December 2025 CVE Analysis: Critical Vulnerabilities Surge 120% as React2Shell Emerges as Dominant Exploit Vector

December 2025 saw a sharp 120% spike in critical vulnerabilities requiring urgent action. Recorded Future's Insikt Group® flagged 22 vulnerabilities demanding immediate remediation—more than double November's count of 10. The month was defined by mass exploitation of a flaw in Meta's React Server Components.

What security teams need to know:

• React2Shell chaos: CVE-2025-55182 sparked a global exploitation wave, with multiple threat actors deploying varied malware families
• China-nexus activity surges: Earth Lamia, Jackpot Panda, and UAT-9686 exploited critical flaws for espionage campaigns
• Public exploits spread fast: Eleven of the 22 vulnerabilities have proof-of-concept code circulating, shrinking exploitation windows
• Old vulnerabilities return: CISA added flaws from 2018-2022 to its Known Exploited Vulnerabilities catalog, exposing ongoing patch failures

Bottom line: December's surge reflects both fresh zero-days and renewed targeting of legacy flaws. React2Shell alone shows how rapidly modern web frameworks can become global attack surfaces.

Quick Reference Table

All 22 vulnerabilities below were actively exploited in December 2025.

Table 1: List of vulnerabilities actively exploited in December based on Recorded Future data (Source: Recorded Future)

Key Trends in December 2025

Affected Vendors

• Fortinet faced two critical authentication bypass flaws
• Google dealt with three vulnerabilities across Android (2) and Chromium (1)
• Microsoft patched a Windows kernel use-after-free vulnerability
• Meta suffered the month's most damaging vulnerability with React2Shell
• Other affected vendors: Array Networks, Gogs, Gladinet, ASUS, Cisco, Apple, SonicWall, WatchGuard, MongoDB, Digiever, Sierra Wireless, OSGeo, RARLAB, D-Link, and OpenPLC

Most Common Weakness Types

• CWE-22 – Path Traversal
• CWE-347 – Improper Verification of Cryptographic Signature
• CWE-416 – Use After Free
• CWE-434 – Unrestricted Upload of File with Dangerous Type
• CWE-787 – Out-of-bounds Write

Threat Actor Activity

React2Shell exploitation dominated December's activity:

• Threat actors observed exploiting this vulnerability:
  • China-nexus actors Earth Lamia and Jackpot Panda
  • China-linked clusters UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595
  • North Korea-linked and financially motivated groups
• Observed payloads included EtherRAT, PeerBlight, CowTunnel, ZinFoq, Kaiji variants, Zndoor, RondoDox, MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, ANGRYREBEL.LINUX, and Weaxor ransomware (using a Cobalt Strike stager)
• Infrastructure connections to HiddenOrbit relay infrastructure and GobRAT relay component

Additional activity:

• UAT-9686 exploited Cisco Secure Email Gateway (CVE-2025-20393), deploying AquaShell, AquaPurge, and AquaTunnel
• Unknown actors leveraged Gogs vulnerability (CVE-2025-8110) for Supershell malware deployment

Priority Alert: Active Exploitation

These vulnerabilities require immediate attention due to confirmed widespread exploitation.

CVE-2025-55182 | Meta React Server Components (React2Shell)

Risk Score: 99 (Very Critical) | CISA KEV: Added December 5, 2025

Why this matters: Unauthenticated remote code execution affects React and Next.js, two of the world's most widely deployed web frameworks. Multiple threat actors are actively exploiting vulnerable instances with diverse malware payloads.

Affected versions:

• React packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)
• Next.js: 15.x, 16.x, and Canary builds from 14.3.0-canary.77
• Also affects: React Router, Waku, RedwoodSDK, Parcel, Vite RSC plugin

Immediate actions:

• Upgrade React to 19.0.3, 19.1.4, or 19.2.3 immediately
• Update Next.js to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5
• Monitor for unusual multipart/form-data POST requests targeting Next.js Server Actions or RSC endpoints
• Check logs for E{"digest" error patterns indicating exploitation attempts
• Review server processes for unexpected Node.js child processes

Exposure: Approximately 310,500 Next.js instances visible on Shodan (concentrated in US, India, Germany, Japan, Australia)

Figure 1: Vulnerability Intelligence Card® for CVE-2025-55182 (React2Shell) in Recorded Future (Source: Recorded Future)

CVE-2025-20393 | Cisco Secure Email Gateway

Risk Score: 99 (Very Critical) | Active exploitation by UAT-9686

Why this matters: Chinese threat actors are actively compromising email security infrastructure to establish persistent access and pivot into internal networks.

Affected products: Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS

Immediate actions:

• Apply Cisco's security updates immediately
• Monitor Spam Quarantine web interface access logs
• Check for modifications to /data/web/euq_webui/htdocs/index.py
• Hunt for AquaShell, AquaPurge, and AquaTunnel indicators
• Review outbound connections to suspicious IPs

Known C2 infrastructure: 172.233.67.176, 172.237.29.147, 38.54.56.95 (inactive)