cybersecurity

Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones.

I’ve spent a fair bit of time investigating these decoders, first reporting CVE-2025-49415 in the Monkey’s Audio codec on Samsung devices. Based on this research, the team reviewed the Dolby Unified Decoder, and Ivan Fratric and I reported CVE-2025-54957. This vulnerability is likely in the 0-click attack surface of most Android devices in use today. In parallel, Seth Jenkins investigated a driver accessible from the sandbox the decoder runs in on a Pixel 9, and reported CVE-2025-36934.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Establishing trusted, time-stamped records of system states in distributed environments presents a significant challenge for maintaining accountability and security. Organizations often struggle to produce non-repudiable proof that a specific check was performed or that a system was in a particular state at a precise moment in time. SCANDALE is a libre software solution designed to address this challenge by providing a robust backend architecture for collecting data from distributed probes and storing immutable proofs of those checks. Its core components include a high-performance HTTP API with real-time capabilities, an agent-based backend built on the Smart Python Agent Development Environment (SPADE) for scalable probe management, and a dedicated service for cryptographic timestamping in compliance with RFC 3161. The platform’s primary contribution is its ability to transform operational measurements into cryptographically verifiable evidence, yielding a durable and non-repudiable audit trail.

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for December 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

A new section dedicated to detection rules is available.

The Month at a Glance

December 2025 was dominated by a massive surge in activity surrounding CVE-2025-55182 affecting Meta's react-server-dom-webpack. With 852 sightings, this critical vulnerability (referenced by contributors as "React2Shell") significantly outpaced all other vulnerabilities, highlighting a major focus on web application infrastructure exploitation.

Database and network security were also primary themes this month. MongoDB (CVE-2025-14847) ranked second in sightings and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on December 29th. The networking sector remained volatile, with critical vulnerabilities in Cisco Secure Email, WatchGuard Fireware OS, Fortinet, and SonicWall appearing in both the top sightings and the CISA KEV list.

Despite the influx of 2025 vulnerabilities, "zombie" vulnerabilities continue to plague the internet. Legacy issues from 2015 (D-Link) and 2017 (Zyxel) persist in the Top 10, proving that unpatched IoT devices remain active attack vectors years after disclosure.

In the broader ecosystem, CISA added a wide variety of threats to their catalog, ranging from mobile operating systems (iOS, Android) and browsers (Chrome) to desktop utilities like WinRAR. Additionally, community contributors highlighted significant structural shifts, notably the End-of-Life status for the Linux 5.4 kernel and new cryptographic implementation flaws in GnuPG.

Evolution of published CVE in 2025

More information.

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

Vulnerability	Sighting Count	Vendor	Product	VLAI Severity
CVE-2025-55182	852	Meta	react-server-dom-webpack	Critical (confidence: 0.9783)
CVE-2025-14847	204	MongoDB Inc.	MongoDB Server	High (confidence: 0.9538)
CVE-2025-20393	89	Cisco	Cisco Secure Email	Critical (confidence: 0.5137)
CVE-2015-2051	62	dlink	dir-645	High (confidence: 0.607)
CVE-2017-18368	62	zyxel	p660hn-t1a_v1	Critical (confidence: 0.9763)
CVE-2025-14733	60	WatchGuard	Fireware OS	Critical (confidence: 0.976)
CVE-2025-66516	57	Apache Software Foundation	Apache Tika core	High (confidence: 0.8155)
CVE-2018-10562	56	dasannetworks	gpon_router	Critical (confidence: 0.9815)
CVE-2025-40602	53	SonicWall	SMA1000	Medium (confidence: 0.9162)
CVE-2025-59718	53	Fortinet	FortiSwitchManager	Critical (confidence: 0.7339)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID	Date Added	Vendor	Product	VLAI Severity
CVE-2025-14847	29/12/25	MongoDB Inc.	MongoDB Server	High (confidence: 0.9538)
CVE-2023-52163	22/12/25	digiever	ds-2105_pro	High (confidence: 0.9141)
CVE-2025-14733	19/12/25	WatchGuard	Fireware OS	Critical (confidence: 0.976)
CVE-2025-20393	17/12/25	Cisco	Cisco Secure Email	Critical (confidence: 0.5137)
CVE-2025-40602	17/12/25	SonicWall	SMA1000	Medium (confidence: 0.9162)
CVE-2025-59374	17/12/25	ASUS	live update	Critical (confidence: 0.7584)
CVE-2025-59718	16/12/25	Fortinet	FortiSwitchManager	Critical (confidence: 0.7339)
CVE-2025-43529	15/12/25	Apple	iOS and iPadOS	High (confidence: 0.9918)
CVE-2025-14611	15/12/25	Gladinet	CentreStack and TrioFox	High (confidence: 0.8669)
CVE-2025-14174	12/12/25	Google	Chrome	High (confidence: 0.8175)
CVE-2018-4063	12/12/25	sierrawireless	aleos	High (confidence: 0.7137)
CVE-2025-58360	11/12/25	geoserver	geoserver	High (confidence: 0.5288)
CVE-2025-62221	09/12/25	Microsoft	Windows 10 Version 1809	High (confidence: 0.9943)
CVE-2025-6218	09/12/25	RARLAB	WinRAR	High (confidence: 0.9977)
CVE-2025-66644	08/12/25	Array Networks	ArrayOS AG	High (confidence: 0.8361)
CVE-2022-37055	08/12/25	dlink	go-rt-ac750	Critical (confidence: 0.9698)
CVE-2025-55182	05/12/25	Meta	react-server-dom-webpack	Critical (confidence: 0.9783)
CVE-2021-26828	03/12/25	scadabr	scadabr	High (confidence: 0.7378)
CVE-2025-48633	02/12/25	Google	Android	High (confidence: 0.8796)
CVE-2025-48572	02/12/25	Google	Android	High (confidence: 0.9629)

