrating information, and are installing crypto miners. In our Vulnerabilities and Exploits section of the RedDotSecurity.news link to a an article about a scanner by Next.js that can be helpful in detecting the defect.
• SAP (Systems, Applications, and Products in Data Processing) has released patches for 14 vulnerabilities, three of which are critical. Multiple Apache Tomcat defects were fixed in SAP’s Commerce Cloud that is used by retailers for online stores and such. If you use SAP products, please check for updates and apply any that pertain to your environment as soon as possible.
• WatchGuard released nearly a dozen updates this month to address vulnerabilities in their Firebox firewalls. Threat actors love firewall holes. Plug them fast.

In Ransomware, Malware, and Vulnerabilities News:

• SEO Poisoned Ads and Malicious Advertisements are an ever-increasing scourge in internet searches and AI suggestions. We have a few articles this week that tackle this topic. Unfortunately, there are no easy answers since threat actors are opportunistic scum, and larger threat groups have lots of money to purchase top billing on search engines via shell and shill companies. As always Caveat Emptor, or buyer beware.

In Other News Events of Note and Interest:

• SpaceX Vending Machine in Iowa intrigues me. Apparently, you can walk up to a machine in the Jordan Creek Town Center shopping mall food court in Wes Des Moines, Iowa and walk out with a brand new shiny Starlink setup for a discounted price of $89, and if you activate within a week, you get a $100 service credit if you subscribe. Intriguing indeed.

Musings:

Christmas is a mere 11 days away. Are you ready? Threat Actors are. They have ramped up their call centers, tuned up their AI phishing engines, custom tailored their look-alike shopping sites with too-good-to-be-true deals, and ensured accessibility of their MiTM credit card order-takers. They’re counting on getting a very merry bonus this year. Shop at what you are certain is a legitimate site, not what you found via poisoned web search or saw via the latest unbelievable 97% off advertisement seen on Facebook because you merely thought about that product a couple of days ago. There are indeed seasonal deals to be had, but you must be vigilant so you don’t become a holiday crime statistic.

Keep the shields up!

Viscount Jan Broucinek
Red Dot Security News

Headline NEWS

• Adobe Acrobat Reader Vulnerabilities let Attackers Execute Arbitrary Code and Bypass Security
• Apache Issues Max-Severity Tika CVE After Patch Miss
• Apple fixes two zero-day flaws exploited in ‘sophisticated’ attacks
• Maximum-Severity Vulnerability in Apache Tika Could Lead to XML External Entity Injection Attack
• FortiOS, FortiWeb, and FortiProxy Vulnerability Lets Attackers Bypass FortiCloud SSO Authentication
• FortiSandbox OS command injection Vulnerability Let Attackers execute Malicious code
• Google Chrome patched to fix multiple vulnerabilities – update now
• Chrome Targeted by Active In-the-Wild Exploit Tied to Undisclosed High-Severity Flaw
• CISA Warns of Google Chromium 0-Day Vulnerability Exploited in Attacks
• Ivanti warns of critical Endpoint Manager code execution flaw
• Microsoft Patch Tuesday, December 2025 Edition
• Microsoft Patch Tuesday December 2025
• Microsoft Releases December 2025 Patch Tuesday Updates
• Windows Cloud Files Mini Filter Driver 0-Day Vulnerability Exploited in the Wild to Escalate Privileges
• React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation
• SAP fixes three critical vulnerabilities across multiple products
• WatchGuard released patches for multiple vulnerabilities 

