Introduction

This vulnerability report has been generated using data aggregated on
Vulnerability-Lookup,
with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for December 2025, based on sightings collected from various sources,
including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists,
The Shadowserver Foundation, Nuclei,
SPLOITUS, Metasploit, and more.
For further details, please visit this page.

A new section dedicated to detection rules is available.

The Month at a Glance

December 2025 was dominated by a massive surge in activity surrounding CVE-2025-55182 affecting Meta's react-server-dom-webpack. With 852 sightings, this critical vulnerability (referenced by contributors as "React2Shell") significantly outpaced all other vulnerabilities, highlighting a major focus on web application infrastructure exploitation.

Database and network security were also primary themes this month. MongoDB (CVE-2025-14847) ranked second in sightings and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on December 29th. The networking sector remained volatile, with critical vulnerabilities in Cisco Secure Email, WatchGuard Fireware OS, Fortinet, and SonicWall appearing in both the top sightings and the CISA KEV list.

Despite the influx of 2025 vulnerabilities, "zombie" vulnerabilities continue to plague the internet. Legacy issues from 2015 (D-Link) and 2017 (Zyxel) persist in the Top 10, proving that unpatched IoT devices remain active attack vectors years after disclosure.

In the broader ecosystem, CISA added a wide variety of threats to their catalog, ranging from mobile operating systems (iOS, Android) and browsers (Chrome) to desktop utilities like WinRAR. Additionally, community contributors highlighted significant structural shifts, notably the End-of-Life status for the Linux 5.4 kernel and new cryptographic implementation flaws in GnuPG.

Evolution of published CVE in 2025

More information.

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
| ---------------------------------------------------------------------- | --------------- | --------------- | --------------- | --------------------------------------------------|
| CVE-2025-55182 | 852 | Meta | react-server-dom-webpack | Critical (confidence: 0.9783) |
| CVE-2025-14847 | 204 | MongoDB Inc. | MongoDB Server | High (confidence: 0.9538) |
| CVE-2025-20393 | 89 | Cisco | Cisco Secure Email | Critical (confidence: 0.5137) |
| CVE-2015-2051 | 62 | dlink | dir-645 | High (confidence: 0.607) |
| CVE-2017-18368 | 62 | zyxel | p660hn-t1a_v1 | Critical (confidence: 0.9763) |
| CVE-2025-14733 | 60 | WatchGuard | Fireware OS | Critical (confidence: 0.976) |
| CVE-2025-66516 | 57 | Apache Software Foundation | Apache Tika core | High (confidence: 0.8155) |
| CVE-2018-10562 | 56 | dasannetworks | gpon_router | Critical (confidence: 0.9815) |
| CVE-2025-40602 | 53 | SonicWall | SMA1000 | Medium (confidence: 0.9162) |
CVE-2025-59718 | 53 | Fortinet | FortiSwitchManager | Critical (confidence: 0.7339) |

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

ENISA

No new entry in December.

Top 10 Weaknesses of the Month

Detection rules

CVE-2025-55182

• ET WEB_SPECIFIC_APPS Waku RSC React2Shell Unsafe Flight Protocol Property Access [SURICATA]
• ET WEB_SPECIFIC_APPS Vite RSC React2Shell Unsafe Flight Protocol Property Access [SURICATA]
• ET WEB_SPECIFIC_APPS React Server Components React2Shell Unsafe Flight Protocol Property Access [SURICATA]

CVE-2015-2051

• ET EXPLOIT D-Link HNAP SOAPAction Command Injection [SURICATA]

CVE-2017-18368

• ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE [SURICATA]

CVE-2025-66516

• ET WEB_SPECIFIC_APPS Apache Tika XML External Entity Injection [SURICATA]

CVE-2023-52163

• ET WEB_SPECIFIC_APPS DigiEver DS-2105 Pro time_tzsetup.cgi ntp Parameter Command Injection Attempt [SURICATA]

CVE reserved, but partial information has already appeared on the public internet

Sightings detected between 2025-12-01 and 2025-12-31 that are associated with vulnerabilities without public records.

Insights from Contributors

• gpg.fail - multiple vulnerabilities in GnuPG
• React2Shell
• The LAST Linux 5.4.y release. It is now end-of-life and should not be > used by anyone, anymore.
• Apache Tika
• Security content of iOS 26.2 and iPadOS 26.2
• Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manage

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
github.com/vulnerability-looku…

Funding

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release

The most sophisticated cyber attacks often rely on the simplest human behaviors. 👀 The FBI’s latest flash warning regarding North Korean state-sponsored actors (Kimsuky) using malicious QR codes is a fascinating case study in behavioral engineering. A QR code is essentially a digital question mark in the physical world. It begs to be resolved. We have spent the last few years training ourselves to scan them automatically; for menus, for parking, for connectivity. Attackers are weaponizing this muscle memory. They aren't just exploiting code; they are exploiting our inherent need to know what is on the other side of that scan. In high-stakes environments like academia and think tanks, unchecked curiosity is now a critical vulnerability.