ENISA

No new entry in December.

Top 10 Weaknesses of the Month

Detection rules

CVE-2025-55182

• ET WEB_SPECIFIC_APPS Waku RSC React2Shell Unsafe Flight Protocol Property Access [SURICATA]
• ET WEB_SPECIFIC_APPS Vite RSC React2Shell Unsafe Flight Protocol Property Access [SURICATA]
• ET WEB_SPECIFIC_APPS React Server Components React2Shell Unsafe Flight Protocol Property Access [SURICATA]

CVE-2015-2051

• ET EXPLOIT D-Link HNAP SOAPAction Command Injection [SURICATA]

CVE-2017-18368

• ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE [SURICATA]

CVE-2025-66516

• ET WEB_SPECIFIC_APPS Apache Tika XML External Entity Injection [SURICATA]

CVE-2023-52163

• ET WEB_SPECIFIC_APPS DigiEver DS-2105 Pro time_tzsetup.cgi ntp Parameter Command Injection Attempt [SURICATA]

CVE reserved, but partial information has already appeared on the public internet

Sightings detected between 2025-12-01 and 2025-12-31 that are associated with vulnerabilities without public records.

Vulnerability ID	Occurrences	Comment
CVE-2023-42344	11	OpenCMS Unauthenticated XXE Vulnerability
CVE-2025-14269	9	Credential caching in Headlamp with Helm enabled
CVE-2025-14282	6	dropbear: privilege escalation via unix domain socket forwardings
CVE-2025-14558	5	FreeBSD IPv6 Flaw Enables Remote Code Execution Attacks
CVE-2025-9820	2	gnutls 3.8.11 released with fix for CVE-2025-9820
CVE-2025-66387	2	QL Injection in Orkes Conductor
CVE-2025-65995	2	Apache Airflow: Disclosure of secrets to UI via kwargs

Insights from Contributors

• gpg.fail - multiple vulnerabilities in GnuPG
• React2Shell
• The LAST Linux 5.4.y release. It is now end-of-life and should not be > used by anyone, anymore.
• Apache Tika
• Security content of iOS 26.2 and iPadOS 26.2
• Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manage

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release

​University of Hawaii says a ransomware gang breached its Cancer Center in August 2025, stealing data of study participants, including documents from the 1990s containing Social Security numbers.

Founded in 1907, the University of Hawaii (UH) System now includes 3 universities and 7 community colleges, as well as 10 campuses and training and research centers across the Hawaiian Islands. Its Cancer Center is located in the Kakaʻako district of Honolulu and has over 300 faculty and staff, as well as an additional 200 affiliate members.

In a report to the state legislature, UH said the August 31 incident affected a single research project at the UH Cancer Center, without impacting clinical operations or patient care.

However, the extensive damage caused by encrypting the compromised systems delayed UH's restoration efforts and investigation into the attack's impact.

cross-posted from: https://mander.xyz/post/45241581

TL;DR:

• China-linked threat actor UAT-7290 has been active since at least 2022 in South Asia but is now also active in Europe
• It is focusing on intrusions against critical infrastructure entities in Southeast Europe
• UAT-7290 shares tactical and infrastructure overlaps with China-linked adversaries known as Stone Panda and RedFoxtrot (aka Nomad Panda)

...