Ransomware, Malware, and Vulnerabilities News

• Good News, Government News, and Interesting
• CISA Adds Critical React2Shell Vulnerability to KEV Catalog Following Active Exploitation
• CISA: Pro-Russia Hactivists Target US Critical Infrastructure
• CISA Warns of WinRAR 0-Day RCE Vulnerability Exploited in Attacks
• CISA Warns of D-Link Routers Buffer Overflow Vulnerability Exploited in Attacks
• CISA orders feds to patch actively exploited Geoserver flaw
• CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks
• US Posts $10 Million Bounty for Iranian Hackers
• US charges former Accenture employee with misleading feds on cloud platform’s security
• Bipartisan health care cybersecurity legislation returns to address a cornucopia of issues
• National cybercrime network operating for 14 years dismantled in Indonesia
• North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware
• Holiday cargo thefts surge 65% as organized criminals use cyber tools to hijack
• Organizations can now buy cyber insurance that covers deepfakes
• Vulnerabilities and Exploits
• Top 20 Most Exploited Vulnerabilities of 2025
• Next.js Released a Scanner to Detect and Update Apps Impacted by React2Shell Vulnerability
• Next.js Security Update: December 11, 2025
• React2Shell Security Bulletin
• Researchers track dozens of organizations affected by React2Shell compromises tied to China’s MSS
• React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors
• New React RSC Vulnerabilities Enable DoS and Source Code Exposure
• Denial of Service Vulnerability in React Server Components · Advisory
• Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT
• Researcher finds Chinese KVM has undocumented microphone, communicates with China-based servers
• UK intelligence warns AI ‘prompt injection’ attacks might never go away
• 700+ self-hosted Git instances battered in 0-day attacks
• Active Attacks Exploit Gladinet’s Hard-Coded Keys for Unauthorized Access and Code Execution
• Scientists discovered a major security vulnerability in WhatsApp
• NASA spacecraft were vulnerable to hacking for 3 years and nobody knew. AI found and fixed the flaw in 4 days
• Critical flaws found in AI development tools are dubbed an ‘IDEsaster’ — data theft and remote code execution possible
• Google Adds Layered Defenses to Chrome to Block Indirect Prompt Injection Threats
• Hackers Can Leverage Delivery Receipts on WhatsApp and Signal to Extract User Private Information
• Update Notepad++ now to fix a dangerous security vulnerability
• Microsoft Teams to warn of suspicious traffic with external domains
• Microsoft won’t fix .NET RCE bug affecting enterprise apps
• Windows Defender Firewall Service Vulnerability Let Attackers Disclose Sensitive Data
• Microsoft Outlook Vulnerability Let Attackers Execute Malicious Code Remotely
• Phishing, Malware, and similar
• TangleCrypt: a sophisticated but buggy malware packer
• New JSCEAL Infostealer Malware Attacking Windows Systems to Steal Login Credentials
• Google ads for shared ChatGPT, Grok guides push macOS infostealer malware
• New DroidLock malware locks Android devices and demands a ransom
• Researchers spot 700 percent increase in hypervisor attacks
• Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure
• New GhostFrame Super Stealthy Phishing Kit Attacks Millions of Users Worldwide
• Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation
• Microsoft Teams and QuickAssist Exploited in New Vishing Attack to Spread .NET Malware
• Threat Actors Poison SEO to Spread Fake Microsoft Teams Installer
• Over 70 Domains Used in Months-Long Phishing Spree Against US Universities
• Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks
• Malicious VSCode Marketplace extensions hid trojan in fake PNG file
• New ConsentFix attack hijacks Microsoft accounts via Azure CLI
• NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems
• New Spiderman Phishing Kit Lets Attackers Create Malicious Bank Login Pages in Few Clicks
• Fake Windows update pushes malware in new ClickFix attack
• New BlackForce Phishing Kit Lets Attackers Steal Credentials Using MitB Attacks and Bypass MFA
• GhostPenguin Backdoor With Zero-Detection Attacking Linux Servers Uncovered Using AI-Automated Tools
• Security flaws in Freedom Chat app exposed users’ phone numbers and PINs
• Breaches, Leaks, and Ransomware
• Petco’s security lapse affected customers’ SSNs, driver’s licenses, and more
• Ransomware gangs turn to Shanya EXE packer to hide EDR killers
• Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading
• FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024
• Makop Ransomware Exploits RDP Systems with AV Killer and Other Exploits
• Barts Health NHS Confirms Cl0p Ransomware Behind Data Breach
• Over 300,000 Individuals Impacted by Vitas Hospice Data Breach
• Pierce County Library Data Breach Impacts 340,000
• Ransomware Payments Surpassed $4.5 Billion: US Treasury
• Ransomware IAB abuses EDR for stealthy malware execution
• Over 10,000 Docker Hub images found leaking credentials, auth keys
• Coupang data breach traced to ex-employee who retained system access
• Russian hackers debut simple ransomware service
• 16TB of corporate intelligence data exposed in one of the largest lead-generation dataset leaks
• 01flip: Multi-Platform Ransomware Written in Rust
• ChatGPT users’ data exposed in OpenAI breach via Mixpanel partner
• Home Depot exposed access to internal systems for a year, says researcher 

