
CVE-2025-20393 Exploitation: A Maximum-Severity Zero-Day Vulnerability in Cisco AsyncOS Software Abused in Attacks by the China-Backed APT UAT-9686 

18 December 2025, 14:11
CVE-2025-20393 Exploitation

As 2025 draws to a close, yet another critical Cisco zero-day has emerged, joining earlier high-severity disclosures: two RCE flaws in Cisco ISE and SE-PIC (CVE-2025-20281 and CVE-2025-20282) and a September zero-day in Cisco IOS and IOS XE (CVE-2025-20352). The latest uncovered Cisco vulnerability, identified as CVE-2025-20393, affects AsyncOS Software and reaches a maximum-severity CVSS score of 10.0. The flaw is already under active exploitation by a China-linked APT group tracked as UAT-9686.  

Exploitation of zero-day vulnerabilities is increasing, while the time to patch them is shrinking, making prompt updates more critical than ever. The 2025 Verizon DBIR report highlights a 34% year-over-year rise in breaches initiated via vulnerability exploitation, highlighting the need for proactive defenses. China-backed espionage campaigns are driving this trend, with operations increasingly emphasizing stealth and operational security over the past five years. China-aligned APT clusters remain among the fastest and most active state-sponsored actors, often weaponizing newly disclosed exploits almost immediately, further complicating the global cybersecurity landscape.

In early December, a new maximum-severity vulnerability in React Server Components, known as React2Shell, was observed being exploited in multiple China-linked campaigns, with activity quickly accelerating in both scale and pace and broadening its targeting scope. Another maximum-severity vulnerability (CVE-2025-20393), recently discovered in Cisco AsyncOS Software, has been causing a stir in the cyber threat arena and demands heightened vigilance from defenders.

Sign up for SOC Prime Platform, offering the world’s largest detection Intelligence dataset and covering a full pipeline from detection to simulation to take your SOC to the next level and proactively thwart APT attacks, exploitation campaigns, and cyber threats of any scale and sophistication. Press Explore Detections to reach a comprehensive context-enriched rule set addressing critical exploits, filtered by the corresponding “CVE” tag.

Explore Detections

The above-mentioned SOC content is supported across 40+ SIEM, EDR, and Data Lake platforms to enable cross-platform content utilization and is mapped to the most recent MITRE ATT&CK® v18.1 framework. Security teams can further accelerate end-to-end detection engineering workflows with Uncoder AI, which enables smooth rule creation from live threat intelligence, instant detection logic refinement and validation, automatic Attack Flow visualization, IOC-to-hunt query conversion, and AI-backed translation of detection content across multiple language formats.

CVE-2025-20393 Analysis

Cisco has recently warned the global defender community of a critical zero-day in its AsyncOS Software tracked as CVE-2025-20393 that is being actively exploited by a China-linked APT group, UAT-9686, targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

The company reported becoming aware of the campaign on December 10, 2025, noting that only a limited subset of appliances with certain internet-exposed ports appear to be affected. The total number of impacted customers remains unclear.

According to the vendor, the flaw enables threat actors to execute arbitrary commands with root privileges on affected appliances. Investigators have also found evidence of a persistence mechanism planted to maintain control over compromised devices.

The vulnerability remains unpatched and stems from improper input validation, allowing attackers to run malicious commands with elevated privileges on the underlying operating system.

All versions of Cisco AsyncOS are impacted, though exploitation requires specific conditions across both physical and virtual deployments of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The Spam Quarantine feature must be enabled and accessible from the internet—an important detail, as this feature is disabled by default. Cisco advises administrators to verify its status via the web management interface by checking the relevant network interface settings.

The vendor traced exploitation activity back to at least late November 2025, when the China-linked actor UAT-9686 began abusing the flaw to deploy tunneling tools such as ReverseSSH (AquaTunnel) and Chisel, along with a log-cleaning utility named AquaPurge. AquaTunnel has previously been associated with diverse Chinese groups, including APT41 and UNC5174. Adversaries also deployed a lightweight Python backdoor, AquaShell, which passively listens for unauthenticated HTTP POST requests, decodes specially crafted payloads, and executes commands via the system shell.

Until a patch becomes available, Cisco recommends hardening affected appliances by restricting internet exposure, placing them behind firewalls that allow only trusted hosts, separating mail and management interfaces, disabling HTTP access to the main admin portal, and closely monitoring web logs for anomalous activity. Additional guidance includes disabling unnecessary services, enforcing strong authentication mechanisms such as SAML or LDAP, and replacing default administrator credentials with stronger passwords. The company emphasized that in confirmed compromise scenarios, rebuilding the appliance is currently the only effective way to remove attacker persistence.

In response to the increasing threat, CISA has added CVE-2025-20393 to its KEV catalog, mandating that Federal Civilian Executive Branch agencies implement mitigations by December 24, 2025.

In addition, GreyNoise reported detecting a coordinated, automated credential-stuffing campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. The activity involves large-scale scripted login attempts rather than vulnerability exploitation, with consistent infrastructure and timing suggesting a single campaign pivoting across multiple VPN platforms.

The fast-moving exploitation of CVE-2025-20393 and its active use by a China-backed hacking group suggest a rising risk of follow-on attacks against organizations worldwide. To minimize the risks of exploitation attempts, rely on SOC Prime’s AI-Native Detection Intelligence Platform, which equips SOC teams with cutting-edge technologies and top cybersecurity expertise to stay ahead of emerging threats while maintaining operational effectiveness. 



The post CVE-2025-20393 Exploitation: A Maximum-Severity Zero-Day Vulnerability in Cisco AsyncOS Software Abused in Attacks by the China-Backed APT UAT-9686  appeared first on SOC Prime.

CVE-2025-14174 Vulnerability: A New Memory Corruption Zero-Day Vulnerability in Apple WebKit Exploited in Targeted Attacks

16 December 2025, 15:03
CVE-2025-14174 Vulnerability Exploitation

Zero-day vulnerabilities continue to pose increasing risks, enabling attackers to weaponize undisclosed weaknesses ahead of defensive fixes. Following a disclosure of a critical zero-day in Gladinet’s Triofox (CVE-2025-12480), a new zero-day vulnerability is already being exploited in the wild, underscoring the narrow window defenders have to act. Apple has confirmed that a newly discovered WebKit zero-day vulnerability, known as CVE-2025-14174, alongside CVE-2025-43529, has been actively exploited in highly targeted attacks. CVE-2025-14174 and CVE-2025-43529 affect all Apple devices capable of rendering web content, including Safari and every browser on iOS and iPadOS, leaving any unpatched system exposed to compromise.

WebKit, the cross-platform browser engine behind Safari and numerous applications on macOS, iOS, Linux, and Windows, continues to be a high-value target for attackers, particularly because it is mandatory for all browsers on iOS and iPadOS. For instance, in the early spring of 2025, a zero-day flaw tracked as CVE-2025-24201 was discovered in WebKit weaponized via maliciously crafted web content to break out of the Web Content sandbox. 

With the latest fixes, Apple has now addressed nine zero-day vulnerabilities exploited in the wild in 2025. This reflects a clear trend that attackers are heavily investing in browser engines and rendering pipelines to bypass sandboxing and silently compromise critical targets. 

Register for SOC Prime’s AI-Native Detection Intelligence Platform for SOC teams backed by cutting-edge technologies and top cybersecurity expertise to outscale cyber threats and build a resilient cybersecurity posture. Click Explore Detections to access the comprehensive collection of SOC content for vulnerability exploit detection, filtered by the custom “CVE” tag.

Explore Detections

Detections from the dedicated rule set can be applied across 40+ SIEM, EDR, and Data Lake platforms and are mapped to the latest MITRE ATT&CK® framework v18.1. Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, auto-visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.

CVE-2025-14174 Analysis

On December 12, Apple issued out-of-band security patches across its ecosystem after confirming that two WebKit zero-day vulnerabilities are under active exploitation in the wild. The weaponized security issues are CVE-2025-43529, a use-after-free vulnerability in WebKit that could allow attackers to achieve arbitrary code execution, and CVE-2025-14174 (with a CVSS of 8.8), a WebKit zero-day that may result in memory corruption when handling maliciously crafted web pages. Both flaws can be exploited through specially crafted web content, requiring no app installation or user interaction beyond visiting a malicious page.

Apple confirmed it is aware that the flaws may have been exploited in an extremely sophisticated attack against specific targeted individuals running iOS versions prior to iOS 26.

Notably, CVE-2025-14174 is the same vulnerability Google patched in Chrome on December 10, 2025. Google described it as an out-of-bounds memory access issue in ANGLE, its open-source graphics library, specifically within the Metal renderer. Because ANGLE is shared across platforms, this points to cross-browser exploitation rather than an isolated bug.

Both vulnerabilities were identified through collaboration between Apple Security Engineering and Architecture and Google Threat Analysis Group. The fact that both flaws affect WebKit strongly suggests they were weaponized for highly targeted surveillance campaigns. Any device capable of rendering WebKit content, including iPhone 11 and later, supported iPads, Apple Watch Series 6+, Apple TV, and Vision Pro, was within scope. 

Apple released fixes across almost its entire ecosystem, including iOS and iPadOS (26.2 and 18.7.3), macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2 for macOS Sonoma and Sequoia.

As potential CVE-2025-43529 and CVE-2025-14174 mitigation measures, organizations should enforce immediate OS and browser updates across all Apple devices, verify MDM compliance to prevent patch deferral, and treat any delay in applying updates as a real security exposure. Defenders should assume modern web-based exploits can bypass app-level controls, actively monitor for anomalous browser or network behavior following patch deployment, and, for high-risk users, recognize that patch latency directly expands the attack surface.

WebKit zero-days underscore a critical reality: today’s most dangerous attacks often begin in the browser. The combination of stealthy exploitation, zero user interaction, and the potential for complete device takeover makes these vulnerabilities especially dangerous and demands rapid, decisive action from defenders. Rely on SOC Prime Platform to reach ​​the world’s largest detection intelligence dataset, adopt an end-to-end pipeline that spans detection through simulation while streamlining security operations and speeding up response workflows, reduce engineering overhead, and always stay ahead of emerging threats. 



The post CVE-2025-14174 Vulnerability: A New Memory Corruption Zero-Day Vulnerability in Apple WebKit Exploited in Targeted Attacks appeared first on SOC Prime.

CVE-2025-55183 and CVE-2025-55184: New React RSC Vulnerabilities Expose Applications to Denial of Service Attacks and Source Code Leaks

15 December 2025, 11:00
CVE-2025-55183 and CVE-2025-55184 Vulnerabilities

A newly disclosed maximum-severity vulnerability in React Server Components (RSC), known as React2Shell (CVE-2025-55182), has rapidly escalated into a serious threat. Multiple China-aligned state-backed groups have been observed exploiting the flaw in the wild to achieve RCE against vulnerable React deployments. In response to the exploitation of CVE-2025-55182, the React team also released additional fixes for newly identified RSC issues that could lead to denial-of-service (DoS) attacks or source code disclosure, tracked as CVE-2025-55183 and CVE-2025-55184, as well as CVE-2025-67779, which addresses an incomplete fix for CVE-2025-55184 with the same security impact.

The React2Shell exploitation has acquired a fast pace, with in-the-wild attacks going well beyond opportunistic scans. For instance, shortly after the disclosure of CVE-2025-55182, researchers identified EtherRAT, an advanced implant deployed through React2Shell. Its capabilities mirror DPRK’s “Contagious Interview” operations, suggesting either a tactical pivot by North Korea-linked actors or the sharing of sophisticated tools among state-sponsored groups. Explore more about the attack details along with mitigation and response guidance, and get relevant detections, simulations, and full threat intel using SOC Prime’s Active Threats.

With the React2Shell attacks unfolding, defenders stumbled upon a set of new RSC vulnerabilities mentioned above, which require ultra-responsiveness from security teams to minimize the risks of exploitation attempts. Sign up for SOC Prime’s vendor-agnostic platform for real-time defense to get access to ​​the world’s largest detection intelligence dataset, adopt a full pipeline from detection to simulation to accelerate security workflows, and take advantage of AI and top cybersecurity expertise to take your SOC to the next level. Press Explore Detections to drill down to the full collection of SOC content addressing current and existing vulnerabilities, filtered by the relevant “CVE” tag.

Explore Detections

Detection content from this collection can be instantly converted into multiple SIEM, EDR, and Data Lake formats and is aligned with the latest MITRE ATT&CK® v18.1. Explore AI-native detection intelligence and comprehensive threat context to reduce analyst fatigue and boost operational effectiveness.

For security teams looking for ways to accelerate detection engineering workflows, SOC Prime curates Uncoder AI. Seamlessly convert IOCs into custom performance-optimized queries ready to run in your SIEM or EDR environment, craft detection logic directly from threat reports in an automated fashion, visualize Attack Flows, validate and fine-tune detection logic for accuracy and precision, and translate rules across diverse language formats in a matter of seconds. 

CVE-2025-55183 and CVE-2025-55184 Analysis

Following the weaponization of React2Shell, researchers uncovered additional vulnerabilities while analyzing the effectiveness of the initial patches. These newly identified issues do not enable RCE, and the existing fixes successfully block that attack vector, according to the React team. However, they introduce new risks: two denial-of-service flaws (CVE-2025-55184 and CVE-2025-67779, with the CVSS score of 7.5) and a source code disclosure issue tracked as CVE-2025-55183, with a CVSS score of 5.3.

CVE-2025-55184 stems from unsafe deserialization in Server Function request handling, which can trigger an infinite loop and effectively hang the server, while CVE-2025-55183 allows specially crafted requests to leak Server Function source code under specific conditions. 

All issues affect the same RSC packages and versions as CVE-2025-55182, with fixes available in versions 19.0.3, 19.1.4, and 19.2.3. The React team notes that follow-on disclosures are a common outcome after major vulnerabilities, reflecting deeper scrutiny of adjacent code paths rather than failed remediation. As highly recommended CVE-2025-55183 and CVE-2025-55184 mitigation measures, the vendor strongly advises users to update promptly, given ongoing exploitation activity.

The escalating exploitation of React2Shell, followed closely by newly uncovered RSC vulnerabilities, underscores the need for defenders to remain highly vigilant and continuously strengthen their security posture to reduce exposure to similar threats. By leveraging SOC Prime’s AI-Native Detection Intelligence Platform, organizations can enhance real-time defense at scale while increasing their engineering team productivity, accelerating workflows by adopting the full lifecycle from detection to simulation, and operationalizing threat intel faster across tools, teams, and environments.



The post CVE-2025-55183 and CVE-2025-55184: New React RSC Vulnerabilities Expose Applications to Denial of Service Attacks and Source Code Leaks appeared first on SOC Prime.

CVE-2025-62221 and CVE-2025-54100: Windows Elevation of Privilege and RCE Zero-Day Vulnerabilities Patched

11 December 2025, 17:24
CVE-2025-62221 and CVE-2025-54100 Vulnerabilities

Hot on the heels of CVE-2025-66516, the maximum-severity Apache Tika XXE vulnerability, a couple of other security flaws have emerged in Windows products. In its December 2025 security update, Microsoft addressed 57 vulnerabilities, including two zero-days, CVE-2025-62221 and CVE-2025-54100.

Microsoft’s technologies underpin a vast share of the global digital infrastructure, making the security of its ecosystem especially critical. The 2025 BeyondTrust Microsoft Vulnerabilities Report notes that 2024 set a new record with 1,360 disclosed Microsoft vulnerabilities—an 11% jump from the previous year—with Elevation of Privilege (EoP) and RCE issues standing out as the most severe. That trend continued into 2025, with Tenable noting that Microsoft delivered patches for 1,129 CVEs in 2025—the second consecutive year the company exceeded the thousand-vulnerability threshold. In the December 2025 Patch Tuesday rollout, EoP flaws made up half of all addressed vulnerabilities, with RCE vulnerabilities following at roughly one-third (33.9%). The above-mentioned zero-days addressed in the December 2025 Patch Tuesday also fit into these threat categories. 

Register for SOC Prime Platform, the industry-first AI-Native Detection Intelligence Platform for real-time defense, to explore a collection of 600,000+ detection rules addressing the latest threats and equip your team with AI and top cybersecurity expertise. Click Explore Detections to reach the extensive rule set for vulnerability exploit detection, pre-filtered using the custom “CVE” tag.

Explore Detections

All detection rules can be used across multiple SIEM, EDR, and Data Lake platforms and are aligned with the latest MITRE ATT&CK® framework v18.1. Explore AI-native threat intelligence, including CTI references, attack timelines, audit configurations, triage recommendations, and more threat context each rule is enriched with.

Security teams can also significantly reduce detection engineering overhead with Uncoder AI by instantly converting detection logic across multiple language formats for enhanced translation accuracy, crafting detections from raw threat reports, visualizing Attack Flows, accelerating enrichment and fine-tuning while streamlining validation workflows. 

CVE-2025-62221 and CVE-2025-54100 Analysis

Microsoft is wrapping up the year by releasing patches for 57 security vulnerabilities in Windows products covered in its December 2025 security update release, including two zero-days with a CVSS score of 7.8, CVE-2025-62221 and CVE-2025-54100.

The actively exploited flaw, CVE-2025-62221, is a use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver that allows an authenticated local attacker to escalate privileges to SYSTEM. By exploiting this flaw, adversaries can gain full control of affected Windows systems without user interaction, though local access is required.

The vendor has confirmed CVE-2025-62221 active exploitation in the wild; however, specific attack methods remain undisclosed. The vulnerability impacts systems with the Cloud Files minifilter, which is present even if apps like OneDrive, Google Drive, or iCloud aren’t installed.

Due to the increasing exploitation risks, CISA has recently added CVE-2025-62221 to its KEV catalog, requiring Federal Civilian Executive Branch agencies to apply the update by December 30, 2025. 

Another zero-day, CVE-2025-54100, is an RCE flaw in Windows PowerShell that allows unauthenticated attackers to run arbitrary code if they can get a user to execute a crafted PowerShell command, for instance, via Invoke-WebRequest.

The risk becomes more pronounced when paired with common social-engineering tactics: adversaries could trick a user or administrator into running a PowerShell snippet that retrieves malicious content from a remote server, triggering a parsing bug and enabling code execution or implant delivery. Although the issue is publicly known, Microsoft reports no active exploitation and currently rates the likelihood of exploitation as low. The flaw requires no privileges but does rely on user interaction, making social engineering the most probable attack path.

As potential CVE-2025-62221 and CVE-2025-54100 mitigation measures, organizations that rely on the corresponding Windows products are urged to apply the patches immediately. With SOC Prime’s AI-Native Detection Intelligence Platform, SOC teams can source detection content from the largest and up-to-date repository, seamlessly adopt the full pipeline from detection to simulation into their security processes, orchestrate workflows in their natural language, and smoothly navigate the ever-changing threat landscape while strengthening defenses at scale.



The post CVE-2025-62221 and CVE-2025-54100: Windows Elevation of Privilege and RCE Zero-Day Vulnerabilities Patched appeared first on SOC Prime.

CVE-2025-66516: Maximum-Severity Vulnerability in Apache Tika Could Lead to XML External Entity Injection Attack

8 December 2025, 10:48
CVE-2025-66516 Vulnerability

Another maximum-severity vulnerability with the highest CVSS score of 10.0 has surfaced shortly after the recent React2Shell disclosure. Labeled CVE-2025-66516, the critical flaw affecting Apache Tika could expose systems to XML External Entity (XXE) attacks.

In 2025, Apache products were repeatedly targeted due to newly discovered vulnerabilities. Early in the year, CVE-2025-24813 demonstrated how quickly a critical Apache Tomcat flaw could be weaponized, with attackers exploiting unsafe deserialization for RCE on unpatched servers within just 30 hours of disclosure. Months later, two more vulnerabilities in Apache Tomcat, CVE-2025-55752 and CVE-2025-55754, surfaced, again leaving systems exposed to potential RCE attacks. At the end of 2025, another Apache critical flaw affecting a set of Tika components requires ultra-responsiveness from defenders to reduce the risks of exploitation. 

Sign up for SOC Prime Platform, the vendor-agnostic product suite for real-time defense, to explore an extensive collection of high-quality detection content and AI-native intelligence, backed by top industry expertise, to help SOC teams navigate the ever-evolving cyber threat landscape. Click Explore Detections to drill down to the comprehensive rule stack for vulnerability exploit detection conveniently filtered by the custom “CVE” tag.

Explore Detections

Detection content can be converted to dozens of SIEM, EDR, and Data Lake solutions in an automated fashion and is mapped with MITRE ATT&CK®. Each content item is enriched with AI-native threat intelligence, such as CTI references, attack timelines, audit configurations, triage recommendations, and more metadata for streamlined threat research.

Moreover, Uncoder AI assists security teams in their daily detection engineering operations. Use the solution to instantly convert IOCs into performance-optimized hunting queries, craft detection code from raw threat reports, visualize Attack Flows, perform cross-platform translation, seamlessly validate syntax and detection logic, etc. 

CVE-2025-66516 Analysis

A newly disclosed maximum-severity XXE vulnerability tracked as CVE-2025-66516 affects multiple Apache Tika components, including tika-core (1.13–3.2.1), tika-pdf-module (2.0.0–3.2.1), and tika-parsers (1.13–1.28.5), according to the corresponding vendor’s advisory. The flaw allows attackers to trigger XML External Entity injection by embedding a malicious XFA file inside a PDF. 

XXE injection is a type of security flaw in which adversaries manipulate how an application handles XML input. By doing so, threat actors may gain unauthorized access to files on the server and, in certain scenarios, even execute code remotely.

CVE-2025-66516 represents the same underlying weakness as CVE-2025-54988 but significantly broadens the scope of impacted packages. Although the earlier CVE identified the entry point in the tika-parser-pdf-module, the root cause and fix reside in tika-core, meaning users who updated only the PDF parser without upgrading tika-core to version 3.2.2 or later remain exposed. Additionally, the original advisory did not account for the 1.x release line, where PDFParser resides in the “org.apache.tika:tika-parsers” module.
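The advisory describes the entry point as an XFA stream embedded in a PDF whose DTD declares external entities. The block below is an added example, not code from Apache Tika or the advisory: it audits such an XML stream with Python's stdlib expat parser, recording every entity declaration without ever resolving one, and gates parsing on the absence of a DOCTYPE (the "refuse all DTDs" policy is assumed here as the hardening, not a description of Tika's actual patch). The XFA samples are constructed for this example.

```python
import xml.parsers.expat
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed samples: an XFA-style form stream as it might be extracted from a
# PDF, once with a DOCTYPE declaring an external (SYSTEM) entity, once clean.
XFA_WITH_XXE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xdp [
  <!ENTITY ext SYSTEM "file:///etc/passwd">
]>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <field name="note">&ext;</field>
</xdp:xdp>"""

BENIGN_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <field name="note">hello</field>
</xdp:xdp>"""


@dataclass
class XmlAudit:
    has_doctype: bool = False
    external_entities: List[Tuple[str, str]] = field(default_factory=list)
    internal_entities: List[str] = field(default_factory=list)
    parameter_entities: List[str] = field(default_factory=list)
    parse_error: str = ""

    @property
    def xxe_risk(self) -> bool:
        # External general entities, parameter entities and an external DTD
        # subset are the constructs an XXE payload relies on.
        return bool(self.external_entities or self.parameter_entities)


def audit_xml(data: bytes) -> XmlAudit:
    """Walk the DTD with expat and record every entity declaration. The
    external-entity-reference handler returns 0, so expat aborts the parse
    instead of fetching a file or URL; nothing is ever resolved."""
    audit = XmlAudit()
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        audit.has_doctype = True
        if sysid:  # an external DTD subset is itself a fetch of attacker-chosen data
            audit.external_entities.append(("<!DOCTYPE>", sysid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if is_param:
            audit.parameter_entities.append(name)
        if sysid is not None or pubid is not None:
            audit.external_entities.append((name, sysid or pubid))
        else:
            audit.internal_entities.append(name)

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    try:
        p.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Expected for XXE input: the reference to the external entity was refused.
        audit.parse_error = str(exc)
    return audit


def safe_parse_root(data: bytes) -> str:
    """Gate before parsing: refuse any document carrying a DOCTYPE (assumed
    policy, equivalent to disabling DTD processing). Returns the root name."""
    audit = audit_xml(data)
    if audit.has_doctype:
        raise ValueError(f"refusing XML with DOCTYPE; xxe_risk={audit.xxe_risk}, "
                         f"external={audit.external_entities}")
    root: List[str] = []
    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler = lambda name, attrs: root.append(name) if not root else None
    p.Parse(data, True)
    return root[0]
```

Running `audit_xml(XFA_WITH_XXE)` reports the `ext` entity pointing at `file:///etc/passwd` and flags `xxe_risk`, while the clean stream passes the gate and parses to its `xdp:xdp` root.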

Given the severity of this flaw and its expanded impact across the Tika ecosystem, users should update all affected modules as urgent CVE-2025-66516 mitigation measures. SOC Prime curates its AI-Native Detection Intelligence Platform to help global organizations outscale cyber threats of any sophistication, including emerging CVEs and high-profile attacks. Leveraging SOC Prime’s product suite, defenders can integrate the full pipeline from detection to simulation directly into their security operations, take advantage of the world’s largest detection intelligence dataset to stay ahead of the latest threats, and explore the benefits of the innovative Shift-Left Detection approach to maximize resource effectiveness.



The post CVE-2025-66516: Maximum-Severity Vulnerability in Apache Tika Could Lead to XML External Entity Injection Attack appeared first on SOC Prime.
