This Month in Security: December 2025 - React2Shell, AppleOS Zero-Day, Copilot Injection, and more


"Show me the way of hacking" by Alexandre Dulaunoy is licensed under CC BY-SA 2.0.
December 2025 closed out the year with a chaotic mix of critical infrastructure attacks and widespread supply chain vulnerabilities. The discovery of "React2Shell", a critical-severity flaw in a core web development library, caused teams to scramble to patch before the end of the year. Simultaneously, state-sponsored actors targeted virtualization platforms with new malware, and a major ransomware attack struck a European national water agency, underscoring the persistent threat to essential services.
Critical Zero-Day Exploits
- React2Shell (CVE-2025-55182): Early in the month, a critical remote code execution (RCE) vulnerability dubbed "React2Shell" was disclosed in React Server Components. Rated CVSS 10.0, the flaw allows unauthenticated attackers to execute arbitrary code on servers running affected versions of React and Next.js. Exploitation began within hours of disclosure, targeting cloud environments and leading CISA to immediately add it to its Known Exploited Vulnerabilities (KEV) catalog (Qualys).
- "The Fragile Lock" SAML Bypass: PortSwigger Research disclosed "The Fragile Lock," a novel class of attacks against SAML implementations. Researcher Zakhar Fedotkin demonstrated how parser inconsistencies in widely used libraries (such as Ruby-SAML and SimpleSAMLphp) can be exploited to bypass XML signature verification. By reusing any content signed by an Identity Provider (even public metadata or error messages), attackers can forge valid assertions, leading to full account takeover (PortSwigger).
- Windows Cloud Files Zero-Day (CVE-2025-62221): Microsoft's December Patch Tuesday addressed an actively exploited zero-day in the Windows Cloud Files Mini Filter Driver. This privilege escalation flaw allows attackers with local access to gain SYSTEM privileges. The driver is a core component that is present even if cloud storage apps like OneDrive are not actively used, making this vulnerability particularly dangerous (BleepingComputer).
- Apple WebKit Zero-Day (CVE-2025-43529): A critical use-after-free vulnerability in Apple's WebKit engine was discovered to be actively exploited. The flaw impacts iPhones, iPads, and macOS devices, potentially allowing attackers to execute code by social engineering a user to visit a malicious webpage (GBHackers).
- GitHub Copilot Command Injection (CVE-2025-64671): A command injection vulnerability was patched in the GitHub Copilot plugin for JetBrains IDEs. This flaw could allow an attacker to execute malicious commands on a developer's machine by manipulating the AI's "auto-approve" settings, effectively turning the coding assistant into a backdoor (CrowdStrike).
Notable Threats and Incidents
- Romanian Water Agency Ransomware: The Romanian National Administration "Apele Române" suffered a massive ransomware attack that compromised approximately 1,000 systems. Attackers used Windows' BitLocker to encrypt files, demanding a ransom to restore access. While email and internal systems were paralyzed, the agency confirmed that critical water management infrastructure remained operational due to manual backups (The Record).
- 700Credit API Breach: A massive breach at 700Credit, a major provider of credit and identity verification for auto dealers, exposed the data of over 5.6 million people. Attackers exploited an unsecured API to access sensitive consumer information, which remained undetected for months (SWK Technologies).
- Nissan Data Breach: Nissan Motor Corporation confirmed a data breach affecting 21,000 customers after unauthorized access was detected on Red Hat servers managed by a third-party contractor. The exposed data included customer names and contact details, highlighting continued risks in the automotive supply chain (CyberSecurity News).
- "BRICKSTORM" Malware Campaign: CISA and the NSA issued a joint warning about a Chinese state-sponsored campaign using "BRICKSTORM" malware. The actors are targeting VMware vSphere and Windows systems to steal virtual machine snapshots and maintain persistent access to critical networks (Xage Security).
Policy and Framework Updates
- New AI Executive Order: The United States Government signed a new Executive Order on AI, which aims to simplify regulations but has sparked debate. The order potentially preempts state-level AI safety laws that mandate bias audits or pre-deployment testing, favoring a "pro-innovation" approach that critics argue could reduce liability for AI developers (Kiteworks).
- NIST & CISA Identity Report: The agencies released a draft Interagency Report (IR 8597) focusing on protecting identity tokens from theft and forgery. This guidance comes in response to recent high-profile cloud breaches where attackers forged authentication tokens to bypass MFA (CISA).
Patches and Vulnerabilities
- Microsoft Patch Tuesday: Microsoft released fixes for 57 vulnerabilities.
- Critical: Beyond the cloud files zero-day, two critical RCE bugs in Microsoft Office (CVE-2025-62554 and CVE-2025-62557) were patched. Both can be triggered via the Outlook Preview Pane, making them high-priority fixes.
- PowerShell Injection: A publicly disclosed flaw in PowerShell (CVE-2025-54100) that allowed command injection via Invoke-WebRequest was fixed (BleepingComputer).
- Fortinet Authentication Bypass: CISA added CVE-2025-59718 to its KEV catalog. This critical vulnerability allows attackers to bypass authentication on FortiOS and FortiProxy appliances, granting potential control over network perimeters (Dark Reading).
Key Takeaways for Staying Secure
- Patch React2Shell: If you use React or Next.js, verify and update your version as soon as possible. The vulnerability is easy to exploit and grants full server control.
- Audit SAML Implementations: "The Fragile Lock" findings highlight deep logical flaws in SAML libraries. Ensure any SAML-based authentication (especially using Ruby-SAML or SimpleSAMLphp) is patched to the latest versions, and consider disabling unused features.
- Virtualization Security: The BRICKSTORM campaign targets the hypervisor layer. Ensure VMware vSphere environments are patched and segmented, and monitor for unauthorized snapshot exports.
- Review API Security: The 700Credit breach was caused by a flawed API. Regularly test APIs for broken object-level authorization (BOLA) and ensure they verify ownership before returning sensitive data.
- Office & Preview Pane Risks: With critical "Preview Pane" exploits back in the mix, ensure Office is updated and consider disabling the preview pane for high-risk users until patches are applied.
- Review Your Security Posture: When needed, reach out to a trusted provider to review your security posture, like Cloud Security Partners.
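The ownership check described in the API takeaway above, as an added example that is not code from the original post or from 700Credit: a vulnerable record lookup beside its hardened form, plus a small probe that exercises either handler for object-level authorization gaps. The dealer accounts, report IDs and record fields are constructed sample data.

```python
# Added example (not from the original post): a minimal object-level
# authorization check of the kind the 700Credit takeaway calls for,
# with a vulnerable lookup next to the hardened one and a BOLA probe
# that a test suite could run against either. All data is constructed.

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CreditReport:
    report_id: int
    owner_id: str   # the account (dealer) that owns this record
    ssn_last4: str  # constructed sample field standing in for sensitive data


# Constructed sample store; in a real service this is the database.
REPORTS = {
    1001: CreditReport(1001, "dealer-a", "1234"),
    1002: CreditReport(1002, "dealer-b", "5678"),
    1003: CreditReport(1003, "dealer-a", "9012"),
}


def get_report_vulnerable(session_user: str, report_id: int) -> Optional[CreditReport]:
    """BOLA: the caller is authenticated, but nothing checks who owns the
    record, so any logged-in account can walk the ID space and read all data."""
    return REPORTS.get(report_id)


def get_report(session_user: str, report_id: int) -> Optional[CreditReport]:
    """Hardened: ownership is part of the lookup itself, and a foreign record
    looks the same as a missing one (no 403-vs-404 oracle confirming the ID)."""
    report = REPORTS.get(report_id)
    if report is None or report.owner_id != session_user:
        return None
    return report


def probe_bola(handler, session_user: str, id_range) -> list[int]:
    """Authorization test: call the handler as session_user for every ID and
    return the IDs of records that came back but belong to someone else.
    An empty list means ownership was enforced across this range."""
    leaked = []
    for rid in id_range:
        r = handler(session_user, rid)
        if r is not None and r.owner_id != session_user:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", probe_bola(get_report_vulnerable, "dealer-a", range(1000, 1010)))
    print("hardened leaks:  ", probe_bola(get_report, "dealer-a", range(1000, 1010)))
```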
About the Author
Jordan Darrah is a Security Consultant at Cloud Security Partners. Jordan's interest in IT started when she was working as a menswear fashion designer and bridal seamstress. Since then, she has built a diverse technical background spanning hardware repair, systems administration, regulatory compliance, and penetration testing.
Currently, Jordan specializes in application and cloud security assessments, where she evaluates system vulnerabilities and conducts penetration tests. Jordan holds multiple industry certifications, including CISSP, eJPT, and CompTIA PenTest+. She also runs an OSCP study group and maintains a blog where she breaks down concepts and tools for new security professionals.