
SecureIT - Top Vulnerabilities - December 2025



The "So What" for Executives

December 2025 was a landmark month for "Edge-In" attacks. Threat actors successfully targeted the very devices meant to protect the network: Firewalls, VPNs, and Email Gateways. We saw a shift away from simple malware toward Identity Forgery and Protocol Exploitation.

Vendor          Impact                  Risk Level   Our Recommendation
Fortinet        Auth Bypass             Critical     Patch & Rotate API Keys
WatchGuard      Remote Code Execution   Critical     Restrict VPN Source IPs
React           Server Takeover         High         Upgrade to React 19.x
Apple/Windows   Endpoint Compromise     High         Enforce OS Compliance

SecureIT Monthly Vulnerability Brief. December 2025

December 2025 brought exploited issues across perimeter devices, email security appliances, Windows endpoints, browsers, developer platforms, and databases. Several flaws let attackers take over internet-exposed systems or gain full control after a first foothold. The result is downtime, data exposure, fraud risk, and high recovery cost. Reputation suffers when customer portals, email, or executive devices are compromised.

Here are the vulnerabilities to know and what to do next.

Fortinet FortiOS, FortiProxy, FortiSwitchManager, FortiWeb. CVE-2025-59718, CVE-2025-59719

What happened

Attackers can sign in to the appliance as an administrator without a valid login. [authentication bypass]. The appliance accepts forged identity tokens from the single sign-on process. [SAML]. Active attacks were reported against exposed devices.

Impact

Perimeter controls are changed without notice. Remote access is opened and filtering is weakened. Attackers use the device to reach internal systems and steal data. Emergency patching and credential rotation cause downtime. Incident response expands fast because a compromised gateway is trusted by the network.

Who is at risk

Organizations with Fortinet admin interfaces reachable from the internet are at high risk. Environments that enabled cloud-connected login features are exposed.

What to do

Update to the fixed Fortinet releases for each affected product, and verify the patch level after reboot. Disable cloud login and single sign-on until updates are complete, and restrict management access to a trusted admin network. Review admin authentication logs and configuration exports for unexpected activity, then rotate appliance credentials and API keys.

Sources: Fortinet PSIRT | ITPro coverage

WatchGuard Firebox Fireware OS. CVE-2025-14733

What happened

A flaw in the Firebox VPN service lets a remote attacker run code on the appliance without a login. [remote code execution]. The trigger is the VPN handshake used to set up encrypted tunnels. [IKEv2]. WatchGuard reported exploitation in real attacks.

Impact

Attackers take control of the firewall. Policies change and access rules are weakened. Traffic can be intercepted or redirected. Sites lose connectivity during emergency response and rebuild. Recovery costs rise due to forensic review and device replacement.

Who is at risk

Organizations with Firebox devices that expose VPN services to the internet are at risk. Older Fireware builds and systems using dynamic peer setups are higher risk.

What to do

Apply the WatchGuard Fireware OS fix for your release branch and confirm the device shows the patched build. Until patched, restrict VPN access to known source addresses or disable the affected VPN configuration. Check for unauthorized configuration changes, new admin users, and unexpected outbound connections, and rebuild the firewall if you find any sign of compromise.

Sources: WatchGuard advisory WGSA-2025-00027 | The Hacker News coverage

Cisco Secure Email Gateway and Secure Email and Web Manager. CVE-2025-20393

What happened

Attackers can run system commands on the appliance from the network. [remote command execution]. The issue is reachable through the Spam Quarantine feature when it is exposed to the internet. Cisco reported active exploitation.

Impact

Email security controls are bypassed or disabled. Messages are forwarded, deleted, or delayed. Credentials for mail and identity systems are stolen. Attackers use the appliance as a step to reach internal systems and data stores. Recovery can require emergency isolation, deep review, and full rebuild of the gateway.

Who is at risk

Organizations running these Cisco appliances with Spam Quarantine reachable from the internet are at highest risk. Any environment that depends on the appliance for mail routing and quarantine access is impacted.

What to do

Remove internet access to Spam Quarantine now and restrict management access to a private admin network. Follow Cisco incident guidance to assess for compromise, and plan for a rebuild if indicators are present. Monitor mail routing changes, new admin activity, and unexpected outbound connections from the appliance.

Sources: Cisco security advisory | SecurityWeek report

React Server Components. CVE-2025-55182

What happened

A flaw in server rendered React pages lets an unauthenticated attacker run code on the server. [remote code execution]. The issue is in the feature that sends server rendered components to the browser. [React Server Components]. Widespread exploitation began soon after public disclosure.

Impact

Web applications are taken over. Data in customer portals and internal tools is accessed. Order and payment workflows can be modified. Servers are used to run malware or to steal data at scale. Emergency patching forces outages and change freezes across teams that share the same platform.

Who is at risk

Teams running React 19 server rendering on internet-exposed apps are at risk, including environments using the Next.js App Router. Any server that accepts server function requests from untrusted networks is exposed.

What to do

Upgrade to the fixed React Server Components versions published by the React team, such as 19.0.1, 19.1.2, or 19.2.1. Prioritize internet-exposed services and add request filtering to block unexpected payloads until patch coverage is confirmed. Review server logs for abnormal traffic to server function endpoints, and check hosts for new processes, new scheduled jobs, and unknown binaries.

Sources: React advisory | Google Threat Intelligence reporting

Apple WebKit on iOS, iPadOS, macOS, Safari. CVE-2025-14174, CVE-2025-43529

What happened

A malicious webpage can run code on an Apple device when it is opened in a browser. [remote code execution]. The flaw is in the web content engine used by Safari and other browsers on Apple devices. [WebKit]. Apple reported these bugs were used in real attacks against targeted users.

Impact

Device data is exposed. Passwords, cookies, and saved tokens are stolen. Corporate email and chat accounts are taken over. Attackers use the device to approve login prompts and access internal apps. Recovery includes device wipe, password resets, and investigation when sensitive data is involved.

Who is at risk

Any iPhone, iPad, or Mac not updated to the latest security release is at risk, especially devices used for browsing and email. Organizations without enforced update compliance on managed devices are exposed.

What to do

Deploy the latest Apple security updates across iOS, iPadOS, macOS, and Safari, and enforce minimum versions in your device management policy. Restrict web access on unmanaged devices for high risk roles and route managed browsing through a corporate web filter. Review web proxy logs for suspicious domains tied to targeted exploitation, and rotate credentials for users who clicked unknown links.

Sources: Apple security content | BleepingComputer coverage

Microsoft Windows. CVE-2025-62221

What happened

A bug in a Windows file driver lets an attacker raise their permissions to full local control. [privilege escalation]. Once exploited, attackers can act as the highest local Windows account. [SYSTEM]. CISA reported active exploitation in December.

Impact

Attackers take over endpoints and servers. Security tools are disabled and credentials are stolen. Access spreads to file shares and critical systems. Business operations stop during containment and reimaging. Costs rise due to overtime, lost productivity, and delayed projects.

Who is at risk

Windows desktops and servers missing the December 2025 updates are at risk. Organizations that face frequent credential theft and malware infections are exposed because attackers chain this after initial access.

What to do

Apply the December 2025 Windows cumulative updates across all supported versions, including remote worker laptops and servers. Treat infected machines as compromised, and reimage them before restoring network access. Audit for new local admin memberships, new services, and unexpected scheduled tasks created around the time of patching.

Sources: Microsoft Security Update Guide | CISA alert

RARLAB WinRAR. CVE-2025-6218

What happened

A crafted RAR archive can write files outside the folder the user chose during extraction. [path traversal]. Attackers use this to place a program where it runs on login or on reboot. [code execution]. CISA reported active exploitation.

Impact

Malware lands on endpoints through email attachments and file shares. Credentials are stolen and reused to access more systems. Finance and payroll systems are at risk through stolen access. Cleanup requires endpoint rebuild and password resets. Support tickets spike and productivity drops.

Who is at risk

Windows endpoints with WinRAR installed are at risk, especially where users open archives from email or public downloads. Teams handling external documents, invoices, and resumes are common targets.

What to do

Update WinRAR to 7.12 or later, and verify the version since WinRAR does not auto update. Block RAR archives at the email gateway where possible and restrict archive tools on endpoints that do not need them. Monitor for unexpected executables written to startup folders and for new scheduled tasks created right after archive extraction.
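The path traversal described above comes down to one question a defender can ask before any file is written: does each entry name in the archive still land inside the folder the user chose? The following is an added example (not code from the brief or from RARLAB) of a pre-extraction check for that question. The entry names in `SAMPLE_ENTRIES` are constructed to show the shapes a crafted archive uses (parent-directory climbs with either slash style, absolute, drive-letter and UNC paths); the function and policy names are this example's own.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample entry list standing in for the names stored inside an
# archive. The traversal and absolute-path entries are the shapes a crafted
# archive uses to drop a file outside the folder the user picked.
SAMPLE_ENTRIES: List[str] = [
    "invoice_2025-12.pdf",
    "attachments/terms.txt",
    "docs/../notes.txt",
    "../../Startup/update.exe",
    "..\\..\\Startup\\update.exe",
    "C:\\Users\\Public\\run.exe",
    "/etc/cron.d/job",
    "\\\\fileserver\\share\\run.exe",
]

_DRIVE = re.compile(r"^[A-Za-z]:")


def unsafe_reason(name: str, dest_dir: str) -> Optional[str]:
    """Return why `name` must not be extracted into `dest_dir`, or None if it is safe.

    The policy is deliberately strict: any '..' component is rejected outright
    rather than normalized away, because a name that needs normalizing to stay
    inside the destination is not a name a benign archive produces.
    """
    if not name or "\x00" in name:
        return "empty name or NUL byte"
    # Entries written on Windows may carry backslashes; treat both as separators.
    unified = name.replace("\\", "/")
    if _DRIVE.match(unified):
        return "drive-letter path"
    if unified.startswith("//"):
        return "UNC path"
    if unified.startswith("/"):
        return "absolute path"
    if any(part == ".." for part in unified.split("/")):
        return "parent-directory traversal"
    # Belt and braces: resolve the final path and confirm it is still under dest_dir.
    dest = os.path.abspath(dest_dir)
    target = os.path.normpath(os.path.join(dest, unified))
    if target != dest and not target.startswith(dest + os.sep):
        return "resolves outside destination"
    return None


def audit_entries(entries: List[str], dest_dir: str) -> Dict[str, Optional[str]]:
    """Map every entry name to its rejection reason (None means safe to extract)."""
    return {name: unsafe_reason(name, dest_dir) for name in entries}


def safe_to_extract(entries: List[str], dest_dir: str) -> bool:
    """True only if every entry stays inside dest_dir: extract all or nothing."""
    return all(reason is None for reason in audit_entries(entries, dest_dir).values())


if __name__ == "__main__":
    for entry, reason in audit_entries(SAMPLE_ENTRIES, "extracted").items():
        print(f"{'OK    ' if reason is None else 'REJECT'} {entry!r} {reason or ''}")
    print("archive safe:", safe_to_extract(SAMPLE_ENTRIES, "extracted"))
```

The all-or-nothing decision in `safe_to_extract` matters: extracting the benign entries and silently skipping the bad ones still leaves the user with an archive that looked fine, so the whole file should be quarantined and reviewed instead. The same check is useful on a mail gateway or file-share scanner that can list archive entries without extracting them.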

Sources: WinRAR release notes | CISA alert

MongoDB Server. CVE-2025-14847

What happened

An unauthenticated attacker can read small chunks of server memory over the network. [uninitialized memory read]. This can reveal credentials, tokens, or data fragments that were in memory at the time of the request. The issue is reachable when network message compression is enabled. [zlib].

Impact

Secrets leak from a core data platform. Attackers reuse leaked credentials to access applications and services. Data access can happen without normal login indicators. Security teams spend time triaging exposed servers and rotating keys. Downtime occurs during emergency patching and access changes.

Who is at risk

Self-hosted MongoDB deployments that are internet-exposed are at highest risk. Internal deployments shared across many applications are also impacted because one exposed server affects many systems.

What to do

Update MongoDB to the latest patched build for your major version and confirm the server binaries were replaced. Until patched, disable zlib-based message compression and restrict database network access to private networks only. Monitor for unusual pre-login traffic patterns, and rotate database users and application secrets if the server was exposed.

Sources: MongoDB releases | Censys advisory

What to prioritize this week

  1. Remove internet exposure from Cisco Spam Quarantine and follow Cisco guidance to assess compromise and rebuild when needed.
  2. Patch WatchGuard Firebox Fireware OS and validate no unauthorized configuration changes before reopening VPN access.
  3. Patch affected Fortinet products, disable cloud login until patched, and rotate all appliance admin credentials and API keys.
  4. Update React server applications to fixed versions and add short term request filtering on server function endpoints.
  5. Enforce Apple security updates on all managed devices and restrict unmanaged browsing for high risk staff.
  6. Deploy December Windows updates and hunt for privilege escalation artifacts on endpoints and servers.
  7. Update WinRAR across desktops and tighten email and web controls on archive downloads.
  8. Patch MongoDB, disable zlib compression until patched, and restrict database access to private networks.

At SecureIT, we deliver secure, enterprise-grade IT and cybersecurity solutions for highly regulated industries such as finance and healthcare. From proactive monitoring to advanced threat detection and compliance support, we help you stay ahead of evolving risks.

Contact us today to learn how we can help protect your firm from the next wave of cyber threats.