(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – December 18, 2025
Created: Thursday, December 18, 2025 - 14:57
Categories: Cybersecurity, Security Preparedness
The vulnerabilities below have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation, and draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Cisco Secure Email Gateway and Cisco Secure Email and Web Manager Remote Command Execution Vulnerability
CVSS v3.1: 10.0
CVE: CVE-2025-20393
Description: A zero-day vulnerability in Cisco Secure Email Gateway and Secure Email and Web Manager is being exploited by China-nexus threat actors. Per Cisco's advisory, the flaw is in the Spam Quarantine feature of Cisco AsyncOS and allows an unauthenticated, remote attacker to execute arbitrary commands as root; it is exploitable only where Spam Quarantine is enabled and reachable from the internet, so whether that interface is exposed is the first thing to check. Cisco is continuing to investigate and will update its advisory as more details become available. WaterISAC has published a separate analysis of this vulnerability. CISA has added this vulnerability to its KEV catalog.
Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
React Server Components Remote Code Execution Vulnerability (React2Shell)
CVSS v3.1: 10.0
CVE: CVE-2025-55182
Description: This vulnerability, also known as React2Shell, has been identified by Google Threat Intelligence Group (GTIG) as exploited by several China-linked threat actors. It is a critical-severity, unauthenticated remote code execution (RCE) vulnerability in React Server Components affecting React 19.0.0, 19.1.0, 19.1.1, and 19.2.0; React fixed it in 19.0.1, 19.1.2, and 19.2.1, and frameworks that bundle React Server Components, such as Next.js, shipped corresponding fixes. The vulnerable code is in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages, so check those package versions, not only the react package itself.
Source: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
SonicWall SMA1000 Missing Authorization Vulnerability
CVSS: N/A
CVE: CVE-2025-40602
Description: A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC). CISA has added this vulnerability to its KEV catalog.
Source: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
ASUS Live Update Embedded Malicious Code Vulnerability
CVSS v4.0: 9.3
CVE: CVE-2025-59374
Description: Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. CISA has added this vulnerability to its KEV catalog.
Source: https://www.asus.com/news/hqfgvuyz6uyayje1/
Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability
CVSS v3.1: 9.1
CVE: CVE-2025-59718
Description: An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, and FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass FortiCloud SSO login authentication via a crafted SAML response message. The bypass applies only where the FortiCloud SSO login feature is enabled; Fortinet's advisory lists disabling that feature as a workaround until a fixed release is installed. CISA has added this vulnerability to its KEV catalog.
Source: https://fortiguard.fortinet.com/psirt/FG-IR-25-647
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
CVSS v4.0: 7.1
CVE: CVE-2025-14611
Description: Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 use hard-coded values in their AES implementation. Because the key material is fixed across installations, an unauthenticated attacker can craft requests to publicly exposed endpoints that rely on this scheme, which may yield arbitrary local file inclusion. On its own this is an information-disclosure primitive, but it can be chained with previously disclosed CentreStack and Triofox vulnerabilities to reach full system compromise. CISA has added this vulnerability to its KEV catalog.
Source: https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability
Apple Multiple Products Use-After-Free WebKit Vulnerability
CVSS: N/A
CVE: CVE-2025-43529
Description: A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report. CISA has added this vulnerability to its KEV catalog.
Source: https://www.cve.org/CVERecord?id=CVE-2025-43529
Google Chromium Out-of-Bounds Memory Access Vulnerability
CVSS: N/A
CVE: CVE-2025-14174
Description: An out-of-bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allows a remote attacker to trigger out-of-bounds memory access via a crafted HTML page. It was reported together with the Apple WebKit issue CVE-2025-43529 listed above. CISA has added this vulnerability to its KEV catalog.
Source: https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
CVSS: N/A
CVE: CVE-2018-4063
Description: A remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 firmware 4.9.3. A specially crafted HTTP request can upload a file containing executable code to a location that is reachable through the web server. Exploitation requires an authenticated HTTP request. Although disclosed in 2018, this issue has now been added to CISA's KEV catalog, so unpatched ALEOS gateways remain a live target.
Source: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0748
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability
CVSS v3.1: 8.1
CVE: CVE-2025-58360
Description: GeoServer is an open source server for sharing and editing geospatial data. From version 2.26.0 to before 2.26.2, and in versions before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The GetMap operation of the /geoserver/wms endpoint accepts XML input that is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0. CISA has added this vulnerability to its KEV catalog.
Source: https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525
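As an added illustration of the version checks these entries imply, the Python below encodes the affected ranges exactly as the Fortinet, React, Google Chrome and Gladinet entries state them and flags inventory rows that fall inside them. This is example code written for this page, not WaterISAC, CISA or vendor code; the product labels, the INVENTORY rows and every function name are constructed for the demonstration, and only the CVE IDs and version bounds are taken from the entries above. Only entries that state a plain dotted-version range are encoded.

```python
"""Affected-version check for the Fortinet, React, Chrome and Gladinet entries.

Added example for this page, not WaterISAC, CISA or vendor code. Product labels,
INVENTORY rows and all function names are constructed for the demonstration;
only the CVE IDs and version bounds are taken from the entries above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Leading dotted-numeric part of a version string, as ints.

    'v7.4.8,build2795' -> (7, 4, 8). Build suffixes are dropped so they
    cannot be mistaken for an extra version component.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def cmp_versions(a: str, b: str) -> int:
    """-1/0/1 comparison; missing trailing parts count as 0, so '19.0' == '19.0.0'."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


@dataclass(frozen=True)
class Rule:
    product: str
    cve: str
    low: str | None = None       # inclusive lower bound ("7.4.0 through ...")
    high: str | None = None      # inclusive upper bound ("... through 7.4.8")
    below: str | None = None     # exclusive upper bound ("prior to 143.0.7499.110")
    exact: tuple[str, ...] = ()  # discrete affected releases (the React entry)

    def matches(self, version: str) -> bool:
        if self.exact:
            return any(cmp_versions(version, e) == 0 for e in self.exact)
        if self.low is not None and cmp_versions(version, self.low) < 0:
            return False
        if self.high is not None and cmp_versions(version, self.high) > 0:
            return False
        if self.below is not None and cmp_versions(version, self.below) >= 0:
            return False
        return True


def _through(product: str, cve: str, *spans: tuple[str, str]) -> list[Rule]:
    """One inclusive Rule per 'X through Y' span the advisory lists."""
    return [Rule(product, cve, low=lo, high=hi) for lo, hi in spans]


RULES: list[Rule] = [
    *_through("FortiOS", "CVE-2025-59718", ("7.6.0", "7.6.3"), ("7.4.0", "7.4.8"),
              ("7.2.0", "7.2.11"), ("7.0.0", "7.0.17")),
    *_through("FortiProxy", "CVE-2025-59718", ("7.6.0", "7.6.3"), ("7.4.0", "7.4.10"),
              ("7.2.0", "7.2.14"), ("7.0.0", "7.0.21")),
    *_through("FortiSwitchManager", "CVE-2025-59718", ("7.2.0", "7.2.6"), ("7.0.0", "7.0.5")),
    Rule("React", "CVE-2025-55182", exact=("19.0", "19.1.0", "19.1.1", "19.2.0")),
    Rule("Google Chrome (Mac)", "CVE-2025-14174", below="143.0.7499.110"),
    Rule("Gladinet CentreStack", "CVE-2025-14611", below="16.12.10420.56791"),
    Rule("Gladinet Triofox", "CVE-2025-14611", below="16.12.10420.56791"),
]


def is_affected(product: str, version: str) -> list[str]:
    """CVE IDs whose stated affected range contains this product version."""
    return sorted({r.cve for r in RULES if r.product == product and r.matches(version)})


def check_inventory(rows: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """(product, version, cve) for every inventory row inside an affected range."""
    return [(p, v, cve) for p, v in rows for cve in is_affected(p, v)]


# Constructed inventory: each pair sits on opposite sides of a stated boundary.
INVENTORY: list[tuple[str, str]] = [
    ("FortiOS", "7.4.8"), ("FortiOS", "7.4.9"),
    ("FortiProxy", "7.0.21"), ("FortiSwitchManager", "7.2.7"),
    ("React", "19.2.0"), ("React", "19.2.1"),
    ("Google Chrome (Mac)", "143.0.7499.109"), ("Google Chrome (Mac)", "143.0.7499.110"),
    ("Gladinet CentreStack", "16.12.10420.56790"), ("Gladinet Triofox", "16.12.10420.56791"),
]

if __name__ == "__main__":
    for product, version, cve in check_inventory(INVENTORY):
        print(f"{product} {version}: affected by {cve}")
```

The entries' wording is mapped literally: "through" is treated as inclusive, "prior to" as exclusive, and a shorter version such as the React entry's 19.0 compares equal to 19.0.0. A match only says the version sits inside a stated range, not that the device is exploitable: the Fortinet SAML bypass additionally requires FortiCloud SSO login to be enabled, and the Cisco, SonicWall, ASUS, Apple, Sierra Wireless and GeoServer entries do not give a single dotted range this comparison could be held to, so those must be checked against the vendor advisories directly.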