TL;DR
🧠 FBI Alert: North Korean group Kimsuky (APT43) is active.
🎯 Targets: NGOs, academia, and foreign policy experts.
⚡ Vector: Malicious QR codes bridging physical and digital gaps.
🛡️ Defense: Treat an unknown QR code like a discarded USB drive. Do not scan.

forbes.com/sites/daveywinder/2…

#CyberSecurity #HumanFactor #Infosec #HigherEd #security #privacy #cloud

🥳 Auto-Encrypt Localhost version 9.0.0 released

Bye bye, Windows.

• Windows is no longer supported as Microsoft is complicit in Israel’s genocide of the Palestinian people¹ and Small Technology Foundation² stands in solidarity with the Boycott, Divestment, and Sanctions (BDS) movement³. Windows is an ad-infested and surveillance-ridden dumpster fire of an operating system and, alongside supporting genocide, you are putting both yourself and others at risk by using it.

Enjoy!

💕

About Auto-Encrypt Localhost:

codeberg.org/small-tech/auto-e…

Auto Encrypt Localhost is similar to the Go utility [mkcert](github.com/FiloSottile/mkcert/) but with the following important differences:

1. It’s written in pure JavaScript for Node.js.

2. It does not require certutil to be installed.

3. It uses a different technique to install its certificate authority in the system trust store of macOS.

4. It uses enterprise policies on all platforms to get Firefox to include its certificate authority from the system trust store.

5. In addition to its Command-Line Interface, it can be used programmatically to automatically handle local development certificate provisioning while creating your server.

Auto-Encrypt Localhost is licensed under AGPL version 3.0.

#AutoEncryptLocalhost #SmallTech #SmallWeb #localhost #TLS #SSL #certificates #web #security #dev #FOSS #israel #microsoft #BigTech #genocide #Palestine #StopIsrael #FreePalestine

¹ bdsmovement.net/microsoft
² small-tech.org/
³ bdsmovement.net/

A critical vulnerability (CVE-2026-21858) dubbed "Ni8mare" allows unauthenticated attackers to gain complete control over n8n workflow automation instances¹. The flaw, which received the highest CVSS score of 10.0, affects all versions prior to 1.121.0 and enables attackers to read files, bypass authentication, and execute arbitrary commands².

The vulnerability stems from a Content-Type confusion in n8n's Form Webhook handling, where attackers can manipulate file paths to read sensitive system files and escalate privileges³. Cyera Research Labs discovered approximately 100,000 exposed servers globally are at risk¹.

Key timeline:
- November 9, 2025: Vulnerability reported to n8n
- November 18, 2025: Patched in version 1.121.0
- January 6, 2026: CVE assigned
- January 7, 2026: Public disclosure

Censys reports 26,512 exposed n8n hosts, with most located in the US (7,079), Germany (4,280), and France (2,655)⁴.

Required actions:
- Upgrade to version 1.121.0 or later
- Avoid exposing n8n to the internet
- Require authentication for all Forms
- Rotate stored credentials and API tokens²

1. Cyera Research Labs - Ni8mare - Unauthenticated Remote Code Execution in n8n ↩︎ ↩︎
2. Aikido - n8n Critical Vulnerability Explained ↩︎ ↩︎
3. The Hacker News - Critical n8n Vulnerability Allows Unauthenticated Attackers to Take Full Control ↩︎
4. The Hacker News - Update section on Censys findings ↩︎

A major cybersecurity breach has exposed dozens of global companies through stolen cloud credentials obtained via Infostealer malware infections. A threat actor known as "Zestix" (alias "Sentap") is selling access to approximately 50 global corporations' cloud services including Sharefile, Owncloud, and Nextcloud¹.

The compromised data includes sensitive materials across multiple sectors:
- Defense: TF-X Fighter Jet and UAV blueprints from INTECRO ROBOTICS
- Infrastructure: LA Metro engineering schematics and security data from CRRC MA
- Aviation: 77GB of Iberia Airlines' A320/A321 aircraft maintenance data
- Healthcare: 2.3TB of Brazilian Military Police health records from Maida.health¹

Hudson Rock's investigation identified additional victims including Pickett, Sekisui House, IFLUSAC, K3G Solutions, GreenBills, and CiberC². The research indicates thousands more companies have exposed credentials circulating for these cloud services.