Here is the technical report by Cisco Talos

Web archive link

A critical vulnerability (CVE-2026-21858) dubbed "Ni8mare" allows unauthenticated attackers to gain complete control over n8n workflow automation instances[^1]. The flaw, which received the highest CVSS score of 10.0, affects all versions prior to 1.121.0 and enables attackers to read files, bypass authentication, and execute arbitrary commands[^2].

The vulnerability stems from a Content-Type confusion in n8n's Form Webhook handling, where attackers can manipulate file paths to read sensitive system files and escalate privileges[^3]. Cyera Research Labs discovered approximately 100,000 exposed servers globally are at risk[^1].

Key timeline:

• November 9, 2025: Vulnerability reported to n8n
• November 18, 2025: Patched in version 1.121.0
• January 6, 2026: CVE assigned
• January 7, 2026: Public disclosure

Censys reports 26,512 exposed n8n hosts, with most located in the US (7,079), Germany (4,280), and France (2,655)[^4].

Required actions:

• Upgrade to version 1.121.0 or later
• Avoid exposing n8n to the internet
• Require authentication for all Forms
• Rotate stored credentials and API tokens[^2]

[^1]: Cyera Research Labs - Ni8mare - Unauthenticated Remote Code Execution in n8n [^2]: Aikido - n8n Critical Vulnerability Explained [^3]: The Hacker News - Critical n8n Vulnerability Allows Unauthenticated Attackers to Take Full Control [^4]: The Hacker News - Update section on Censys findings

A major cybersecurity breach has exposed dozens of global companies through stolen cloud credentials obtained via Infostealer malware infections. A threat actor known as "Zestix" (alias "Sentap") is selling access to approximately 50 global corporations' cloud services including Sharefile, Owncloud, and Nextcloud[^1].

The compromised data includes sensitive materials across multiple sectors:

• Defense: TF-X Fighter Jet and UAV blueprints from INTECRO ROBOTICS
• Infrastructure: LA Metro engineering schematics and security data from CRRC MA
• Aviation: 77GB of Iberia Airlines' A320/A321 aircraft maintenance data
• Healthcare: 2.3TB of Brazilian Military Police health records from Maida.health[^1]

Hudson Rock's investigation identified additional victims including Pickett, Sekisui House, IFLUSAC, K3G Solutions, GreenBills, and CiberC[^2]. The research indicates thousands more companies have exposed credentials circulating for these cloud services.

[^1]: LinkedIn - Dozens of Global Companies Hacked via Cloud Credentials from Infostealer Infections & More at Risk [^2]: Infostealers.com - Dozens of Global Companies Hacked via Cloud Credentials from Infostealer Infections & More at Risk

https://archive.ph/wxcBV

cross-posted from: https://lemmy.sdf.org/post/48582192

Archived

New data from Taiwan’s National Security Bureau (NSB) shows that China’s cyber army launched an average of 2.63 million intrusion attempts per day in 2025 against the island’s critical infrastructure across nine key sectors, including government agencies, energy, communications, transportation, emergency services and hospitals, water resources, finance, science and industrial parks, and food installations. The activity represents a 6% increase over 2024, while the average number of daily attacks in 2025 jumped 113% from 2023, with the energy and emergency rescue and hospital sectors seeing the sharpest year-on-year rise in cyberattacks linked to Chinese threat actors.

In its report titled ‘Analysis on China’s Cyber Threats to Taiwan’s Critical Infrastructure in 2025,’ the agency disclosed that China’s cyberattacks against Taiwan’s critical infrastructure organizations involve four major tactics, including attacks on hardware and software vulnerabilities, distributed denial-of-service (DDoS) attacks, social engineering attacks, and supply chain attacks. China has flexibly maneuvered these tactics to launch cyberattacks. The report also detailed that China’s cyber activity spans multiple critical sectors, with tactics tailored to each environment and objective.

[...]

The NSB identified that China’s cyberattacks have been conducted in conjunction with political and military coercive actions. In 2025, relevant hacking and intrusion operations against Taiwan demonstrated a certain extent of correlation with the joint combat readiness patrols carried out by the People’s Liberation Army.

