React2Shell exploitation 🔥, Cisco zero-day attacks 🚨, Android botnet DDoS 📱, Apache RCE flaw 💻, Chinese espionage activity 🕵️

Daily Threat Intel Digest - 2025-12-18

🔴 Critical Threats & Active Exploitation

[UPDATE] React2Shell exploitation intensifies with 180+ public exploits and critical infrastructure targeting
Attackers are exploiting React2Shell (CVE-2025-55182) at unprecedented scale, with over 60 organizations compromised and the number of public exploits hitting an all-time high of 180. Ransomware gangs and at least five Chinese espionage groups are deploying varied post-exploitation tactics, including reverse shells, lateral movement, and data theft. Critical infrastructure operators – including a nuclear fuel authority – have been targeted alongside U.S. government agencies and academic institutions. New research shows that traditional WAFs fail against these exploits, achieving only a 48% detection rate, because the vulnerability is rooted in the JavaScript framework's deserialization logic rather than in a request pattern a WAF can match [VulnCheck via CyberScoop; Microsoft; Cloudflare; Miggo Security via CyberPress]. Organizations should urgently apply patches for CVE-2025-55182 and the newly disclosed related CVEs (CVE-2025-55183, CVE-2025-67779) while hunting for signs of compromise, such as Weaxor ransomware deployment.

[NEW] Cisco AsyncOS zero-day exploited by Chinese APT for system-level command execution
A critical zero-day vulnerability in Cisco AsyncOS Software is being actively exploited by Chinese-nexus threat actor UAT-9686 to execute system-level commands and deploy backdoors on email security appliances. The multi-stage attack framework includes custom Python backdoors (AquaShell), reverse SSH tunneling (AquaTunnel), and log sanitization tools (AquaPurge) to erase forensic evidence. Affected products include Cisco Secure Email Gateway and Secure Email and Web Manager. Talos observed overlaps with APT41 and UNC5174 TTPs, with ongoing campaigns since late November. Organizations should immediately review Cisco advisories for IoCs and restrict management interface access [Cisco Talos via CyberPress].

[NEW] SonicWall SMA1000 zero-day chained in privilege escalation attacks
Attackers are actively exploiting a local privilege escalation flaw (CVE-2025-40602, CVSS 6.6) in SonicWall SMA1000 appliances by chaining it with a previously patched critical vulnerability (CVE-2025-23006, CVSS 9.8). The combination allows unauthenticated attackers to gain complete system control after initial access. Vulnerable versions include 12.4.3-03093 and earlier, and 12.5.0-02002 and earlier. SonicWall has released patches (12.4.3-03245+, 12.5.0-02283+) and urges immediate upgrades. Temporary mitigations include restricting SSH access to trusted IPs and disabling public AMC exposure [SonicWall Advisory via CyberPress].

🎯 Threat Actor Activity & Campaigns

[NEW] China-linked Ink Dragon compromises European governments via multi-regional relay network
Chinese espionage group Ink Dragon has expanded operations into European government networks by compromising servers across Asia and South America to create a distributed relay infrastructure. The group exploits misconfigured Microsoft IIS/SharePoint servers, harvests credentials via RDP hijacking, and deploys an updated FinalDraft backdoor that hides C2 traffic in Microsoft cloud service drafts. Unique tactics include converting victims’ servers into relay nodes using custom IIS modules, obscuring malicious traffic as legitimate web requests. Researchers observed coexistence with unrelated threat actor RudePanda in compromised environments, emphasizing the need for comprehensive network-wide remediation [Check Point Research via CyberPress].

[NEW] Kimwolf botnet infects 1.8M Android devices with 30 Tbps DDoS capability
A massive Android botnet named Kimwolf has compromised 1.8 million devices globally – primarily smart TVs and TV boxes – with the capacity to launch up to 30 Tbps DDoS attacks. Evolved from the Aisuru botnet, it uses DNS-over-TLS for evasion, elliptic curve signature verification for C2 authentication, and blockchain-based EtherHiding to store C2 data in Ethereum Name Service domains. Peak activity showed 2.7 million unique IPs communicating with C2 servers, with Brazil, India, and the U.S. most affected. The malware’s sophisticated stealth features include process masquerading (e.g., “netd_services”) and encrypted command channels [QAX XLab via CyberPress].

[NEW] Industrial-scale fake shopping domain campaign targets holiday shoppers
Cybercriminals have registered 244 fraudulent domains impersonating major retailers (Zalando, IKEA, Lululemon) to exploit holiday shopping surges. The campaign, active since early 2025, uses automated infrastructure deployment across 43 registrars – primarily West263 International and Dynadot – with 79% of malicious domains resolving to Chinese IP addresses. Attackers lure victims through social media ads and Google Shopping, and disguise some sites behind cause-themed fronts such as humanitarian-style pages (e.g., "peaceforsecurity.com"). Researchers have escalated confirmed domains for takedown and blocked associated infrastructure [BforeAI via CyberPress].

⚠️ Vulnerabilities & Patches

[NEW] Critical Apache Commons Text RCE enables arbitrary command execution
A severe vulnerability (CVE-2025-46295, CVSS 9.8) in Apache Commons Text's interpolation feature allows unauthenticated remote code execution when applications process untrusted input. Attackers can inject crafted strings that trigger system commands through interpolators such as "script" or "dns". Apache has released version 1.14.0, which mitigates the issue by removing the dangerous interpolation functionality. FileMaker Server users must upgrade to 22.0.4+ to pick up the patched library. Organizations should audit applications that pass untrusted input directly to text-substitution APIs [CyberPress].

[NEW] Popular Node.js systeminformation flaw enables Windows command injection
A command injection vulnerability (CVE-2025-68154, CVSS 7.5) in the widely used systeminformation Node.js library allows arbitrary command execution on Windows systems. The flaw lies in the fsSize() function, which did not adequately sanitize the "drive" parameter before concatenating it into a PowerShell command. Attackers can inject payloads like "C:; whoami #" to achieve RCE. Developer Sebastian Hildebrandt released patched version 5.27.14 on December 16. Organizations using affected versions should prioritize updates, as the library has millions of downloads and powers enterprise system monitoring tools [CyberPress].