Cybersecurity Week in Review: December 24, 2025 – December 30, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches

University of Phoenix Data Breach: 3.5 Million Individuals Affected

The University of Phoenix disclosed a significant data breach impacting approximately 3.5 million current and former students, employees, faculty, and suppliers. The breach, attributed to the Clop ransomware group, exploited a previously unknown vulnerability in Oracle E-Business Suite (EBS) software between August 13 and August 22, 2025. Compromised data includes names, dates of birth, Social Security numbers, and bank account details. The university first became aware of the incident in November and has since begun notifying affected individuals and regulatory bodies. This breach is part of a broader campaign targeting Oracle EBS, with other notable victims including Harvard, Tulane, and several major corporations.[1][2]

Coupang Data Breach: 33.7 Million Users Exposed

South Korean e-commerce giant Coupang revealed a breach affecting 33.7 million customers, marking one of the largest cyber incidents in the country’s history. The unauthorized access to personal data went undetected for nearly five months, raising serious questions about data protection and incident response in the region. The company has announced a $1 billion compensation plan for affected users, though critics argue the sum is more symbolic than substantive.[3][4]

Nissan Data Breach via Red Hat

Nissan Motor Co. confirmed a breach that exposed the personal information of approximately 21,000 customers in Japan. The incident stemmed from unauthorized access to Red Hat data servers, resulting in the leak of names, addresses, phone numbers, email addresses, and sales operation data. Financial data was reportedly not affected.[5][6]

Aflac Insurance Data Breach Update

Aflac, a major US insurance provider, updated its estimate of the impact of a breach that occurred in June 2025, now confirming that the personal and health data of 22.6 million individuals were compromised. The data included names, dates of birth, addresses, government-issued IDs, Social Security numbers, and health insurance information. The breach is attributed to the Scattered Spider threat group.[2][6]

Baker University Breach

Baker University disclosed a breach affecting over 53,000 individuals, including students, alumni, staff, and affiliates. Stolen data varied by person but included names, Social Security numbers, financial account details, and medical records. The breach reportedly went undetected for nearly a year.[2][6]


Significant Cyberattacks

DDoS Attack on French Postal Service (La Poste)

On December 24, 2025, pro-Russian hackers claimed responsibility for a DDoS attack that disrupted central computer systems at France’s national postal service, La Poste. The attack temporarily knocked key digital services offline, impacting online parcel tracking, mail distribution, and banking services for La Banque Postale customers. No evidence of data compromise has been reported, but the incident highlights the ongoing threat of politically motivated cyberattacks against critical infrastructure.[7][6]

Ransomware Attack on Romanian Waters

Romania’s national water management authority, Romanian Waters, suffered a ransomware attack that encrypted nearly 1,000 computer systems across national and regional offices. The attack disrupted geographic information systems, databases, email, web servers, and Windows workstations. Operational technology controlling water infrastructure was not impacted, and no data leakage has been reported.[6]

Trust Wallet Chrome Extension Hack

Trust Wallet, a popular non-custodial cryptocurrency wallet, disclosed a cyberattack involving a compromised Chrome extension update. Attackers exfiltrated sensitive wallet data, including seed phrases, resulting in at least $7 million in losses. The incident primarily affected users of Chrome extension version 2.68.0, allowing attackers to drain wallets. Trust Wallet has urged users to update to the latest version and is offering reimbursements to affected users.[8][6]


Critical Vulnerabilities

React2Shell: React Server Components RCE (CVE-2025-55182)

A critical unauthenticated remote code execution vulnerability, dubbed React2Shell (CVE-2025-55182, CVSS 10.0), was disclosed in React Server Components. The flaw allows attackers to execute arbitrary code on vulnerable servers and has been actively exploited in the wild. Organizations are urged to patch affected deployments immediately and monitor for suspicious activity.[9]

Microsoft Patch Tuesday: December 2025

Microsoft’s December Patch Tuesday addressed 56 security flaws, including one zero-day (CVE-2025-62221) actively exploited in the wild. This privilege escalation vulnerability affects the Windows Cloud Files Mini Filter Driver, integral to services like OneDrive, Google Drive, and iCloud. Three critical vulnerabilities were also patched:

  • CVE-2025-62554 and CVE-2025-62557: Remote code execution in Microsoft Office via the Preview Pane.
  • CVE-2025-62562: Remote code execution in Microsoft Outlook.

Organizations are strongly advised to apply these patches promptly.[10][11][12]

n8n Automation Platform RCE (CVE-2025-68613)

A critical remote code execution vulnerability (CVE-2025-68613, CVSS 9.9) was discovered in the n8n open-source workflow automation platform, exposing over 103,000 potentially vulnerable instances worldwide. The flaw allows authenticated attackers to execute arbitrary code with full process privileges. Patches have been released, and immediate updates are recommended.[13]

SAP Critical Vulnerabilities

SAP released patches for several critical vulnerabilities, including:

  • CVE-2025-42880 (CVSS 9.9): Code injection in Solution Manager.
  • CVE-2025-55754 and CVE-2025-55752 (CVSS 9.6): RCE in Apache Tomcat used by Commerce Cloud.
  • CVE-2025-42928 (CVSS 9.1): Deserialization issue in jConnect SDK for Sybase ASE.

No active exploitation has been reported, but the central role of these components in enterprise environments makes prompt patching essential.[14]


Government Responses

CISA Adds WinRAR Vulnerability (CVE-2025-6218) to KEV Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) added a WinRAR vulnerability (CVE-2025-6218, CVSS 7.8) to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation by multiple threat groups. The path traversal flaw allows code execution if a user opens a malicious archive. The vulnerability was patched in WinRAR 7.12, but exploitation continues via spear-phishing campaigns. CISA has mandated that federal agencies apply the patch by December 30, 2025.[15]
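The defensive counterpart to an archive path-traversal flaw like the WinRAR issue above is to validate entry names before extraction. The following is an added example, not code from WinRAR, CISA, or the advisory: it flags archive entries whose names would land outside the chosen extraction directory, using a constructed ZIP (the `is_unsafe_entry`, `unsafe_entries`, and `build_sample_archive` names and the `/tmp/extract` destination are assumptions for illustration).

```python
import io
import os
import posixpath
import zipfile


def is_unsafe_entry(name: str, dest: str) -> bool:
    """Return True if extracting `name` under `dest` could escape `dest`."""
    # Windows tools accept both separators, so normalise backslashes first.
    norm = name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes ("C:/...") never belong in
    # an archive; a name like "a:b.txt" is also rejected, which is acceptable
    # for a conservative check.
    if norm.startswith("/") or (len(norm) > 1 and norm[0].isalpha() and norm[1] == ":"):
        return True
    # Collapse "dir/../.." style segments and see whether any ".." survives
    # at the front, which means the entry climbs above the destination.
    collapsed = posixpath.normpath(norm)
    if collapsed == ".." or collapsed.startswith("../"):
        return True
    # Final check against the resolved destination, catching anything subtle
    # (for example a destination that is itself a symlink).
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, collapsed))
    return os.path.commonpath([base, target]) != base


def unsafe_entries(archive_bytes: bytes, dest: str = "/tmp/extract") -> list[str]:
    """List every entry name in a ZIP that fails the traversal check."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_entry(i.filename, dest)]


def build_sample_archive() -> bytes:
    """Constructed sample: two benign entries and two that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.txt", "quarterly numbers")
        zf.writestr("report/assets/logo.png", "png bytes")
        zf.writestr("../../outside.txt", "escapes via dot-dot")
        zf.writestr("report\\..\\..\\outside2.txt", "backslash variant")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_archive()):
        print("REJECT:", entry)
```

Running the check before any extraction, rather than relying on the archiver to sanitise names, is what closes this class of bug regardless of which tool eventually unpacks the file.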

CISA and NSA Advisories

CISA released several industrial control systems advisories and added new vulnerabilities to its KEV catalog during the week. The NSA published technical guidance on malware analysis and secure integration of AI in operational technology, reflecting ongoing efforts to address emerging threats.[16][17]


Miscellaneous

Ubisoft’s Rainbow Six Siege Compromised

Ubisoft confirmed a cyberattack on its live service game Rainbow Six Siege, where threat actors abused internal systems to manipulate bans, unlock all cosmetics and developer-only skins, and distribute approximately $13.33 million worth of in-game currency. The incident underscores the risks of internal system abuse in the gaming industry.[6]


Conclusion

This week’s cybersecurity landscape was marked by large-scale data breaches, high-impact ransomware and DDoS attacks, and the disclosure of several critical vulnerabilities affecting widely used enterprise platforms. Government agencies responded with new advisories and mandates, emphasizing the need for rapid patching and robust incident response. Organizations are urged to review their exposure to the highlighted vulnerabilities and ensure timely application of security updates.


Sources: