12/17/2025-12/24/2025 Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution, New UEFI Flaw Enables Early-Boot DMA Attacks And More

1. Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances

A critical security vulnerability has been disclosed in the n8n workflow automation platform that could allow arbitrary code execution under certain conditions. The flaw, tracked as CVE-2025-68613, has a CVSS score of 9.9  It has approximately 57,000 weekly downloads on npm. According to the maintainers, expressions provided by authenticated users during workflow configuration may be evaluated in an execution context that is not properly isolated from the underlying runtime. An authenticated attacker could exploit this behavior to execute arbitrary code with the privileges of the n8n process, potentially leading to full system compromise, including data theft, workflow manipulation, and system-level operations. The vulnerability affects all versions from 0.211.0 up to but not including 1.120.4 and has been patched in 1.120.4, 1.121.1, and 1.122.0. Users are strongly urged to update immediately or restrict workflow permissions and harden deployments if patching is delayed.

2. U.S. CISA Adds a Flaw in WatchGuard Fireware OS to its Known Exploited Vulnerabilities Catalog

CISA has added a critical WatchGuard Firebox OS vulnerability, CVE-2025-14733 (CVSS 9.3), to its KEV catalog after active exploitation was confirmed. The flaw is an out-of-bounds write issue in WatchGuard Fireware OS that can be exploited remotely and without authentication via exposed IKEv2 VPN services. When Mobile User VPN or Branch Office VPN with IKEv2 is configured using a dynamic gateway peer, specially crafted network traffic can trigger improper memory handling, allowing attackers to execute arbitrary code on affected Firebox devices. The vulnerability impacts multiple Fireware OS branches, including 11.10.2–11.12.4_Update1, 12.0–12.11.5, and 2025.1–2025.1.3, putting VPN gateways at risk of full compromise.   WatchGuard has released patches, Indicators of Attack, and mitigation guidance. CISA has ordered federal agencies to remediate the flaw by December 26, 2025. Organizations are strongly urged to apply updates immediately, rotate secrets after patching, and restrict exposure if fixes cannot be deployed at once.

3. New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards

Certain motherboard models from ASRock, ASUS, GIGABYTE, and MSI are affected by a firmware vulnerability that exposes systems to early-boot DMA attacks despite UEFI and IOMMU protections being enabled. Discovered by Nick Peterson and Mohamed Al-Sharifi of Riot Games, the flaw stems from firmware incorrectly reporting that DMA protection is active while failing to initialize the IOMMU during early boot.

This gap allows a malicious PCIe DMA-capable device with physical access to read or modify system memory before the operating system and its security controls load, potentially enabling pre-boot code injection and undermining system integrity. CERT/CC warns attackers could access sensitive data or alter the system’s initial state.

The issue affects multiple Intel and AMD chipset families and is tracked under CVE-2025-14304, CVE-2025-11901, CVE-2025-14302, and CVE-2025-14303, each with a CVSS score of 7.0. Vendors are releasing firmware updates to fix IOMMU initialization. Users are strongly advised to apply patches promptly, especially in environments where physical access cannot be fully controlled.

4. Exploited SonicWall Zero-Day Patched (CVE-2025-40602)

SonicWall has released a hotfix for a local privilege escalation vulnerability, CVE-2025-40602, affecting Secure Mobile Access (SMA) 1000 appliances and warned that the flaw has been exploited in the wild. The vulnerability was reportedly chained with CVE-2025-23006 to achieve unauthenticated remote code execution with root privileges. CVE-2025-23006, patched in January 2025, is a deserialization of untrusted data flaw in the Appliance and Central Management Consoles that allows unauthenticated attackers to execute OS commands. The newly disclosed CVE-2025-40602 also impacts the Appliance Management Console and, due to missing authorization checks, enables attackers with local access to escalate privileges to root when chained with the earlier bug.

SonicWall credited researchers from Google’s Threat Intelligence Group for reporting the issue, though no indicators of compromise have been shared. Customers are urged to upgrade to 12.4.3-03245 or 12.5.0-02283 and restrict management interface access. Even if earlier patches are applied, deploying the latest updates remains essential to fully mitigate the risk.

12/10/2025-12/17/2025 New React RSC Vulnerabilities, Hackers Exploit GitHub, New PCPcat Exploiting React2Shell Vulnerability And More

1. New React RSC Vulnerabilities Enable DoS and Source Code Exposure

The React team has released fixes for newly discovered flaws in React Server Components (RSC) that could lead to denial-of-service (DoS) attacks or source code exposure. The issues were uncovered by security researchers while probing patches for CVE-2025-55182, a critical RSC vulnerability that has already been exploited in the wild. Two vulnerabilities, CVE-2025-55184 and CVE-2025-67779 (both CVSS 7.5), enable pre-authentication DoS through unsafe deserialization that can trigger infinite loops and hang server processes. A third issue, CVE-2025-55183 (CVSS 5.3), may allow attackers to retrieve Server Function source code via crafted HTTP requests under specific conditions. The flaws affect multiple 19.x versions of react-server-dom packages. Researchers RyotaK, Shinsaku Nomura, and Andrew MacPherson reported the issues. Users are strongly advised to upgrade to versions 19.0.3, 19.1.4, or 19.2.3 to mitigate risk.

