Daily CISO Briefing Note | December 9, 2025
CybersecurityHQ | CISO Cyber Briefing Note

Welcome reader, here’s today’s Cyber Briefing Note.
Brought to you by:
👣 Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
📊 LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
Full access to CybersecurityHQ’s deep-dive intelligence, weekly executive cyber briefings, premium research, and analytic tools — $299/year.
Enterprise and team licenses available.
Summary
The past 48 hours included disclosures across enterprise resource planning systems, document processing frameworks, consumer networking appliances, commercial spyware ecosystems, and web-based malware distribution infrastructure. These signals arose from unrelated sectors and appeared within the same reporting window through monthly vendor patch cycles, government vulnerability catalog updates, security research publication schedules, and multinational investigative journalism coordination.
Theme 1: Enterprise application vendor releases monthly security update addressing code injection vulnerability in centralized management platform
SAP published its December 2025 Security Patch Day on December 9, addressing fourteen new security notes across Solution Manager, NetWeaver, Commerce Cloud, and adjacent products. The most severe disclosure, CVE-2025-42880, affects SAP Solution Manager with a CVSS rating of 9.9 and enables authenticated low-privilege users to inject arbitrary code through a remote-enabled function module lacking input sanitization. Three vulnerabilities in this release carry CVSS scores exceeding 9.0. Federal agencies operating SAP environments face compliance timelines under applicable security directives. Source category: vendor security bulletin.
Theme 2: Document processing framework disclosure expands scope of maximum-severity XML injection vulnerability affecting content analysis pipelines
Apache Tika maintainers published CVE-2025-66516 on December 4, a maximum-severity XML external entity injection vulnerability carrying a CVSS rating of 10.0. The disclosure supersedes and expands CVE-2025-54988 from August 2025, clarifying that the underlying vulnerability resides in tika-core rather than the PDF parser module alone. Organizations that previously patched only the PDF module remain exposed. The vulnerability enables unauthenticated attackers to trigger file disclosure or server-side request forgery by submitting crafted PDF files containing malicious XFA content to document ingestion endpoints. Internet-facing exposure analysis identified over 565 potentially vulnerable Tika Server instances. Source category: vendor security advisory.
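Because the Tika flaw is reached through XML embedded in documents (XFA inside PDFs), an ingestion pipeline can refuse XML that declares a DTD before any parser resolves it. The following added example is not Apache Tika code or code from the page; it is a hypothetical Python gate (function name `xxe_findings` and the sample documents are constructed) that uses expat only to observe DOCTYPE and entity declarations without fetching anything, and rejects on sight.

```python
import xml.parsers.expat

def xxe_findings(xml_bytes: bytes) -> list:
    """Return reasons this XML must not reach the document parser.

    Hypothetical ingestion gate: expat is used only to observe DOCTYPE and
    entity declarations; no external resource is resolved or fetched.
    An empty list means no DTD constructs were seen at all.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is enough to reject: XXE and entity-expansion
        # attacks both need a DTD in which to declare their entities.
        findings.append(f"DOCTYPE '{name}' declared (system id {sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid is not None or pubid is not None:
            findings.append(f"external {kind} entity '{name}' -> {sysid!r}")
        else:
            findings.append(f"internal {kind} entity '{name}' ({len(value or '')} chars)")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"reference to external entity {sysid!r}")
        return 1  # tell expat the reference is handled; the target is never fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings

# Constructed samples standing in for XFA data extracted from a PDF (not real files).
BENIGN = b'<?xml version="1.0"?><datasets><form1><name>Ada</name></form1></datasets>'
SUSPECT = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
           b'<datasets><form1>&ext;</form1></datasets>')
```

Rejecting every DOCTYPE is the same rule a hardened Java XML parser enforces when DTD processing is disabled; it closes both file disclosure and SSRF paths in one check.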
Theme 3: United States cybersecurity agency adds end-of-life consumer router vulnerability to active exploitation catalog
CISA added CVE-2022-37055 to its Known Exploited Vulnerabilities catalog on December 8, confirming active exploitation of a buffer overflow vulnerability in D-Link Go-RT-AC750 routers. The affected product line reached end-of-life status and will not receive vendor patches. The vulnerability enables unauthenticated remote code execution through improper memory management in the device's HNAP interface. Federal agencies face a December 29, 2025 remediation deadline under Binding Operational Directive 22-01, with discontinuation of affected devices as the primary recommended action. Source category: government vulnerability catalog update.
Theme 4: Security vendor analysis documents multi-stage malware framework using compromised websites to distribute remote administration tooling
Securonix published technical analysis on December 3 describing a campaign designated JS#SMUGGLER that distributes NetSupport RAT through compromised websites. The attack chain employs heavily obfuscated JavaScript loaders containing large volumes of randomized comment text to evade static analysis, followed by HTML Application payloads executed through mshta.exe, and encrypted PowerShell stagers that retrieve the final payload from attacker-controlled infrastructure. The malware establishes persistence through Startup folder shortcuts disguised as Windows Update components. Attribution to specific threat actors remains undetermined. Source category: security vendor threat research.
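The chain described above leaves three observable behaviours on an endpoint: mshta.exe running an HTA from a user-writable path, a script host spawned by mshta.exe, and a Startup-folder shortcut written by a script host under a Windows Update lookalike name. The following added example is not Securonix's detection content or code from the page; it is a hypothetical Python detector (`detect_js_smuggler`, the Sysmon-style field names and the sample events are all constructed) that runs those three rules over process-create and file-create events.

```python
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
HTA_RE = re.compile(r"\.hta\b", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
WINUPDATE_RE = re.compile(r"windows\s*update", re.I)

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_js_smuggler(events):
    """Return one alert dict per event matching a JS#SMUGGLER-style behaviour.

    Events are Sysmon-like dicts (field names assumed): id 1 = process create
    (image, parent_image, cmdline), id 11 = file create (image, target).
    """
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            child, parent = _base(ev["image"]), _base(ev["parent_image"])
            # Stage 2: mshta.exe executing an HTA dropped in a user-writable path
            if child == "mshta.exe" and HTA_RE.search(ev["cmdline"]) and (
                    USER_WRITABLE_RE.search(ev["cmdline"])):
                alerts.append({"rule": "mshta executing HTA from user-writable path", "event": ev})
            # Stage 3: PowerShell (or another script host) spawned by mshta.exe
            if parent == "mshta.exe" and child in SCRIPT_HOSTS:
                alerts.append({"rule": "script host spawned by mshta.exe", "event": ev})
        elif ev["id"] == 11:
            # Persistence: a .lnk written into a Startup folder by a script host
            target = ev["target"]
            if STARTUP_LNK_RE.search(target) and _base(ev["image"]) in SCRIPT_HOSTS:
                rule = "startup shortcut written by script host"
                if WINUPDATE_RE.search(_base(target)):
                    rule += " (Windows Update lookalike name)"
                alerts.append({"rule": rule, "event": ev})
    return alerts

# Constructed sample telemetry for the three stages plus one benign event; not real data.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\update.hta"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -w hidden -nop -c <redacted stager>"},
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.lnk"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]
```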
Theme 5: Multinational investigation documents continued operations of United States-sanctioned commercial spyware vendor
Amnesty International, Recorded Future, and investigative journalism outlets published coordinated research on December 3-4 documenting ongoing operations by Intellexa, the consortium behind Predator commercial spyware sanctioned by the United States Treasury Department in March 2024. Researchers identified new evidence of spyware deployment in Iraq and indicators associated with activity linked to Pakistan, including a confirmed attack attempt against a human rights lawyer in Balochistan province during summer 2025. The investigation documented a previously unknown advertising-based infection vector designated Aladdin that delivers spyware through malicious digital advertisements without requiring target interaction. Source category: security research and investigative journalism.
Synthesis
Disclosures from multiple unrelated sectors surfaced in the same reporting window, driven by monthly vendor patch cycles, government vulnerability catalog updates, security research publication schedules, and multinational investigative journalism coordination. (8 themes excluded: covered in prior 48-hour briefings.)
Author
Daniel Michan is the founder of CybersecurityHQ, a CISO-grade intelligence platform read weekly across the Fortune 100. He analyzes identity-centric risk, machine identity failures, SaaS integration breakdowns, and emerging AI-speed threats, producing executive briefings and deep-dive research used by enterprise security leaders for decision support.