
As we close out the year, it’s a good time to step back and assess the vulnerabilities being flagged by national cybersecurity agencies around the world. I routinely monitor updates from the Canadian Centre for Cyber Security and Australia’s ACSC—both among the most transparent and high‑quality sources of threat intelligence—but this month’s warnings from South Africa, the UK, and Germany are equally worth attention. One theme cuts across all of them: foreign state‑sponsored cyber activity continues to dominate the global cyber threat landscape.
From long‑term espionage campaigns to zero‑day exploitation in foundational web frameworks, December has been marked by a surge in high‑severity alerts—many of them aimed squarely at managed service providers (MSPs) and their clients. Below is a breakdown of the most critical developments.
BRICKSTORM malware in multi‑year espionage campaign
In a joint advisory, CISA, the NSA, and the Canadian Cyber Centre exposed BRICKSTORM, a highly sophisticated backdoor malware used by Chinese state‑sponsored operators. The malware is engineered for persistent access across VMware vSphere and Windows environments, targeting government agencies, enterprise IT providers, and critical infrastructure—primarily in North America.
CISA’s analysis covered eight BRICKSTORM samples taken from compromised organizations. One incident response case revealed that attackers maintained undetected access for 17 months, from April 2024 through September 2025. BRICKSTORM employs multiple layers of encryption, DNS‑over‑HTTPS for concealed communications, and even self‑reinstallation if defenders attempt to remove it.
CrowdStrike has attributed recent BRICKSTORM activity to Warp Panda, a newly identified threat actor targeting legal, tech, and manufacturing firms throughout 2025. Although some victims include government and SaaS organizations, many specifics remain masked in public reports.
To defend against BRICKSTORM, organizations should:
- Scan systems using CISA’s published YARA (file and memory signatures) and Sigma (log‑based detection) rules
- Block unauthorized DNS‑over‑HTTPS providers
- Harden and inventory all edge devices
- Strengthen network segmentation, especially between DMZ and internal networks
React server components flaw achieves maximum severity
CISA has added CVE‑2025‑55182, a remote code execution vulnerability in Meta’s React Server Components, to its Known Exploited Vulnerabilities catalog. Carrying a CVSS score of 10.0, the flaw—nicknamed React2Shell—affects React versions 19.0.0 to 19.2.0 and enables unauthenticated attackers to execute arbitrary code.
This vulnerability has sweeping implications. React underpins a huge portion of the global web ecosystem, from SaaS applications to major retail platforms—including Shopify, Walmart, and Target storefronts. The Canadian Cyber Centre echoed CISA’s warnings, urging immediate patch deployment and post‑update compromise checks on all internet‑facing systems.
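For MSPs with many client code bases, the first step is simply finding every installed copy of React, including nested duplicates that a top-level version pin hides. The script below is an added example (not from the post, Meta, or CISA) that walks an npm package-lock.json and flags copies inside the 19.0.0 to 19.2.0 range quoted above; the range bounds are parameters, and the sample lockfile is constructed.

```python
"""List installed React copies in a package-lock.json and flag the range above.

Added example. Assumes npm lockfile v2/v3 layout ("packages" keyed by the
node_modules path). The default bounds are the 19.0.0 to 19.2.0 range quoted
above; replace them with the exact affected versions from the vendor advisory.
"""
import json
import re

AFFECTED_MIN = (19, 0, 0)   # inclusive
AFFECTED_MAX = (19, 2, 0)   # inclusive

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def version_tuple(version):
    """Return (major, minor, patch); a prerelease suffix such as -canary is ignored."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())

def in_range(version, lo=AFFECTED_MIN, hi=AFFECTED_MAX):
    """True when lo <= version <= hi, comparing numeric components."""
    return lo <= version_tuple(version) <= hi

def installed_react(lock):
    """Return {lockfile path: version} for every copy of react, nested ones included."""
    return {path: meta["version"]
            for path, meta in lock.get("packages", {}).items()
            if path.endswith("node_modules/react") and "version" in meta}

def find_affected_react(lock, lo=AFFECTED_MIN, hi=AFFECTED_MAX):
    """Return sorted (path, version) pairs whose version falls inside the range."""
    return sorted((p, v) for p, v in installed_react(lock).items() if in_range(v, lo, hi))

def scan_lockfile(filename, lo=AFFECTED_MIN, hi=AFFECTED_MAX):
    """Load a package-lock.json from disk and run the same check."""
    with open(filename, encoding="utf-8") as fh:
        return find_affected_react(json.load(fh), lo, hi)

# Constructed sample lockfile: one direct react, one nested legacy copy.
SAMPLE_LOCK = {
    "name": "storefront", "lockfileVersion": 3,
    "packages": {
        "": {"name": "storefront", "dependencies": {"react": "^19.0.0"}},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.0"},
        "node_modules/legacy-widget/node_modules/react": {"version": "18.3.1"},
    },
}
```

Running `find_affected_react(SAMPLE_LOCK)` reports only the top-level 19.1.0 copy; the nested 18.3.1 copy is listed by `installed_react` but falls outside the range.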
Multiple vendors issue December patches
’Tis the season—not just for holiday cheer, but also for heavy patching.
Microsoft shipped its December 2025 security update addressing a wide range of vulnerabilities, including CVE‑2025‑62221, which is already being actively exploited. Canada’s Cyber Centre emphasized the importance of rapid patching across enterprise environments.
CISA added two more exploited vulnerabilities to its catalog:
- CVE‑2022‑37055 (D‑Link routers — buffer overflow)
- CVE‑2025‑66644 (Array Networks ArrayOS AG — command injection)
Fortinet released critical patches for authentication bypass flaws (CVE‑2025‑59718 and CVE‑2025‑59719) affecting FortiCloud SSO, FortiOS, and FortiWeb. Both Australia’s ACSC and Canada’s Cyber Centre issued coordinated alerts highlighting the severity of these bugs, which allow attackers to completely bypass authentication.
Mobile and hardware vulnerabilities demand attention
Android security updates for December addressed CVE-2025-48572 and CVE-2025-48633, both added to CISA’s Known Exploited Vulnerabilities catalog. Qualcomm published patches for critical vulnerabilities affecting numerous mobile devices, with CVE-2025-47372 rated as the most severe.
Ivanti Endpoint Manager users face critical vulnerabilities in version 2024 SU4 and prior, prompting urgent advisories from both U.S. and Canadian agencies. Jenkins also released security updates addressing multiple vulnerabilities in its automation server and plugins.
Industrial control systems remain in the crosshairs
CISA issued 12 new ICS advisories in mid‑December, covering vulnerabilities across Mitsubishi Electric, Advantech, Johnson Controls, and more. Two advisories targeted medical devices, highlighting the growing attack surface within healthcare operational technology.
Australia’s ACSC also warned about pro‑Russia hacktivist groups launching ongoing, low‑sophistication but disruptive attacks against globally exposed ICS infrastructure.
CISA updates cross‑sector cybersecurity performance goals
Rounding out the month, CISA released version 2.0 of its Cross‑Sector Cybersecurity Performance Goals. The new version integrates refreshed NIST Cybersecurity Framework guidance and introduces a governance component focused on accountability, risk management, and embedding cybersecurity into daily operations.
What MSPs and organizations should do now
Given the flood of high‑severity alerts, MSPs should prioritize:
- Immediate patching of any known exploited vulnerabilities
- Comprehensive scanning for BRICKSTORM using CISA’s detection rules
- Hardening VMware vSphere deployments
- Ensuring all clients leveraging React have updated to patched versions
- Reviewing DNS‑over‑HTTPS configurations
- Re‑evaluating segmentation and access control policies
State‑sponsored actors are embedding themselves deeper and longer, while zero‑day vulnerabilities continue to appear in the frameworks that power the modern web. December’s threat landscape is a reminder that defenders must stay aggressive, vigilant, and proactive.
This post originally appeared on Smarter MSP.

