Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file.
„RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user,“ CISA said in an alert.
The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected.
Source: The hacker news
Link: https://thehackernews.com/2025/12/warning-winrar-vulnerability-cve-2025.html
Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit and Two Zero-Days
Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild.
Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code execution, four information disclosure, three denial-of-service, and two spoofing vulnerabilities.
In total, Microsoft has addressed a total of 1,275 CVEs in 2025, according to data compiled by Fortra. Tenable’s Satnam Narang said 2025 also marks the second consecutive year where the Windows maker has patched over 1,000 CVEs. It’s the third time it has done so since Patch Tuesday’s inception.
The update is in addition to 17 shortcomings the tech giant patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update. This also consists of a spoofing vulnerability in Edge for iOS (CVE-2025-62223, CVSS score: 4.3).
The vulnerability that has come under active exploitation is CVE-2025-62221 (CVSS score: 7.8), a use-after-free in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and obtain SYSTEM permissions.
„File system filter drivers, aka minifilters, attach to the system software stack, and intercept requests targeted at a file system, and extend or replace the functionality provided by the original target,“ Adam Barnett, lead software engineer at Rapid7, said in a statement. „Typical use cases include data encryption, automated backup, on-the-fly compression, and cloud storage.“
Source: The hacker news / Dark reading / Krebs on security / Securityweek / CISCO Talos intelligence group / Infosecurity magazine / SANS internet storm center
Link: https://thehackernews.com/2025/12/microsoft-issues-security-fixes-for-56.html
Link: https://krebsonsecurity.com/2025/12/microsoft-patch-tuesday-december-2025-edition/
Link: https://www.securityweek.com/microsoft-patches-57-vulnerabilities-three-zero-days/
Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-december-2025/
Link: https://www.infosecurity-magazine.com/news/microsoft-three-zerodays-patch/
Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202025/32550
Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws
Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution.
The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS scores: 9.8).
„An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device,“ Fortinet said in an advisory.
The company, however, noted that the FortiCloud SSO login feature is not enabled in the default factory settings. FortiCloud SSO login is enabled when an administrator registers the device to FortiCare and has not disabled the toggle „Allow administrative login using FortiCloud SSO“ in the registration page.
Source: The hacker news / Securityweek
Link: https://thehackernews.com/2025/12/fortinet-ivanti-and-sap-issue-urgent.html
Link: https://www.securityweek.com/ivanti-epm-update-patches-critical-remote-code-execution-flaw/
Link: https://www.securityweek.com/fortinet-patches-critical-authentication-bypass-vulnerabilities/
Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an unauthenticated attacker without requiring any special setup. It’s also tracked as React2Shell.
„Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints,“ CISA said in an advisory.
The problem stems from insecure deserialization in the library’s Flight protocol, which React uses to communicate between a server and client. As a result, it leads to a scenario where an unauthenticated, remote attacker can execute arbitrary commands on the server by sending specially crafted HTTP requests.
Source: The hacker news / Securityweek / Infosecurity magazine / Cloudflare blog / AWS security blog
Link: https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html
Link: https://www.securityweek.com/react2shell-attacks-linked-to-north-korean-hackers/
Link: https://www.securityweek.com/exploitation-of-react2shell-surges/
Link: https://www.infosecurity-magazine.com/news/react2shell-exploit-campaigns/
Link: https://blog.cloudflare.com/5-december-2025-outage/
Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch
A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack.
The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.
„Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF,“ according to an advisory for the vulnerability.
It affects the following Maven packages –
- org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2)
- org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2)
- org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0)
XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. This, in turn, makes it possible to access files on the application server file system and, in some cases, even, achieve remote code execution.
Source: The hacker news / Dark reading / Securityweek
Link: https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
Link: https://www.darkreading.com/application-security/apache-max-severity-tika-cve-patch-miss
Link: https://www.securityweek.com/critical-apache-tika-vulnerability-leads-to-xxe-injection/
Building SOX compliance through smarter training and stronger password practices
A SOX audit can reveal uncomfortable truths about how a company handles access to financial systems. Even organizations that invest in strong infrastructure often discover that everyday password habits weaken the controls they thought were solid. CISOs know that passwords still sit at the center of most access decisions, and any weakness in how people create, store or share them can undermine internal control over financial reporting.
Source: Helpnet security
Link: https://www.helpnetsecurity.com/2025/12/10/sox-compliance-password-practices/