Google Patches Actively Exploited Sandbox Escape Zero-Day CVE-2025-6558 in Chrome
Friday, December 5, 2025
Top 5 Cybersecurity Stories You Should Know
- Google Patches Actively Exploited Sandbox Escape Zero-Day CVE-2025-6558 in Chrome — tl;dr: Google has released a critical security update for Chrome addressing multiple vulnerabilities, including a high-severity zero-day (CVE-2025-6558) that is being actively exploited. The flaw allows an attacker to escape the browser's sandbox by executing arbitrary code via a specially crafted HTML page. Users are urged to update to version 138.0.7204.157 or .158 immediately. This is the fifth actively exploited Chrome flaw fixed this year, underscoring the importance of keeping software up to date.
  ↪ https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-sandbox-escape-zero-day-in-chrome/
- Marquis Software Solutions Ransomware Breach Exposes Data of 400,000 Customers — tl;dr: A ransomware attack on Marquis Software Solutions, a fintech vendor serving over 700 US banks and credit unions, has compromised sensitive data of at least 400,000 individuals. The breach, detected on August 14, 2025, exploited a zero-day vulnerability in the company's SonicWall firewall, giving attackers access to personal and financial information, including Social Security numbers and bank details. The incident highlights the risk that a single vendor's exposure poses to every downstream customer, and the need for robust supply chain security controls. Affected individuals should monitor their financial accounts and consider identity theft protection services.
  ↪ https://www.cybernewscentre.com/5th-december-2025-cyber-update-us-banking-vendor-breach-exposes-hundreds-of-thousands-to-fraud/
- Microsoft Patches Long-Exploited Windows Shortcut Flaw (CVE-2025-9491) — tl;dr: Microsoft has addressed a critical vulnerability in Windows shortcut files, tracked as CVE-2025-9491, which state-sponsored and cybercriminal groups have exploited for years. The flaw allowed malicious .lnk files to hide their command-line arguments from the user, enabling concealed code execution. The patch, shipped in the November 2025 update, now shows the full command in the shortcut's properties, defeating this obfuscation. Users are advised to update their systems and remain cautious when opening files from unknown sources; given how long the flaw was abused, many systems may already be compromised.
  ↪ https://www.theregister.com/2025/12/04/microsoft_lnk_bug_fix/
- Critical RCE Flaw in React and Next.js (CVE-2025-55182, CVE-2025-66478) Exposed — tl;dr: A severe vulnerability in React Server Components and Next.js, tracked as CVE-2025-55182 and CVE-2025-66478, allows unauthenticated attackers to execute code remotely on affected servers. The flaw stems from insecure deserialization, affects default configurations, and is present in 39% of cloud environments, with Next.js notably affected. Developers are urged to upgrade to the latest patched versions immediately. Hosting providers have deployed temporary mitigations, but these are no substitute for patching vulnerable applications.
  ↪ https://gbhackers.com/critical-react-and-next-js-flaw/
- Exploit Code for IngressNightmare Vulnerabilities (CVE-2025-1097, CVE-2025-1098) — tl;dr: A new proof-of-concept (PoC) exploit has been released for the critical unauthenticated remote code execution vulnerabilities in the Ingress NGINX Controller for Kubernetes known as IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974). These vulnerabilities can lead to unauthorized access to Kubernetes secrets and potential cluster takeover. Affected users are urged to upgrade to the patched versions (1.12.1 or 1.11.5) immediately, restrict access to the admission webhook, and consider temporarily disabling the admission controller if an upgrade is not possible right away.
  ↪ https://darkwebinformer.com/poc-code-to-exploit-the-ingressnightmare-vulnerabilities-cve-2025-1097-cve-2025-1098-cve-2025-24514-and-cve-2025-1974/
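With public exploit code available, the first defensive step is an inventory: which controller pods are still below the patched releases named above? The following Python is an added example, not code from the linked advisory or from the ingress-nginx project. It triages controller image tags against the 1.11.5 / 1.12.1 floors stated in the summary; the inventory text is a constructed stand-in for `kubectl` pod output (the versions are invented), and the rule that branches older than 1.11 are treated as unpatched while branches newer than 1.12 are treated as fixed is an assumption for illustration.

```python
import re
from typing import List, Optional, Tuple

# Minimum patched releases per branch, taken from the IngressNightmare summary above.
PATCHED_FLOOR = {
    (1, 11): (1, 11, 5),
    (1, 12): (1, 12, 1),
}

# Constructed sample (assumption): namespace, pod, image columns, roughly what
# `kubectl get pods -A -o custom-columns=NS:.metadata.namespace,POD:.metadata.name,IMG:.spec.containers[*].image`
# prints. All pod names and versions here are invented for illustration.
SAMPLE_INVENTORY = """\
NS              POD                               IMG
ingress-nginx   ingress-nginx-controller-7f9c8    registry.k8s.io/ingress-nginx/controller:v1.11.3
ingress-nginx   ingress-nginx-controller-b2d41    registry.k8s.io/ingress-nginx/controller:v1.12.1
edge            ingress-nginx-controller-0a9e2    registry.k8s.io/ingress-nginx/controller:v1.10.1
kube-system     coredns-5d78c9869d-x2k7q          registry.k8s.io/coredns/coredns:v1.11.1
"""

# Matches only the ingress-nginx controller image; other images are ignored.
IMAGE_RE = re.compile(r"ingress-nginx/controller:v?(\d+)\.(\d+)\.(\d+)")

Version = Tuple[int, int, int]


def parse_controller_version(image: str) -> Optional[Version]:
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = IMAGE_RE.search(image)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: Version) -> bool:
    """True if the version is at or above the patched floor for its branch."""
    branch = version[:2]
    floor = PATCHED_FLOOR.get(branch)
    if floor is not None:
        return version >= floor
    # Branches not named in the advisory (assumption): anything older than the
    # oldest patched branch is treated as unpatched, anything newer as cut after the fix.
    return branch > max(PATCHED_FLOOR)


def triage(inventory: str) -> List[Tuple[str, str, str, bool]]:
    """Return (namespace, pod, version, patched?) for every controller pod in the inventory."""
    findings = []
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ns, pod, image = parts[0], parts[1], parts[-1]
        version = parse_controller_version(image)
        if version is None:
            continue  # header row or a non-controller image
        findings.append((ns, pod, ".".join(map(str, version)), is_patched(version)))
    return findings


if __name__ == "__main__":
    for ns, pod, ver, ok in triage(SAMPLE_INVENTORY):
        status = "OK       " if ok else "UNPATCHED"
        print(f"{status} {ns}/{pod} controller {ver}")
```

Pods flagged UNPATCHED are the ones to upgrade first; until that happens, the summary's interim measures (restricting who can reach the admission webhook, or disabling the admission controller) apply to exactly those namespaces.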
Featured LufSec Resource
Cybersecurity Career Guide (Free eBook) — Actionable playbook to land your first role.
Connect with LufSec
- YouTube: https://www.youtube.com/@lufsec
- Instagram: https://www.instagram.com/lufsec