Multiple Critical Vulnerabilities Exploited in Popular Software
Summary
Multiple critical vulnerabilities in widely used software, including Apple products, .NET applications, WinRAR, and React, are being actively exploited by threat actors. These flaws allow for arbitrary code execution, remote code execution (RCE), and other malicious activities. The vulnerabilities affect a broad range of users and systems, necessitating immediate updates and patches. The exploits target various vectors, including memory corruption, path traversal, and design flaws in cryptographic keys. The affected software includes Apple's iOS, iPadOS, macOS, Safari, .NET applications, WinRAR, and React. The impact of these vulnerabilities is significant, as they enable attackers to execute arbitrary code, gain unauthorized access, and compromise sensitive data. The urgency of these updates is underscored by the active exploitation of these flaws, with some attacks occurring before fixes were available. Users are advised to install the necessary updates promptly to mitigate the risks.
Timeline
- 15.12.2025 14:24 · 1 article
Multiple Critical Vulnerabilities Exploited in Popular Software
Sources:
- ⚡ Weekly Recap: Apple 0-Days, WinRAR Exploit, LastPass Fines, .NET RCE, OAuth Scams & More — thehackernews.com — 15.12.2025 14:24
Information Snippets
- Apple released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari to address two zero-days (CVE-2025-14174 and CVE-2025-43529) exploited in highly targeted attacks.
  First reported: 15.12.2025 14:24 · 1 source, 1 article
- CVE-2025-14174 is a memory corruption issue, while CVE-2025-43529 is a use-after-free bug, both exploitable via maliciously crafted web content to execute arbitrary code.
  First reported: 15.12.2025 14:24 · 1 source, 1 article
- Google also addressed CVE-2025-14174 in its Chrome browser, as it resides in the Almost Native Graphics Layer Engine (ANGLE) library.
  First reported: 15.12.2025 14:24 · 1 source, 1 article
- The SOAPwn vulnerability in .NET applications allows remote code execution (RCE) through HTTP client proxies that accept non-HTTP URLs, leading to arbitrary file writes and potential RCE via web shells and PowerShell scripts.
  First reported: 15.12.2025 14:24 · 1 source, 1 article
- A new flaw in CentreStack and Triofox is being exploited to achieve code execution by accessing the web.config file, due to a design failure in cryptographic key generation.
  First reported: 15.12.2025 14:24 · 1 source, 1 article
- The WinRAR flaw (CVE-2025-6218, CVSS score: 7.8) is being exploited by three threat actors (GOFFEE, Bitter, and Gamaredon) and allows code execution in the context of the current user.
  First reported: 15.12.2025 14:24 · 1 source, 1 article
- The React2Shell flaw (CVE-2025-55182, CVSS score: 10.0) is being widely exploited to deliver various malware, including MINOCAT, the SNOWLIGHT downloader, the COMPOOD backdoor, and the HISONIC backdoor.
  First reported: 15.12.2025 14:24 · 1 source, 1 article
- The Hamas-affiliated group WIRTE (aka Ashen Lepus) has been conducting espionage on government bodies and diplomatic entities across the Middle East since 2018, using spear-phishing emails to deliver AshTag malware.
  First reported: 15.12.2025 14:24 · 1 source, 1 article