Other News Events of Note and Interest

• Cool Tool: Ventoy 1.1.08 Adds Support for FreeBSD 15.0
• Mozilla Thunderbird 146 is rolling out: Here’s what’s new
• Autofocus glasses shift focus based on eye movement
• Keep Your Accounts and Identity Safe With This Cybersecurity Checklist
• Judge rules Google must limit its search, AI app default contracts on devices to one year
• X terminates European Commission ad account after €120M fine
• SpaceX Quietly Installs Starlink Vending Machine in Iowa
• Social-Media Ban Imposes Brave New World on Australian Teens
• AI, LLM’s, and Skynet
• Block all AI browsers for the foreseeable future: Gartner
• 2025: The State of Generative AI in the Enterprise
• Donating the Model Context Protocol and establishing the Agentic AI Foundation
• Adobe Photoshop, Express, Acrobat available for free on ChatGPT
• Trump signs order blocking states from enforcing own AI rules
• Trump Promises Executive Order to Block State AI Regulations
• Google’s AI Deletes User’s Entire Hard Drive, Issues Groveling Apology: “I Cannot Express How Sorry I Am”
• Google launches managed MCP servers that let AI agents simply plug into its tools
• Google Chrome adds new security layer for Gemini AI agentic browsing
• Sam Altman’s Sprint to Correct OpenAI’s Direction and Fend Off Google
• Broadcom reveals its mystery $10 billion customer is Anthropic
• New cybersecurity guidance paves the way for AI in critical infrastructure
• Why security needs to become an integral part of AI development
• Struggling to Keep Up With Microsoft’s Copilot Changes? Let’s Break It Down
• Windows Insiders get a glimpse of Redmond’s agentic future
• Who needs coding? LLM hackers have a way with words
• Johns Hopkins Study Challenges Billion-Dollar AI Models
• Cloudflare says it has fended off 416 billion AI bot scrape requests in five months
• Publishers say no to AI scrapers, block bots at server level
• Microsoft Executive Vows to Halt AI Work If It Imperils Humanity
• OpenAI releases GPT-5.2 after “code red” Google threat alert
• Microsoft
• Microsoft AI Releases VibeVoice-Realtime: A Lightweight Real‑Time Text-to-Speech Model Supporting Streaming Text Input and Robust Long-Form Speech Generation
• Microsoft 365 Copilot to Enable Anthropic Models by Default: What Compliance Leads Need to Know
• German state replaces Microsoft with open source, saves millions each year
• Released: December 2025 Exchange Server Security Updates
• Windows is rolling out the ability to handle all app updates from just your OS, but with limited support right now
• Windows 11 update solves AMD GPU issues in several games
• Microsoft to Bundle Security Copilot in M365 Enterprise License
• Windows on Arm runs more apps and games with new Prism update
• Microsoft releases Windows 10 KB5071546 extended security update
• Windows 11 KB5072033 & KB5071417 cumulative updates released
• Windows 11 KB5072033 and KB5071417 December 2025 Patch Tuesday out
• Microsoft fixes Windows Explorer white flashes in dark mode
• Windows PowerShell now warns when running Invoke-WebRequest scripts
• WebView2 is the future of an important Windows 11 component
• Microsoft Teams: 12 New Features Released in Dec 2025
• Microsoft Teams Will Soon Let You Customize Enter Key Behavior & Forward Multiple Messages
• Teams for macOS gets native screen sharing experience
• Microsoft bounty program now includes any flaw impacting its services
• Windows Admin Center 2511 is now available with High Availability and major fixes
• Microsoft Baseline Security Mode Brings Secure-by-Default Protection to Microsoft 365
• Microsoft has updated Media Creation Tool for Windows 11 USB installations
• New Outlook won’t launch on Windows 11 for some users, but there’s a fix if you ever run into the issue