Weekly Exploit Roundup 2025-12-16

Generated 2025-12-16T08:00:15.600941+00:00 (UTC)

  1. Metasploit Wrap-Up 12/12/2025
    Source: Rapid7 Cybersecurity Blog | Published: 2025-12-12T20:38:50+00:00 | Score: 27.019
    React2shell Module As you may have heard, on December 3, 2025, the React team announced a critical Remote Code Execution (RCE) vulnerability in servers using the React Server Components (RSC) Flight protocol. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0 and is informally known as "React2Shell". It allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "__proto__", "constructor", or "prototype" as module names. We're happy to announce that community contributor vognik submitted an exploit module for React2Shell which landed earlier this week and is included in this week's release. MSSQL Improvements Over the past couple of weeks Metasploit has made a couple of key improvements to the framework's MSSQL attack capabilities. The first (PR 20637) is a new NTLM relay module, auxiliary/server/relay/smb_to_mssql, which enables users to start a malicious SMB server that will relay
  2. Patch Tuesday – December 2025
    Source: Rapid7 Cybersecurity Blog | Published: 2025-12-10T07:50:42+00:00 | Score: 26.81
    Microsoft is publishing a relatively light 54 new vulnerabilities this December 2025 Patch Tuesday, which is significantly lower than we have come to expect over the past couple of years. Today's list includes two publicly disclosed remote code vulnerabilities, and a single exploited-in-the-wild vulnerability. Three critical remote code execution (RCE) vulnerabilities are also patched today; Microsoft currently assesses those as less likely or even unlikely to see exploitation. During December, Microsoft has already patched 14 browser vulnerabilities and more than 80 vulnerabilities in open source products, which are not included in the Patch Tuesday count above. Windows Cloud Files minifilter: zero-day EoP Microsoft has evidence that attackers are already making full use of CVE-2025-62221, a zero-day local elevation of privilege (EoP) vulnerability in the Windows Cloud Files Mini Filter Driver leading to SYSTEM privileges. File system filter drivers, aka minifilters, attach to the
  3. CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks
    Source: The Hacker News | Published: 2025-12-13T12:33:00+00:00 | Score: 22.092
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.
    CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code
  4. Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
    Source: Threat Intelligence | Published: 2025-12-12T14:00:00+00:00 | Score: 20.821
    Written by: Aragorn Tseng, Robert Weiner, Casey Charrier, Zander Work, Genevieve Stark, Austin Larsen Introduction On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. Shortly after disclosure, Google Threat Intelligence Group (GTIG) had begun observing widespread exploitation across many threat clusters, ranging from opportunistic cyber crime actors to suspected espionage groups. GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlap with activity previously reported by Huntress. These observed campaigns highlight the risk posed to organizations using unpatched versions of React and Next.js. This post details the observed exploitation chains and post-compromise behaviors and provides inte
  5. Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit and Two Zero-Days
    Source: The Hacker News | Published: 2025-12-10T08:50:00+00:00 | Score: 20.339
    Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild.
    Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code
  6. Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks
    Source: The Hacker News | Published: 2025-12-11T10:30:00+00:00 | Score: 20.103
    A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz.
    The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix for the issue is said to be currently in the
  7. Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution
    Source: The Hacker News | Published: 2025-12-11T05:56:00+00:00 | Score: 17.967
    Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far.
    "Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution," security researcher Bryan Masters said.
  8. FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE
    Source: The Hacker News | Published: 2025-12-15T14:32:00+00:00 | Score: 16.88
    Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations.
    The shortcomings, discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025, are listed below –

    CVE-2025-61675 (CVSS score: 8.6) – Numerous

  9. React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation
    Source: The Hacker News | Published: 2025-12-12T08:41:00+00:00 | Score: 16.763
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation.
    The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization
  10. CISA Flags Actively Exploited GeoServer XXE Flaw in Updated KEV Catalog
    Source: The Hacker News | Published: 2025-12-12T05:01:00+00:00 | Score: 16.654
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.
    The vulnerability in question is CVE-2025-58360 (CVSS score: 8.2), an unauthenticated XML External Entity (XXE) flaw that affects all versions prior to

End of report.