1. LinkedIn - Dozens of Global Companies Hacked via Cloud Credentials from Infostealer Infections & More at Risk ↩︎ ↩︎
2. Infostealers.com - Dozens of Global Companies Hacked via Cloud Credentials from Infostealer Infections & More at Risk ↩︎

This Gmail hack is unsettling not because it’s flashy, but because it’s bureaucratic. Attackers aren’t breaking encryption or outsmarting algorithms. They’re filling out forms. By changing an account’s age and abusing Google’s Family Link feature, they can quietly reclassify an adult user as a “child” and assume parental control. At that point, the rightful owner isn’t hacked so much as administratively erased.

The clever part is that everything happens inside legitimate features. Passwords are changed. Two-factor settings are altered. Recovery options are overwritten. And when the user tries to get back in, Google’s automated systems see a supervised child account and do exactly what they were designed to do: say no.

Google says it’s looking into the issue, which suggests this wasn’t how the system was supposed to work. But it’s a reminder of an old lesson. Security failures often happen when protective mechanisms are combined in ways no one quite imagined. The tools aren’t broken. The assumptions are.

There’s no dramatic fix here, only mildly annoying advice that suddenly feels urgent. Review recovery settings. Lock down account changes. Use passkeys. Because once an attacker controls the recovery layer, proving you’re you can become surprisingly difficult.

TL;DR
🧠 Family safety tools are being weaponized
⚡ Account recovery can be shut down entirely
🎓 Legitimate features enable the lockout
🔍 Prevention matters more than appeals

forbes.com/sites/daveywinder/2…

#Cybersecurity #Gmail #IdentitySecurity #AccountRecovery #DigitalRisk #security #privacy #cloud #infosec

I've mentioned this before but SimpleX is more private secure and anonymous that signal threema and session.

SimpleX is decentralised meaning taking down a single group of servers or org wouldnt destroy the simplex network, people can run completely anonymous simplex servers over tor, this puts simplex ahead of Signal and Threema

SimpleX has quantum resistant encryption which puts it ahead of Threema and Session, the UK military[1] and NATO[2] both consider quantum computers to be a threat now because of store now decrypt later attacks

SimpleX has no user identifiers not even random strings, its essentially like having a "burner phone for every contact". Two or more compromised contacts could corroborate your messages by linking them to your signal username or your session id, but with simplex your contacts can't prove your identity even between eachother. This fact puts SimpleX above Signal Threema and Session

These technical details about the simplex protocol can all be found on the project website including the whitepaper

[3]
[1]ncsc.gov.uk/whitepaper/prepari…

[2]nato.int/docu/review/articles/…

[3]isdb4l77sjqoy2qq7ipum6x3at6hyn…

#SimpleX #Threema #Signal #Session #PSA #Privacy #Security #Anonymity #NATO #UnitedKingdom #Tor #QuantumResistantEncryption

Just in time for the end of the year, we’re happy to share our final release before the holidays: Vulnerability-Lookup 2.20.0 🎄

What's New

GCVE (Global CVE Allocation System): Relationships

We’ve updated the bundled Vulnogram interface to better support the GCVE ecosystem. Vulnerability-Lookup now allows you to define and manage relationships between vulnerabilities, in line with the GCVE BCP-05 specification.

Commit: 2f39bf8

This is a first step toward implementing full GCVE BCP-05 compliance.

Displaying relationships of a vulnerability

vulnerability.circl.lu/vuln/GC…

In this case, opposes indicates that the GNA does not agree with the status or validity of the referenced vulnerability. This can be used when a GCVE published by another GNA is considered not to be a vulnerability for the product in question (e.g., the behavior is expected, or the scenario describes a discouraged or unsupported configuration).

Editing relationships with the Vulnogram UI

Sightings Visualization

Understanding how vulnerabilities are observed in the wild just got easier. We’ve added a new Heat Map to visualize vulnerability sightings over time, featuring built-in filters for dates and sighting types.

Commit: 56a66e0

Examples

vulnerability.circl.lu/vuln/CV…

vulnerability.circl.lu/vuln/CV…

Sighting correlations

vulnerability.circl.lu/vuln/CV…

Changes

• Authentication: Allowed password recovery triggers based on case-insensitive usernames. #290
• Vulnerability Disclosure: A guidance message is now displayed to unauthenticated users when attempting to submit a new disclosure. (90787db)
• Product API: product.find_vulnerabilities now returns more comprehensive results. (a31f6c3)

vulnerability.circl.lu/vuln/GC…

Fixes

• Data Ingestion: Fixed an issue to ignore temporary files in ossf/malicious-packages. (6bc93b1)
• Website: Fixed the routing path used to delete vulnerability disclosures. (e2ecb2a)
• Website: Updated vulnerability ID requirements to be optional for disclosures. (5bd5353)

Changelog

For the full list of changes, check the GitHub release:
v2.20.0 Release Notes

Thank you to all our contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup