
Another day, another emergency patch.
Apple and Google issue emergency updates to patch zero-days. Google links five additional Chinese state-backed hacking groups to “React2Shell.” France’s Ministry of the Interior was hit by a cyberattack. Atlassian patches roughly 30 third-party vulnerabilities. Microsoft says its December 2025 Patch Tuesday updates are breaking Message Queuing. Researchers uncovered a massive exposed database with nearly 4.3 billion professional records openly accessible online. Britain’s new MI6 chief warns of an “aggressive, expansionist, and revisionist” Russia. Monday Business Brief. On today’s Threat Vector, Michael Heller from Unit 42 chats with security leaders Greg Conti and Tom Cross to unpack the hacker mindset and the idea of “dark capabilities.” A cyber holiday gift guide for the rest of us.
Today is Monday, December 15th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Apple and Google issue emergency updates to patch zero-days.
Apple and Google have both issued emergency security updates after zero-day vulnerabilities were found under active exploitation in what they describe as sophisticated real-world attacks. Apple released patches across iPhones, iPads, and Macs to fix two WebKit flaws it says were used in highly targeted attacks, offering few technical details beyond confirming the exploits were already circulating. Google, meanwhile, updated Chrome’s Stable channel to address several bugs, including an actively exploited zero-day tracked as CVE-2025-14174, an out-of-bounds memory access flaw. Google acknowledged the exploit was in the wild and later revealed Apple’s security team and Google’s Threat Analysis Group were involved in its discovery, suggesting spyware-grade activity. The incidents add to a growing tally, with Apple patching nine in-the-wild zero-days in 2025 and Google addressing eight in Chrome so far this year.
Google links five additional Chinese state-backed hacking groups to “React2Shell.”
Google’s threat intelligence team has linked five additional Chinese state-backed hacking groups to active exploitation of the maximum-severity “React2Shell” vulnerability, tracked as CVE-2025-55182. The flaw affects recent versions of the React JavaScript library and enables unauthenticated remote code execution with a single HTTP request, impacting React and Next.js applications using vulnerable server components. Attacks began shortly after public disclosure on December 3, with Palo Alto Networks reporting dozens of breaches and AWS warning that multiple China-linked groups were exploiting the bug within hours. Google says the attackers are deploying a range of backdoors and tunneling tools, while other actors, including Iranian groups and cybercriminals, are also abusing the flaw. More than 116,000 systems remain exposed, highlighting widespread risk across internet-facing applications.
France’s Ministry of the Interior was hit by a cyberattack.
France’s Interior Minister has confirmed that the Ministry of the Interior was hit by a cyberattack that compromised its email servers. The breach, detected overnight between December 11 and 12, allowed attackers to access some document files, though authorities have not confirmed whether any data was stolen. In response, the ministry tightened security protocols and strengthened access controls, while opening an investigation into the attack’s origin and scope. Officials say multiple scenarios are being considered, including foreign interference, activist activity, or cybercrime. The Interior Ministry, which oversees police, internal security, and immigration services, is a high-value target. The incident follows previous French attributions of state-backed campaigns, including activity linked to Russia’s APT28 group targeting government and diplomatic email systems.
Atlassian patches roughly 30 third-party vulnerabilities.
Atlassian has released patches for roughly 30 third-party vulnerabilities affecting multiple products, including several critical flaws. The most severe is CVE-2025-66516, a maximum-severity XML External Entity vulnerability in Apache Tika that could enable information disclosure, denial of service, SSRF, or remote code execution via crafted PDF files. Atlassian products using Tika, including Jira, Confluence, and Bamboo, have been fixed. The updates also address critical prototype pollution bugs and more than two dozen high-severity issues across Atlassian’s server and data center products. Users are urged to patch promptly.
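The briefing does not describe the code path inside Apache Tika, so nothing here is Tika’s or Atlassian’s code. As an added illustration of the general mitigation for XML External Entity flaws, the following Java snippet configures the standard JDK DOM parser to reject DOCTYPE declarations and external entities, then shows it refusing a constructed document that declares an external entity (the file path in the sample is a placeholder, not a real target).

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Constructed sample: the classic XXE shape, an external entity that points
    // at a local file. The path is a placeholder for illustration only.
    static final String HOSTILE_SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">]>\n" +
        "<note>&ext;</note>";

    // Constructed sample: an ordinary document with no DTD at all.
    static final String BENIGN_SAMPLE = "<note>hello</note>";

    /** Builds a DocumentBuilder with DTD processing and external entities disabled. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE declaration outright blocks XXE and entity-expansion
        // (billion laughs) payloads before any entity is ever resolved.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour these features but not the one above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Returns true if the hardened parser accepted the document, false if it rejected it. */
    static boolean parseSafely(String xml) {
        try {
            DocumentBuilder db = hardenedBuilder();
            Document doc = db.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc != null;
        } catch (SAXException e) {
            // With disallow-doctype-decl set, the parser throws as soon as it sees <!DOCTYPE>.
            return false;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("hostile sample accepted: " + parseSafely(HOSTILE_SAMPLE));
        System.out.println("benign sample accepted:  " + parseSafely(BENIGN_SAMPLE));
    }
}
```

The same feature flags apply to SAX and StAX parsers obtained from the JDK factories; the point for a reviewer is that an application which accepts XML, or file formats that embed XML metadata, should refuse DTDs by default rather than rely on each downstream library having patched its own parser.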
Microsoft says its December 2025 Patch Tuesday updates are breaking Message Queuing.
Microsoft says its December 2025 Patch Tuesday updates are breaking Message Queuing, or MSMQ, on some Windows systems, disrupting enterprise applications and IIS websites. The issue affects Windows 10 22H2 and Windows Server 2016 and 2019 after specific security updates are installed. Microsoft says recent changes to MSMQ’s security model altered permissions on a system folder, causing message failures unless users have administrative rights. Symptoms include stalled queues, application errors, and misleading resource warnings. Microsoft is investigating but has not announced a fix, leaving administrators to weigh rolling back updates against security risks.
Researchers uncovered a massive exposed database with nearly 4.3 billion professional records openly accessible online.
Researchers have uncovered a massive exposed database that left roughly 4.3 billion professional records openly accessible online. Cybersecurity researcher Bob Diachenko, working with nexos.ai, found the unsecured 16-terabyte MongoDB instance on November 23, 2025. It was secured two days later, but it remains unclear whether attackers accessed the data beforehand. Analysis showed multiple collections containing names, email addresses, phone numbers, job roles, employment history, education details, photos, and links to professional profiles such as LinkedIn. Researchers say the data appears to have been aggregated from multiple sources, likely through large-scale scraping, possibly including older leaks. While ownership has not been confirmed, evidence suggests ties to a lead-generation business. Experts warn the dataset could enable highly targeted phishing, fraud, and other social engineering attacks against professionals.
Britain’s new MI6 chief warns of an “aggressive, expansionist, and revisionist” Russia.
Britain’s new MI6 chief, Blaise Metreweli, is warning that the United Kingdom now faces a constant, borderless threat environment, driven in large part by an “aggressive, expansionist, and revisionist” Russia. In her first public speech, Metreweli says the “front line is everywhere,” pointing to cyberattacks, espionage, sabotage, and other hybrid tactics as tools Moscow uses to export instability. She signals Britain’s intent to increase pressure on the Kremlin until President Putin is forced to rethink his strategy. Her remarks follow recent UK sanctions targeting Russia’s military intelligence agency and cyber operators, as well as additional sanctions against Russian and Chinese groups accused of cyber and influence operations. Metreweli, the first woman to lead MI6, also emphasizes blending human intelligence with advanced technology, arguing officers must be as fluent in code as in languages. Still, she stresses that human judgment, ethics, and agency will ultimately define security in the digital age.
Monday Business Brief.
Cybersecurity and AI-focused companies saw a surge of funding and deal activity, highlighted by several large investment rounds and acquisitions. Saviynt led the week with a $700 million Series B to accelerate identity security development and AI-driven migration from legacy platforms. Eon raised $300 million to expand its cloud backup and AI analytics platform, while agentic AI security startups 7AI, Prime Security, and Lumia collectively secured more than $160 million. Hardware and infrastructure players, including Axiado and Niobium, also attracted significant capital for AI and quantum-resilient security technologies. At the lower end, multiple seed and pre-seed rounds backed startups focused on impersonation prevention, identity security, AI governance, and compliance. Mergers and acquisitions were equally active, with Proofpoint closing its $1.8 billion acquisition of Hornetsecurity and Checkmarx buying Tromzo to strengthen autonomous AppSec. Overall, the activity underscores sustained investor confidence in cybersecurity, particularly around AI, identity, and software supply chain risk.
A cyber holiday gift guide for the rest of us.
Journalist Zack Whittaker’s Holiday Cyber Gift Guide opens by admitting what many readers already suspect: gift guides are usually terrible. Endless lists, questionable recommendations, and very little actual help. This one, he says, is meant to spare you that pain. The idea is to suggest gifts that improve security, privacy, or curiosity without accidentally turning someone into a breach waiting to happen.
Whittaker’s picks are practical, optional, and deliberately un-salesy. He points readers toward supporting independent journalism, because good reporting is still one of the best defenses we have. He suggests data removal services for anyone uneasy about their digital exhaust, password managers for people still reusing the same login everywhere, and tools like Flipper Zero or Shodan for those with a healthy, harmless curiosity about how tech really works.
There are also creature comforts, like coffee subscriptions, and long-term projects, like building a home lab with a NAS. The tone stays lightly irreverent throughout. No kickbacks, no guilt. Just thoughtful ideas from someone who has seen how badly security gifts can go wrong.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
A final note before we go: you may recall that not too long ago we asked for your help voting for an award I was nominated for, the SANS Difference Makers Awards. I am pleased to report that, thanks to all of you who voted, we won! Last night I was honored to accept the award live at the awards gala in Washington, DC.
This show is truly a team effort, and I’m thankful for everyone who plays a role in making it possible for us to bring you the news and information that help make our world a little safer, every day. Thanks to all of you, our listeners, for supporting our efforts.
