Android Patched Two Zero-Day Vulnerabilities Under Active Attack
Google released its December security update for Android, fixing 107 vulnerabilities across the operating system. Two of these were zero-day flaws that attackers had already exploited in targeted campaigns.
The zero-day vulnerabilities carry the identifiers CVE-2025-48633 and CVE-2025-48572. The first permits unauthorized access to sensitive information, while the second enables privilege escalation. Both affect Android versions 13 through 16.
Per Google's official security bulletin, attackers exploited both vulnerabilities in limited, targeted attacks before the patches became available. Google followed its standard practice of withholding technical exploit details to prevent additional threat actors from weaponizing the flaws. Based on historical patterns, zero-day vulnerabilities like these typically appear in commercial spyware operations and campaigns attributed to state-sponsored groups and intelligence services.
The December update also addressed CVE-2025-48631, the month's most severe issue. This flaw in the Android Framework component could trigger denial-of-service conditions.
Google structured the December update across two patch levels. The first level (2025-12-01) resolves 51 vulnerabilities in Android Framework components and system modules. The second level (2025-12-05) fixes 56 issues in the OS kernel and third-party proprietary components.
Security teams should prioritize four critical privilege escalation vulnerabilities in the pKVM and IOMMU kernel subsystems. Additionally, Qualcomm-based devices face two critical bugs: CVE-2025-47319 and CVE-2025-47372. Qualcomm and MediaTek published separate bulletins with detailed information on fixes for their proprietary components.
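To check a fleet against the two patch levels described above, the following added example (not from Google's bulletin or the original article) classifies devices by reported Android version and security patch level and orders them by urgency. The inventory is constructed sample data, and the inputs are assumed to come from the ro.build.version.release and ro.build.version.security_patch build properties.

```python
import re
from datetime import date

# Patch levels and counts as stated in the article. A device reporting a later
# date is treated as including earlier levels (standard patch-level semantics).
FRAMEWORK_LEVEL = date(2025, 12, 1)   # 51 Framework and system-module fixes
FULL_LEVEL = date(2025, 12, 5)        # plus 56 kernel and vendor-component fixes
ZERO_DAY_RELEASES = {13, 14, 15, 16}  # versions affected by both zero-days

def parse_level(raw):
    """Strictly parse a YYYY-MM-DD patch level; None if malformed."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", (raw or "").strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. month 13
        return None

def classify(release, raw_level):
    """Return (status, in_zero_day_range) for one device."""
    major = re.match(r"\d+", str(release).strip())
    in_range = bool(major) and int(major.group()) in ZERO_DAY_RELEASES
    level = parse_level(raw_level)
    if level is None:
        return "unknown", in_range
    if level >= FULL_LEVEL:
        return "full", in_range
    if level >= FRAMEWORK_LEVEL:
        return "framework-only", in_range  # kernel/vendor fixes still missing
    return "missing-december", in_range

def triage(inventory):
    """Order devices most urgent first: unpatched, unknown, partial, full."""
    rank = {"missing-december": 0, "unknown": 1, "framework-only": 2, "full": 3}
    rows = [(dev, *classify(rel, lvl)) for dev, rel, lvl in inventory]
    return sorted(rows, key=lambda r: (rank[r[1]], not r[2], r[0]))

# Constructed sample inventory, not real devices:
# (device id, ro.build.version.release, ro.build.version.security_patch)
SAMPLE = [
    ("tablet-07", "12", "2025-11-01"), ("phone-01", "15", "2025-12-05"),
    ("phone-02", "14", "2025-12-01"), ("phone-03", "13", "2025-11-05"),
    ("kiosk-04", "16", "unknown"), ("phone-05", "15", "2026-01-01"),
]

if __name__ == "__main__":
    for dev, status, in_range in triage(SAMPLE):
        print(f"{dev:10} {status:17} zero-day range: {in_range}")
```

A "framework-only" result means the device reports 2025-12-01 and still lacks the kernel and vendor fixes in the 2025-12-05 level, including the critical kernel and Qualcomm issues named above.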