Jan 13, 2026 • Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
Executive Summary
December 2025 experienced a dramatic 120% surge in critical vulnerabilities, with 22 CVEs actively exploited compared to 10 in November. The React2Shell vulnerability (CVE-2025-55182) in Meta's React Server Components dominated threat activity, leveraged by China-nexus actors Earth Lamia, Jackpot Panda, and multiple UNC clusters for espionage operations. Observed threat actors deployed diverse malware, including RATs (EtherRAT, PeerBlight), tunneling tools (CowTunnel), and Weaxor ransomware delivered via Cobalt Strike stagers. UAT-9686 targeted Cisco email infrastructure with the Aqua malware suite. Legacy vulnerabilities from 2018-2022 resurfaced, and 11 of the 22 CVEs have public proof-of-concept code. Organizations must prioritize immediate patching of React2Shell and the Fortinet authentication bypass flaws, while monitoring for the associated malware and nation-state activity patterns.
Summary
December 2025 saw a 120% surge in critical CVEs, with 22 exploited flaws and React2Shell (CVE-2025-55182) dominating threat activity across Meta’s React framework.
Published Analysis
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave, with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: eleven of the 22 vulnerabilities have proof-of-concept code available, accelerating exploitation timelines
- Legacy vulnerabilities resurface: CISA added 2018-2022 era flaws to its Known Exploited Vulnerabilities (KEV) catalog, highlighting persistent patch gaps

Bottom line: December's surge reflects both new zero-days and renewed interest in legacy vulnerabilities. React2Shell alone demonstrates how quickly modern web frameworks can become global attack vectors.

Quick Reference Table
All 22 vulnerabilities below were actively exploited in December 2025.

| # | Vulnerability | Risk Score | Affected Vendor/Product | Vulnerability Type/Component | Public PoC |
|---|---|---|---|---|---|
| 1 | CVE-2025-55182 | 99 | Meta React Server Components | CWE-502 (Deserialization of Untrusted Data) | Yes |
| 2 | CVE-2025-66644 | 99 | Array Networks ArrayOS AG | CWE-78 (OS Command Injection) | No |
| 3 | CVE-2025-48572 | 99 | Google Android | CWE-306 (Missing Authentication for Critical Function) | No |
| 4 | CVE-2025-48633 | 99 | Google Android | Insufficient Information | No |
| 5 | CVE-2025-59718 | 99 | Fortinet Multiple Products | CWE-347 (Improper Verification of Cryptographic Signature) | Yes |
| 6 | CVE-2025-59719 | 99 | Fortinet FortiWeb | CWE-347 (Improper Verification of Cryptographic Signature) | Yes |
| 7 | CVE-2025-62221 | 99 | Microsoft Windows | CWE-416 (Use After Free) | No |
| 8 | CVE-2025-8110 | 99 | Gogs | CWE-22 (Path Traversal) | Yes |
| 9 | CVE-2025-14174 | 99 | Google Chromium | CWE-787 (Out-of-bounds Write) | Yes |
| 10 | CVE-2025-14611 | 99 | Gladinet CentreStack and Triofox | CWE-798 (Use of Hard-coded Credentials) | Yes |
| 11 | CVE-2025-59374 | 99 | ASUS Live Update | CWE-506 (Embedded Malicious Code) | No |
| 12 | CVE-2025-20393 | 99 | Cisco Multiple Products | CWE-20 (Improper Input Validation) | Yes |
| 13 | CVE-2025-43529 | 99 | Apple Multiple Products | CWE-416 (Use After Free) | No |
| 14 | CVE-2025-40602 | 99 | SonicWall SMA1000 appliance | CWE-250 (Execution with Unnecessary Privileges) | No |
| 15 | CVE-2025-14733 | 99 | WatchGuard Firebox | CWE-787 (Out-of-bounds Write) | No |
| 16 | CVE-2025-14847 | 99 | MongoDB and MongoDB Server | CWE-130 (Improper Handling of Length Parameter Inconsistency) | Yes |
| 17 | CVE-2023-52163 | 99 | Digiever DS-2105 Pro | CWE-862 (Missing Authorization) | No |
| 18 | CVE-2018-4063 | 99 | Sierra Wireless AirLink ALEOS | CWE-434 (Unrestricted Upload of File with Dangerous Type) | No |
| 19 | CVE-2025-58360 | 99 | OSGeo GeoServer | CWE-611 (Improper Restriction of XML External Entity Reference) | Yes |
| 20 | CVE-2025-6218 | 99 | RARLAB WinRAR | CWE-22 (Path Traversal) | Yes |
| 21 | CVE-2022-37055 | 99 | D-Link Routers | CWE-120 (Classic Buffer Overflow) | No |
| 22 | CVE-2021-26828 | 99 | OpenPLC ScadaBR | CWE-434 (Unrestricted Upload of File with Dangerous Type) | Yes |

Table 1: List of vulnerabilities that were actively exploited in December based on Recorded Future data (Source: Recorded Future)

Key Trends in December 2025

Affected Vendors
- Fortinet continued vulnerability concerns with two critical authentication bypass flaws
- Google faced three vulnerabilities across Android (2) and Chromium (1) platforms
- Microsoft dealt with a Windows kernel use-after-free vulnerability
- Meta experienced the month's most impactful vulnerability with React2Shell
- Additional affected vendors: Array Networks, Gogs, Gladinet, ASUS, Cisco, Apple, SonicWall, WatchGuard, MongoDB, Digiever, Sierra Wireless, OSGeo, RARLAB, D-Link, and OpenPLC

Most Common Weakness Types
- CWE-22 – Path Traversal
- CWE-347 – Improper Verification of Cryptographic Signature
- CWE-416 – Use After Free...
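Turning a roundup like Table 1 into a patch order is the step the article leaves to the reader: confirm each CVE against CISA's KEV catalog, weight the ones with public proof-of-concept code, and surface the old CVE-2018/2021/2022 entries as patch-gap indicators. The script below is an added example, not Recorded Future tooling and not part of the original article. It takes a subset of the Table 1 rows (vendor, CWE and public-PoC flag as the page lists them), joins them against a document in the same schema as the CISA KEV JSON feed, and ranks them. The four-tier scheme, the three-year "legacy" threshold, and the KEV snapshot itself (which CVEs it lists and the dateAdded values) are constructed for the example; against a live feed, fetch the URL named in the code instead of the embedded sample.

```python
"""Patch-priority triage for a monthly exploited-CVE roundup (added example).

Joins a CVE list carrying a public-PoC flag against a CISA KEV-shaped feed and
orders it: KEV + public PoC first, then KEV only, then PoC only, then neither.
Inside each tier, older ("legacy") CVEs sort first as a patch-gap signal.
"""
import json
import re
from dataclasses import dataclass

# Real location of the CISA KEV catalog; not fetched here so the example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


@dataclass(frozen=True)
class Finding:
    cve: str
    vendor_product: str
    cwe: str
    public_poc: bool


def cve_year(cve_id: str) -> int:
    """Year field of a CVE ID (when the ID was reserved, not when a patch shipped)."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1))


def load_kev(feed_json: str) -> dict:
    """Index a KEV-shaped JSON document ({"vulnerabilities": [{"cveID": ...}, ...]}) by cveID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(findings, kev, report_year, legacy_age=3):
    """Return the findings as dicts sorted into patch order (tier 0 = most urgent)."""
    rows = []
    for f in findings:
        in_kev = f.cve in kev
        if in_kev and f.public_poc:
            tier = 0          # confirmed exploited and anyone can weaponise it
        elif in_kev:
            tier = 1          # confirmed exploited, no public exploit yet
        elif f.public_poc:
            tier = 2          # public exploit, not (yet) in this KEV snapshot
        else:
            tier = 3
        legacy = (report_year - cve_year(f.cve)) >= legacy_age
        rows.append({"cve": f.cve, "vendor_product": f.vendor_product, "cwe": f.cwe,
                     "tier": tier, "in_kev": in_kev, "public_poc": f.public_poc,
                     "legacy": legacy})
    # Tier first; within a tier, legacy flaws ahead of current ones; then by ID for stability.
    rows.sort(key=lambda r: (r["tier"], not r["legacy"], r["cve"]))
    return rows


# Subset of Table 1 above: vendor/product, CWE and public-PoC flag as the page lists them.
FINDINGS = [
    Finding("CVE-2025-55182", "Meta React Server Components", "CWE-502", True),
    Finding("CVE-2025-59718", "Fortinet Multiple Products", "CWE-347", True),
    Finding("CVE-2025-62221", "Microsoft Windows", "CWE-416", False),
    Finding("CVE-2025-8110", "Gogs", "CWE-22", True),
    Finding("CVE-2025-14733", "WatchGuard Firebox", "CWE-787", False),
    Finding("CVE-2018-4063", "Sierra Wireless AirLink ALEOS", "CWE-434", False),
    Finding("CVE-2022-37055", "D-Link Routers", "CWE-120", False),
    Finding("CVE-2021-26828", "OpenPLC ScadaBR", "CWE-434", True),
]

# Constructed KEV snapshot in the feed's schema. Which CVEs appear and the dateAdded
# values are placeholders for this example, not the catalog's actual records.
SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed sample, not the live CISA feed",
    "vulnerabilities": [
        {"cveID": "CVE-2025-55182", "vendorProject": "Meta", "product": "React Server Components", "dateAdded": "2025-12-01"},
        {"cveID": "CVE-2025-59718", "vendorProject": "Fortinet", "product": "Multiple Products", "dateAdded": "2025-12-01"},
        {"cveID": "CVE-2025-62221", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2025-12-01"},
        {"cveID": "CVE-2018-4063", "vendorProject": "Sierra Wireless", "product": "AirLink ALEOS", "dateAdded": "2025-12-01"},
        {"cveID": "CVE-2022-37055", "vendorProject": "D-Link", "product": "Routers", "dateAdded": "2025-12-01"},
    ],
})


def december_2025_triage():
    """Rank the sample findings against the sample KEV snapshot for the December 2025 report."""
    return triage(FINDINGS, load_kev(SAMPLE_KEV_FEED), report_year=2025)


if __name__ == "__main__":
    for r in december_2025_triage():
        flags = ("KEV" if r["in_kev"] else "---", "PoC" if r["public_poc"] else "---",
                 "legacy" if r["legacy"] else "")
        print(f"tier {r['tier']}  {r['cve']:<15} {' '.join(flags):<16} {r['vendor_product']}")
```

With the sample snapshot, React2Shell and the Fortinet signature-verification flaw land in tier 0, and the 2018 Sierra Wireless and 2022 D-Link entries sort to the front of tier 1 ahead of the current-year Windows use-after-free, which is the "legacy flaws are still being exploited" point the report makes, expressed as an ordering a patch team can act on. Tier 2 deserves a note: a CVE with public PoC that is absent from KEV is not less dangerous, only less confirmed, so a team with spare capacity should not treat the tier boundary as a hard stop.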
Linked Entities
- CVE-2025-59719
- ANGRYREBEL.LINUX
- AquaPurge
- AquaShell
- AquaTunnel
- Cobalt Strike
- COMPOOD
- CowTunnel
- EtherRAT
- GobRAT
- HiddenOrbit
- HISONIC