ThreatScope by DIAMATIX: Critical Vulnerabilities Actively Exploited (01–07 December 2025)
From local roots to global trust — DIAMATIX monitors the vulnerabilities that matter most.
During the past week, the global cyber landscape was dominated by several critical vulnerabilities—some already under active exploitation by threat actors.
This briefing highlights the most widely used, most dangerous, and most business-critical CVEs that require immediate attention.
1. Critical Unauthenticated RCE in React Server (CVE-2025-55182)
A high-severity remote code execution flaw affecting React Server Components (RSC) and frameworks using the Flight protocol (including vulnerable versions of Next.js).
A remote attacker can craft a malicious RSC request leading to server-side deserialization and arbitrary code execution — without authentication.
High risk for SaaS platforms, e-commerce applications, and modern web architectures.
2. Critical XXE Injection in Apache Tika (CVE-2025-66516)
Affects: tika-core, tika-pdf-module, tika-parsers.
The vulnerability enables XML External Entity (XXE) attacks through a crafted XFA file embedded in a PDF.
Potential impact:
• Server-side file disclosure
• SSRF attacks
• Compromised document processing pipelines
Tika is widely used → the attack surface is extensive.
3. React/Next.js RSC Maximum-Severity Bugs (CVE-2025-55182)
Another high-impact disclosure on the same core weakness:
Unauthenticated RCE through improper payload decoding in Server Function endpoints.
Threat intelligence sources indicate active probing by attacker groups.
4. WordPress King Addons Exploit (CVE-2025-8489) – Active exploitation
Critical flaw in a popular Elementor plugin.
The issue allows unauthenticated privilege escalation, enabling attackers to assign themselves administrator rights simply by selecting the admin role during registration.
Currently exploited in the wild — high urgency for any WordPress-based business.
5. Advantech WISE-DeviceOn — Hard-coded JWT Secret (CVE-2025-34256)
A static HS512 HMAC secret is used to sign JWT tokens across all installations.
Impact:
• Attackers can forge valid tokens
• Full administrative takeover
• Remote execution on managed devices through DeviceOn features
This is critical for industrial, OT, and IoT environments.
6. GoAway Authentication Bypass via Hardcoded Credentials (CVE-2025-65730)
The platform uses a hardcoded JWT signing secret.
Result: authentication bypass and direct access to protected endpoints.
Fixed in version 0.62.19.
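As an added example covering items 5 and 6 (not part of this briefing and not either vendor's code): a minimal HS512 JWT issuer and verifier in Python that shows why a secret shared by every installation lets a token minted on one installation be accepted by all the others, and how a per-installation secret closes that gap. The secret value, claims and installation names are constructed for the example; expiry checking is omitted.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, secret: bytes) -> str:
    """Mint a compact HS512 JWT: b64url(header).b64url(payload).b64url(signature)."""
    header = _b64url(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the signature is valid under `secret`, else None.
    Pins alg to HS512 (rejects 'none' and algorithm swaps) and compares in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS512":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))

# Vulnerable pattern: one build-time constant baked into every shipped installation (constructed value).
SHARED_STATIC_SECRET = b"constructed-example-static-secret-do-not-use"

def new_install_secret() -> bytes:
    """Hardened pattern: each installation generates its own 512-bit key at first boot and keeps it
    outside the code base (protected file or secret manager); generated in memory here."""
    return secrets.token_bytes(64)

def cross_install_accepted(secret_a: bytes, secret_b: bytes) -> bool:
    """Does a token minted by installation A verify on installation B?
    True when both share a static secret, which is the takeover condition described above."""
    token = issue_token({"sub": "admin", "role": "administrator"}, secret_a)
    return verify_token(token, secret_b) is not None

if __name__ == "__main__":
    print("static secret, cross-install accepted:", cross_install_accepted(SHARED_STATIC_SECRET, SHARED_STATIC_SECRET))
    a, b = new_install_secret(), new_install_secret()
    print("per-install secrets, cross-install accepted:", cross_install_accepted(a, b))
```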
7. Fanvil x210 Series — Multiple Critical Vulnerabilities
Fanvil devices are widely used in VoIP systems, call centers, and enterprise networks.
CVE-2025-64056 – Arbitrary File Upload
Unauthenticated attackers on the local network can upload arbitrary files.
CVE-2025-64053 – Buffer Overflow
Causes DoS or potential RCE through crafted POST requests.
CVE-2025-64052 – Arbitrary Command Execution
Allows unauthenticated local attackers to execute system-level commands.
The combination of these issues creates a high-risk scenario for telephony infrastructures.
8. Apache HTTP Server — Critical Issues
CVE-2025-58098
With Server Side Includes (SSI) and mod_cgid enabled, Apache may pass the shell-escaped query string into #exec cmd="...", potentially leading to command execution.
CVE-2025-65082
Improper neutralization of environment variables allows them to override server-calculated values for CGI programs, leading to unpredictable and dangerous behavior.
The DIAMATIX Perspective
This week’s vulnerabilities reinforce what our SOC sees every day:
the combination of supply-chain dependencies, mainstream development frameworks, and widely deployed IoT/OT devices significantly increases organizational risk — even in well-maintained environments.
What organizations should focus on:
✔ Proactive Monitoring
Shield SIEM/XDR analyzes indicators associated with these CVEs even before exploit code becomes widely available.
✔ MDR Threat Hunting
Our team tracks abnormal activity linked to scanning patterns against React/Next.js and WordPress ecosystems — behavior typical of groups testing new RCE vectors.
✔ Full-Stack Coverage
JWT bypass, IoT command execution, and file upload flaws highlight the need for centralized visibility and rapid incident response.
✔ Regulatory Alignment
Supply-chain exposure and library-level vulnerabilities align closely with NIS2 and DORA expectations.
Our approach ensures operational resilience and documented compliance.
Conclusion
The vulnerabilities emerging this week reflect a clear trend: attackers target the most widely deployed technologies, regardless of sector or size.
With real-time visibility, proactive threat hunting, and unified defense, organizations can turn this evolving threat landscape into an opportunity for stronger resilience.
DIAMATIX stands beside its clients — providing clarity, confidence, and continuous protection.