Arctic Wolf reports active intrusions involving malicious SSO logins against FortiGate appliances beginning December 12, 2025, shortly after Fortinet disclosed two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719. The flaws allow unauthenticated administrative access via crafted SAML messages when FortiCloud SSO is enabled. While FortiCloud SSO is disabled by default, it is automatically enabled during FortiCare registration through the GUI unless administrators explicitly opt out, creating widespread exposure across FortiOS, FortiProxy, FortiWeb, and FortiSwitchManager deployments. Observed activity shows successful SSO logins to the admin account from a small set of cloud hosting providers, followed by immediate configuration exports via the GUI. This behavior strongly suggests post-authentication reconnaissance and credential material collection, with stolen configuration files posing downstream risk for offline password cracking and follow-on compromise.

Impact: Successful exploitation grants attackers administrative access to firewall and VPN infrastructure without credentials. Exfiltrated configurations may expose hashed credentials, VPN secrets, network topology, and trust relationships, enabling lateral movement, persistent access, or future attacks against internal networks. Because the activity leverages legitimate SSO workflows, compromises may blend into normal administrative logs and evade immediate detection.

Recommendation: Organizations should upgrade all affected Fortinet products to vendor-fixed versions and disable FortiCloud SSO until patching is complete. Review system logs for admin logins with method=sso, especially from unfamiliar cloud-hosted IPs, and check for configuration downloads following those logins. If suspicious activity is identified, assume firewall credentials are compromised and reset all administrative and VPN credentials. Restrict management interface access to trusted internal networks only, enforce strong passwords and MFA where supported, and audit FortiCare registration settings to ensure FortiCloud SSO is explicitly disabled if not required.

Microsoft Defender researchers report that exploitation of CVE-2025-55182 (React2Shell) was detected as early as December 5, 2025, impacting both Windows and Linux environments. The bug is a pre-authentication RCE (CVSS 10.0) in React Server Components where crafted POST requests can trigger unsafe deserialization and execute attacker code under the Node.js runtime. Microsoft observed real-world exploitation attempts and several hundred confirmed compromises across diverse organizations, with follow-on payloads including coin miners, SNOWLIGHT, VShell, EtherRAT, ShadowPad, and related tooling. Post-exploitation behavior included persistence through new user creation, RMM tools like MeshAgent, SSH authorized_keys changes, root login enablement, and defense evasion using Cloudflare Tunnel endpoints and bind mounts to hide artifacts. Microsoft also observed cloud credential targeting across Azure, AWS, GCP, and Tencent IMDS endpoints, plus secret discovery via TruffleHog and Gitleaks and attempts to harvest AI and cloud-native credentials such as OpenAI API keys and Kubernetes service account tokens.

Impact: Successful exploitation gives attackers immediate code execution on vulnerable React and Next.js servers with no authentication, enabling rapid deployment of miners or backdoors, credential theft, and lateral movement into cloud resources. Because many affected apps are deployed in containers and default configurations are vulnerable, compromise can spread from a single exposed service into broader infrastructure depending on container isolation and cloud permissions.

Recommendation: Patch listed fixed versions for React and Next.js and prioritize internet-facing workloads first, including container images and build artifacts that may still carry vulnerable dependencies. Consider using Defender Vulnerability Management and Defender for Cloud to inventory vulnerable packages, then monitor for exploitation signals such as Node or next-server spawned shell commands, suspicious downloads, Cloudflare tunnel usage, bind-mount hiding tactics, and secret discovery tooling execution. Review and implement Microsoft’s provided threat hunting queries related to the threat. Use Defender Vulnerability Management and Defender for Cloud to inventory vulnerable packages, then monitor for exploitation signals such as Node or next-server spawned shell commands, suspicious downloads, Cloudflare tunnel usage, bind-mount hiding tactics, and secret discovery tooling execution. Apply Azure WAF custom rules as a temporary control while patching is in progress, and if you suspect exploitation, isolate affected workloads and treat it as an incident due to the observed post-exploitation focus on persistence and cloud credential theft.

Apple released iOS 26.2 and iPadOS 26.2 on December 12, 2025, fixing multiple security issues across core components including WebKit, Kernel, FaceTime, Messages, and system frameworks. Apple notes that at least two WebKit vulnerabilities were exploited in “extremely sophisticated” attacks against specific targeted individuals on versions of iOS prior to iOS 26, and issued CVE-2025-14174 in response to this reporting. Among the fixes are issues that could lead to arbitrary code execution or memory corruption when processing maliciously crafted web content in WebKit, as well as privilege and data exposure risks such as an app gaining root privileges (Kernel), access to sensitive payment tokens (App Store), and exposure of hidden photos without authentication.

Impact: Organizations with iOS and iPadOS fleets face elevated risk from web-based exploitation paths, particularly via Safari or embedded WebKit content. The presence of in-the-wild exploitation signals that these flaws can be used for targeted compromise, and unpatched devices may remain exposed to drive-by or link-based attack chains that lead to code execution, data exposure, or privilege escalation.

Recommendation: Update all eligible devices to iOS 26.2 and iPadOS 26.2, prioritizing users in high-risk roles or who handle sensitive data. Enforce rapid OS patching through MDM, restrict untrusted browsing and link handling where possible, and monitor for signs of targeted mobile exploitation such as unusual Safari crashes, unexpected profile or configuration changes, and anomalous account activity following web interactions. Confirm Safari and platform updates are applied consistently across managed endpoints and review mobile security posture for gaps in update compliance.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a previously reported vulnerability, CVE-2025-58360, affecting OSGeo GeoServer, to its Known Exploited Vulnerabilities (KEV) Catalog. Details of the nature of the active exploitation were not provided. GeoServer is used for collecting/sharing geospatial data. The vulnerability is an XML External Entities (XXE) exploit, whereby improperly sanitized XML input via specific operations can allow an attacker to define external entities within the request, opening the door to a potential compromise. The vulnerability affects older versions up to 2.25.5 as well as 2.26.0 through 2.26.1, but versions 2.25.6 or 2.26.2 and above are patched.

Impact: Exploitation of this vulnerability could enable an attacker to undertake various malicious actions, such as accessing sensitive files, Server-Side Request Forgery (SSRF), or Denial of Service (DoS) attacks.

Recommendation: Organizations using GeoServer should ensure that they are running a patched version and keep an eye out for more details regarding active exploitation.