Security Weekly: Apple 0-days, WinRAR, .NET RCE, OAuth

December 15, 2025 at 12:00 AM

This week’s security roundup is a patch-now moment. Actively exploited flaws are hitting software most of us use daily—phones, browsers, archives, and popular frameworks.

Threat of the week

  • Apple and Google ship fixes for two zero-days: CVE-2025-14174 (ANGLE memory corruption) and CVE-2025-43529 (use-after-free). Affected platforms include iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari; Chrome is impacted via ANGLE. Both bugs enable code execution via malicious web content. Exploitation appears highly targeted, likely tied to commercial spyware.

Top news highlights

  • .NET SOAPwn enables RCE via HTTP client proxies: Unexpected handling of non-HTTP URLs can lead to arbitrary file writes, NTLM challenge leaks, and RCE through web shells or PowerShell script drops. WSDL imports may also be abused.
  • CentreStack/Triofox exploited: A design failure in token encryption key generation lets attackers access web.config and execute code. Keys don’t rotate; at least nine orgs impacted as of Dec 10, 2025.
  • WinRAR CVE-2025-6218 (path traversal) under active attack: Exploited by GOFFEE (Paper Werewolf), Bitter, and Gamaredon. Added to CISA KEV; U.S. federal agencies must patch by Dec 30, 2025.
  • React2Shell (CVE-2025-55182) mass exploitation: Multiple China-nexus clusters (UNC6600, UNC6586, UNC6588, UNC6603, UNC6595) deploy malware including MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, and Noodle RAT. Organizations on React/Next.js must patch fast.
  • Hamas-linked WIRTE (Ashen Lepus) expands espionage across the Middle East: Long-running phishing leads to a modular AshTag framework delivered via C2 code hidden in HTML tags; persistent operations continued through and after the 2025 Gaza ceasefire.

Trending CVEs to prioritize

  • Apple/Chrome: CVE-2025-43529, CVE-2025-14174
  • React/Next.js: CVE-2025-55183, CVE-2025-55184, CVE-2025-67779
  • WinRAR: CVE-2025-6218
  • Plus critical issues across Windows, Fortinet, Ivanti, SAP, PCIe IDE protocol, routers/cameras, Jenkins, GitLab, Apache Struts 2, and more. Triage against exposure and business impact, then patch in order of risk.

Around the cyber world

  • UK fines LastPass £1.2M for 2022 breach: Attackers pivoted via a compromised developer MacBook, abused Plex CVE-2020-5741 to keylog a DevOps master password, and breached cloud storage. ICO cited insufficient safeguards.
  • APT-C-60 targets Japan with SpyGlace: Phishing emails attach a VHDX directly; GitHub replaces Bitbucket for payload delivery.
  • ConsentFix, a new OAuth phishing twist: Victims paste a localhost URL containing an OAuth code into a fake Cloudflare challenge page, granting access—entirely within the browser, evading endpoint detections.
  • 2025 CWE Top 25: XSS leads, then SQLi, CSRF, missing authorization, and out-of-bounds write.
  • Salt Typhoon members tied to Cisco training: Findings suggest local training programs may inadvertently boost offensive capabilities if safeguards are weak.
  • Freedom Chat fixes two flaws: Possible phone-number enumeration and exposed PINs triggered a global PIN reset; no message content was exposed.
  • New Windows RasMan 0-day DoS gets unofficial 0patch: Impacts Windows 7–11 and Server 2008 R2–2025; no in-the-wild exploitation reported.
  • Ukrainian national charged over OT attacks: Linked to NoName057(16) and CARR, allegedly GRU-directed; U.S. cites opportunistic OT intrusions via exposed VNC and basic tradecraft.
  • APT36 (Transparent Tribe) targets Indian government Linux (BOSS): Spear-phishing delivers Linux LNK files that deploy a Python RAT for remote control.
  • Operation Hanoi Thief hits Vietnamese IT/HR: Fake resumes deliver LOTUSHARVEST via DLL side-loading; steals Chrome/Edge data.
  • PowerShell security boost: New prompt warns on Invoke-WebRequest without safe parameters; Microsoft rolls out Baseline Security Mode across M365 services for risk-based hardening.
  • U.S. to require foreign travelers’ 5-year social media history: Applies to all countries, including visa waiver entrants.
  • AitM phishing targets Microsoft 365/Okta: Proxies SSO to steal credentials and session tokens, bypassing non-phishing-resistant MFA.
  • Calendly-themed phishing steals Google/Facebook credentials: BitB pop-ups and brand spoofing target ad account managers to fuel malvertising and ClickFix-style campaigns.
  • Calendar subscription abuse: Hijacked/expired iCal subscription domains can push malicious events to users’ calendars; 390+ abandoned domains sinkholed.
  • The Gentlemen ransomware ramps up: Uses BYOVD and GPO manipulation in double-extortion attacks across 17 countries; one of 2025’s most active emerging crews.

Webinars to watch

  • Zero Trust + AI for modern, fileless threats and secure Dev environments.
  • Patch faster, safely: Guardrails for Chocolatey/Winget, version drift detection, and staged rollouts.

Helpful tools (review before use)

  • Strix: Lightweight framework for building consistent CLIs.
  • Heisenberg: Scans SBOMs and public sources to surface supply chain risk signals.
    Disclaimer: For research only. Review code, test safely, and follow laws/policies.

What to do now

  • Patch Apple platforms and Safari; update Chrome.
  • Update WinRAR; deploy React/Next.js fixes.
  • Audit .NET apps for SOAP/WSDL proxy behaviors; block non-HTTP schemes.
  • Harden SSO/MFA (phishing-resistant methods), monitor OAuth consent flows, and train users on ConsentFix-style lures.
  • Review calendar subscriptions; remove abandoned sources.
  • Enable new PowerShell protections and review Microsoft Baseline Security Mode.
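One way to enforce the "block non-HTTP schemes" item for SOAP/WSDL proxies, as an added C# example that is not from the article or from .NET itself; the `EndpointPolicy` helper, its same-origin rule for WSDL imports and the sample URLs are assumptions made here:

```csharp
using System;
using System.Collections.Generic;
// Hypothetical guard (added example; not from the article or from .NET itself): run it on
// every URL before it reaches a SOAP client proxy's endpoint or a WSDL importer.
public static class EndpointPolicy
{
    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { Uri.UriSchemeHttp, Uri.UriSchemeHttps };

    // Accepts only absolute http/https URLs with a host. A UNC path such as "\\server\share"
    // parses in .NET as a file:// URI with IsUnc set, so it fails the same check as file://.
    public static bool TryValidate(string candidate, out Uri uri, out string reason)
    {
        reason = "ok";
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri)) { reason = "not an absolute URI"; return false; }
        if (uri.IsFile || uri.IsUnc || !AllowedSchemes.Contains(uri.Scheme))
        { reason = $"scheme '{uri.Scheme}' is not http/https"; return false; }
        if (uri.HostNameType == UriHostNameType.Unknown) { reason = "missing host"; return false; }
        return true;
    }

    // Assumption for this example: a WSDL import/include may only resolve to the same scheme
    // and host as the root WSDL, so a fetched document cannot steer the importer elsewhere.
    public static bool IsAllowedImport(Uri root, string location, out string reason)
    {
        // Backslashes never belong in a WSDL location; refusing them keeps UNC strings from
        // being resolved as relative paths against the root.
        if (location.IndexOf('\\') >= 0) { reason = "backslash in location"; return false; }
        Uri target;
        if (Uri.TryCreate(location, UriKind.Absolute, out _))
        { if (!TryValidate(location, out target, out reason)) return false; }
        else
        { target = new Uri(root, location); reason = "ok"; } // relative: resolve against root
        if (Uri.Compare(root, target, UriComponents.SchemeAndServer,
                        UriFormat.UriEscaped, StringComparison.OrdinalIgnoreCase) != 0)
        { reason = $"origin {target.Authority} differs from root {root.Authority}"; return false; }
        return true;
    }

    public static void Main()
    {
        var root = new Uri("https://api.example.test/orders.svc?wsdl");
        // Constructed inputs: one legitimate relative import plus the non-HTTP and off-origin
        // locations an unguarded importer might otherwise follow.
        string[] locations = { "../types.wsdl", "file:///C:/Windows/Temp/out.txt",
            @"\\fileserver.test\share\x", "ftp://other.test/a.wsdl", "https://other.test/a.wsdl" };
        foreach (var loc in locations)
            Console.WriteLine($"{(IsAllowedImport(root, loc, out var why) ? "ALLOW " : "REJECT")} {loc}: {why}");
    }
}
```

Only the relative `../types.wsdl` resolves to the root's origin and is allowed; the file://, UNC, ftp:// and off-origin https:// locations are each rejected with the reason shown.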

Source: The Hacker News
