SOCshare: cybersecurity landscape in December 2025


December 2025 proved to be an active month in the global cyber threat landscape. While the year had already seen high levels of hacktivism and ransomware, the final month was defined by the disclosure of critical-severity vulnerabilities. These events, combined with a sharp increase in state-sponsored hybrid operations, forced organizations into an emergency patching cycle during the holiday period. 

React2Shell: The Crisis of December 

The standout threat of the month was React2Shell (tracked as CVE-2025-55182), a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC). Disclosed on December 3, the flaw was rated CVSS 10.0: reachable over the network, no authentication or user interaction needed, low attack complexity and full compromise of the server. Combined with React's widespread adoption and a public PoC only about 30 hours after disclosure, that made it the defining incident of December.


The mechanism

The vulnerability resides in the RSC “Flight” protocol, specifically in how the server deserializes the data chunks a client sends it. A single, specially crafted HTTP POST request to an RSC endpoint is enough: no authentication is required, and the payload is executed as arbitrary code inside the server's Node.js process, with whatever privileges that process has. Any internet-facing application built on an affected React or Next.js version was therefore exposed pre-login.


The scale of exploitation

Within the first eight days of disclosure, Cloudflare recorded over 582.1 million WAF hits targeting this flaw, averaging 3.49 million hits per hour.


Targeting and payloads

Global sensors identified over 111,000 exposed IP addresses running potentially vulnerable versions, 77,800 of them in the U.S., 7,500 in Germany and 4,000 in France. Post-exploitation payloads ranged from cryptocurrency miners to sophisticated, previously unseen Linux backdoors, so a host that was exposed before patching should be treated as possibly compromised, not merely vulnerable.

MongoBleed: Infrastructure at Risk 

Mid-month, the focus shifted to the database layer with the disclosure of MongoBleed (CVE-2025-14847), a high-severity (CVSS 8.7) vulnerability in MongoDB Server. 

Key takeaways


The Flaw

Rooted in the zlib network message decompression logic, the vulnerability lets an unauthenticated remote attacker read uninitialized heap memory. A compressed wire message declares its own uncompressed size, and the server trusted that declaration: a malformed message that claims more than it actually decompresses to leaves the rest of the server's buffer unwritten, and that stale heap content is returned to the client. Because decompression happens before any authentication, valid credentials are not needed.


Exposure

Threat intelligence data from Censys and Wiz indicated that over 87,000 MongoDB instances were potentially vulnerable worldwide. Approximately 42% of cloud environments were found to have at least one vulnerable instance. 


The risk

MongoBleed is a silent information leak. It allows attackers to harvest fragments of sensitive data – including passwords, API tokens, and user records – directly from memory. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on December 29, 2025.

What Else Happened in Europe in December 2025? 

According to the CERT-EU Cyber Brief 26-01, which analyzed 368 open-source reports this month, the landscape was further complicated by geopolitical friction: 

  1. Sanctions and Attribution: On December 15, the EU Council sanctioned 12 individuals and two entities linked to Russian hybrid threats, including members of GRU Unit 29155 (Cadet Blizzard), held responsible for propaganda campaigns, GPS jamming in EU airspace and sabotage operations against NATO allies. 
  2. China-Linked Espionage: The group Ink Dragon expanded its reach, targeting European government entities with sophisticated spear-phishing campaigns. 
  3. Critical Infrastructure Sabotage: Disruptive attacks targeted French postal services and Romanian water supply systems. These incidents highlight an intent to degrade public trust rather than to steal data. 
  4. Financial Phishing: A new, highly sophisticated phishing kit named Spiderman emerged, automating the impersonation of major European banks.  

Looking Ahead and Key Takeaways 

Organizations entering 2026 must prioritize: 

  • System Hardening and Service Isolation: Audit every internet-facing service. If a service or protocol (a database such as MongoDB is the obvious example) does not strictly need to be reachable from the internet, disable it or restrict it to trusted IP ranges, both at the network edge and in the service's own bind configuration (for MongoDB, the net.bindIp setting). Reducing the “attack surface” does not replace patching, but it shrinks the set of hosts that need an emergency patch in the first place. 
  • Credential and Secret Rotation: Because MongoBleed exposes whatever happened to be in process memory, including in-memory secrets, rotate API keys, service tokens and administrative credentials on any instance that was exposed while unpatched, and treat data held by that instance as potentially read. Replace static credentials with short-lived, dynamically issued tokens where possible, so that a leaked secret expires on its own. 
  • Patch Lifecycle Management: The roughly 30-hour gap between the React2Shell disclosure and the first public PoC shows that a monthly patch cycle is too slow for critical-severity vulnerabilities in widely deployed frameworks. Maintain an inventory of which applications embed which framework versions, and automate the build-and-deploy path so that an emergency patch can be rolled out within hours rather than weeks. 
  • User Awareness is as Needed as Ever: PhaaS frameworks such as the Spiderman kit run adversary-in-the-middle (AitM) proxies that relay the real login page and capture passwords, one-time codes and the resulting session cookies in real time, so password-plus-OTP and push-based MFA do not stop them. Phishing-resistant MFA (FIDO2/WebAuthn, passkeys) does, because the credential is bound to the genuine origin and cannot be replayed from the attacker's domain; where it is not yet deployed, or where a weaker fallback method remains enabled, the user spotting the fake domain before the first click remains the last line of defence. 

References 

This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.
