Vulnerability Review – December 2025

This is a recap of the most critical vulnerabilities disclosed between 01 December and 31 December 2025 that most likely impact software utilized by managed service providers (MSPs).

While not all MSPs use the software discussed here, the software has been labeled as priority software by Blackpoint’s Adversary Pursuit Group (APG) due to the overall number of MSPs (and other organizations) that use it.

Key Findings

  • There were more than 5,500 vulnerabilities disclosed between 01 December and 31 December 2025, with more than 2,300 being scored with a high or critical Common Vulnerability Scoring System (CVSS) rating.
  • Several have been actively exploited, and 20 have been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) Catalog, indicating reliable reports of active exploitation.
  • Blackpoint’s APG assesses with high confidence that threat actors will continue to leverage known and unknown vulnerabilities in ubiquitous software and services over the next 12 months.

Vulnerabilities

As we wrap up the year, December delivered several critical vulnerabilities and active exploitation campaigns across popular platforms. Below is what you need to know.

Network Edge Devices

Network edge devices – firewalls, routers, VPN gateways, etc. – are the critical gatekeepers between internal networks and the internet. These devices manage and filter traffic, enforce security policies, and often provide remote access capabilities, making them high-value targets for threat actors. Because edge devices often operate with elevated privileges and are typically exposed to the internet, they are frequently targeted via vulnerabilities, exposed devices, or misconfigurations.

WatchGuard Firebox – CVE-2025-14733

WatchGuard disclosed a critical remote code execution (RCE) vulnerability in Fireware OS versions 11.x and later caused by an out-of-bounds write weakness that allows unauthenticated attackers to execute code remotely. Firebox firewalls are vulnerable if configured to use IKEv2 VPN, and even after removing the vulnerable settings, residual risk persists if a branch office VPN remains configured.

To mitigate this threat, apply the latest patches immediately and audit VPN configurations for lingering exposure.

This vulnerability was added to the U.S. CISA KEV Catalog on December 19, 2025.

SonicWall SMA1000 – CVE-2025-40602

SonicWall patched a local privilege escalation vulnerability in SMA1000 Appliance Management Console (AMC). While this issue does not impact firewall products or SSL VPN, it was actively exploited as a zero-day in December, often chained with CVE-2025-23006 for remote command execution. SonicWall confirmed exploitation in the wild. To mitigate this threat, apply the latest SonicWall updates and review privilege escalation detection measures.

  • CVE-2025-23006 is a critical vulnerability in SonicWall SMA1000 management consoles that allows attackers to run arbitrary OS commands before authentication.

This vulnerability was added to the U.S. CISA KEV Catalog on December 17, 2025.

Fortinet Multiple Vulnerabilities

Fortinet disclosed two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager related to improper cryptographic signature verification, which could allow attackers to abuse SAML messages for unauthorized access. Although there are no reports of active exploitation at this time, Fortinet vulnerabilities are frequently targeted.

  • CVE-2025-59718 is an improper verification of cryptographic signature vulnerability impacting FortiOS, FortiProxy, and FortiSwitchManager.
  • CVE-2025-59719 is an improper verification of cryptographic signature vulnerability impacting FortiWeb.

To reduce risk, apply Fortinet security updates promptly and disable FortiCloud SSO login if it is not required.

CVE-2025-59718 was added to the U.S. CISA KEV Catalog on December 16, 2025.

Cisco AsyncOS – CVE-2025-20393

Cisco confirmed active exploitation of a zero-day remote code execution (RCE) vulnerability in AsyncOS-based appliances, including Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM). This flaw allows remote, unauthenticated attackers to execute arbitrary commands as root.

Threat actors have deployed persistent backdoors, encrypted tunnels, and log tampering tools, with Cisco attributing the attacks to UAT-9686, a China-based group.

To mitigate risk, apply Cisco’s recommended mitigations immediately and monitor for indicators of compromise (IoCs) provided in Cisco advisories.

The vulnerability was added to the U.S. CISA KEV Catalog on December 17, 2025.

File Sharing

File sharing software enables organizations to store files on a server and transfer them to a computer, another user, or another server. This type of software is frequently used by MSPs to enable secure remote access, collaboration, and data mobility across client environments. Threat actors often target this type of software because it allows widespread access to sensitive information; can provide an opportunity to elevate privileges, gather credentials, and move laterally; and can be used to exfiltrate data that is then sold or used for extortion.

Gladinet CentreStack Exploitation

On December 4, Blackpoint’s SOC observed multiple alerts indicating likely exploitation of CentreStack servers, with investigations revealing anomalous subprocess chains and unusual HTTP requests from external IPs using nonstandard user agents—behavior highly abnormal for legitimate web applications.

Gladinet confirmed a vulnerability and recommended updating CentreStack to version 16.11.10417.56762, released November 29, 2025.

  • CVE-2025-14611 is a hardcoded cryptographic key vulnerability.

Active exploitation was confirmed, and Blackpoint isolated impacted servers to prevent further malicious activity.

To mitigate risk, update CentreStack immediately to the latest version, rotate machine keys, and monitor for suspicious activity.
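The two behaviors the SOC observed above, anomalous subprocess chains on the server and HTTP requests from external IPs carrying nonstandard user agents, are signals a defender can screen for in their own telemetry as part of the "monitor for suspicious activity" step. The following is an added example and not Blackpoint's detection logic or Gladinet's code. It assumes a Windows/IIS host whose web worker process is w3wp.exe (an assumption; CentreStack's actual process layout is not stated above), combined-format access logs, and constructed sample log lines and process events embedded inline.

```python
"""Screen web-server access logs and process-creation events for the two
behaviours described in the CentreStack write-up (added example, constructed data)."""
import ipaddress
import re

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Legitimate interactive use of a file-sharing portal comes from browsers, whose
# user agents start with the "Mozilla/x.y (" product token. Anything else from an
# external address (scripting libraries, curl, an empty "-" field) is worth review.
BROWSER_UA_RE = re.compile(r"^Mozilla/\d\.\d \(")

# RFC 1918 plus loopback and link-local; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Assumption: IIS worker process. A web worker spawning a shell or LOLBin is the
# "anomalous subprocess chain" pattern; compilers such as csc.exe are normal for ASP.NET.
WEB_WORKERS = {"w3wp.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                       "certutil.exe", "rundll32.exe", "mshta.exe"}


def is_external(ip_text):
    """True when the source address is outside the internal ranges above."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable field; handle malformed lines separately
    return not any(ip in net for net in INTERNAL_NETS)


def flag_requests(lines):
    """Return (ip, request, user_agent) for external requests with a non-browser UA."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        if is_external(m["ip"]) and not BROWSER_UA_RE.match(m["ua"]):
            hits.append((m["ip"], m["req"], m["ua"]))
    return hits


def flag_process_chains(events):
    """events: iterable of (parent_image, child_image, command_line) tuples."""
    hits = []
    for parent, child, cmdline in events:
        if parent.lower() in WEB_WORKERS and child.lower() in SUSPICIOUS_CHILDREN:
            hits.append((parent, child, cmdline))
    return hits


# Constructed sample data (not real telemetry). 203.0.113.x / 198.51.100.x are
# documentation ranges standing in for internet addresses.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Dec/2025:09:12:01 +0000] "GET /portal/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0"',
    '203.0.113.20 - - [04/Dec/2025:09:14:33 +0000] "POST /portal/ HTTP/1.1" 200 312 "-" '
    '"python-requests/2.31.0"',
    '198.51.100.7 - - [04/Dec/2025:09:15:02 +0000] "GET /portal/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"',
    '198.51.100.9 - - [04/Dec/2025:09:16:45 +0000] "POST /portal/ HTTP/1.1" 500 0 "-" "-"',
]
SAMPLE_EVENTS = [
    ("w3wp.exe", "csc.exe", "csc.exe /noconfig /fullpaths ..."),   # normal ASP.NET compile
    ("w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),                  # shell from web worker
    ("explorer.exe", "powershell.exe", "powershell.exe -NoProfile"),  # user session, not web
    ("w3wp.exe", "powershell.exe", "powershell.exe -NoProfile"),   # shell from web worker
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
    for hit in flag_process_chains(SAMPLE_EVENTS):
        print("suspicious process chain:", hit)
```

Both checks are deliberately coarse: the user-agent rule will flag legitimate API clients and sync agents, so tune the allow pattern to what your CentreStack deployment actually serves, and treat a hit on both checks from the same time window as the higher-priority event.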

The vulnerability was added to the U.S. CISA KEV Catalog on December 15, 2025.

Web Application / Development Framework

Web applications and development frameworks are considered critical business applications because they underpin how organizations deliver products, services, and capabilities. Frameworks and server-side web platforms form the foundation of customer-facing applications, internal business systems, and operational workflows. A successful compromise, misconfiguration, or disruption of these technologies can directly impact availability, data integrity, and customer trust at scale.

React & Next.js – React2Shell

Two critical vulnerabilities affecting React Server Components and Next.js frameworks allow pre-authentication remote code execution, which could lead to full server compromise. These vulnerabilities have been exploited to deploy downloaders, backdoors, and cryptocurrency miners by multiple threat actors.

To mitigate risk, upgrade React and Next.js to patched versions and verify whether your applications are exposed to React Server Components.

  • CVE-2025-55182 is a critical pre-authentication remote code execution vulnerability in React Server Components caused by unsafe deserialization of HTTP payloads, allowing attackers to execute arbitrary code.
  • CVE-2025-66478 is a severe remote code execution vulnerability in React and Next.js frameworks that enables network-accessible code injection through server DOM packages, potentially leading to full server compromise.

Both vulnerabilities were added to the U.S. CISA KEV Catalog on December 5, 2025.

Blackpoint’s APG Analysis

Blackpoint’s SOC consistently monitors and actions lateral movement and remote execution within our customers’ environments. Additionally, Blackpoint has detections in place to identify the behaviors associated with the vulnerabilities detailed within this blog.

Blackpoint’s APG assesses with high confidence that threat actors will continue to target, or begin targeting, these vulnerabilities over the next 12 months to deploy malware, steal sensitive information, and gain unauthorized access to organizations. It is likely that these vulnerabilities will be targeted by multiple types of threat actors, including both nation-state and financially motivated groups, during that period.


Date published: January 9, 2026
Author: Blackpoint Adversary Pursuit Group