2. Hackers Exploit GitHub with Fake Repos to Spread PyStoreRAT Malware

Hackers are abusing GitHub by creating fake repositories that impersonate OSINT, GPT, and DeFi tools to distribute PyStoreRAT, a modular remote access trojan designed for data theft and system control. Active since mid-2025, the campaign primarily targets cybersecurity professionals, developers, and cryptocurrency users who trust open-source platforms for tooling. The attackers publish seemingly legitimate Python or JavaScript projects, often promoted on X and YouTube, and artificially inflate stars and forks to build credibility. After users run the code, hidden loaders fetch HTA files from remote servers, ultimately installing PyStoreRAT. In many cases, malicious code is injected later through “maintenance” commits, allowing repositories to appear benign for weeks or months.

Once deployed, PyStoreRAT enables credential and wallet theft, keylogging, and remote command execution while using obfuscation and encrypted communications to evade detection. Researchers warn this campaign highlights growing supply-chain risks on GitHub and recommend strict repository verification, behavioral monitoring, and isolated testing environments as key defenses.

3. FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE

 Multiple critical vulnerabilities have been disclosed in the FreePBX platform, including a severe authentication bypass flaw.

Discovered by Horizon3.ai, the three primary flaws are:

• CVE-2025-61675 (8.6): Authenticated SQL injections across four endpoints.
• CVE-2025-61678 (8.6): An authenticated file upload flaw allowing PHP web shell deployment.
• CVE-2025-66039 (9.3): An authentication bypass when “Authorization Type” is set to “webserver,” enabling attackers to log into the admin panel with a forged header and insert malicious users.

These easily exploitable issues permit remote code execution. Updates have been released: CVE-2025-61675/61678 are fixed in versions 16.0.92/17.0.6, and CVE-2025-66039 in 16.0.44/17.0.23.

As mitigation, FreePBX advises setting “Authorization Type” to “usermanager” and disabling “Override Readonly Settings.” The “webserver” auth type is now considered legacy and offers reduced security; its configuration option has been removed from the UI. Users should analyze systems where it was enabled for signs of compromise.

4. New PCPcat Exploiting React2Shell Vulnerability to compromise 59,000+ Servers

A new malware campaign dubbed PCPcat has compromised more than 59,000 servers in under 48 hours by exploiting critical vulnerabilities in Next.js and React environments. The attacks abuse two flaws—CVE-2025-29927 and CVE-2025-66478—that enable unauthenticated remote code execution through prototype pollution and command injection.

PCPcat scans public-facing Next.js applications at scale, testing around 2,000 targets per batch every 30–60 minutes, and has achieved an unusually high success rate of 64.6%. Once a vulnerable server is identified, the malware extracts environment files, cloud credentials, SSH keys, and command histories, exfiltrating the data via simple HTTP requests. The operation is coordinated through a command-and-control server in Singapore using three ports: 666 for payload delivery, 888 for reverse tunnels, and 5656 for core management. To maintain persistence, PCPcat installs proxy and tunneling tools, allowing attackers to retain access even after patches are applied.

5. Fortinet Firewalls Under Active Attack

Threat actors are actively exploiting two critical authentication bypass flaws in Fortinet FortiGate devices, tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS 9.8), which affect FortiOS and other products. These vulnerabilities allow attackers to bypass single sign-on protections using crafted SAML messages when FortiCloud SSO is enabled. This feature is enabled by default during FortiCare registration, leaving many organizations unknowingly exposed. In observed attacks, malicious SSO logins from specific hosting providers have been used to gain administrative access, export full device configurations, and steal hashed credentials. Although these hashes require cracking, weak or reused passwords remain vulnerable. CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by December 23rd, 2025. To mitigate risk, organizations should immediately apply updates, change all passwords, and restrict management interface access to trusted internal networks only.

12/03/2025-12/10/2025 Critical RSC Bugs in React and Next.js; Malicious VS Code, Go, npm, and Rust Packages; Critical Apache Tika Vulnerability And More

1. Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

A critical vulnerability, CVE-2025-55182 (React2shell, CVSS 10.0), enables unauthenticated remote code execution in React Server Components. The flaw stems from unsafe deserialization of React Flight protocol payloads. An attacker can send a crafted HTTP request to any Server Function endpoint, achieving arbitrary JavaScript execution on the server with the Node.js process privileges. It impacts React versions 19.0-19.2.0 in packages like react-server-dom-webpack. Patched versions are 19.0.1, 19.1.2, and 19.2.1. The vulnerability also affects Next.js (App Router) and other RSC-bundling libraries. No special setup is required; standard deployments are immediately exploitable. Researchers warn over 968,000 servers may be exposed. Until patching, recommendations include deploying WAF rules (provided by Cloudflare, AWS, etc.), monitoring traffic, and restricting network access. Immediate patching is crucial due to the flaw’s severity and broad reach.