Additionally, China would ramp up hacking activities during Taiwan’s major ceremonies, the issuance of important government statements, or overseas visits by high-level Taiwanese officials. Notably, the cyberattacks targeting Taiwan peaked in May of 2025, the first anniversary of President Lai Ching-te’s inauguration.

[...]

The Taiwanese agency mentioned that the top five Chinese hacker groups included BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886, launched cyber operations against Taiwan’s CI, focusing on five primary sectors, including energy, healthcare, communications and transmission, administration and agencies, and technology.

[...]

cross-posted from: https://lemmy.sdf.org/post/48458463

Archived

A top cybersecurity figure says China’s Salt Typhoon hacking campaign has almost certainly burrowed into Australia’s critical infrastructure in one of the most effective long-term espionage campaigns ever seen.

Alastair MacGibbon, chief strategy officer at CyberCX and a former cybersecurity adviser to then-prime minister Malcolm Turnbull, said Salt Typhoon’s operation has probably compromised multiple sectors across Australia and New Zealand and remains undetected.

[...]

Salt Typhoon – named by Microsoft using its convention for Chinese state-linked threat groups - is a hacking operation that has been active since at least 2019. Rather than deploying ransomware or seeking quick financial pay-offs like criminal hackers, Salt Typhoon is focused on long-term espionage: quietly infiltrating telecommunications networks, stealing data, and maintaining persistent access that could be weaponised during future conflicts.

[...]

What makes Salt Typhoon particularly alarming is its exploitation of “lawful intercept” capabilities – surveillance systems that telecommunications companies are legally required to maintain for law enforcement and intelligence agencies.

“By targeting US telco networks, Salt Typhoon has enabled China’s Ministry of State Security to take over the lawful intercept capabilities that governments compel telcos to have,” MacGibbon said. “This means that the MSS can see and listen to highly sensitive interception and surveillance data meant for law enforcement and security agencies.”

MacGibbon said one of the most concerning aspects for security professionals was how difficult such state-backed campaigns were to identify.

[...]

Unlike ransomware gangs, nation-state actors employ so-called “living off the land” techniques that exploit legitimate, built-in tools within a victim’s own systems rather than deploying malware that might trigger security alerts.

“These stealthy techniques can bypass traditional security tripwires and are much harder to detect,” MacGibbon said. CyberCX’s most recent threat report found that espionage incidents take on average about 400 days to detect, compared to just over three weeks for financially motivated attacks perpetrated by cybercriminals.

For businesses, the stakes extend beyond espionage. Jake Hense, a research analyst at American Century, noted that cybersecurity had become fundamental to assessing whether a business can survive long-term, a factor the US Securities and Exchange Commission now requires companies to address in their disclosures.

“A sustainable business must be able to address risks, including cyberthreats that could significantly impact its ability to conduct day-to-day business,” Hense said.

[...]

Lieutenant General Susan Coyle, who leads Defence’s cyber and space operations, told the same summit that Australia was effectively already fighting in cyberspace.

“I would be naive to get up here and tell you that we’re not in conflict in the cyber domain now,” Coyle said. “Our ships will not sail, our planes will not fly, and our missiles will miss targets if we don’t get the cyber domain right.”

MacGibbon said Five Eyes agencies were “very alive to the risk” and regularly publishing joint advisories with practical guidance for critical infrastructure organisations, including reviewing network device logs for unexpected activity and employing robust change management processes.

[...]

Koi Security researchers warned that the NPM package ‘Lotusbail’, a WhatsApp Web API library and fork of ‘Baileys’, has been stealing users’ credentials and data.

The package has been available for six months and has had over 56,000 downloads. Lotusbail supports sending and receiving WhatsApp messages, wrapping the legitimate WebSocket client so all messages pass through it first, enabling the malicious capture of information.

The Lotusbail npm package works as a fully functional WhatsApp API, making it hard to detect because it is based on the legitimate Baileys library. It wraps WhatsApp’s WebSocket client, intercepting credentials, messages, contacts, and media while continuing normal operations.

cross-posted from: https://lemmy.radio/post/10939156

Dear colleagues,

In short, the atomic ensemble time scale at our Boulder campus has failed due to a prolonged utility power outage. One impact is that the Boulder Internet Time Services no longer have an accurate time reference. At time of writing the Boulder servers are still available due a standby power generator, but I will attempt to disable them to avoid disseminating incorrect time.

The affected servers are:

• time-a-b.nist.gov
• time-b-b.nist.gov
• time-c-b.nist.gov
• time-d-b.nist.gov
• time-e-b.nist.gov
• ntp-b.nist.gov (authenticated NTP)

No time to repair estimate is available until we regain staff access and power. Efforts are currently focused on obtaining an alternate source of power so the hydrogen maser clocks survive beyond their battery backups.

