
Top 5 Threat News (Dec 8-15, 2025): Apple Spyware Zero-Days, React Patches Fail & Oracle Ransomware

Apple's 9th zero-day of 2025 hit millions of iPhones, React's security fix made things worse, and Chinese malware hid in VMware servers for 17 months undetected

THIS WEEK IN CYBER MONDAY 🔒

Dec 8 - Dec 15, 2025 | Top 5 Weekly Highlights

1. 🍎 Apple Patches Two Zero-Days Used in Spyware Attacks

Apple released emergency security updates on December 12 to fix two zero-days that hackers are actively using to attack iPhones.

These aren't normal bugs. They're being used by commercial spyware companies to target journalists, activists, and other high-value individuals.

Both vulnerabilities (CVE-2025-43529 and CVE-2025-14174) affect WebKit, which is the technology that powers Safari and every other browser on iPhone. One of these flaws (CVE-2025-14174) was also found in Google Chrome and patched two days earlier. This means attackers were exploiting the same vulnerability across both Chrome and iPhone simultaneously.

If you're on iPhone 11 or newer, you're vulnerable. This marks Apple's 9th zero-day patch in 2025.

Why you care: Spyware vendors are getting faster and smarter. What hits Chrome today can hit your iPhone tomorrow. And because all iOS browsers must use WebKit, this flaw affected Chrome, Firefox, Edge—everything.

Fix: Update to iOS 18.2.1 immediately. Settings → General → Software Update. Do it now.

2. 🔥 React Patches Introduce New Vulnerabilities

Remember React2Shell from last week? The patches didn't fully fix the problem. On December 11, researchers found the "fix" introduced THREE new vulnerabilities.

CVE-2025-55184 and CVE-2025-67779 let attackers crash servers with infinite loops. CVE-2025-55183 leaks your source code—including hardcoded API keys and secrets.

React had to patch their patch. Popular frameworks like Next.js had to scramble and update again too.

The lesson: Even the world's most popular web framework can fumble security. Twice. In the same week.

Why you care: If you're running React Server Components, you patched last week... and now you need to patch again. This affects Next.js, React Router, Waku, and more.

Fix: Upgrade to the latest React version (19.0.3+) and Next.js (15.1.6+/16.0.7+). Check twice this time.

3. 🌐 Hackers Are Actively Exploiting GeoServer Right Now

CISA added a GeoServer vulnerability (CVE-2025-58360) to its "Known Exploited Vulnerabilities" list on December 12. Hackers are actively using it right now.

This is an XML External Entity (XXE) flaw that doesn't need a password. Attackers can send a malicious XML request to the /geoserver/wms endpoint and compromise the server.

It affects all GeoServer versions up to 2.25.5 and 2.26.0-2.26.1. Over 14,000 instances are exposed online.

Why you care: This is the THIRD exploited GeoServer flaw CISA has flagged in 2025. Last year, hackers used a similar bug to breach a U.S. federal agency and stayed inside for three weeks. GeoServer hosts critical geospatial data for government agencies, military installations, and infrastructure mapping.

Fix: Upgrade to GeoServer 2.25.6+ or 2.26.2+. Federal agencies have until Jan 1, 2026. You? Do it today.
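A defensive pre-parse check for the XXE pattern described above (an added example, not GeoServer's own code): it runs Python's stdlib expat over a request body, flags any DOCTYPE or entity declaration so the request can be dropped before it reaches the real parser, and never resolves external references. The two WMS request bodies and the placeholder DTD URL are constructed for the demo.

```python
import xml.parsers.expat

# Constructed sample bodies (not real traffic). The second carries the
# external-entity declaration pattern an XXE attempt relies on; the system
# identifier is a placeholder and is never fetched.
BENIGN_WMS = b'<?xml version="1.0"?><GetCapabilities service="WMS" version="1.3.0"/>'
XXE_WMS = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "http://dtd.placeholder.invalid/x">]>'
           b'<GetCapabilities service="WMS">&xxe;</GetCapabilities>')


def inspect_xml(body: bytes) -> dict:
    """Run expat over the body, recording DOCTYPE and entity declarations.

    External references are never resolved: the handler returns 0, which makes
    expat abort instead of fetching the resource. A parse error (malformed or
    aborted input) still returns whatever declarations were seen before it.
    """
    findings = {"doctype": False, "external_entities": [], "internal_entities": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = True

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        bucket = "external_entities" if (sysid or pubid) else "internal_entities"
        findings[bucket].append(name)

    def on_external_ref(context, base, sysid, pubid):
        return 0  # refuse: no file or network fetch on behalf of the document

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError:
        pass
    return findings


def is_safe_wms_body(body: bytes) -> bool:
    """Policy for the WMS endpoint: a DTD is never legitimate there, so any
    DOCTYPE or entity declaration means the request is dropped."""
    f = inspect_xml(body)
    return not (f["doctype"] or f["external_entities"] or f["internal_entities"])


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_WMS), ("xxe", XXE_WMS)):
        verdict = "accepted" if is_safe_wms_body(body) else "rejected"
        print(label, verdict, inspect_xml(body))
```

The same gate also stops internal-entity tricks such as entity-expansion (billion laughs) bodies, since it rejects on any DTD rather than on a specific payload shape.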

4. 💣 Cl0p's Oracle Zero-Day: Still Claiming Victims in December

Back in August, the Cl0p ransomware gang exploited a zero-day in Oracle E-Business Suite (CVE-2025-61882) and quietly stole data from dozens of companies. Oracle patched it in October, but victims are still being disclosed in December.

The scary part? Cl0p had a 3-month head start before anyone noticed. They hit major targets: Allianz UK, University of Phoenix, Dartmouth College, Washington Post, and dozens more across healthcare, education, IT, and manufacturing.

The vulnerability (CVSS 9.8) let attackers execute code remotely without any authentication. Once inside, they stole payroll files, vendor contracts, financial data—everything in your ERP system.

Why this made December's list: Even though the hack started months ago, companies are still discovering they're victims. If you run Oracle EBS and haven't checked for compromise yet, you're playing Russian roulette with your data.

What to do: If you use Oracle E-Business Suite, assume breach. Check for indicators of compromise from August-October 2025. Oracle released emergency patches—apply them. And seriously, audit your ERP systems.

5. 🕵️ BRICKSTORM: Chinese Malware Hides for Months Undetected

CISA, NSA, and Canada dropped a joint warning on December 4: Chinese state hackers are using BRICKSTORM malware to maintain long-term access to government and IT systems.

BRICKSTORM targets VMware vSphere and Windows, hiding in plain sight with multiple encryption layers and DNS-over-HTTPS to dodge detection. It auto-reinstalls itself if you try to remove it.

In one case, attackers maintained access from April 2024 to September 2025—17 months of invisible control. They stole VM snapshots, created hidden rogue virtual machines, and exfiltrated credentials from domain controllers.

Who's at risk: Government agencies, IT service providers, and anyone running VMware infrastructure.

Why you care: Nation-state attacks don't make noise. They sit quietly in your network, stealing data for years before you notice. BRICKSTORM has hit dozens of U.S. organizations.

What to do: Use CISA's detection tools (YARA/Sigma rules) to scan VMware and Windows systems. Block unauthorized DNS-over-HTTPS providers. Segment your network. Monitor edge devices religiously.

🎯 The Big Picture

December's theme? Persistence. Apple zero-days hit millions while spyware vendors coordinate cross-platform attacks. React had to patch their patches. GeoServer is under active attack. Cl0p exploited Oracle for months before detection. And BRICKSTORM stayed hidden for 17 months.

The attackers are patient. The exploits are sophisticated. And the window between disclosure and exploitation is shrinking to hours, not days.

Your move:

  • Patch everything. Then patch it again when the "fixed" version breaks.

  • Assume breach. If you run Oracle EBS, VMware vSphere, or GeoServer, check for compromise.

  • Enable auto-updates. The 48 hours after a patch drops is your most dangerous window.

  • Monitor relentlessly. Nation-state actors won't trigger your alarms—they'll hide in plain sight.

Stay paranoid. Stay patched. Stay safe. 🛡️

Your Feedback Matters

Got questions? Found something we missed? Drop feedback in the comments.
