Risks of OOB Access via IP KVM Devices
Recently, cheap IP KVMs have become popular. But their deployment needs to be secured.
https://isc.sans.edu/diary/Risks%20of%20OOB%20Access%20via%20IP%20KVM%20Devices/32598
Tailsnitch
Tailsnitch is a tool to review your Tailscale configuration for vulnerabilities
https://github.com/Adversis/tailsnitch
Net-SNMP snmptrapd vulnerability
A new vulnerability in snmptrapd may lead to remote code execution
https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq

Cryptocurrency Scam Emails and Web Pages As We Enter 2026
Scam emails are directing victims to confidence scams attempting to steal cryptocurrencies.
https://isc.sans.edu/diary/Cryptocurrency%20Scam%20Emails%20and%20Web%20Pages%20As%20We%20Enter%202026/32594
Debugging DNS response times with tshark
tshark is a powerful tool to debug DNS timing issues.
https://isc.sans.edu/diary/Debugging+DNS+response+times+with+tshark/32592/
Old Fortinet Devices Have not been updated
Over 10,000 Fortinet devices are still vulnerable to a five year old vulnerability
https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewalls-exposed-to-ongoing-2fa-bypass-attacks/

MongoDB Unauthenticated Attacker Sensitive Memory Leak CVE-2025-14847
Over the Christmas holiday, MongoDB patched a sensitive memory leak vulnerability that is now actively being exploited
https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977
https://github.com/mongodb/mongo/commit/505b660a14698bd2b5233bd94da3917b585c5728
https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/
https://github.com/joe-desimone/mongobleed/

DLLs & TLS Callbacks
As a follow-up to last week's diary about DLL Entrypoints, Didier is looking at TLS ( Thread Local Storage ) and how it can be abused.
https://isc.sans.edu/diary/DLLs%20%26%20TLS%20Callbacks/32580
FreeBSD Remote code execution via ND6 Router Advertisements
A critical vulnerability in FreeBSD allows for remote code execution. But an attacker must be on the same network.
https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
NIST Time Server Problems
The atomic ensemble time scale at the NIST Boulder campus has failed due to a prolonged utility power outage. One impact is that the Boulder Internet Time Services no longer have an accurate time reference.
https://tf.nist.gov/tf-cgi/servers.cgi https://groups.google.com/a/list.nist.gov/g/internet-time-service/c/o0dDDcr1a8I

Positive trends related to public IP range from the year 2025
Fewer ICS systems, as well as fewer systems with outdated SSL versions, are exposed to the internet than before. The trend isn t quite clean for ISC, but SSL2 and SSL3 systems have been cut down by about half.
https://isc.sans.edu/diary/Positive%20trends%20related%20to%20public%20IP%20ranges%20from%20the%20year%202025/32584
Hewlett-Packard Enterprise OneView Software, Remote Code Execution
HPs OneView Software allows for unauthenticated code execution
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
Trufflehog Detecting JWTs with Public Keys
Trufflehog added the ability to detect JWT tokens and validate them using public keys.
https://trufflesecurity.com/blog/trufflehog-now-detects-jwts-with-public-key-signatures-and-verifies-them-for-liveness

Maybe a Little Bit More Interesting React2Shell Exploit
Attackers are branching out to attack applications that initial exploits may have missed. The latest wave of attacks is going after less common endpoints and attempting to exploit applications that do not have Next.js exposed.
https://isc.sans.edu/diary/Maybe%20a%20Little%20Bit%20More%20Interesting%20React2Shell%20Exploit/32578
UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
Cisco s Security Email Gateway and Secure Email and Web Manager patch an already-exploited vulnerability.
https://blog.talosintelligence.com/uat-9686/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
SONICWALL SMA1000 APPLIANCE LOCAL PRIVILEGE ESCALATION VULNERABILITY
A local privilege escalation vulnerability, which SonicWall patched today, is already being exploited.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
Google releases vulnerability details
Google updated last week s advisory by adding a CVE to the mystery vulnerability and adding a statement that it affects WebGPU. No new patch was released.
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html

Beyond RC4 for Windows authentication
Microsoft outlined its transition plan to move away from RC4 for authentication and published guidance and tools to facilitate this change.
https://www.microsoft.com/en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication
FortiCloud SSO Login Vuln Exploited
Arctic Wolf observed exploit attempts against vulnerable FortiGate appliances.
https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
FrePBX Vulnerability
Horizon3.ai identified three distinct vulnerabilities in FreePBX. In particular, the authentication by-pass issue should be of concern, but default FreePBX installs do not use the vulnerable web authentication feature.
https://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/

More React2Shell Exploits CVE-2025-55182
Our honeypots continue to detect numerous React2Shell variants. Some using slightly modified exploits
https://isc.sans.edu/diary/More%20React2Shell%20Exploits%20CVE-2025-55182/32572
The Fragile Lock: Novel Bypasses For SAML Authentication
SAML is a tricky protocol to implement correctly, in particular if different XML parsers are used that may not always agree on how to parse a specific message
https://portswigger.net/research/the-fragile-lock
December Updates Causes issues with Microsoft Message Queuing
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22h2#message-queuing--msmq--might-fail-with-the-december-2025-windows-security-update

Abusing DLLs EntryPoint for the Fun
DLLs will not just execute code when some of their functions are called, but also as they are loaded.
https://isc.sans.edu/diary/Abusing%20DLLs%20EntryPoint%20for%20the%20Fun/32562
Apple Patches Everything: December 2025 Edition
Apple released patches for all of its operating systems, fixing two already exploited vulnerabilities.
ClickFix Attacks Still Using the Finger
ClickFix Attacks Still Using the Finger
Two examples of ClickFix attacks abusing the finger protocol to load additional malware
Denial of Service and Source Code Exposure in React Server Components
Denial of Service and Source Code Exposure in React Server Components
After last week's critical patch, three more, but less critical, vulnerabilities were identified in React Server Components.
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

Using AI Gemma 3 Locally with a Single CPU
Installing AI models on modes hardware is possible and can be useful to experiment with these models on premise
https://isc.sans.edu/diary/Using%20AI%20Gemma%203%20Locally%20with%20a%20Single%20CPU%20/32556
Mystery Google Chrome 0-Day Vulnerability
Google released an update for Google Chrome fixing a vulnerability that is already being exploited, but has not CVE number assigned to it yet
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
SOAPwn: Pwning NET Framework Applications Through HTTP Client Proxies And WSDL
Watchtwr identified a common vulnerability in SOAP implementations using .Net
https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/