More details follow.

Due to prolonged high wind gusts there have been a combination of utility power line damage and preemptive utility shutdowns (in the interest of wildfire prevention) in the Boulder, CO area. NIST's campus lost utility power Wednesday (Dec. 17 2025) around 22:23 UTC. At time of writing utility power is still off to the campus. Facility operators anticipated needing to shutdown the heat-exchange infrastructure providing air cooling to many parts of the building, including some internal networking closets. As a result, many of these too were preemptively shutdown with the result that our group lacks much of the monitoring and control capabilities we ordinarily have. Also, the site has been closed to all but emergency personnel Thursday and Friday, and at time of writing remains closed.

At initial power loss, there was no immediate impact to the NIST atomic time scale or distribution services because the projects are afforded standby power generators. However, we now have strong evidence one of the crucial generators has failed. In the downstream path is the primary signal distribution chain, including to the Boulder Internet Time Service. Another campus building houses additional clocks backed up by a different power generator; if these survive it will allow us to re-align the primary time scale when site stability returns without making use of external clocks or reference signals.

Best wishes, -Jeff Sherman

cross-posted from: https://scribe.disroot.org/post/6219559

Archived link

China-linked hackers have been using misconfigured Cisco security products to deploy backdoors on target networks for at least the past several weeks.

The hacker group, which Cisco tracks as UAT-9686, has been taking advantage of an insecure setting in Cisco’s AsyncOS software, which powers the company’s email and web security devices and virtual platforms, Cisco said in a ... security advisory.

...

Just in time for the end of the year, we’re happy to share our final release before the holidays: Vulnerability-Lookup 2.20.0 🎄

What's New

GCVE (Global CVE Allocation System): Relationships

We’ve updated the bundled Vulnogram interface to better support the GCVE ecosystem. Vulnerability-Lookup now allows you to define and manage relationships between vulnerabilities, in line with the GCVE BCP-05 specification.

Commit: 2f39bf8

This is a first step toward implementing full GCVE BCP-05 compliance.

Displaying relationships of a vulnerability

https://vulnerability.circl.lu/vuln/GCVE-1-2025-0032

In this case, opposes indicates that the GNA does not agree with the status or validity of the referenced vulnerability. This can be used when a GCVE published by another GNA is considered not to be a vulnerability for the product in question (e.g., the behavior is expected, or the scenario describes a discouraged or unsupported configuration).

Editing relationships with the Vulnogram UI

Sightings Visualization

Understanding how vulnerabilities are observed in the wild just got easier. We’ve added a new Heat Map to visualize vulnerability sightings over time, featuring built-in filters for dates and sighting types.

Commit: 56a66e0

Examples

https://vulnerability.circl.lu/vuln/CVE-2025-61757#sightings

https://vulnerability.circl.lu/vuln/CVE-2018-13379#sightings

Sighting correlations

https://vulnerability.circl.lu/vuln/CVE-2025-59718#sightingsCorrelations

Changes

• Authentication: Allowed password recovery triggers based on case-insensitive usernames. #290
• Vulnerability Disclosure: A guidance message is now displayed to unauthenticated users when attempting to submit a new disclosure. (90787db)
• Product API: product.find_vulnerabilities now returns more comprehensive results. (a31f6c3)

https://vulnerability.circl.lu/vuln/GCVE-1-2025-0041

Fixes

• Data Ingestion: Fixed an issue to ignore temporary files in ossf/malicious-packages. (6bc93b1)
• Website: Fixed the routing path used to delete vulnerability disclosures. (e2ecb2a)
• Website: Updated vulnerability ID requirements to be optional for disclosures. (5bd5353)

Changelog

For the full list of changes, check the GitHub release:
v2.20.0 Release Notes

Thank you to all our contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

Spectre V1 mitigations in the Linux kernel are coming for RISC-V with newer RISC-V core designs being vulnerable to Spectre Variant One style attacks.

Spectre V1 as a reminder is the variant for Bounds Check Bypass with CPU speculative execution in conditional branches. The Linux kernel RISC-V code hasn't seen Spectre V1 protections since earlier more basic RISC-V core designs have been immune to Variant One and other Spectre vulnerabilities. But newer more complex RISC-V core designs are bringing some of the same challenges exhibited on x86_64 and AArch64 architectures.