In 2025, Greenbone increased the total number of vulnerability tests in the OPENVAS ENTERPRISE FEED to over 227,000, adding almost 40,000 vulnerability checks. Since the first CVE was published in 1999, over 300,000 software vulnerabilities have been added to MITRE’s CVE repository. CVE disclosures continued to rocket upward, increasing roughly 21% compared to 2024. CISA added 245 CVEs to its Known Exploited Vulnerabilities (KEV); 24 of these are known ransomware vectors. Defenders seeking to detect and protect can try OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.

5,519 new CVEs were published in December 2025, setting a new all-time high for a single month. New critical severity vulnerabilities and emergency responses continued throughout the holiday season unabated. The Greenbone blog has already reported on two actively exploited CVSS 10 vulnerabilities that emerged in December: CVE-2025-55182 dubbed React2Shell and CVE-2025-20393 affecting Cisco AsyncOS Spam Quarantine. In the December 2025 Threat Report, we will round off the month’s most critical emerging threats to IT security.

Ransom Attacks against Hypervisors Spiked in Late 2025

Research from Huntress shows that hypervisors are trending upward as a prime ransomware target. According to their data, hypervisors played a role in 3% of malicious encryption attacks during the first half of 2025, increasing to 25% during the second half. They believe the increase was driven by the Akira ransomware APT, a group known to aggressively exploit software vulnerabilities.

To reduce risk to hypervisor infrastructure, defenders should plan and implement comprehensive security controls, including:

  • Regularly run vulnerability scans across hypervisor infrastructure and prioritize any discovered vulnerabilities for mitigation
  • Disable or restrict unnecessary hypervisors and VM instances
  • Never expose management interfaces directly to the internet
  • Limit access to hypervisor IP addresses and management consoles using firewall rules

MongoBleed Gifts an Emergency Holiday Patch

CVE-2025-14847 (CVSS 7.5, EPSS 98th pctl), affecting MongoDB, was published on December 19th, 2025. The flaw allows an unauthenticated remote attacker to access sensitive memory locations by sending malformed packets with length parameter inconsistency [CWE-130]. It has been nicknamed MongoBleed, following the informal convention for memory leak vulnerabilities such as HeartBleed [1][2], and CitrixBleed [3][4]. The flaw lies in MongoDB’s network transport-layer zlib compression process. When faced with a length mismatch, the zlib message compressor could return an allocated buffer length rather than the true decompressed length, allowing attackers to read uninitialized heap memory.
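To make the bug class concrete, the following is an added example (not MongoDB's code and not from the original post) that models the CWE-130 pattern described above in a few lines of Python. `HEAP`, `alloc`, `previous_request_used_heap` and both handler functions are constructed for illustration: `decompress_vulnerable` sizes its buffer from the message header's declared length and returns the whole allocation, while `decompress_fixed` returns only the bytes zlib actually produced and rejects a header that disagrees with them.

```python
import zlib

# A 4 KiB region standing in for the process heap (constructed for this
# example; a real allocator recycles freed chunks without clearing them).
HEAP = bytearray(4096)


def alloc(n: int) -> memoryview:
    """Hand out the first n bytes of HEAP *without* zeroing them, the way
    malloc() returns a recycled chunk that still holds its previous contents."""
    if n > len(HEAP):
        raise MemoryError("declared length exceeds toy heap")
    return memoryview(HEAP)[:n]


def previous_request_used_heap(secret: bytes) -> None:
    """Model an earlier connection that parsed a credential into a heap
    buffer and freed it without wiping it."""
    HEAP[: len(secret)] = secret


def decompress_vulnerable(declared_len: int, payload: bytes) -> bytes:
    """CWE-130 pattern: the buffer is sized from the client-supplied header,
    but the function returns the whole allocation instead of the number of
    bytes zlib actually wrote, so stale heap bytes ride along."""
    buf = alloc(declared_len)
    produced = zlib.decompress(payload)
    buf[: len(produced)] = produced
    return bytes(buf)  # BUG: declared_len bytes, not len(produced)


def decompress_fixed(declared_len: int, payload: bytes) -> bytes:
    """Hardened handler: trust the decompressor's real output length and
    treat any disagreement with the header as a malformed message."""
    buf = alloc(declared_len)
    produced = zlib.decompress(payload)
    if len(produced) != declared_len:
        raise ValueError(
            f"header claims {declared_len} bytes, zlib produced {len(produced)}"
        )
    buf[: len(produced)] = produced
    return bytes(buf[: len(produced)])


def run_scenario() -> dict:
    """Drive both handlers with the same malformed message and report what
    each one hands back to the client."""
    HEAP[:] = bytes(len(HEAP))
    previous_request_used_heap(b"db_password=hunter2")  # constructed secret
    payload = zlib.compress(b"ping")  # 4 real bytes ...
    declared_len = 64                 # ... but the header claims 64

    leaked = decompress_vulnerable(declared_len, payload)
    try:
        decompress_fixed(declared_len, payload)
        rejected = False
    except ValueError:
        rejected = True
    honest = decompress_fixed(len(b"ping"), payload)
    return {"leaked": leaked, "rejected": rejected, "honest": honest}


if __name__ == "__main__":
    result = run_scenario()
    print("vulnerable handler returned:", result["leaked"].rstrip(b"\0"))
    print("fixed handler rejected mismatch:", result["rejected"])
    print("fixed handler with honest header:", result["honest"])
```

The vulnerable handler returns 64 bytes of which only four came from the message; the rest is whatever the previous request left behind. A production decompressor should additionally cap the declared length against the protocol's maximum message size before allocating anything.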

One security researcher estimates over 200,000 instances are exposed on the public internet globally. The Shadowserver Foundation lists over 80,000. At least one proof-of-concept (PoC) exploit has been published for CVE-2025-14847 that can automatically hunt for secrets like DB passwords and cloud keys. The PoC demonstrates how an attacker can enumerate through heap memory to exfiltrate sensitive information. CVE-2025-14847 has been added to CISA’s KEV catalogue and numerous national CERT alerts have been issued globally [5][6][7][8][9][10][11][12][13]. No ransomware attacks leveraging MongoBleed have yet been reported.

Greenbone’s OPENVAS ENTERPRISE FEED includes remote version detection checks for Windows and Linux instances of MongoDB Server [14][15]. The vendor’s official advisory includes a list of affected versions and patches. Users should upgrade with urgency and inspect MongoDB servers for indicators of compromise (IoC).

CVSS 10 SmarterMail Flaw Allows Unauthenticated RCE

CVE-2025-52691 (CVSS 10) is a new unauthenticated remote code execution (RCE) vulnerability in SmarterTools SmarterMail affecting Build 9406 and earlier. The flaw is caused by an arbitrary file upload weakness [CWE-434] that lets attackers upload files to any location on the target server. These uploaded files can potentially serve as web shells or be executed as SYSTEM if placed in sensitive directories.

SmarterMail runs on the Windows/IIS/.NET stack and includes a web application with webmail and sync services over HTTPS. SmarterMail’s official documentation claims over 15 million users. Other sources attribute less than 0.1% of all identifiable web applications to SmarterMail. SmarterMail is often used in managed web hosting environments, which could increase the potential blast radius if exploited.

Singapore’s Cyber Security Agency (CSA) published CVE-2025-52691 and first alerted the public to its risk. Active exploitation in the wild or public PoC exploits have not been disclosed, but penligent.ai researchers have published technical descriptions of the attack chain [1][2]. Other national security agencies have also issued emergency cyber alerts [3][4].

The OPENVAS ENTERPRISE FEED includes a version detection check for CVE-2025-52691. The issue was patched in early October 2025 in Build 9413 of SmarterMail. Users are advised to upgrade to the newest version.

OSGeo GeoServer Actively Exploited via XXE Flaw

CVE-2025-58360 (CVSS 9.8, EPSS 99th pctl) is an unauthenticated XML External Entity (XXE) vulnerability [CWE-611] in OSGeo GeoServer. The flaw lets remote attackers read arbitrary files, trigger Server-Side Request Forgery (SSRF) [CWE-918], or cause Denial of Service (DoS). The root cause is a failure to properly sanitize XML data processed by the /geoserver/wms GetMap endpoint.

CVE-2025-58360 was added to CISA KEV on December 11th and multiple public PoC exploits exist [1][2][3]. Use in ransomware attacks or espionage has not been confirmed. The Shadowserver Foundation has tracked 2,451 exposed GeoServer instances; Shodan reports over 14,000, indicating significant global risk. Several national CERT agencies have published alerts for CVE-2025-58360 [4][5][6][7][8]. Previously, in 2024, CVE-2024-36401 (CVSS 9.8) in GeoServer was actively exploited and led to a confirmed breach of an unnamed U.S. federal agency. This indicates cyber adversaries are familiar with exploiting GeoServer infrastructure, which increases the risk.

The OPENVAS ENTERPRISE FEED includes a remote banner check to detect vulnerable GeoServer instances. CVE-2025-58360 affects the main OSGeo GeoServer application, docker.osgeo.org/geoserver containers, gs-web-app, and gs-wms Maven packages. Full affected product status is available in the vendor’s official advisory.

Living on the Edge: New Threats to Network Perimeters in December 2025

Our monthly Threat Report has been closely tracking software vulnerabilities impacting the network perimeter [1][2][3]. In December 2025, there was indeed another wave of new high-risk CVEs and active exploitation. Let’s cover some emerging risks to perimeter networks:

Multiple Fortinet Products Actively Exploited via Authentication Bypass

Published on December 9th, 2025, CVE-2025-59718 (CVSS 9.8, EPSS 90th pctl) and CVE-2025-59719 (CVSS 9.8) were added to CISA’s KEV list one week after being made public. CVE-2025-59718 affects Fortinet FortiOS, FortiProxy, and FortiSwitchManager, while CVE-2025-59719 only impacts FortiWeb. The new CVEs allow authentication bypass of FortiCloud SSO admin logins due to improper cryptographic signature verification [CWE-347] of SAML messages. According to the first report of active attacks, made by Arctic Wolf, FortiCloud SSO login may be enabled by default when registering devices via the FortiCare GUI.

At least one PoC exploit is publicly available [1]. The new CVEs triggered a widespread response from national CERT agencies globally [1][2][3][4][5][6][7][8][9][10][11][12]. Greenbone provides detection for both new critical severity CVEs. For a full list of affected products, see Fortinet’s official advisory.

Privilege Escalation Flaw in SonicWall SMA 1000 Appliances

CVE-2025-40602 (CVSS 6.6, EPSS 84th pctl) is a local privilege escalation flaw affecting the Appliance Management Console of SonicWall Secure Mobile Access (SMA) 1000 appliances. The vulnerability is caused by insufficient or missing authorization [CWE-862]. Exploitation can lead to root-level OS command execution. CVE-2025-40602 is now on CISA’s KEV list and being actively exploited in the wild for unauthenticated RCE when chained with CVE-2025-23006 (CVSS 9.8, EPSS 98th pctl), published in January 2025 and covered in our January 2025 Threat Report. However, CVE-2025-40602 can be exploited on its own with local account access.

No detailed attack tutorials or PoC exploits are publicly available for either CVE. This may indicate that ongoing attacks are conducted by nation-state threat actors or other APT groups. The OPENVAS ENTERPRISE FEED includes remote banner checks for both CVEs described above [1][2]. SMA 1000 Series appliances (6200, 6210, 7200, 7210, 8000v, 8200v) versions 12.4.3-03093 and prior and versions 12.5.x through 12.5.0-02002 are impacted.

CVE-2025-14733: WatchGuard VPNs Actively Exploited Again

CVE-2025-14733 (CVSS 9.8, EPSS 97th pctl) is an unauthenticated RCE flaw affecting WatchGuard Firebox mobile user VPNs and branch office VPNs with IKEv2 when configured with a dynamic gateway peer. The root cause is an out-of-bounds memory write in the iked IKEv2 daemon, which is responsible for managing VPN sessions. According to the vendor’s own threat report, attackers have exfiltrated configuration files and the user database from compromised VPN devices [TA0010].

The CVE has been added to CISA’s KEV database, but no proof-of-concept or detailed technical write-ups are available yet. The Shadowserver Foundation reports more than 100,000 affected devices exposed on the internet. A similar out-of-bounds write flaw in WatchGuard VPNs, CVE-2025-9242 (CVSS 9.8), has been exploited in the wild since September 2025.

Greenbone’s OPENVAS ENTERPRISE FEED includes remote checks for both CVEs referenced above [1][2], allowing defenders to quickly identify affected devices. See the vendor’s official advisory for more information including specific affected versions and configuration requirements for exploitation, mitigation steps, and indicators of compromise (IoC).

Array Networks AG Series VPNs Exploited for RCE

CVE-2025-66644 (CVSS 9.8, EPSS 86th pctl) is an unauthorized command injection flaw [CWE-78] in Array Networks ArrayOS AG Series VPNs with the DesktopDirect remote access feature enabled. According to a report published in early December 2025, CVE-2025-66644 has been actively exploited against entities in Japan since at least August. The attack chain has included installing PHP webshells [T1505.003] and creating rogue users [T1136] for persistence.

The CVE has been added to CISA’s KEV list. However, no public PoC exploit is available. Greenbone includes a remote banner check to detect vulnerable devices. For mitigation, the vendor instructs users to upgrade to ArrayOS version 9.4.5.9 or later.

Ivanti Patches New Vulnerabilities in EndPoint Manager (EPM)

Four new risky CVEs affecting Ivanti EndPoint Manager (EPM) were published and patched in December 2025. Active exploitation is not yet reported, and none of the flaws triggered high EPSS scores. Users should upgrade to Ivanti Endpoint Manager 2024 SU4 SR1 and ensure that EPM is not internet-facing. The OPENVAS ENTERPRISE FEED includes remote detection for all four new Ivanti vulnerabilities. See Ivanti’s official advisory for more information.

The four new CVEs are briefly described below.

  • CVE-2025-13659 (CVSS 8.8) allows unauthenticated arbitrary file write on the server, potentially leading to remote code execution, due to improper control of dynamically managed code resources [CWE-913].
  • CVE-2025-13662 (CVSS 7.8) enables unauthenticated code execution via improper signature verification in the patch management process [CWE-347].
  • CVE-2025-13661 (CVSS 8.0) is an authenticated path traversal flaw [CWE-22] enabling arbitrary file writes.
  • CVE-2025-10573 (CVSS 6.1) is a stored XSS flaw [CWE-79] enabling unauthenticated JavaScript execution in an admin session in Ivanti Endpoint Manager Core and remote consoles.

Update: New CVEs Add to Social Engineering Risks

Social engineering is a prominent attack chain used by adversaries. Using deceptive context to trick users into clicking on links and files [T1566] has proven to be a highly effective means for gaining unauthorized access and even RCE. Here are some emerging threats on the social engineering landscape that defenders should mitigate:

UK National Health Service: 7-Zip is Actively Exploited

CVE-2025-11001 (CVSS 7.8) is a path traversal flaw [CWE-22] in the 7-Zip application for Windows caused by insecure handling of Linux-style symbolic links in .zip files. A maliciously crafted .zip archive can potentially allow RCE by placing files into sensitive directories [T1574], or enable other attacks such as placing malware in visible locations on the victim’s system, hoping the user executes them [T1204.002]. On Windows, exploitation depends on the local user having the SeCreateSymbolicLinkPrivilege permission or other configurations such as Developer Mode, or running 7-Zip as admin.

CVE-2025-11001 has not been added to CISA’s KEV list, but the UK’s NHS has reported a public PoC exploit [1]. Multiple national CERT agencies have issued alerts globally [2][3][4][5][6][7][8]. CVE-2025-11002 is often cited alongside CVE-2025-11001, but officially remains in RESERVED status. CVE-2025-11001 was patched in 7-Zip version 25.00. Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for the 7-Zip Windows application and other platforms that include vulnerable versions of 7-Zip.

CISA Adds New WinRAR Flaw to Actively Exploited List

CVE-2025-6218 (CVSS 7.8) is a directory traversal flaw [CWE-22] affecting WinRAR versions 7.11 and earlier. Similar to CVE-2025-11001 described above, attackers that trick a victim into opening a malicious archive file could write files into sensitive locations on the target system, potentially leading to a malware infection. In August 2025, another WinRAR flaw, CVE-2025-8088 (CVSS 8.8), was being exploited in espionage campaigns.

Multiple technical analyses of CVE-2025-6218 are available [1][2]. China’s 360 threat intel has attributed attacks to the APT-C-08 group (aka BITTER, Manlinghua, T-APT-17). The group is an Advanced Persistent Threat (APT) active since 2013, and is known to target government, energy, military, and defence-industrial entities in South Asia [3][4]. On December 9th, 2025, CISA added CVE-2025-6218 to its KEV list and numerous national CERT alerts have been issued, going back to the CVE’s time of initial disclosure [5][6][7][8][9][10][11].

The OPENVAS ENTERPRISE FEED includes an authenticated security check to detect the presence of vulnerable WinRAR applications on Windows endpoints. Users are advised to upgrade to the latest version of WinRAR for Windows.
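Both the 7-Zip flaw (symbolic links inside .zip files) and the WinRAR flaw (directory traversal in entry names) described above come down to archive entries that land outside the extraction directory. The following is an added example, not code from the original post or from either vendor, of a pre-extraction audit a mail gateway or file-upload handler could run before unpacking a .zip: it flags absolute paths, `..` traversal, and Unix-style symlink entries whose target resolves outside the destination. `audit_archive`, `build_constructed_archive` and the `/srv/extract` destination are constructed for this illustration; the sample archive is built in memory and is not a real-world malicious file.

```python
import io
import os
import posixpath
import stat
import zipfile


def _escapes(dest: str, relative: str) -> bool:
    """True if dest/relative resolves outside dest once '..' is applied."""
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, relative))
    return os.path.commonpath([dest_abs, target]) != dest_abs


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix zip writers store the POSIX mode in the high 16 bits of
    external_attr; S_IFLNK there marks a symbolic-link entry."""
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_archive(zip_bytes: bytes, dest: str = "/srv/extract") -> list:
    """Return (entry name, reason) for every entry that would land outside
    dest: absolute paths, '..' traversal, or symlinks pointing out of dest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                findings.append((name, "absolute path"))
                continue
            if _escapes(dest, name):
                findings.append((name, "path traversal"))
                continue
            if _is_symlink(info):
                # For a symlink entry the link target is stored as file data.
                target = zf.read(info).decode("utf-8", "replace")
                link_dir = posixpath.dirname(name)
                if target.startswith("/") or _escapes(dest, posixpath.join(link_dir, target)):
                    findings.append((name, f"symlink escapes extraction dir: {target}"))
    return findings


def build_constructed_archive() -> bytes:
    """Build an in-memory zip with one benign file, one traversal entry, one
    escaping symlink and one harmless symlink (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../evil.txt", "would land two directories above dest")

        link = zipfile.ZipInfo("docs/link")
        link.create_system = 3  # 3 = Unix, so readers honour the mode bits
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside")  # symlink target as file data

        inner = zipfile.ZipInfo("docs/same_dir_link")
        inner.create_system = 3
        inner.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(inner, "readme.txt")  # stays inside dest: allowed
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_constructed_archive()):
        print(f"BLOCK {name!r}: {reason}")
```

Refusing the whole archive when any entry is flagged is the simplest policy; extracting only the clean entries is riskier, because a symlink created by an earlier entry can redirect a later, apparently clean entry. The audit covers .zip only; the same checks apply to other formats that carry symlink entries, such as tar.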

CVE-2025-66516: New Guidance for Critical Apache Tika Vulnerability

CVE-2025-66516 (CVSS 9.8) is a new maximum severity CVE affecting Apache Tika, an open-source content analysis and extraction toolkit. The application is commonly used within search, ETL and indexing pipelines, Data Loss Prevention (DLP) and compliance scanning, and in AI RAG systems to convert encoded documents (such as .pdf and .docx) into plaintext and metadata.

CVE-2025-66516 allows any attacker who can submit a maliciously crafted XFA-enabled PDF to the Apache Tika processor to trigger an XML External Entity injection [CWE-611]. Exploitation enables file disclosure, SSRF, and DoS due to unsafe external entity handling during XFA XML parsing.
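The GeoServer WMS flaw earlier in this report and the Tika XFA flaw here are both XXE [CWE-611], and both lead to the same three outcomes: file disclosure, SSRF and DoS. The following is an added example, not GeoServer's or Tika's code (both are Java projects) and not from the original post, of the input gate a Python service that accepts untrusted XML should put in front of its parser: refuse any DOCTYPE, entity declaration or external entity reference before the document is parsed, which closes all three outcomes at once. `parse_untrusted_xml`, `reject_dtd_and_entities`, `is_rejected` and the three sample documents are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD or an external entity."""


def reject_dtd_and_entities(data: bytes) -> None:
    """Pre-parse gate: fail closed on any DOCTYPE, entity declaration or
    external entity reference before the real parser sees the data."""
    p = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD is ever needed for WMS requests or XFA forms from clients.
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed in untrusted input")

    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r} blocked")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    # Never fetch external parameter entities (remote DTDs) either.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML only after the gate has accepted it."""
    reject_dtd_and_entities(data)
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper: True if the gate refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed sample documents (not real requests captured anywhere).
SAFE_DOC = b"""<?xml version="1.0"?>
<GetMap service="WMS" version="1.3.0"><Layers>roads</Layers></GetMap>"""

# External entity: would read a file or make a request (disclosure / SSRF).
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE GetMap [ <!ENTITY ext SYSTEM "http://internal.example/"> ]>
<GetMap service="WMS" version="1.3.0"><Layers>&ext;</Layers></GetMap>"""

# Nested internal entities: the expansion pattern behind entity-based DoS.
BOMB_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE d [ <!ENTITY a "aaaaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> ]>
<d>&b;</d>"""


if __name__ == "__main__":
    print("safe document root:", parse_untrusted_xml(SAFE_DOC).tag)
    for label, doc in (("external entity", XXE_DOC), ("entity expansion", BOMB_DOC)):
        print(f"{label} rejected:", is_rejected(doc))
```

Rejecting the DTD outright is the setting OWASP recommends for XML parsers that only ever need plain element data; for Java stacks such as GeoServer and Tika the equivalent is the `disallow-doctype-decl` feature on the parser factory. Note that the gate parses the document once to inspect it and `ET.fromstring` parses it again, so apply a size limit before calling either.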

CVE-2025-66516 is considered an extension of CVE-2025-54988 (CVSS 8.4), published in August 2025. CVE-2025-54988 didn’t correctly describe the affected components; users who upgraded the tika-parser-pdf-module but didn’t upgrade tika-core are still vulnerable. Patching requires upgrading the full dependency chain to a fixed version.

Although reports do not indicate active exploitation or ransomware use, a public PoC exploit is available. The vulnerability is high-risk due to Tika’s widespread use in automated document-processing pipelines. Belgium’s CERT.be and Korea’s KRCERT have issued alerts. Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for CVE-2025-66516, including affected upstream enterprise SaaS products from Atlassian, Elastic, and more.

Summary

In December 2025, critical CVEs landed throughout the holidays, driving emergency patching and rapid triage for defenders. This report covers new actively exploited vulnerabilities, including MongoBleed, a SmarterMail unauthenticated RCE, OSGeo GeoServer, and trending attacks against edge devices such as those from Fortinet, SonicWall, WatchGuard, and more. Defenders seeking to harden their IT infrastructure can try OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.