
Weekly Exploit Roundup 2025-12-23


Generated 2025-12-23T08:00:14.055913+00:00 (UTC)

  1. Critical RCE flaw impacts over 115,000 WatchGuard firewalls
    Source: BleepingComputer | Published: 2025-12-22T09:00:55+00:00 | Score: 23.016
    Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks. […]
  2. Test for React2Shell with Application Security using New Functionality
    Source: Rapid7 Cybersecurity Blog | Published: 2025-12-17T19:06:44+00:00 | Score: 21.545
    Following disclosure of the React2Shell vulnerability (CVE-2025-55182), a maximum-severity Remote Code Execution (RCE) in React Server Components (RSC) a.k.a. the Flight protocol, security teams are assessing exposure and validating fixes. React and ecosystem vendors have released patches; exploitation in the wild has been reported, so rapid validation matters. What is React2Shell? React2Shell is an unauthenticated RCE flaw caused by insecure Flight payload deserialization in server-side React/RSC implementations (including popular frameworks like Next.js). It carries a CVSS 10.0 rating and affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 as well as Next.js versions 15.0.0-15.1.6 and 16.0.0-16.0.6 prior to recent patches. You can read more about it in this detailed CVE overview blog post. In this detailed writeup, we will share how our customers can specifically test for React2Shell with Rapid7’s Application Security solution. Testing for React2Shell with application security […]
  3. CVE-2025-37164: Critical unauthenticated RCE affecting Hewlett Packard Enterprise OneView
    Source: Rapid7 Cybersecurity Blog | Published: 2025-12-18T17:45:47+00:00 | Score: 20.219
    Overview On December 17, 2025, Hewlett Packard Enterprise (HPE) published an advisory for CVE-2025-37164, a CVSS 10.0 vulnerability in HPE OneView. The vulnerability, which was reported to HPE by security researcher Nguyen Quoc Khanh, facilitates unauthenticated remote code execution (RCE) on versions of HPE OneView before 11.0. Defenders are advised to prioritize upgrading to version 11.0 or applying the emergency hotfixes (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) as soon as possible. OneView sits at a privileged control plane for enterprise infrastructure, so successful exploitation isn’t just about establishing remote code execution, it’s about gaining centralized control over servers, firmware, and lifecycle management at scale. The real concern here is exposure and trust assumptions. Management platforms are often deployed deep inside the network with broad privileges and minimal monitoring because they’re ‘supposed’ to be trusted. When an unauthenticated RCE […]
  4. Metasploit Wrap-Up 12/19/2025
    Source: Rapid7 Cybersecurity Blog | Published: 2025-12-19T21:02:00+00:00 | Score: 19.031
    React2Shell Payload Improvements Last week Metasploit released an exploit for the React2Shell vulnerability, and this week we have made a couple of improvements to the payloads that it uses. The first improvement affects all Metasploit modules. When an exploit is used, an initial payload is selected using some basic logic that effectively would make a selection from the first available in alphabetical order. Now Metasploit will prefer a default of x86 Meterpreters for Windows systems (since 32-bit payloads work on both 32-bit and 64-bit versions of Windows) and x64 Meterpreters for all other platforms including Linux. In the context of React2Shell, this means the payload now defaults to x64 for Linux instead of AARCH64. Another improvement that only affects this exploit was the change of the default payload to one leveraging Node.js which is more likely to be present than the wget binary that was required. These defaults should hopefully help users get started with this high-impact exp […]
  5. WatchGuard Patches Firebox Zero-Day Exploited in the Wild
    Source: SecurityWeek | Published: 2025-12-22T09:44:19+00:00 | Score: 18.337
    The critical-severity bug in the Fireware OS’s iked process leads to unauthenticated remote code execution.
  6. SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances
    Source: The Hacker News | Published: 2025-12-17T18:17:00+00:00 | Score: 18.12
    SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild.
    The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC).
    It affects the following […]
  7. HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution
    Source: The Hacker News | Published: 2025-12-18T14:39:00+00:00 | Score: 17.726
    Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution.
    The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a […]
  8. WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability
    Source: The Hacker News | Published: 2025-12-19T11:23:00+00:00 | Score: 14.843
    WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks.
    Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code.
    "This vulnerability affects both the […]
  9. Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances
    Source: The Hacker News | Published: 2025-12-18T04:10:00+00:00 | Score: 14.414
    Cisco has alerted users to a maximum-severity zero-day flaw in Cisco AsyncOS software that has been actively exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
    The networking equipment major said it became aware of the intrusion campaign on December 10, 2025, and that it […]
  10. CISA flags ASUS Live Update CVE, but the attack is years old
    Source: BleepingComputer | Published: 2025-12-22T11:09:17+00:00 | Score: 14.379
    An ASUS Live Update vulnerability tracked as CVE-2025-59374 has been making the rounds in infosec feeds, with some headlines implying recent or ongoing exploitation. A closer look, however, shows the CVE documents a historic supply-chain attack in an End-of-Life (EoL) software product, not a new attack. […]
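
Added example for item 2 (not code from the roundup, from Rapid7, or from the React project): a Node.js script that scans an npm package-lock.json for the React and Next.js versions the summary above lists as affected by CVE-2025-55182 (React 19.0.0, 19.1.0, 19.1.1, 19.2.0; Next.js 15.0.0-15.1.6 and 16.0.0-16.0.6). The version table is copied from that summary and is an assumption until cross-checked against the vendor advisory, which may name further packages; the lock file in the block is constructed for the demonstration.

```javascript
// Added example, not part of the roundup or any vendor advisory.
// Flags React / Next.js entries in a package-lock.json (lockfileVersion 2/3)
// whose version falls in the ranges the roundup summary lists as affected by
// CVE-2025-55182. Extend AFFECTED from the vendor advisory before relying on it.

// Inclusive [low, high] ranges, taken from the summary above (assumption: complete).
const AFFECTED = {
  react: [["19.0.0", "19.0.0"], ["19.1.0", "19.1.1"], ["19.2.0", "19.2.0"]],
  next: [["15.0.0", "15.1.6"], ["16.0.0", "16.0.6"]],
};

// Parse "v1.2.3", "1.2.3" or "1.2.3-canary.4" into [1, 2, 3]; null if unparseable.
// Prerelease suffixes are dropped, so a canary of an affected release is flagged
// conservatively for manual review rather than silently passed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Compare two parsed versions: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True if package `name` at `version` lies inside one of the AFFECTED ranges.
function isAffected(name, version) {
  const ranges = AFFECTED[name];
  const v = parseVersion(version);
  if (!ranges || !v) return false;
  return ranges.some(
    ([lo, hi]) => cmp(v, parseVersion(lo)) >= 0 && cmp(v, parseVersion(hi)) <= 0
  );
}

// Walk every "packages" entry, including nested node_modules paths, and return
// the affected ones. The root entry ("") is skipped.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry || !entry.version) continue;
    const name = path.split("node_modules/").pop(); // keeps scoped names intact
    if (isAffected(name, entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock file: two affected entries and one nested, older react.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.1.6" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/some-tool/node_modules/react": { version: "18.3.1" },
  },
};

// Usage: node check-react2shell.js [path/to/package-lock.json]
// Without an argument the constructed SAMPLE_LOCK is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const hits = findAffected(lock);
  for (const h of hits) console.log(`AFFECTED ${h.path} ${h.name}@${h.version}`);
  if (hits.length === 0) console.log("no affected versions found");
}
```

The check reads the lock file rather than package.json because the lock records the versions actually installed, including nested copies pulled in by other dependencies, which is where a forgotten vulnerable React can hide. A hit is a reason to patch and to run the vendor's own validation, not proof of exploitability on its own.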

End of report.