2. China-Nexus Hackers Actively Exploiting React2Shell Vulnerability in the Wild

China-nexus threat groups began exploiting the new React2Shell vulnerability (CVE-2025-55182) only hours after it was publicly disclosed. Activity tied to groups like Earth Lamia and Jackpot Panda shows active testing of proof-of-concept exploits, including commands like whoami, id, and writing files to /tmp. A typical attack uses a crafted POST request to the /_rsc endpoint to abuse unsafe deserialization and trigger server-side JavaScript execution. Teams are urged to monitor for suspicious headers and unexpected Node.js child processes.

3. Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data

Cybersecurity researchers have found two malicious Microsoft Visual Studio Code (VS Code) extensions that infect developer machines with stealer malware. The extensions pretend to be a premium dark theme and an AI coding assistant but secretly download extra payloads, take screenshots, and steal data such as WiFi passwords, clipboard content, and browser sessions. The stolen information is sent to an attacker-controlled server. The extensions BigBlack.bitcoin-black and BigBlack.codo-ai were removed by Microsoft in early December 2025, along with a third related package, BigBlack.mrbigblacktheme. One extension activated on every VS Code action, while the AI tool hid its malicious functions inside a working feature.
Earlier versions downloaded a password-protected ZIP file via PowerShell, while later ones used a batch script with curl to fetch the malware. The main payload used DLL hijacking to collect system info and browser cookies. The case highlights ongoing threats, as similar malicious packages have also been found in the Go, npm, and Rust ecosystems.

4. Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

A critical security flaw in the Sneeit Framework WordPress plugin is being actively exploited. The remote code execution bug, CVE-2025-6389 (CVSS 9.8), affects all versions up to 8.3 and was patched in version 8.4. With more than 1,700 active installations, the flaw allows unauthenticated attackers to execute arbitrary PHP functions and create malicious admin accounts, enabling full site takeover.

Exploitation began on November 24, 2025, the day the issue was disclosed. Wordfence has blocked more than 131,000 attack attempts, including over 15,000 in the past 24 hours. Attackers have used crafted requests to create rogue users and upload backdoor PHP files such as “tijtewmg.php,” “xL.php,” and “simple.php.” Some attacks also download an .htaccess file from an external server to enable script execution.

In a related development, VulnCheck reported new attacks exploiting a flaw in ICTBroadcast (CVE-2025-2611) to deploy the Frost DDoS botnet, which spreads selectively and targets vulnerable systems.

5. Critical Apache Tika Vulnerability Leads to XXE Injection

A critical vulnerability in the Apache Tika analysis toolkit could let attackers perform XML External Entity (XXE) injection attacks. Apache Tika is widely used as a universal parser for extracting data from many file types, making the flaw especially dangerous.

The issue, CVE-2025-66516 (CVSS 10), affects the tika-core, tika-pdf-module, and tika-parsers components. Attackers can exploit it using crafted XFA files hidden inside PDFs on any platform. Successful XXE attacks can lead to data leaks, SSRF, DoS, or even remote code execution.

The bug expands on a previous issue, CVE-2025-54988, disclosed in August, which required updates to both tika-core and the PDF parser. The new vulnerability fixes gaps left in older 1.x and 3.x releases. Patches are available in tika-core 3.2.2, tika-parser-pdf-module 3.2.2, and tika-parsers 2.0.0. Users and developers are urged to update immediately, as the affected modules are widely used as dependencies.

6. AI Coding Tools Such as Copilot and Amazon Q Exposed to Over 30 Security Flaws

AI coding assistants like GitHub Copilot and Amazon Q are introducing serious security risks. Recent research has uncovered over 30 critical vulnerabilities across these tools, enabling threats such as data theft and remote code execution. These flaws often exist within IDE extensions, which operate with high privileges to access files and networks. Attackers can exploit weaknesses like command injection to siphon confidential information or run malicious commands without user detection. The opaque, non-deterministic nature of AI models makes them susceptible to adversarial prompts that generate insecure code.

The consequences are real, with documented incidents of data leaks and authentication bypasses in financial technology firms. These vulnerabilities can propagate flawed code into production systems at scale. Furthermore, the AI software supply chain is a growing concern, as attackers use generative AI to create malicious packages on public repositories.

Experts recommend sandboxing AI tools, routinely auditing AI-generated code, employing automated vulnerability scanners, and training developers on secure prompt engineering to mitigate these evolving threats.