Top Cyber Security Vulnerabilities – December 2025 Roundup

December 2025 saw the disclosure of several high-impact vulnerabilities affecting enterprise applications, cloud platforms, and developer tools. This month’s incidents highlight the growing risks in modern software stacks, from insecure deserialization in frontend frameworks to zero-click remote code execution in widely deployed office software. Threat actors are increasingly exploiting these flaws within hours of disclosure, underscoring the need for timely patching, credential rotation, and monitoring for anomalous activity.

CVE-2025-55182 (React2Shell)

A critical vulnerability in the React Server Components (RSC) Flight protocol caused by insecure deserialization of serialized objects sent to server functions via POST requests. During function “revival,” the framework fails to enforce strict type validation, allowing crafted payloads to exploit JavaScript duck-typing and reference internal Node.js modules (such as child_process). Exploitation chains self-referential object graphs, prototype shadowing, and Blob Handler abuse to execute arbitrary shell commands with full privileges of the Node.js process, bypassing application-level access controls. Applications are vulnerable even if they do not explicitly use server functions, as long as they support RSC.

Severity and Score:
Critical | CVSS 10.0

Type:
Unauthenticated Remote Code Execution (RCE)

Disclosure:
3 December 2025

Exploitation Status:
Highly active. Multiple malware campaigns, including “Emerald” and “Nuts,” deployed reverse shells and credential harvesting tooling within 30 hours of disclosure.

Mitigation Strategies:
Upgrade to React 19.0.1 or later, or Next.js 15.1 or later. Rotate all environment secrets immediately. Monitor for HTTP POST requests containing $@ patterns or resolved_model statuses in the request body.
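To show what the monitoring advice above looks like in practice, here is an added example (not code from the React project or from the original post) that scans request records for the two indicators named in the mitigation. The record layout and the sample requests are constructed; in a real deployment the bodies would come from a reverse proxy or WAF that logs POST bodies.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample request records (method, path, body); not real traffic.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/", "body": '["$@1", {"a": 1}]'},
    {"method": "POST", "path": "/api/form", "body": '{"status": "resolved_model", "value": {}}'},
    {"method": "POST", "path": "/login", "body": "user=alice&pw=***"},
    {"method": "GET", "path": "/?q=$@0", "body": ""},
]

# The two indicators the advisory text names: "$@" chunk references and a
# "resolved_model" status appearing in the body of a POST request.
PATTERNS = {
    "flight_chunk_reference": re.compile(r"\$@\d*"),
    "resolved_model_status": re.compile(r"\bresolved_model\b"),
}


def flag_request(req: Dict[str, str]) -> List[str]:
    """Return the indicator names matched in one request body (empty if none).

    Only POST bodies are inspected, because the vulnerable path is the server
    function endpoint that accepts serialized objects via POST.
    """
    if req.get("method", "").upper() != "POST":
        return []
    body = req.get("body", "")
    return [name for name, rx in PATTERNS.items() if rx.search(body)]


def scan_requests(requests: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (path, matched indicators) for every POST that trips a pattern."""
    hits = []
    for req in requests:
        matched = flag_request(req)
        if matched:
            hits.append((req["path"], matched))
    return hits
```

Legitimate RSC traffic also carries these tokens, so treat hits as a triage signal to baseline against normal volume and pair with the version check, not as proof of exploitation on their own.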

CVE-2025-14847 (MongoBleed)

A high-severity memory disclosure vulnerability in MongoDB Server rooted in the implementation of the zlib-compressed network message protocol (message_compressor_zlib.cpp). By sending a malformed packet that declares an exaggerated uncompressed size, an attacker triggers a logic error in which the server allocates a large buffer but only fills it partially with valid data. The remaining memory, uninitialized from previous server operations, is returned to the client prior to authentication. This leaked memory often contains sensitive data including plaintext database fragments, user passwords, authentication tokens, and session information, allowing substantial data exfiltration without valid credentials.

Severity and Score:
High | CVSS 8.8

Type:
Unauthenticated Information Disclosure

Disclosure:
19 December 2025 (publicly tracked as “MongoBleed” by 26 December)

Exploitation Status:
Actively exploited and added to the CISA KEV catalog. Approximately 87,000 exposed instances globally have been identified.

Mitigation Strategies:
Patch to MongoDB 8.0.17, 7.0.28, 6.0.27, or 5.0.32. If patching is delayed, disable zlib compression by removing it from the net.compression.compressors configuration in mongod.conf.
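The root cause described above is a decompressor that trusts a declared uncompressed size. The following added example (illustrative Python, not MongoDB's C++ code) shows the hardened pattern: bound the allocation, inflate, and require the actual output length to equal the declared length before returning anything to the client. The 4-byte size header is a constructed stand-in for the real wire format.

```python
import struct
import zlib

# Constructed wire layout modelled on the page's description: a 4-byte
# little-endian "uncompressed size" followed by zlib data. Not the exact
# MongoDB OP_COMPRESSED layout.
HEADER = struct.Struct("<I")
MAX_MESSAGE = 48 * 1024 * 1024  # assumed hard cap for any single message


def encode_message(payload: bytes) -> bytes:
    """Well-formed message: declared size matches the real payload length."""
    return HEADER.pack(len(payload)) + zlib.compress(payload)


def constructed_inflated_header(payload: bytes, claimed: int) -> bytes:
    """Test input only: valid zlib data behind a header claiming `claimed` bytes."""
    return HEADER.pack(claimed) + zlib.compress(payload)


def decompress_strict(message: bytes) -> bytes:
    """Inflate a message without trusting the declared size.

    Never allocate `declared` bytes up front; cap the output instead, then
    check that the stream ended cleanly and produced exactly `declared` bytes.
    """
    if len(message) < HEADER.size:
        raise ValueError("short header")
    (declared,) = HEADER.unpack_from(message)
    if declared > MAX_MESSAGE:
        raise ValueError(f"declared size {declared} exceeds limit")
    d = zlib.decompressobj()
    # max_length bounds how much output is produced for this call.
    out = d.decompress(message[HEADER.size:], declared)
    if not d.eof or d.unconsumed_tail:
        raise ValueError("compressed stream did not end where declared")
    if len(out) != declared:
        # Real payload shorter than declared: the condition that let the
        # vulnerable code hand back uninitialized buffer bytes.
        raise ValueError(f"declared {declared} bytes, got {len(out)}")
    return out


def rejects(message: bytes) -> bool:
    """True when decompress_strict refuses the message."""
    try:
        decompress_strict(message)
    except ValueError:
        return True
    return False
```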

CVE-2025-59718 and CVE-2025-59719 (Fortinet SSO Bypass)

Two critical authentication bypass vulnerabilities stemming from improper cryptographic signature verification in the SAML implementation used by FortiOS, FortiProxy, and FortiWeb. The flaw resides in how these devices validate Security Assertion Markup Language (SAML) response messages during the FortiCloud Single Sign-On (SSO) login process. An unauthenticated attacker can craft a malicious SAML response that the system accepts as valid without proper verification against the trusted identity provider (IdP) certificate. This enables the impersonation of administrative users, often the “admin” account, providing full management access to the network infrastructure, configuration export capability, and the potential to harvest credentials for lateral movement.

Severity and Score:
Critical | CVSS 9.8

Type:
Authentication Bypass

Disclosure:
9 December 2025

Exploitation Status:
Actively targeted by advanced threat actors. Arctic Wolf and CISA reported intrusions where attackers exfiltrated device configurations to harvest hashed credentials and prepare for broader network compromise.

Mitigation Strategies:
Upgrade FortiOS to 7.6.4, 7.4.9, or 7.2.12. Immediately disable “Allow administrative login using FortiCloud SSO” and enforce local or certificate-based authentication.

CVE-2025-66516 (Apache Tika XXE and SSRF)

A maximum-severity vulnerability in Apache Tika’s PDF parsing module, which mishandles XML Forms Architecture (XFA) content embedded in PDFs. Tika fails to restrict external entity resolution when processing XFA forms, enabling attackers to trigger XML External Entity (XXE) injection. Crafted PDFs can be used to exfiltrate local system files (e.g., /etc/passwd) or initiate Server-Side Request Forgery (SSRF) requests to internal network resources. This vulnerability is pervasive because Tika is rarely deployed standalone and is commonly embedded as a hidden backend dependency in enterprise search engines, CMS platforms, and ingestion pipelines, meaning many organizations are unaware they are exposed.

Severity and Score:
Critical | CVSS 9.1 (some vendors rate it 10.0)

Type:
XML External Entity (XXE) and SSRF

Disclosure:
4 December 2025

Exploitation Status:
Public proof-of-concept available. High risk due to Tika’s silent integration, allowing attackers to leverage trusted services for reconnaissance or internal network attacks.

Mitigation Strategies:
Upgrade tika-core and related modules to version 3.2.2 or later. Ensure document-parsing services are network-isolated and prevented from accessing internal IP ranges.
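The second mitigation, keeping the parsing service away from internal address space, is usually enforced at the network layer, but an application-side egress policy is a useful second line. This added example (illustrative Python, not Tika's Java code) refuses non-HTTP schemes such as file: and blocks fetches to loopback, RFC 1918, link-local and IPv4-mapped addresses; the caller is expected to resolve hostnames first and pass the resolved IP so the same address is then used for the connection.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Destinations a document-parsing service has no business reaching.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local, incl. cloud metadata
    "fc00::/7", "0.0.0.0/8",                           # IPv6 ULA, "this" network
)]


def is_blocked_address(ip_text: str) -> bool:
    """True when ip_text is not a literal IP or falls inside a blocked range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # hostnames must be resolved by the caller before checking
    # Unwrap ::ffff:a.b.c.d so a mapped loopback/private v4 cannot slip past.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def egress_allowed(url: str, resolved_ip: Optional[str] = None) -> bool:
    """Decide whether a URL pulled out of a document may be fetched.

    Only http(s) is permitted. The decision is made on the resolved address
    supplied by the caller (or on a literal IP in the URL), so that a DNS
    rebinding between check and connect cannot swap the destination.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # file:, jar:, ftp: are the schemes XXE payloads rely on
    host = parts.hostname
    if not host:
        return False
    return not is_blocked_address(resolved_ip if resolved_ip is not None else host)
```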

CVE-2025-62221 (Windows Cloud Files Mini Filter)

A high-impact “Use-After-Free” memory corruption vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys). This kernel-mode driver is used by cloud storage providers such as OneDrive, Dropbox, and iCloud to manage file placeholders. A race condition during file hydration allows a low-privileged user to free memory and inject malicious content before reuse, corrupting kernel memory and escalating privileges from standard user to full SYSTEM authority.

Severity and Score:
Important | CVSS 7.8

Type:
Local Privilege Escalation (LPE)

Disclosure:
9 December 2025 (Patch Tuesday)

Exploitation Status:
Actively exploited as a zero-day. Often chained with browser sandbox escapes to achieve complete system takeover following phishing or malware delivery.

Mitigation Strategies:
Deploy the December 2025 Microsoft Security Updates immediately. Prioritize patching for workstations, VDI environments, and multi-user systems exposed to web content.

CVE-2025-52691 (SmarterMail RCE)

A critical arbitrary file upload vulnerability in SmarterTools SmarterMail caused by insufficient sanitization of attachment filenames and storage paths. Attackers can use directory traversal sequences (../) to place executable files, such as ASPX web shells, into the web root. Once executed, attackers gain command-line access with the privileges of the SmarterMail service, enabling mailbox compromise, lateral movement, and persistent access.

Severity and Score:
Critical | CVSS 10.0

Type:
Remote Code Execution via Arbitrary File Upload

Disclosure:
28 December 2025

Exploitation Status:
Targeted exploitation observed against government and enterprise mail servers in the Asia-Pacific region. High-priority risk for organizations using SmarterMail as an Exchange alternative.

Mitigation Strategies:
Upgrade to Build 9413 or later (9483 recommended). Audit /App_Data/ and web root for unauthorized files. Review API logs for unusual uploads.
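The flaw above is a filename sanitization failure, and the mitigation adds a web-root audit. This added example (illustrative Python, not SmarterTools code) shows both: a storage-path function that discards traversal prefixes and proves the result stays under the attachment root, and a pure inventory check that flags server-executable files not present in a known-good list. The root directory, allowlist and inventory are constructed placeholders.

```python
from pathlib import Path, PurePosixPath
from typing import Iterable, List

# Constructed storage root; not SmarterMail's actual directory layout.
ATTACHMENT_ROOT = Path("/srv/mail/attachments")
# Allowlist of attachment extensions; server-executable types are deliberately absent.
ALLOWED_SUFFIXES = {".pdf", ".png", ".jpg", ".txt", ".docx"}
# Server-side executable extensions that should not appear under a web root
# unless they belong to the installed product itself.
WEB_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asp"}


def safe_attachment_path(root: Path, client_filename: str) -> Path:
    """Map a client-supplied filename to a location that stays under root.

    Two independent controls: keep only the final path component (so any
    '../' or '..\\' prefix is dropped), then confirm the resolved result is
    still inside root. Either check failing rejects the upload.
    """
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    if name in ("", ".", ".."):
        raise ValueError("empty or dot-only filename")
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"disallowed extension: {name!r}")
    root_resolved = root.resolve()
    candidate = (root_resolved / name).resolve()
    if root_resolved not in candidate.parents:
        raise ValueError("path escapes attachment root")
    return candidate


def is_rejected(client_filename: str, root: Path = ATTACHMENT_ROOT) -> bool:
    """True when safe_attachment_path refuses the filename."""
    try:
        safe_attachment_path(root, client_filename)
    except ValueError:
        return True
    return False


def unexpected_web_files(paths: Iterable[str], known_good: Iterable[str]) -> List[str]:
    """Flag executable files under a web root missing from a known-good inventory
    (for example one taken from a clean install of the same build)."""
    known = {PurePosixPath(p).as_posix() for p in known_good}
    return sorted(p for p in paths
                  if PurePosixPath(p).suffix.lower() in WEB_EXECUTABLE
                  and PurePosixPath(p).as_posix() not in known)
```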

CVE-2025-64671 (GitHub Copilot for JetBrains)

A command injection vulnerability in GitHub Copilot for JetBrains IDEs. Malicious instructions in project code comments can influence Copilot to suggest or execute harmful terminal commands. Cross-prompt injection may lead to local shell execution if developers approve suggestions or auto-approval is enabled. Potential impact includes exfiltration of source code, SSH keys, and local environment variables.

Severity and Score:
Important | CVSS 8.4

Type:
Local Code Execution via Command Injection

Disclosure:
9 December 2025

Exploitation Status:
Publicly disclosed. Elevated risk for developers interacting with public or untrusted repositories.

Mitigation Strategies:
Upgrade the Copilot extension to 1.5.60-243+. Disable auto-approval for terminal commands and restrict file system access to project directories.

CVE-2025-62554 and CVE-2025-62557 (Microsoft Office)

Two critical memory safety vulnerabilities in Microsoft Word’s rendering engine (Type Confusion and Use-After-Free). Exploitation occurs during automatic parsing of document metadata, styles, or OLE objects. Zero-click RCE is possible via the Outlook Preview Pane or Explorer preview window without user interaction, enabling full system compromise.

Severity and Score:
Critical | CVSS 8.4

Type:
Remote Code Execution (RCE)

Disclosure:
9 December 2025

Exploitation Status:
Proof-of-concept available. High-priority target for phishing campaigns as no user action beyond viewing a message is required.

Mitigation Strategies:
Apply December 2025 Microsoft Office security updates. Disable the Preview Pane for untrusted senders via Group Policy in high-security environments.

The vulnerabilities disclosed in December 2025 reinforce the evolving threat landscape across enterprise software, cloud platforms, and developer tools. Several critical flaws enable unauthenticated remote code execution, zero-click compromise, or high-impact privilege escalation, while others expose sensitive data before authentication. Rapid exploitation by both automated campaigns and targeted threat actors highlights the urgency of proactive patch management, environment secret rotation, and monitoring for anomalous activity.

Organizations must prioritise immediate remediation of critical exposures, enforce strict authentication controls, and maintain continuous visibility into their systems. Failure to address these vulnerabilities promptly can result in full system compromise, data loss, or persistent adversary access.
