This week’s TWiC highlights several high impact security events that organizations should review and prioritize. Google patched a Chrome zero day already exploited in the wild. Microsoft released updates addressing an actively exploited Windows privilege escalation flaw along with two additional zero-day vulnerabilities. Fortinet disclosed critical authentication bypass issues affecting multiple appliance families when FortiCloud SSO is enabled. Finally, exploitation of the React2Shell vulnerability continues to accelerate, with threat actors deploying the advanced EtherRAT malware implant. The sections below outline the risks and recommended actions for each issue.
Google Chrome Zero Day Actively Exploited
Google released a security update for Chrome that includes a fix for a high severity flaw tracked as bug ID 466192044. The issue is already exploited in the wild. Google has not yet assigned a CVE or published technical details, but a linked Chromium commit points to a buffer handling flaw in the ANGLE Metal renderer that could lead to memory corruption or code execution. All major Chromium based browsers will need to apply updates as patches become available.
Risks Identified
- Ongoing exploitation targeting Chrome users
- Potential for remote code execution and sandbox escape
- Likely use in targeted campaigns
- Delay in patch availability for non-Google Chromium browsers
Security Recommendations
- Update Chrome to version 143.0.7499.109 or higher
- Monitor availability of updates for other Chromium based browsers like Edge, Brave, Opera, and Vivaldi
- Managed SIEM to detect abnormal Chrome child processes or exploitation patterns
- Remove unnecessary browser extensions and enforce least privilege
- Enable automatic browser updates in managed environments
Microsoft Patch Tuesday: Active Exploitation and Two Additional Zero Days
Microsoft released fixes for 56 vulnerabilities, including CVE-2025-62221, a privilege escalation flaw that is already exploited in the wild. The weakness exists in the Windows Cloud Files Mini Filter Driver, which is present even if cloud storage applications are not installed. Two additional issues, CVE-2025-54100 in PowerShell and CVE-2025-64671 in GitHub Copilot for JetBrains, have publicly available proof of concept code. Many of the patched vulnerabilities continue the trend of post compromise privilege escalation opportunities.
Risks Identified
- Active exploitation of CVE-2025-62221 for SYSTEM level access
- Broad exposure due to the minifilter driver being widely deployed
- High potential for exploit chaining with initial access methods like phishing
- PowerShell command injection enabling remote execution
Security Recommendations
- Apply all December 2025 patches, prioritizing CVE-2025-62221
- Update IDE environments that use GitHub Copilot or JetBrains tools
- Review PowerShell usage and enable constrained language mode where possible
- Internal penetration testing with a focus on privilege escalation paths
- Managed SIEM to monitor PowerShell activity, driver anomalies, and exploit behavior
- Review PowerShell usage and enable constrained language mode where possible
- Microsoft 365 and Windows security configuration assessments
- Rotate credentials if PowerShell exploitation is suspected
Fortinet FortiCloud SSO Authentication Bypass
Fortinet disclosed two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager when FortiCloud SSO is enabled. The flaws stem from improper SAML signature verification, allowing forged SAML messages to bypass authentication and grant full administrative access. FortiCloud SSO is enabled automatically when devices are registered with FortiCare unless administrators disable it.
Risks Identified
- Full administrative access without credentials
- Exposure across multiple product lines that often serve as perimeter security
- Potential for misuse by ransomware and nation state operators
- Elevated lateral movement risk once administrative access is obtained
Security Recommendations
- Disable FortiCloud SSO until patched
- Apply Fortinet firmware updates to the fixed versions
- Firewall and appliance configuration assessments
- External penetration testing with a focus on discovering management interfaces
- Restrict administrative interfaces to trusted networks
- Review SAML related logs for irregularities
- Continuous vulnerability scanning to monitor Fortinet patch status
- Validate device registration workflows and remove unused FortiCare associations
React2Shell Exploitation and EtherRAT Malware Deployment
Exploitation of the critical React2Shell vulnerability (CVE-2025-55182) continues to expand. Multiple threat groups, including North Korea linked actors, have leveraged the flaw to deploy a new malware family named EtherRAT. The implant uses Ethereum smart contracts for command and control, including five persistence layers on Linux hosts, and deploys its own Node.js runtime. The activity aligns with earlier Contagious Interview campaigns targeting developers through fake job opportunities.
nGuard recently published a detailed advisory on React2Shell.
Risks Identified
- Rapid adoption of the vulnerability by state aligned actors
- Remote code execution leading to credential theft, cryptomining, or long-term access
- Distributed blockchain based C2 that is resistant to takedown
- Strong persistence designed to survive reboots and forensic cleanup
- Exposure for organizations running React Server Components or Next.js
- Risk of spreading within developer environments
Security Recommendations
- Refer to nGuard’s prior coverage on this to see a full breakdown of security recommendations
- Application penetration testing for Node.js, React, and Next.js environments
Wrap
This week’s activity underscores the need for timely patching, careful review of authentication exposures, and close monitoring of systems that rely on widely deployed frameworks or cloud integrated components. Organizations should validate that updates have been applied, confirm SSO and administrative access paths are securely configured, and review logging and detection coverage for signs of exploitation. Continued attention to browser, operating system, appliance, and application layer vulnerabilities remains essential as threat actors rapidly adopt new exploit paths.
