Cybersecurity Alert: 01–07 December 2025 Cyber Threat Advisory

12/10/2025

The first week of December 2025 brought critical server‑side risks across web, mobile, and infrastructure stacks. CVSS 10.0 vulnerabilities in React Server Components and Apache Tika expose cloud apps and content pipelines to unauthenticated remote code execution and arbitrary file access, while actively exploited Android zero‑days highlight the continued use of mobile exploits by spyware vendors. At the same time, the Aisuru botnet delivered a record‑breaking 29.7 Tbps DDoS attack, Oracle EBS breaches spread across universities and enterprises, and state‑sponsored BRICKSTORM malware targeted VMware ESXi and Windows environments. Emergency WAF changes at Cloudflare and a contractor‑driven breach at Freedom Mobile underscore the operational and third‑party risks organizations must manage alongside rapid patching.

1. Critical Vulnerabilities

1.1 Apache Tika XXE Enables Arbitrary File Access & Potential RCE (CVE-2025-66516) 

Apache disclosed a CVSS 10.0 XML External Entity (XXE) flaw in Tika’s core, PDF parser module, and legacy parser bundles. XFA form data embedded in a PDF is XML, and crafted PDF/XFA content can trigger external entity resolution during XML processing, enabling arbitrary file reads, SSRF‑style access to internal services, and, in some deployments, remote code execution. Many users remain exposed because prior fixes focused on the parser modules while tika-core itself was left unpatched. 

Action: 

  • Immediately upgrade to fixed versions (tika-core and tika-parser-pdf-module 3.2.2+, tika-parsers 2.0.0+). 
  • Disable or tightly control PDF/XFA parsing in untrusted ingestion pipelines. 
  • Isolate Tika services (network and OS sandboxing) and review for suspicious file access and outbound requests.

Reference: https://www.cve.org/CVERecord?id=CVE-2025-66516 
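
The following is an added example for the ingestion-pipeline control above; it is not Apache Tika code. It screens an incoming document for the XXE pattern before it reaches a parser: external entity declarations in XML, and the same declarations hidden inside a PDF’s XFA stream, which is normally FlateDecode‑compressed and therefore invisible to a plain string search. The PDF and XML samples are constructed for the example, as are the verdict labels.

```python
# Added example (not Apache Tika code): a pre-ingestion screen for the XXE pattern
# behind CVE-2025-66516. It looks for external entity declarations in XML and in
# the XFA form streams that PDFs can carry, inflating FlateDecode streams so that
# declarations hidden inside compressed PDF objects are not missed.
import re
import zlib

# <!ENTITY name SYSTEM "..."> / PUBLIC ... and parameter entities (<!ENTITY % name ...)
_EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(%\s*)?([A-Za-z_][\w.-]*)\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_XFA_KEY = re.compile(rb"/XFA\b")
_PDF_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _blobs(data: bytes):
    """Yield the raw bytes plus every PDF stream body that inflates as zlib."""
    yield data
    for m in _PDF_STREAM.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # image data, already-plain streams, or not a PDF at all


def find_external_entities(data: bytes) -> list:
    """Names of entities declared with SYSTEM or PUBLIC identifiers, across all blobs."""
    names = []
    for blob in _blobs(data):
        names.extend(m.group(2).decode("ascii", "replace")
                     for m in _EXTERNAL_ENTITY.finditer(blob))
    return names


def pdf_has_xfa(data: bytes) -> bool:
    """True when a PDF references an XFA form (the XML that Tika's PDF parser handles)."""
    return data.startswith(b"%PDF") and bool(_XFA_KEY.search(data))


def screen_document(data: bytes) -> dict:
    """Classify a document for an untrusted ingestion pipeline.

    block  -> an external entity is declared somewhere (XXE vector)
    review -> a DOCTYPE is present but only internal entities (entity-expansion risk)
    allow  -> no DOCTYPE in any blob
    """
    entities = find_external_entities(data)
    doctype = any(_DOCTYPE.search(b) for b in _blobs(data))
    verdict = "block" if entities else ("review" if doctype else "allow")
    return {"xfa": pdf_has_xfa(data), "doctype": doctype,
            "external_entities": entities, "verdict": verdict}


# Constructed samples (not real malware): a minimal PDF whose XFA stream, once
# inflated, declares an external entity, and a plain PDF with no XML at all.
_XFA_XML = (b'<?xml version="1.0"?><!DOCTYPE xdp [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><f>&xxe;</f></xdp:xdp>')
MALICIOUS_PDF = (b"%PDF-1.7\n1 0 obj<</AcroForm<</XFA 2 0 R>>>>endobj\n"
                 b"2 0 obj<</Filter/FlateDecode>>stream\n" + zlib.compress(_XFA_XML) +
                 b"\nendstream\nendobj\n%%EOF")
BENIGN_PDF = b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\n%%EOF"

if __name__ == "__main__":
    print(screen_document(MALICIOUS_PDF))  # verdict: block, external_entities: ['xxe']
    print(screen_document(BENIGN_PDF))     # verdict: allow
```

A “block” verdict should stop the file before Tika sees it; “review” is worth keeping because internal-only entity declarations are still the vehicle for entity-expansion (“billion laughs”) denial of service. Streams compressed with filters other than FlateDecode are not inflated here, so this screen is a layer in front of the upgrade, not a substitute for it.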

1.2 React Server Components “React2Shell” Unauthenticated RCE (CVE-2025-55182) 

Meta’s React team disclosed a critical deserialization flaw in the React Flight protocol affecting react-server-dom-* packages and downstream frameworks including Next.js App Router. Malicious RSC payloads can reach vm.runInThisContext on the server, allowing unauthenticated attackers to execute arbitrary JavaScript in standard, internet‑facing deployments. Mass scanning and exploitation are already underway, with hundreds of thousands of exposed servers observed. 

Action: 

  • Upgrade React Server DOM packages and Next.js to patched versions (Next.js 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, 15.0.5 or later). 
  • Temporarily disable or restrict RSC endpoints where patching is delayed; place them behind strong WAF rules and authentication where possible. 
  • Hunt for unusual process spawns, file writes, and credential access from app servers handling RSC traffic. 

Reference: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components 
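
The following is an added example serving both the Tika (1.1) and React2Shell (1.2) upgrade actions; it is not Apache’s or Vercel’s tooling. It compares dependency versions found in a captured `mvn dependency:tree` listing and a parsed package-lock.json against the fixed releases this advisory lists. The Tika and Next.js fixed versions are the ones stated above; the react-server-dom-* fixed versions are an assumption taken from the React advisory linked above and should be confirmed against it. Both inputs are constructed.

```python
# Added example (not Apache's or Vercel's tooling): flag dependency versions below the
# fixed releases this advisory lists for CVE-2025-66516 (Tika) and CVE-2025-55182
# (React Server Components / Next.js). Inputs: captured `mvn dependency:tree` text and
# a parsed package-lock.json. Both samples below are constructed.
import re

# Fixed versions from the Tika section of this advisory; anything below is treated as exposed.
TIKA_FIXED = {
    "org.apache.tika:tika-core": (3, 2, 2),
    "org.apache.tika:tika-parser-pdf-module": (3, 2, 2),
    "org.apache.tika:tika-parsers": (2, 0, 0),
}
# Next.js patch releases from the React section of this advisory, keyed by release line.
NEXT_FIXED = {
    (16, 0): (16, 0, 7), (15, 5): (15, 5, 7), (15, 4): (15, 4, 8), (15, 3): (15, 3, 6),
    (15, 2): (15, 2, 6), (15, 1): (15, 1, 9), (15, 0): (15, 0, 5),
}
# Assumption: patched react-server-dom-* releases as named in the React advisory;
# confirm against the advisory before relying on these numbers.
RSD_FIXED = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}

_MVN_LINE = re.compile(r"(org\.apache\.tika:[\w.-]+):jar:([0-9][\w.-]*):")


def parse_version(text: str) -> tuple:
    """'3.2.1' -> ((3, 2, 1), False); '15.5.7-canary.1' -> ((15, 5, 7), True).

    Numeric parts compare as a tuple. Anything after '-' or '+' marks a
    pre-release/build and is treated as earlier than the plain release.
    """
    core, *rest = re.split(r"[-+]", text, maxsplit=1)
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    return nums, bool(rest)


def status_against(version: str, fixed: tuple) -> str:
    nums, pre = parse_version(version)
    if nums > fixed or (nums == fixed and not pre):
        return "patched"
    return "vulnerable"


def check_maven_tree(tree_text: str) -> list:
    """Findings for every Tika artifact in a `mvn dependency:tree` listing."""
    return [{"package": artifact, "version": version,
             "status": status_against(version, TIKA_FIXED[artifact])}
            for artifact, version in _MVN_LINE.findall(tree_text)
            if artifact in TIKA_FIXED]


def check_package_lock(lock: dict) -> list:
    """Findings for next and react-server-dom-* entries in a package-lock.json."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name == "next":
            table = NEXT_FIXED
        elif name.startswith("react-server-dom-"):
            table = RSD_FIXED
        else:
            continue
        version = meta.get("version", "")
        nums, _ = parse_version(version)
        fixed = table.get(nums[:2])
        # A release line the advisory does not list is neither patched nor vulnerable here.
        status = status_against(version, fixed) if fixed else "unknown-line: check advisory"
        findings.append({"package": name, "version": version, "status": status})
    return findings


# Constructed inputs: one Maven tree with an unpatched tika-core, one lock file with
# an unpatched Next.js and a patched react-server-dom-webpack.
MVN_TREE = """[INFO] com.example:ingest:jar:1.0
[INFO] +- org.apache.tika:tika-core:jar:3.2.1:compile
[INFO] +- org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO] \\- org.apache.pdfbox:pdfbox:jar:3.0.5:compile
"""
PACKAGE_LOCK = {"packages": {
    "": {"name": "web", "version": "1.0.0"},
    "node_modules/next": {"version": "15.5.6"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    "node_modules/react": {"version": "19.2.1"},
}}

if __name__ == "__main__":
    for finding in check_maven_tree(MVN_TREE) + check_package_lock(PACKAGE_LOCK):
        print(finding)
```

The check is deliberately conservative: a pre-release of the fixed version counts as vulnerable, and a Next.js release line the advisory does not name is reported as unknown rather than silently passed.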

1.3 Actively Exploited Android Framework Zero-Days (CVE-2025-48633, CVE-2025-48572) 

Google’s December 2025 Android Security Update fixed two Framework vulnerabilities (information disclosure and elevation of privilege) confirmed as zero‑days in targeted attacks against Android 13–16. While technical details are withheld, Google notes likely use by commercial spyware vendors. These flaws are part of 107 issues patched in the December cycle. 

Action: 

  • Ensure devices reach security patch level 2025‑12‑05 or later; enforce updates via EMM/MDM where possible. 
  • Prioritize high‑risk users (executives, journalists, public officials) for accelerated patching and mobile threat defense. 
  • Review mobile app and device telemetry for anomalous privilege escalation or data exfiltration. 

Reference: https://source.android.com/docs/security/bulletin/2025-12-01 

2. Attack Campaigns

2.1 Aisuru Botnet Delivers Record 29.7 Tbps DDoS Attack 

Cloudflare mitigated a 29.7 Tbps, 14.1 Bpps UDP carpet‑bombing attack from the Aisuru botnet, now estimated at 1–4 million compromised devices. Aisuru regularly launches multi‑terabit, sub‑10‑minute “flash” attacks capable of saturating backbone links and national ISPs, with botnet chunks sold cheaply on underground markets. Sectors most targeted include IT services, telecom, finance, gaming, and hosting, with growing focus on generative AI providers. 

Action: 

  • Validate always‑on, automated L3/4 DDoS protection with pre‑negotiated response plans. 
  • Ensure upstream capacity and scrubbing arrangements can withstand multi‑Tbps attacks. 
  • Harden exposed services (anycast, rate limiting, responsive BGP/traffic engineering) and test run books for short, intense attack bursts. 

Reference: https://blog.cloudflare.com/ddos-threat-report-2025-q3/ 
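
The following is an added example for the detection side of the actions above; it is not Cloudflare’s mitigation logic. A carpet‑bombing flood spreads UDP packets across many addresses and ports inside a target prefix, so per‑destination thresholds stay quiet; aggregating flow records by destination /24 and time window exposes the pattern. The flow records, the record format and the thresholds are constructed for the example and must be tuned to the sampling rate of your own telemetry.

```python
# Added example (not Cloudflare's detection logic): a carpet-bombing detector for
# flow telemetry, aggregating UDP flows by destination /24 and time window.
# Flow records, their text format and all thresholds are constructed assumptions.
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 10
MIN_DISTINCT_DST_IPS = 32      # many hosts inside the prefix are hit
MIN_DISTINCT_DST_PORTS = 64    # ports are sprayed rather than one service targeted
MIN_PPS = 50_000               # aggregate packet rate into the prefix


def parse_flow(line: str) -> dict:
    """Parse 'ts src dst proto dport packets' (constructed NetFlow-like text)."""
    ts, src, dst, proto, dport, packets = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "packets": int(packets)}


def detect_carpet_bomb(lines) -> list:
    """Group UDP flows by (destination /24, window) and flag spray patterns."""
    buckets = defaultdict(lambda: {"ips": set(), "ports": set(), "sources": set(), "packets": 0})
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "udp":
            continue
        prefix = ipaddress.ip_network(f"{f['dst']}/24", strict=False)
        b = buckets[(str(prefix), f["ts"] // WINDOW_SECONDS)]
        b["ips"].add(f["dst"])
        b["ports"].add(f["dport"])
        b["sources"].add(f["src"])
        b["packets"] += f["packets"]
    alerts = []
    for (prefix, window), b in sorted(buckets.items()):
        pps = b["packets"] / WINDOW_SECONDS
        if (len(b["ips"]) >= MIN_DISTINCT_DST_IPS and len(b["ports"]) >= MIN_DISTINCT_DST_PORTS
                and pps >= MIN_PPS):
            alerts.append({"prefix": prefix, "window_start": window * WINDOW_SECONDS,
                           "dst_ips": len(b["ips"]), "dst_ports": len(b["ports"]),
                           "sources": len(b["sources"]), "pps": int(pps)})
    return alerts


def sample_flows() -> list:
    """Constructed telemetry: a UDP spray over 203.0.113.0/24 plus ordinary traffic."""
    flows = [f"{1700000000 + i % 10} 198.51.100.{i % 250} 203.0.113.{i % 200} udp {1024 + i * 7} 5000"
             for i in range(200)]  # 200 bots, each hitting a different host/port pair
    flows += ["1700000003 192.0.2.10 203.0.113.5 udp 443 40",    # normal QUIC-sized flow
              "1700000004 192.0.2.11 203.0.113.5 tcp 443 900",   # TCP is ignored
              "1700000012 192.0.2.12 203.0.113.9 udp 53 12"]     # next window, quiet
    return flows

if __name__ == "__main__":
    for alert in detect_carpet_bomb(sample_flows()):
        print(alert)  # one alert for 203.0.113.0/24 at 1700000000, ~100k pps
```

The bucket also records the number of distinct sources, which is what separates a botnet spray from a single misconfigured scanner at the same rate. Real sampled flow exports need the packet counts multiplied by the sampling ratio before the pps threshold is applied.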

2.2 Oracle E-Business Suite Campaign Hits Penn & Phoenix Universities 

The University of Pennsylvania and University of Phoenix confirmed compromise via a broad Oracle E‑Business Suite campaign linked to Cl0p and a FIN11‑related cluster. Attacks against EBS environments used for finance and administration have exposed PII and banking data across over 100 organizations, including leading universities and global enterprises. Oracle issued an emergency Security Alert and patch for the exploited EBS zero‑day (CVE-2025-61882) in early October 2025; organizations that have not yet applied it should assume exposure. 

Action: 

  • Immediately apply all relevant Oracle EBS critical patches and review internet exposure of EBS instances. 
  • Conduct targeted threat hunting on EBS servers (web shells, unauthorized jobs, data exfiltration) and review vendor/partner access. 
  • Prepare breach‑response playbooks for ERP platforms and validate backup and recovery for financial systems. 

Reference: https://www.sec.gov/Archives/edgar/data/1600222/000095014225003098/eh250711375_8k.htm 
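
The following is an added example for the web‑shell hunt in the actions above; it is not Oracle tooling. It walks an EBS web document root (OA_HTML) and reports JSP files that were modified after the last known‑good deployment or whose source hands request input to a process, two signals that together are characteristic of a dropped shell. The directory tree, file contents and baseline date are constructed in a temporary directory for the example.

```python
# Added example (not Oracle tooling): a hunt for dropped JSP web shells under an
# E-Business Suite web document root (OA_HTML). Two signals are combined: files
# modified after the last known-good deployment, and source that feeds request
# input into process execution. The tree below is constructed in a temp dir.
import os
import re
import tempfile
import time

# Patterns typical of JSP shells: process execution driven by request parameters.
_EXEC = re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder\s*\(")
_INPUT = re.compile(r"request\.get(Parameter|Header)\s*\(")
_JSP_EXT = (".jsp", ".jspx", ".jspf")


def classify_jsp(source: str) -> list:
    """Return the indicator names present in a JSP source."""
    tags = []
    if _EXEC.search(source):
        tags.append("process-exec")
        if _INPUT.search(source):
            tags.append("request-driven")
    return tags


def hunt_webshells(root: str, baseline_epoch: float) -> list:
    """Walk root; report JSPs that are new since baseline or carry shell indicators."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(_JSP_EXT):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            with open(path, encoding="utf-8", errors="replace") as fh:
                tags = classify_jsp(fh.read())
            if mtime > baseline_epoch:
                tags.append("modified-after-baseline")
            if tags:
                findings.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                                 "mtime": int(mtime), "indicators": tags})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> tuple:
    """Constructed OA_HTML-like tree: one legitimate page, one suspicious new JSP."""
    root = tempfile.mkdtemp(prefix="oa_html_")
    baseline = time.time() - 30 * 86400  # pretend the last deployment was 30 days ago
    legit = os.path.join(root, "OA_HTML", "help", "about.jsp")
    shell = os.path.join(root, "OA_HTML", "img", "cache.jsp")
    os.makedirs(os.path.dirname(legit))
    os.makedirs(os.path.dirname(shell))
    with open(legit, "w") as fh:
        fh.write('<%@ page contentType="text/html" %><html>About</html>')
    os.utime(legit, (baseline - 86400, baseline - 86400))  # older than the baseline
    with open(shell, "w") as fh:  # constructed shell-like content, not a real sample
        fh.write('<% Process p = Runtime.getRuntime().exec(request.getParameter("c")); %>')
    return root, baseline

if __name__ == "__main__":
    sample_root, sample_baseline = build_sample_tree()
    for finding in hunt_webshells(sample_root, sample_baseline):
        print(finding)  # OA_HTML/img/cache.jsp with all three indicators
```

Attackers can reset timestamps, which is why the content indicators are kept independent of the mtime check; a file that is old but executes request input is still reported. Compare findings against the release manifest of the last patch before treating a hit as an incident.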

3. Security News

3.1 Cloudflare Outage Following Emergency React2Shell WAF Patch 

On December 5, Cloudflare introduced an urgent WAF update to block React2Shell exploitation, inadvertently causing a 25‑minute global outage affecting APIs, dashboards, and proxied traffic for major customers. Services were restored after a rollback, and Cloudflare emphasized the incident was an internal configuration issue, not an attack. 

Action: 

  • Incorporate staged rollouts, canary testing, and automatic rollback into WAF and security control changes. 
  • Consider multi‑CDN or failover strategies for mission‑critical applications heavily dependent on a single provider. 

Reference: https://blog.cloudflare.com/5-december-2025-outage/ 

3.2 BRICKSTORM: PRC Backdoor Targeting VMware ESXi & Windows 

CISA, NSA, and the Canadian Centre for Cyber Security detailed BRICKSTORM, a Go‑based backdoor used by PRC state‑sponsored actors to persist in government and critical infrastructure networks. BRICKSTORM operates against vCenter/ESXi for VM snapshot theft, rogue VM creation, and credential harvesting, using DNS‑over‑HTTPS, HTTPS, and WebSocket tunnels (including VSOCK variants) to evade detection and pivot within virtualized environments. 

Action: 

  • Patch and harden vSphere, vCenter, ESXi, and ADFS; restrict management plane access and service account privileges. 
  • Block or tightly control DoH to non‑approved resolvers; monitor for unusual DNS, WebSocket, and VSOCK activity. 
  • Use CISA IOCs to hunt for BRICKSTORM artifacts and persistence mechanisms in both Windows and Linux systems. 

Reference: https://www.cisa.gov/news-events/analysis-reports/ar25-338a 
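
The following is an added example for the DoH monitoring action above; it is not CISA or vendor detection content. It reads Zeek‑style TLS session records and flags management hosts (ESXi, vCenter) that open TLS sessions to public DNS‑over‑HTTPS or DNS‑over‑TLS endpoints, which hosts using only internal resolvers should never do. The log lines, the set of watched management addresses and the approved‑resolver allowlist are constructed for the example; the DoH hostnames and addresses are well‑known public resolvers and should be extended from your own intelligence.

```python
# Added example (not CISA's or a vendor's detection content): spotting DNS-over-HTTPS
# from hosts that should only talk to internal resolvers, the egress pattern the
# advisory attributes to BRICKSTORM. Input is constructed Zeek-style ssl.log text
# (ts, src, dst, dst_port, server_name); watched hosts and allowlist are assumptions.
from collections import defaultdict

# Public DoH/DoT endpoints of well-known operators; extend from your own intel.
DOH_HOSTNAMES = {"dns.google", "cloudflare-dns.com", "one.one.one.one",
                 "dns.quad9.net", "doh.opendns.com", "dns.adguard.com"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
DOT_PORT = 853


def parse_ssl_log(text: str) -> list:
    """Tab-separated: ts src dst dst_port server_name ('-' when no SNI was sent)."""
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        ts, src, dst, dport, sni = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                     "sni": None if sni == "-" else sni.lower()})
    return rows


def find_doh(rows, watched_hosts, approved_resolvers=frozenset()) -> list:
    """Flag TLS sessions from watched hosts to DoH/DoT endpoints not on the allowlist.

    One finding per (src, dst) with a session count, so a beaconing backdoor shows
    up as a high count to one endpoint rather than as a pile of single alerts.
    """
    hits = defaultdict(lambda: {"sessions": 0, "reasons": set(), "first": None, "last": None})
    for r in rows:
        if r["src"] not in watched_hosts or r["dst"] in approved_resolvers:
            continue
        reasons = []
        if r["sni"] in DOH_HOSTNAMES:
            reasons.append(f"sni:{r['sni']}")
        if r["dst"] in DOH_IPS and r["dport"] == 443:
            reasons.append(f"doh-ip:{r['dst']}")
        if r["dport"] == DOT_PORT:
            reasons.append("dot-port-853")
        if not reasons:
            continue
        h = hits[(r["src"], r["dst"])]
        h["sessions"] += 1
        h["reasons"].update(reasons)
        h["first"] = r["ts"] if h["first"] is None else min(h["first"], r["ts"])
        h["last"] = r["ts"] if h["last"] is None else max(h["last"], r["ts"])
    return [{"src": s, "dst": d, "sessions": h["sessions"], "reasons": sorted(h["reasons"]),
             "first": h["first"], "last": h["last"]}
            for (s, d), h in sorted(hits.items())]


# Constructed log: an ESXi management host beaconing to a DoH resolver every 5 s, a
# workstation using the same resolver (not watched), and a vCenter session to the
# approved internal resolver on 853 plus an ordinary HTTPS session.
SAMPLE_SSL_LOG = "\n".join(
    ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name"]
    + [f"17000000{i:02d}.0\t10.10.5.21\t8.8.8.8\t443\tdns.google" for i in range(0, 60, 5)]
    + ["1700000010.0\t10.20.1.77\t8.8.8.8\t443\tdns.google",
       "1700000020.0\t10.10.5.30\t10.10.0.53\t853\t-",
       "1700000025.0\t10.10.5.30\t203.0.113.40\t443\tupdates.example.net"])
WATCHED = {"10.10.5.21", "10.10.5.30"}   # ESXi/vCenter management addresses (assumed)
APPROVED = {"10.10.0.53"}                 # internal resolver (assumed)

if __name__ == "__main__":
    for finding in find_doh(parse_ssl_log(SAMPLE_SSL_LOG), WATCHED, frozenset(APPROVED)):
        print(finding)  # 10.10.5.21 -> 8.8.8.8, 12 sessions, sni:dns.google
```

Matching on both SNI and destination address matters because a tunnel can omit SNI or use a fronted hostname; the port‑853 rule catches DNS‑over‑TLS with no SNI at all. The session count and first/last timestamps give the responder the beacon interval without a second query.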

3.3 Freedom Mobile Breach via Compromised Subcontractor Account 

Freedom Mobile reported unauthorized access to its customer account management system after a subcontractor account was compromised. Exposed data includes customer names, addresses, dates of birth, phone numbers, and account numbers; no payment card data, passwords, or PINs were accessed. The incident highlights continuing risks from third‑party access into core customer platforms. 

Action: 

  • Enforce strong access governance for vendors and subcontractors (least privilege, JIT access, mandatory MFA). 
  • Continuously monitor privileged and third‑party accounts for anomalous activity and unusual data queries. 
  • Educate customers on heightened phishing risk following breaches involving contact data. 

Reference: https://www.freedommobile.ca/en-CA/privacy-notice 
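
The following is an added example for the third‑party account monitoring action above; it is not Freedom Mobile’s control set. It counts customer‑record lookups per account per hour from an audit log and flags an hour in which a third‑party account exceeds a multiple of its own prior median, with an absolute floor so that quiet accounts do not alert on noise. The audit log format, account names and thresholds are constructed for the example.

```python
# Added example (not Freedom Mobile's controls): a self-baseline check for third-party
# accounts in a customer-account system's audit log. Log format, account names and
# thresholds are constructed assumptions.
from collections import defaultdict
from statistics import median

RATIO = 5.0        # alert when an hour reaches 5x the account's median hour (assumption)
FLOOR = 200        # ...and at least this many lookups in that hour (assumption)
MIN_HISTORY = 3    # hours of history needed before an account is judged


def parse_audit(text: str) -> list:
    """'epoch account action' lines; only customer-record lookups are counted."""
    events = []
    for line in text.strip().splitlines():
        ts, account, action = line.split()
        if action == "lookup":
            events.append((int(ts) // 3600, account))
    return events


def hourly_counts(events) -> dict:
    """{account: {hour_index: lookups}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for hour, account in events:
        counts[account][hour] += 1
    return counts


def find_anomalous_hours(text: str, third_party: set) -> list:
    """Hours where a watched account's lookups exceed RATIO x its prior median and FLOOR."""
    alerts = []
    for account, by_hour in hourly_counts(parse_audit(text)).items():
        if account not in third_party:
            continue
        hours = sorted(by_hour)
        for i, hour in enumerate(hours):
            history = [by_hour[h] for h in hours[:i]]   # only earlier hours form the baseline
            if len(history) < MIN_HISTORY:
                continue
            base = median(history)
            n = by_hour[hour]
            if n >= FLOOR and n >= RATIO * base:
                alerts.append({"account": account, "hour": hour * 3600,
                               "lookups": n, "baseline": base})
    return alerts


def sample_audit() -> str:
    """Constructed log: a vendor account doing ~20 lookups/hour for six hours, then 450
    in the seventh; a staff analyst with a busy hour but no third-party tag."""
    base = 1700000000
    lines = []
    for h in range(6):
        lines += [f"{base + h * 3600 + m * 60} svc-vendorA lookup" for m in range(20)]
    lines += [f"{base + 6 * 3600 + s} svc-vendorA lookup" for s in range(450)]
    lines += [f"{base + 6 * 3600 + s} analyst.jane lookup" for s in range(500)]
    lines += [f"{base + 6 * 3600 + 10} svc-vendorA login"]   # non-lookup action, ignored
    return "\n".join(lines)

if __name__ == "__main__":
    for alert in find_anomalous_hours(sample_audit(), {"svc-vendorA"}):
        print(alert)  # svc-vendorA: 450 lookups against a baseline of 20
```

Baselining each account against itself avoids the usual failure of global thresholds, where a legitimately busy internal team masks a contractor account that has quietly moved from tens to hundreds of record reads. An account with too little history is deliberately not judged; route those through the JIT-access review instead.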

Summary

Vulnerability Details 

  • Apache Tika XXE Vulnerability Enables Arbitrary File Access & Potential RCE (CVE-2025-66516) 
  • React Server Components “React2Shell” Deserialization RCE (CVE-2025-55182) 
  • Actively Exploited Android Framework Zero-Days (CVE-2025-48633, CVE-2025-48572) 

Attack Campaigns 

  • Aisuru Botnet Launches Record-Breaking 29.7 Tbps DDoS Attack 
  • Oracle EBS Hack Campaign Impacts University of Pennsylvania, University of Phoenix, and 100+ Organizations 

Security News 

  • Cloudflare Global Outage Following Emergency React2Shell WAF Mitigation 
  • CISA/NSA/CSE Warn of BRICKSTORM Backdoor Targeting VMware ESXi and Windows 
  • Freedom Mobile Data Breach via Compromised Subcontractor Account 

Cyber resilience is more vital than ever—share to spread awareness and stay protected. 

Stay secure. Stay informed. 

From Crowe UAE Cyber Threat Management Services