Top stories.
- White House releases National Security Strategy and issues executive order on AI.
- Dozens of organizations breached by React2Shell exploitation.
- Intelligence agencies warn of Russian hacktivists targeting critical infrastructure.
- Patch Tuesday notes.
- Maryland man sentenced to prison for involvement in North Korean employment schemes.
White House releases National Security Strategy and issues executive order on AI.
The White House late last week released the United States' new National Security Strategy, a 30-page document outlining the Trump administration's global priorities. On the cyber front, the biggest change is the elevation of economic power, industrial capacity, and supply-chain control as core strategic tools. The strategy says the US government should "partner with regional governments and businesses to build scalable and resilient energy infrastructure, invest in critical mineral access, and harden existing and future cyber communications networks that take full advantage of American encryption and security potential."
POLITICO notes that the National Security Strategy is the first of several upcoming defense and foreign policy papers scheduled for release by the Trump administration. The others, including the National Defense Strategy, can be expected to be similarly on-brand.
Separately, President Trump on Thursday signed an executive order, "Ensuring a National Policy Framework for Artificial Intelligence," aimed at preempting state-level AI regulations. The White House cites three reasons for the order: "First, State-by-State regulation by definition creates a patchwork of 50 different regulatory regimes that makes compliance more challenging, particularly for start-ups. Second, State laws are increasingly responsible for requiring entities to embed ideological bias within models. For example, a new Colorado law banning 'algorithmic discrimination' may even force AI models to produce false results in order to avoid a 'differential treatment or impact' on protected groups. Third, State laws sometimes impermissibly regulate beyond State borders, impinging on interstate commerce."
CNBC says tech companies like Google and OpenAI will welcome the order, while states are likely to challenge it in court. Some states—notably, California, Utah, Colorado, and Texas—have already passed their own laws regulating AI. States that refuse to comply with the executive order may face Federal funding restrictions.
Dozens of organizations breached by React2Shell exploitation.
Researchers continue to track the impact of React2Shell (CVE-2025-55182), a maximum-severity RCE flaw affecting all frameworks that implement React Server Components. Suspected Chinese threat actors began exploiting the flaw within hours of its disclosure on December 3rd, and cybercriminal gangs and nation-state actors are now scanning for vulnerable systems.
Palo Alto Networks' Unit 42 says at least 30 organizations have been breached via multiple vectors of attack. Unit 42's Justin Moore told the Record, "We have observed scanning for vulnerable RCE, reconnaissance activity, attempted theft of AWS configuration and credential files, as well [as] installation of downloaders to retrieve payloads from attacker command and control infrastructure." Unit 42 attributes this activity to an initial access broker associated with China's Ministry of State Security.
Sysdig warns that North Korean threat actors are using new malware in attacks targeting React2Shell. The malware, dubbed "EtherRAT," uses "Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org." The researchers note, "EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations."
Intelligence agencies warn of Russian hacktivists targeting critical infrastructure.
The US intelligence community and its international partners from thirteen countries have issued an advisory warning of pro-Russian hacktivist groups targeting critical infrastructure. The threat actors, including the Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16, are "capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage." The hackers are targeting water and wastewater systems, food and agriculture entities, and the energy sector.
The advisory notes, "These groups have limited capabilities, frequently misunderstanding the processes they aim to disrupt. Their apparent low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact. Despite these limitations, the authoring organizations have observed these groups willfully cause actual harm to vulnerable critical infrastructure."
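The advisory's point is that these groups succeed because so many VNC endpoints are reachable in the first place. The first thing a defender checks on such an endpoint is what the server offers during the RFB handshake, in particular whether it advertises the "None" security type (unauthenticated access). The parser below is an added example for this briefing, not code from the advisory or from any of the named groups: it decodes the server's opening RFB messages (ProtocolVersion, then the security-type negotiation in both the 3.3 form and the 3.7/3.8 form) and flags servers that offer "None". The byte strings are constructed samples, not captured traffic, and the security-type table covers only commonly seen numbers.

```python
"""Parse the server side of an RFB (VNC) handshake and report which
security types it offers. Added example for this briefing, not from the
joint advisory. All sample bytes below are constructed, not captured."""
import struct

# Registered RFB security types commonly seen in the wild (partial table).
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple Remote Desktop",
}


def _read_reason(body: bytes) -> str:
    """Read the U32-length-prefixed failure reason a server sends when it
    offers no security types (count 0 in 3.7/3.8, type 0 in 3.3)."""
    if len(body) < 4:
        raise ValueError("truncated failure reason")
    (n,) = struct.unpack(">I", body[:4])
    if len(body) < 4 + n:
        raise ValueError("truncated failure reason")
    return body[4:4 + n].decode("latin-1")


def parse_rfb_server_hello(data: bytes) -> dict:
    """Decode ProtocolVersion + security negotiation as sent by an RFB server.

    3.3: a single big-endian U32 security type (0 = refused, reason follows).
    3.7/3.8 (and later): U8 count followed by that many U8 security types;
    count 0 means refused, reason follows.
    """
    if len(data) < 12 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    reason = None
    if (major, minor) <= (3, 3):
        if len(body) < 4:
            raise ValueError("truncated 3.3 security type")
        (sec,) = struct.unpack(">I", body[:4])
        types = [] if sec == 0 else [sec]
        if sec == 0:
            reason = _read_reason(body[4:])
    else:
        if not body:
            raise ValueError("truncated security-type count")
        count = body[0]
        if count == 0:
            types = []
            reason = _read_reason(body[1:])
        else:
            if len(body) < 1 + count:
                raise ValueError("truncated security-type list")
            types = list(body[1:1 + count])
    return {
        "version": f"{major}.{minor}",
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "allows_unauthenticated": 1 in types,  # type 1 == "None"
        "failure_reason": reason,
    }


def flag_unauthenticated(hellos: dict) -> list:
    """Return the names of servers whose handshake offers 'None'."""
    return [name for name, hello in hellos.items()
            if parse_rfb_server_hello(hello)["allows_unauthenticated"]]


# Constructed server handshakes (hypothetical hosts, not real traffic).
SAMPLE_OPEN = b"RFB 003.008\n" + bytes([1, 1])                # offers only None
SAMPLE_AUTH = b"RFB 003.008\n" + bytes([2, 2, 19])            # VNC auth or VeNCrypt
SAMPLE_33_OPEN = b"RFB 003.003\n" + struct.pack(">I", 1)      # legacy 3.3, None
SAMPLE_REFUSED = (b"RFB 003.008\n" + bytes([0])
                  + struct.pack(">I", 8) + b"Too many")       # no types offered
SAMPLES = {
    "open-3.8": SAMPLE_OPEN,
    "authenticated-3.8": SAMPLE_AUTH,
    "open-3.3": SAMPLE_33_OPEN,
    "refused-3.8": SAMPLE_REFUSED,
}

if __name__ == "__main__":
    for name, hello in SAMPLES.items():
        print(name, parse_rfb_server_hello(hello))
    print("unauthenticated:", flag_unauthenticated(SAMPLES))
```

A server that offers "None" is the clearest exposure signal, but its absence is not a clean bill of health: classic VNC Authentication is a DES challenge-response that truncates passwords to eight characters, so an Internet-facing endpoint offering only type 2 still belongs behind a VPN or jump host rather than on the open network.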
Patch Tuesday notes.
Microsoft on Tuesday issued patches for 57 vulnerabilities, including three zero-days, SecurityWeek reports. One of the zero-days (CVE-2025-62221) is under active exploitation, while the other two were publicly disclosed before patches were released. The exploited zero-day is a use-after-free flaw in the Windows Cloud Files Mini Filter Driver, which has been assigned a CVSS score of 7.8.
Adobe issued fixes for nearly 140 vulnerabilities, most of which are cross-site scripting bugs affecting Experience Manager.
Fortinet fixed two critical authentication bypass flaws affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
Ivanti patched a critical vulnerability (CVE-2025-10573) in Ivanti Endpoint Manager that can allow a remote unauthenticated attacker to execute arbitrary JavaScript.
SAP addressed three critical flaws, including a code injection vulnerability (CVE-2025-42880) in Solution Manager with a CVSS score of 9.9.
IBM has issued fixes for more than 100 vulnerabilities across its products, most of which affected third-party dependencies. The company patched six critical flaws in Storage Defender, one critical vulnerability in IBM Guardium Data Protection's implementation of the Apache Tomcat server, and another critical bug in the form-data library used in Maximo Application Suite.
SecurityWeek also has a roundup of patches released by ICS vendors, including Siemens, Rockwell Automation, Schneider Electric, and Phoenix Contact.
Maryland man sentenced to prison for involvement in North Korean employment schemes.
A 40-year-old Maryland man, Minh Phuong Ngoc Vong, has been sentenced to 15 months in prison after pleading guilty to allowing North Korean nationals to use his identity in fraudulent employment schemes, the Record reports. Vong helped "John Doe," a North Korean national living in China, obtain employment at several American companies, including a contractor for the Federal Aviation Administration (FAA) that worked on "a particular software application used by various U.S. government agencies to manage sensitive information regarding national defense matters."
The Justice Department stated, "Between 2021 and 2024, Vong used fraudulent misrepresentations to obtain employment with at least 13 different U.S. companies, who collectively paid Vong more than $970,000 in salary for software development services that were, unbeknownst to them, performed by Doe or other overseas conspirators. Several of these defrauded companies contracted out Vong’s services to U.S. government agencies in addition to the FAA."