At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
UDPGangster Campaigns Target Multiple Countries in the region.
UDPGangster, a UDP-based backdoor linked to the MuddyWater threat group, has been used for cyber-espionage across the Middle East. This sophisticated malware allows attackers to remotely execute commands, steal files, and deploy additional payloads over UDP channels, effectively bypassing traditional defenses.
Recent research has uncovered multiple campaigns in the region, delivered through malicious Word documents embedded with VBA macros. These documents are equipped with anti-analysis features to evade sandbox detection.
In one phishing attempt, while the email was written in a regional language, the decoy image referenced a different country. A deeper investigation revealed other macro-based campaigns similarly distributing UDPGangster to targets across the Middle East, further highlighting the breadth of the threat.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor your network for abnormal behaviors.
Cloudflare Global Outage Triggered by Emergency React2Shell (CVE-2025-55182) WAF Update.
Cloudflare experienced a global outage on December 5, 2025, causing millions of websites to return 500 Internal Server Error messages. The incident lasted several minutes and affected services including the Cloudflare Dashboard and Cloudflare APIs.
The cause of the outage was not a cyberattack but rather an emergency update to the Web Application Firewall (WAF) rules, which was intended to mitigate the React2Shell vulnerability (CVE-2025-55182). This high-severity remote code execution (RCE) flaw affects React Server Components (RSC) and associated frameworks like Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and RedwoodSDK.
This vulnerability arises from the React Server Components (RSC) Flight protocol and allows unauthenticated attackers to achieve remote code execution by sending specially crafted HTTP requests to Server Function endpoints. Affected versions include React 19.0, 19.1.0, 19.1.1, and 19.2.0.
Within hours of the vulnerability being disclosed, security teams observed active exploitation attempts, attributed to threat groups in East Asia, with publicly available proof-of-concept (PoC) exploits heightening the risk of widespread attacks.
Cloudflare’s mitigation attempt inadvertently caused the outage; however, services were quickly restored.
RECOMMENDATIONS
- Patch React to a safe version immediately (avoid 19.0 → 19.2.0) along with dependent frameworks: Next.js, React Router, RedwoodSDK, Waku, @parcel/rsc, @vitejs/plugin-rsc.
- Validate RSC Flight protocol exposure and restrict publicly exposed endpoints.
- Apply WAF rulesets designed specifically for React2Shell (vendor guidance).
- Monitor for exploitation attempts targeting RSC function endpoints.
- Review server/application logs for signs of malicious crafted RSC requests.
- Deploy compensating controls (reverse proxies, strict request validation).
- Track attacker activity linked to Earth Lamia and Jackpot Panda.
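As an added example (not from the advisory, Cloudflare or the React project), the following Python script audits an npm package-lock.json for the React versions the text above lists as affected and flags any of the named RSC frameworks that are present, so their vendor guidance can be checked. The sample lockfile is constructed, and the npm package names next, react-router, waku and rwsdk are assumed mappings of the framework names in the text.

```python
import json

# Versions the advisory text lists as affected ("19.0" taken as 19.0.0).
# Anything else is reported as "not listed", not as safe: confirm the
# exact fixed release against vendor guidance before closing the finding.
AFFECTED_REACT = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}

# npm names assumed for the frameworks named in the advisory.
RSC_FRAMEWORKS = {"next", "react-router", "waku", "@parcel/rsc",
                  "@vitejs/plugin-rsc", "rwsdk"}

# Constructed sample lockfile (npm lockfileVersion 2/3 "packages" layout):
# one listed React at the top level and a nested copy that is not listed.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.0.1"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/next": {"version": "15.0.0"},
        "node_modules/some-lib": {"version": "1.0.0"},
        "node_modules/some-lib/node_modules/react": {"version": "19.2.1"},
    },
})

def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (innermost package)."""
    return path.rsplit("node_modules/", 1)[-1]

def audit_lockfile(lock_text):
    """Return listed-affected React copies and RSC frameworks in the lockfile.
    Only the v2/v3 "packages" map is read; v1 lockfiles use "dependencies"."""
    lock = json.loads(lock_text)
    findings = {"affected_react": [], "rsc_frameworks": []}
    for path, meta in lock.get("packages", {}).items():
        if not path:          # "" is the root project itself
            continue
        name, version = package_name(path), meta.get("version", "")
        if name == "react" and version in AFFECTED_REACT:
            findings["affected_react"].append((path, version))
        elif name in RSC_FRAMEWORKS:
            findings["rsc_frameworks"].append((path, version))
    return findings

if __name__ == "__main__":
    for kind, hits in audit_lockfile(SAMPLE_LOCK).items():
        for path, version in hits:
            print(f"{kind}: {path} {version}")
```

Nested copies of React under other packages are checked too, which is why the walk keys on the innermost node_modules entry rather than on the top-level name only.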
Microsoft Patches UI Spoofing in Edge for iOS.
Microsoft has rolled out a security update to address a medium-severity vulnerability in Microsoft Edge for iOS. The update fixes CVE-2025-62223, a user interface (UI) spoofing flaw in the Chromium-based browser.
This vulnerability allows an unauthorized attacker to manipulate the display of critical information in Microsoft Edge, potentially deceiving users into believing they are interacting with legitimate content, thereby enabling spoofing attacks over a network.
The update aims to mitigate this risk, ensuring the integrity of UI elements and protecting users from potential exploitation.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Splunk Fixes 9 Vulnerabilities Across Windows and Cloud.
Splunk has released 9 security fixes: 2 High, 4 Medium and 3 Low.
Details of the 9 vulnerabilities, grouped by severity, are below:
High Severity:
- CVE-2025-20387 – Incorrect Windows Forwarder Permissions
New or upgraded installs incorrectly assign permissions to the Windows Forwarder directory, allowing non-admin users to access the directory and all its contents.
- CVE-2025-20386 – Incorrect Windows Enterprise Permissions
Splunk Enterprise for Windows may assign incorrect directory permissions during installation, allowing non-admin users full access to the directory.
Medium Severity:
- CVE-2025-20384 – Log Injection (ANSI Escape Codes)
Insufficient validation allows attackers to inject ANSI escape codes into log files via crafted HTTP requests. This can poison or obfuscate logs, negatively impacting detection accuracy.
- CVE-2025-20383 – Unauthorized Alert Metadata Disclosure
Low-privileged mobile users may receive push notifications revealing alert or report titles, exposing restricted metadata even without access to the underlying reports.
- CVE-2025-20381 – MCP SPL Allowlist Bypass
Users with MCP query permissions can embed SPL sub-searches that bypass allowlist controls, enabling unauthorized queries outside the intended restrictions.
- CVE-2025-20389 – Client-Side DoS via Malicious Label Field
Low-privileged users can insert malicious payloads into device label fields, potentially causing a client-side denial of service (DoS) in the Secure Gateway app.
Low Severity:
- CVE-2025-20388 – Internal Network Enumeration
Users with change authentication privileges can enumerate internal IPs and ports when adding new search peers in distributed environments, exposing internal network information.
- CVE-2025-20385 – JavaScript Execution via Navigation Payload
High-privileged users can craft malicious href attributes in navigation collections, enabling the execution of unauthorized JavaScript in victims’ browsers.
- CVE-2025-20382 – Unvalidated Redirect via Dashboard Background
Low-privileged users can create dashboards that bypass URL warnings using crafted image URLs, potentially redirecting victims to malicious sites if phished into triggering the request.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
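As an added example (not from Splunk's advisory or code), this Python snippet shows the defensive side of the CVE-2025-20384 log-injection issue described above: a sanitizer that strips ANSI escape sequences and renders stray control bytes visibly before an untrusted HTTP field is written to a log, plus a scan over existing lines that flags entries already carrying such sequences. The log lines and the User-Agent value are constructed.

```python
import re

# CSI sequences (ESC [ ... final byte: colours, cursor moves, erase line),
# OSC sequences (ESC ] ... BEL or ST: terminal title, hyperlinks) and any
# other 7-bit Fe sequence.  Order matters: CSI and OSC are tried first.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC
    r"|\x1b[@-Z\\-_]"                      # other Fe (ESC + one byte)
)
# C0 control bytes other than tab, plus DEL; CR/LF here would let a value
# forge a new log entry, so they are made visible rather than kept.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

def contains_escape(value):
    """True if an untrusted field carries escape or raw control bytes."""
    return bool(ANSI_RE.search(value) or CONTROL_RE.search(value))

def sanitize(value):
    """Make a field safe to log: drop escape sequences, show leftovers as \\xNN."""
    value = ANSI_RE.sub("", value)
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), value)

def scan_log(lines):
    """Flag (1-based line number, line) pairs already poisoned with sequences."""
    return [(n, line) for n, line in enumerate(lines, 1) if ANSI_RE.search(line)]

# Constructed sample: a User-Agent carrying a carriage return plus an
# erase-line sequence, intended to overwrite the entry when viewed in a
# terminal, followed by a fake "200 OK" in green.
SAMPLE_UA = "Mozilla/5.0\r\x1b[2K\x1b[32m200 OK /login admin\x1b[0m"

# Constructed access-log lines; the second embeds the raw sample value.
LOG_LINES = [
    '10.0.0.5 - - "GET /en-US/app/search HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /en-US/app/search HTTP/1.1" 403 "' + SAMPLE_UA + '"',
]

if __name__ == "__main__":
    print("sanitized:", sanitize(SAMPLE_UA))
    for n, _ in scan_log(LOG_LINES):
        print("escape sequence found on line", n)
```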
Google Chrome Patches Side-Channel Information Leak.
Google Chrome has released 1 security fix with a Medium severity vulnerability.
The update addresses CVE-2025-13992 (Medium): a side-channel information leak in Navigation and Loading in Google Chrome prior to 139.0.7258.66 that allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Rapidly Spreading Mirai-Based Botnet ShadowV2 Targets IoT Devices.
A newly identified Mirai-based botnet variant, named ShadowV2, has been rapidly targeting vulnerable IoT devices across the globe. Researchers have linked its activity to widespread AWS connectivity issues observed in late October 2025. The botnet exploits multiple known vulnerabilities in IoT hardware from manufacturers such as DD-WRT, D-Link, DigiEver, TBK, and TP-Link, affecting routers, NAS devices, DVRs, and other connected devices.
Once a device is compromised, a downloader script deploys the ShadowV2 payload. This payload allows the infected device to communicate with a command-and-control (C2) server, enabling it to take part in distributed denial-of-service (DDoS) attacks over UDP, TCP, and HTTP protocols.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce MFA for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor your network for abnormal behaviors.
References
https://www.fortinet.com/blog/threat-research/udpgangster-campaigns-target-multiple-countries
https://www.cloudflarestatus.com/incidents/lfrm31y6sw9q
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62223
https://advisory.splunk.com/advisories/SVD-2025-1203
https://advisory.splunk.com/advisories/SVD-2025-1201
https://advisory.splunk.com/advisories/SVD-2025-1202
https://advisory.splunk.com/advisories/SVD-2025-1210
https://advisory.splunk.com/advisories/SVD-2025-1207
https://advisory.splunk.com/advisories/SVD-2025-1204
https://advisory.splunk.com/advisories/SVD-2025-1206
https://advisory.splunk.com/advisories/SVD-2025-1205
https://advisory.splunk.com/advisories/SVD-2025-1208
https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/40095391
https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices