
vFeed Community wishes everyone a Happy New Year 2026!
Welcome to the vFeed December 2025 edition of the Cybersecurity and Vulnerability Newsletter.
TL;DR
December concluded the year as one of the most operationally intense months for security teams and incident responders, not because of an explosion in new CVEs, but because of an unprecedented surge in revisions, exploitability updates, and critical re-classifications. Modified vulnerabilities continued to spike, up 19% month-over-month and 54% year-over-year, overwhelming responders with constantly shifting risk signals. The real challenge was not discovering these vulnerabilities but keeping pace with rapidly evolving exploit intelligence.
Key Highlights from the Month
- Risk churn > CVE volume: New CVEs rose modestly (+17.8%), but nearly 5,000 CVEs were modified, signaling a decisive shift toward reassessing real-world exploitability as attacks matured in the wild.
- Critical risk accelerated: December recorded 414 critical vulnerabilities (CVSS ≥9.0)—up again from November—with 24 perfect 10.0 issues, more than double last month. This reflects deeper systemic weaknesses rather than isolated bugs.
- Exploit-driven prioritization is now mandatory: While only ~1.7% of critical CVEs had EPSS >20%, these represented the highest near-term breach probability, reinforcing that severity alone is no longer enough for prioritization.
- Deserialization is the breakout weakness: CWE-502 surged across high-impact platforms (React Server, NVIDIA Isaac Lab, Mongo, Apache Tika), highlighting a growing class of unsafe data-handling flaws enabling unauthenticated RCE.
- Identity and privilege failures dominated: Elevation-of-privilege, auth bypass, and token replay attacks outpaced all other classes—turning cloud identity, developer tooling, and security appliances themselves into primary entry points.
- Supply-chain and platform risk intensified: Widely used components (React Server Components, Zlib/MongoDB “MongoBleed”, WordPress plugins, FortiGate, Microsoft cloud services) created blast-radius risks across thousands of downstream environments.
- Patch volume hit historic scale: vFeed tracked 27.7M+ vendor patches and 2.5M+ advisories, with nearly 854K affected packages in the last five years—underscoring the unsustainable pace of manual patch triage.
What December Signals Going Into 2026
- Vulnerability landscape has entered a continuous-reclassification era where exploit maturity evolves faster than disclosure cycles.
- Metadata velocity (i.e. CVSS4, EPSS4, KEV, exploit feeds) now drives risk more than raw CVE counts.
- Reactive patching is insufficient — organizations must adopt exploit-aware, identity-centric, and continuously reprioritized defense models.
There appears to be a structural shift in the vulnerability and threat analysis market underway. The winners in 2026 will be teams that treat vulnerabilities as living threats, not static records.
Vulnerability Trends in December
December was one of the most active months of the year for incident responders and security analysts, packed with impactful and exploitable vulnerabilities across software packages, cloud vendors, and hardware platforms. The month closed at high velocity for the security landscape, marked by a significant surge in volatility and risk reassessments and by several critical, exploitable platform vulnerabilities. While new CVE volume remained steady, the primary challenge for responders was the aggressive rate of metadata revisions and exploitability updates.
Vulnerability Trends in December
| CVEs | Oct | Nov | Dec | Month-over-Month Change |
| --- | --- | --- | --- | --- |
| New CVEs | 3,703 | 2,928 | 3,451 | +17.8% |
| Modified CVEs | 4,433 | 4,180 | 4,985 | +19.3% |
We observed the following insights in our vFeed threat intel dataset.
- Increased Revisions and Modifications: December saw a 54% year-over-year increase in modified vulnerabilities compared to December 2024 (4,985 vs. 3,228). This indicates that analysts are increasingly prioritizing the update of risk scores, priorities, and advisories for existing threats over the mere cataloging of new ones.
- Larger volume of CVEs: vFeed correlated 37,544 vulnerabilities throughout 2025. This volume places the year on track to become one of the most prolific in recorded history, highlighting a sustained expansion of the attack surface across cloud, hardware, and software ecosystems.
- Increase in publications: While the volume of new publications was slightly “muted” compared to the October peak, the 19% spike in modifications suggests a month focused on refinement—reclassifying criticalities as new exploit patterns emerged in the wild.
vFeed vendor patches exceeded 27.7M, led by sources such as Ubuntu, SUSE, Debian, Microsoft and Oracle, which together accounted for nearly 78% of the patched advisories issued during the month. vFeed vendor advisories exceeded 2.51M, led by sources including Microsoft, Ubuntu, Red Hat, Gentoo and GitHub. vFeed has consolidated and tracked nearly 854K affected software packages in the last five years alone, a significant count.
vFeed threat intel data feeds continue to adopt the latest NIST NVD 2.0 schema and CISA schemas for correlating and maintaining our threat intel feeds. Our feed database continues to build on CVSS4 and EPSS4 risk-scoring metrics, and so far we have recorded 11,744 risk scores in 2025 alone, the largest count we have seen in any year. Of those, December alone accounted for about 436 new CVSS4 risk scores reported and aggregated. About 32 of those are critical vulnerabilities, of which 2 also have an exploitability probability greater than 20%. A higher EPSS probability indicates that a vulnerability is more likely to be exploited in the wild in the coming months than other, similar vulnerabilities.
Vulnerability Landscape
vFeed has tracked nearly 90K exploits so far, with sources including exploits, GitHub, Metasploit and PacketStorm accounting for a large portion of the identified counts.
The number of critical vulnerabilities identified by vFeed in December, those with a CVSS score of 9.0 or higher, continued to surge to 414, compared to 379 in November and 408 the month before that. Of those, 32 (7.7%) carried CVSS4 scores and the rest CVSS3. About 7 of these critical vulnerabilities (1.7%) have a high probability of being exploited in the next few months, with an EPSS probability of more than 20%.
Among those, 24 critical ones (~6%) had a perfect 10.0 score, observed in several hardware and software drivers and components, more than double last month's count. December also saw several high-impact vulnerabilities disclosed across many product platforms and infrastructure.
Platform Impacts
Elevation-of-privilege and remote code execution techniques were the most prominent categories across patched and actively exploited vulnerabilities, outpacing other classes such as information disclosure and denial of service in both volume and risk impact during the month. Reports also highlighted increased exploitation of authentication bypass and token replay-style attacks, where attackers capture or forge session artifacts to gain higher privileges in cloud and edge services without needing valid credentials. This underscores the need to revisit identity and privilege management infrastructure.
A critical React Server Components issue (often referred to as “React2Shell”, CVE‑2025‑55182) offers unauthenticated remote code execution with a maximum CVSS 10.0 score. Because it targets a popular frontend and server framework and is already being exploited, vulnerable internet‑facing apps can be taken over quickly for web‑shell deployment and supply‑chain style attacks.
Another FortiGate authentication bypass flaw (CVE-2025-59718/59719) allows attackers to bypass login on firewalls/VPN gateways, threatening perimeter security and remote-access environments. Such issues effectively turn security appliances into entry points, enabling lateral movement into internal networks if the devices are exposed to the internet and left unpatched.
A critical, maximum-severity XML External Entity (XXE) vulnerability (CVE-2025-66516) in Apache Tika-core enables attackers to read local files, perform SSRF, cause denial of service, and in some cases reach remote code execution when untrusted documents are parsed. It affects core Tika components including tika-core and the PDF parsing modules across versions roughly 1.13–3.2.1.
A peculiar vulnerability affects NVIDIA Isaac Lab, a robotics simulation framework: CVE-2025-33210 is a deserialization flaw classified as CWE-502 (Deserialization of Untrusted Data), where an attacker could supply crafted serialized input that causes arbitrary code to run in the context of the Isaac Lab process. The flaw sits in the physics simulation components, which deserialize untrusted data and can thereby allow arbitrary code execution on the host system. Successful attacks could execute code with the process's privileges, risking data compromise or system takeover in simulation environments.
In addition, a widespread vulnerability in the Zlib compression library (CVE-2025-14847) was caused by mismatched length fields in compressed protocol headers, allowing any unauthenticated client to read uninitialized heap memory. The vulnerability affects several MongoDB Server versions and is widely known as "MongoBleed". In general, Zlib flaws tend to be significant because the library sits underneath many protocols and file formats, so they need to be patched promptly.
In December, we observed 19 critical WordPress plugin vulnerabilities that enable high-impact site compromise and for which exploit code or active attacks are available in the wild. Some of these include:
1) A critical authentication bypass in the JAY Login & Register plugin for WordPress, affecting versions up to 2.4.01, caused by trusting a specially crafted cookie in the jay_login_register_process_switch_back function. An unauthenticated attacker who knows or can guess a user's ID can log in as that user, including an administrator, leading to full site takeover and account abuse.
2) CVE-2025-14156 in the well-known Fox LMS plugin for WordPress allows unauthenticated or low-privilege users to perform actions they should not, such as modifying course or user-related data, due to missing access checks. Public exploit scripts target this logic to escalate privileges or inject malicious content into LMS pages, which can be used for phishing or malware delivery to students.
3) CVE-2025-13486 in Advanced Custom Fields: Extended is a critical issue that enables remote code execution via unsafe handling of user-controlled input in custom fields or admin-side functionality. Exploits let attackers run arbitrary PHP on the server, giving them the ability to install backdoors, exfiltrate data, and pivot to other systems; upgrading to the fixed 0.9.2+ release is strongly advised.
4) CVE-2025-13390 in WP Directory Kit involves insufficient validation of directory or listing-related parameters, leading to SQL injection or arbitrary option changes depending on the deployment. Exploit kits use crafted HTTP requests to either dump sensitive data (such as user records) or alter the WordPress configuration, which can quickly progress to full compromise.
5) CVE-2025-13342 in the Frontend Admin by DynamiApps plugin arises from broken access control on front-end forms, allowing attackers to call privileged actions (such as updating options or user profiles) from the public-facing side. Available exploits automate sending these front-end requests to create admin users or inject malicious settings, so deactivation or immediate patching plus a user/account review is recommended.
In the vFeed threat dataset, Microsoft accounted for about 29 published vulnerabilities during the month. Microsoft's December 2025 Patch Tuesday closed out the year with a relatively small but high-risk set of fixes, dominated by elevation-of-privilege and remote-code-execution bugs across Windows, Office/Outlook, and cloud-related components.
Specifically, CVE‑2025‑64672 and CVE‑2025‑65041 are both high‑impact Microsoft issues that expose SharePoint users to powerful stored XSS, and Partner Center tenants to privilege escalation over the network. CVE‑2025‑64672 is a stored cross‑site scripting vulnerability in Microsoft Office SharePoint Server caused by improper neutralization of user input during web page generation. A low‑privilege authenticated user can inject malicious JavaScript that runs for other users with no further interaction, enabling session token theft, account hijacking, spoofed UI, and modification or exfiltration of SharePoint data across the affected site. CVE‑2025‑65041 is an improper authorization flaw in Microsoft Partner Center that allows a remote, unauthorized attacker to gain higher‑than‑intended privileges over the network. Successful exploitation would let an attacker act with elevated roles inside Partner Center (for example, managing customer tenants, subscriptions, or resources), so it combines a critical base score with high real‑world risk and should be treated as a priority for patching, access hardening, and log review.
A peculiar one is CVE-2025-64671, a high-severity command-injection and remote-code-execution vulnerability in GitHub Copilot for JetBrains that shows how agentic AI features can expand the attack surface in developer tools. The issue is improper neutralization of special characters in commands, so Copilot's "execute command" functionality can be tricked into running attacker-controlled shell commands on the developer's machine. Exploitation leverages "cross prompt injection": malicious instructions are embedded in files or content retrieved via Model Context Protocol (MCP) servers, which Copilot's agents then incorporate into their own prompts and actions.
Microsoft’s December 2025 Patch Tuesday was the final security release of the year and addressed 50-60 new CVEs across Windows, Office, Exchange and other components according to several vendor analyses, with about 2–3 rated Critical. The majority of flaws were elevation‑of‑privilege and remote‑code‑execution issues, with smaller numbers of information‑disclosure, spoofing and denial‑of‑service bugs. The standout zero‑day was CVE‑2025‑62221, a Windows Cloud Files Mini Filter Driver elevation‑of‑privilege bug that was already being exploited in the wild and affects Windows 10 and later, including systems using OneDrive/Cloud Files integration. Two additional vulnerabilities (for example in PowerShell and GitHub Copilot) were publicly disclosed before patches, increasing their likelihood of exploitation even though they are not yet known to be weaponized at scale.
Top Weaknesses
vFeed identified several top weaknesses that contributed to critical impacts during the month. Of the 414 critical vulnerabilities identified in December, 90 (~21%) were CWE-74 Improper Neutralization (injection) weakness types, followed by 42 (~10%) CWE-119 Improper Restriction of Operations (buffer overflow) and 21 (~5%) CWE-89 SQL Injection weakness types. A newer pattern, CWE-502 Deserialization of Untrusted Data, saw a sudden spike in assignments in December reports. Critical vulnerabilities carrying CWE-502 included an unauthenticated RCE in server-side rendering in React Server (CVE-2025-55182), a React Server Components denial-of-service issue (CVE-2025-67779), the NVIDIA Isaac Lab deserialization vulnerability (CVE-2025-33210), and an SAP jConnect RCE deserialization vulnerability (CVE-2025-42928).
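As an added example that is not part of this newsletter or of vFeed's own tooling, the following Python applies the thresholds used throughout this report (critical = CVSS base 9.0 or higher, likely exploited = EPSS above 20%) and the CWE grouping from this section to a constructed record set, producing the same kind of counts reported above. Scores, EPSS values and CWEs are copied from the table below where the page gives them; the CVSS-version column and the CVE-2025-XXXXX row are placeholders, not real data.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

CRITICAL_CVSS = 9.0   # the newsletter's "critical" bar: CVSS base >= 9.0
HIGH_EPSS = 0.20      # the newsletter's exploit-probability bar: EPSS > 20%


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss_version: int        # 3 or 4 (assumed per record; the page does not state it)
    score: float             # CVSS base score
    epss: Optional[float]    # EPSS probability in 0..1, None when not yet scored
    cwe: str


# Constructed sample: scores, EPSS and CWEs copied from the page's table where given;
# the CVSS-version values and the CVE-2025-XXXXX row are placeholders.
SAMPLE = [
    Vuln("CVE-2025-55182", 3, 10.0, 0.44, "CWE-502"),
    Vuln("CVE-2025-66516", 3, 10.0, None, "CWE-611"),
    Vuln("CVE-2025-37164", 3, 10.0, 0.77, "CWE-94"),
    Vuln("CVE-2025-13486", 3, 9.8, 0.718, "CWE-94"),
    Vuln("CVE-2025-59718", 3, 9.8, 0.055, "CWE-347"),
    Vuln("CVE-2025-XXXXX", 4, 9.3, 0.01, "CWE-74"),   # placeholder CVSS4 critical
    Vuln("CVE-2025-66294", 4, 8.7, 0.27, "CWE-1336"),
    Vuln("CVE-2025-14847", 3, 7.5, None, "CWE-130"),
]


def critical(vulns):
    return [v for v in vulns if v.score >= CRITICAL_CVSS]


def likely_exploited(vulns, threshold=HIGH_EPSS):
    # An unscored EPSS (None) never clears the bar: it is a data gap, not low risk.
    return [v for v in vulns if v.epss is not None and v.epss > threshold]


def cwe_breakdown(vulns):
    # Most frequent weakness first; ties broken by CWE id for stable output.
    return sorted(Counter(v.cwe for v in vulns).items(), key=lambda kv: (-kv[1], kv[0]))


def prioritize(vulns):
    # Exploit-aware order: highest EPSS first, CVSS as tie-breaker; records with no
    # EPSS sink to the end but stay in the queue so the gap remains visible.
    return sorted(vulns, key=lambda v: (v.epss is None, -(v.epss or 0.0), -v.score))


def summarize(vulns):
    crit = critical(vulns)
    return {
        "critical": len(crit),
        "critical_cvss4": sum(1 for v in crit if v.cvss_version == 4),
        "perfect_ten": sum(1 for v in crit if v.score == 10.0),
        "critical_high_epss": len(likely_exploited(crit)),
        "top_cwes": cwe_breakdown(crit)[:3],
    }
```

Running `summarize(SAMPLE)` on a full monthly export reproduces the critical, CVSS4, perfect-10.0 and high-EPSS counts quoted in this report, while `prioritize(SAMPLE)` gives the exploit-first work order the TL;DR argues for.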
Critical Exploitable Vulnerabilities – December 2025
Pay attention to these top critical vulnerabilities that are likely exploitable this month.
| CVE | Description | CVSS 3 / 4 Base | EPSS Prob | Exploit PoC Available? | Date Published | Weakness | Versions Affected | References |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-66294 | Grav file-based Web platform allows attackers with editor permissions to execute arbitrary commands | 8.7 | 27% | Yes | 2025-12-01 | CWE-1336 | <1.8.0-beta.27 | https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f |
| CVE-2025-66516 | Critical XXE in Apache Tika allows XML External Entity injection | 10.0 | N/A | Yes | 2025-12-04 | CWE-611 | 1.13 to 3.2.2 | https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k |
| CVE-2025-14847 | Affects all MongoDB Server versions: Zlib-compressed protocol headers allow an unauthenticated client to read uninitialized heap memory | 7.5 | N/A | Yes | 2025-12-19 | CWE-130 | 8, 7, 6 | https://jira.mongodb.org/browse/SERVER-115508 |
| CVE-2025-37164 | HPE OneView RCE | 10.0 | 77% | Yes | 2025-12-16 | CWE-94 | N/A | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us |
| CVE-2025-13486 | Advanced Custom Fields: Extended plugin for WordPress is vulnerable to RCE | 9.8 | 71.8% | Yes | 2025-12-03 | CWE-94 | 0.9.0.5 through 0.9.1.1 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c508cb73-53e6-4ebe-b3d0-285908b722c9 |
| CVE-2025-55182 | Pre-authentication RCE vulnerability in React Server Components | 10.0 | 44% | Yes | 2025-12-03 | CWE-502 | 19.0.0, 19.1.0, 19.1.1, and 19.2.0 | https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components |
| CVE-2025-20393 | Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager | 10.0 | 6.7% | Yes | 2025-12-17 | CWE-20 | 16.0.3-044 | https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4 |
| CVE-2025-59718 | Cryptographic signature vulnerability in Fortinet FortiOS | 9.8 | 5.5% | Yes | 2025-12-09 | CWE-347 | 7.6.0 to 7.6.4 | https://fortiguard.fortinet.com/psirt/FG-IR-25-647 |
May you live in interesting times! 🙂

Click here to schedule your demo with vFeed Threat Intel today!