
Daily Security Briefing #098
- DjediTech
- Security, Newsletter
- December 9, 2025
Ivanti XSS patched, Microsoft December fixes 56 flaws including 3 zero-days, North Korea-linked EtherRAT via React2Shell exploit…
Executive Summary
Today's items are dominated by patching and by state-linked activity. Microsoft's final Patch Tuesday of 2025 fixes 56 vulnerabilities, including three zero-days, one of them under active exploitation, and Ivanti has shipped a fix for a critical unauthenticated stored XSS flaw in Endpoint Manager. On the threat side, North Korea-linked actors are exploiting the recently disclosed React2Shell vulnerability in React Server Components to deploy EtherRAT, a new remote access trojan. Rounding out the day: a growing malware-as-a-service operation behind CastleLoader, a large finance-themed phishing wave, SEO-poisoned fake Microsoft Teams installers, and GOLD BLADE's move from espionage into ransomware.
Top Articles
CVE-2025-10573: Ivanti EPM Unauthenticated Stored Cross-Site Scripting (Fixed)
Ivanti has patched a stored cross-site scripting vulnerability in Endpoint Manager (EPM) 2024 SU4 and earlier. Tracked as CVE-2025-10573 and rated CVSS 9.6 (critical), the flaw lets an unauthenticated attacker register fake managed endpoints whose stored data carries attacker-controlled script; because the XSS is stored, that script runs in the browser of an administrator who later views the poisoned records in the EPM console. The fix shipped in EPM 2024 SU4 SR1 on December 9, 2025. Beyond patching, administrators should review the device inventory for endpoint records they do not recognize, since successful exploitation creates them.
Rapid7
Microsoft December 2025 Patch Tuesday Fixes 56 Vulnerabilities Including 3 Zero-days
Microsoft's final Patch Tuesday of 2025 fixes 56 vulnerabilities across its products, including three zero-days: one actively exploited in the wild and two publicly disclosed before a fix was available. Two of the 56 are rated critical; the rest are rated important. Given the in-the-wild exploitation, prioritize the actively exploited flaw and the two critical fixes in this month's deployment.
GBHackers
North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware
Threat actors linked to North Korea have been observed exploiting React2Shell (CVE-2025-55182), the recently disclosed remote code execution flaw in React Server Components, to deploy EtherRAT, a previously undocumented remote access trojan. EtherRAT retrieves its command-and-control configuration from Ethereum smart contracts, which makes the C2 channel difficult to take down or block by domain, and establishes persistence on Linux hosts through several mechanisms. The campaign is notable for targeting a server-side web framework rather than end-user devices, so internet-exposed React Server Components deployments should be treated as in scope for this actor.
TheHackerNews
40,000 Phishing Emails Masquerading as SharePoint and E-signing Services Target Finance Sector
Check Point researchers have tracked roughly 40,000 phishing emails that impersonate SharePoint file-share notifications and e-signature requests to trick recipients into entering credentials or other sensitive information. The lure works because document sharing and e-signing are routine in banking, real estate and insurance workflows, so a "document awaiting your signature" message draws little suspicion. Defenders should tighten checks on lookalike sender domains and on links that lead to sign-in pages outside the organization's own SharePoint tenant.
Check Point
Zoom Rooms on Windows and macOS Vulnerable to Privilege Escalation and Data Leakage
Zoom has patched two vulnerabilities in Zoom Rooms for Windows and macOS that allow privilege escalation and exposure of data to an unauthorized party. The Windows issue, tracked as CVE-2025-67460, is rated high severity. Organizations running Zoom Rooms should update promptly; these are shared-space systems that are often patched on a slower cycle than user endpoints, so confirm that the update has actually been applied.
GBHackers
Malicious Actors Use SEO Poisoning to Spread Fake Microsoft Teams Installers
Silver Fox (also tracked as Void Arachne), a China-linked APT group, is using SEO poisoning to push counterfeit Microsoft Teams installers at Chinese-speaking victims: poisoned search results lead to lookalike download pages serving trojanized installers. The attackers mix Cyrillic characters into filenames and UI strings to muddy attribution and slow investigation. Mitigation is procedural: obtain Teams only from Microsoft's official distribution channels, verify the installer's publisher signature before running it, and treat search-engine results and ads for software downloads as untrusted.
CyberPress
GOLD BLADE Threat Group Deploys Custom QWCrypt Locker for Data Theft and Ransomware
GOLD BLADE, a group previously associated with espionage-style intrusions, has shifted to hybrid operations that combine data exfiltration and credential harvesting with ransomware deployment using its proprietary QWCrypt locker. Researchers observed nearly 40 intrusions between February 2024 and August 2025, roughly 80% of which ended with QWCrypt deployed selectively against chosen systems rather than across the whole victim network.
CyberPress
Four Threat Clusters Employ CastleLoader as GrayBravo Malware Service Grows
Recorded Future's Insikt Group has identified four distinct threat clusters using CastleLoader and confirmed that the loader is sold as a malware-as-a-service offering run by a group it tracks as GrayBravo. GrayBravo has been expanding its delivery infrastructure, letting multiple customers drop different payloads through the same loader, another sign that initial-access tooling is becoming a commodity.
TheHackerNews
Windows PowerShell Adds Warnings for Invoke-WebRequest Script Execution
Microsoft has added a warning to Windows PowerShell for commands that use Invoke-WebRequest to fetch and run script content from the web. The aim is to make users pause before executing code pulled straight from a remote URL, the PowerShell equivalent of the "curl | sh" pattern, which attackers routinely use to stage malware because the victim never sees the code before it runs.
BleepingComputer
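As an added illustration (not from the BleepingComputer article, and not code the article shows), here is the download-and-execute one-liner that this kind of warning is aimed at, beside a safer equivalent that downloads to disk, verifies a pinned SHA-256 hash and checks the Authenticode signature before running anything. The URL, hash and file name are placeholders; whether Microsoft's warning triggers on exactly this pipe-to-Invoke-Expression shape is an assumption on my part, not something the summary states.

```powershell
# Added example, not from the article. URL and hash are placeholders.
$ErrorActionPreference = 'Stop'

# Risky pattern (left commented out so this file is safe to run): whatever the
# server returns, or whatever anyone who can tamper with the response injects,
# is executed immediately with the caller's privileges.
#   Invoke-WebRequest -Uri 'https://example.invalid/setup.ps1' | Invoke-Expression

# Safer pattern: fetch to disk, compare against a hash published out-of-band,
# require a valid code signature, and only then execute from the file.
$Url          = 'https://example.invalid/setup.ps1'   # placeholder URL
$ExpectedHash = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder, obtain from the vendor
$Path         = Join-Path $env:TEMP 'setup.ps1'

Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing

# Get-FileHash returns uppercase hex; PowerShell's -ne is case-insensitive for strings.
$Actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($Actual -ne $ExpectedHash) {
    Remove-Item -Path $Path -Force
    throw "Hash mismatch for $Url : got $Actual, expected $ExpectedHash"
}

# Refuse unsigned or tampered scripts even when the hash matches a pinned value.
$Sig = Get-AuthenticodeSignature -FilePath $Path
if ($Sig.Status -ne 'Valid') {
    Remove-Item -Path $Path -Force
    throw "Script signature not valid: $($Sig.Status)"
}

Write-Host "Verified $Path (hash and signature OK); executing."
& $Path
```

The hash check defends against a swapped or tampered download; the signature check adds publisher identity, so both are worth keeping. Executing from a file rather than a pipe also leaves an artifact for review and for endpoint logging, which the one-liner does not.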
Maintaining Enterprise IT Hygiene Using Wazuh SIEM/XDR
Wazuh, an open-source SIEM/XDR platform, supports IT hygiene by continuously collecting inventory from monitored endpoints and flagging risks such as dormant accounts, outdated software, and unsafe browser extensions. Keeping that inventory current shrinks the set of unknown or forgotten assets an attacker can exploit and speeds up incident response, since responders start from an accurate picture of what is running where.
BleepingComputer
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.