Black Arrow Cyber Advisory 10 December 2025 - Security Updates from Microsoft, SAP, Adobe, Fortinet, Google Android, Ivanti, React.js
Executive Summary
This month’s Patch Tuesday brings a very busy close to the year, with Microsoft fixing 57 vulnerabilities, SAP issuing 14 new security notes, Adobe addressing nearly 140 issues, and Google Android resolving 107 flaws, including two actively exploited zero-days. Fortinet, Ivanti and React have all released targeted updates for critical, remotely exploitable weaknesses in network infrastructure, endpoint management and widely used web frameworks. Organisations should prioritise internet-facing services, identity and SSO paths, and any platform exposed to untrusted content or code.
Vulnerabilities by Vendor
Microsoft: 57 vulnerabilities, affecting Windows client and server, Office, Azure components, developer tooling (including GitHub Copilot for JetBrains) and PowerShell.
SAP: 14 vulnerabilities, affecting Solution Manager, Commerce Cloud, jConnect, Web Dispatcher and Internet Communication Manager, NetWeaver, Business Objects, S/4HANA Private Cloud, SAPUI5 and Enterprise Search.
Adobe: At least 138 vulnerabilities across ColdFusion, Adobe Experience Manager (AEM), DNG SDK, Acrobat/Reader and Creative Cloud Desktop. ColdFusion and AEM carry multiple critical or high-severity issues, including arbitrary code execution and extensive cross-site scripting in AEM.
Fortinet: At least 4 vulnerabilities, affecting FortiOS, FortiProxy, FortiWeb and FortiSwitchManager, including two critical flaws in FortiCloud SSO login that allow administrative authentication bypass, plus additional weaknesses in password handling and credential reset flows.
Google Android: 107 vulnerabilities, affecting Android Framework and System components (51 flaws) and kernel and closed-source vendor components (56 flaws) across Android 13 to 16. Two high-severity issues are under active exploitation, alongside a critical denial-of-service flaw in the Android Framework and multiple critical elevation-of-privilege bugs in kernel subcomponents and chipset drivers.
Ivanti: 1 vulnerability, affecting Ivanti Endpoint Manager (EPM) 2024, disclosed as part of Ivanti’s December 2025 security update. Public commentary indicates a critical stored cross-site scripting issue that can lead to remote code execution within the management console.
React: 1 vulnerability, affecting React Server Components in React 19 (react-server and related packages) and widely used frameworks that integrate the same protocol. This unauthenticated remote code execution flaw, widely referred to as React2Shell, is already under active exploitation and carries maximum severity. Prioritise updating to the patched React and framework versions recommended in the React advisory, with particular urgency for internet-facing applications and multi-tenant environments. Please see our specific advisory on this vulnerability for more information: https://www.blackarrowcyber.com/blog/advisory-08-december-2025-react2shell
What’s the risk to me or my business?
The presence of actively exploited zero-days and critical RCE/privilege escalation vulnerabilities across major enterprise platforms significantly elevates the risk of data breaches, lateral movement, malware deployment, and full system compromise.
What can I do?
Black Arrow recommends promptly applying the available security updates for all affected products. Prioritise patches for vulnerabilities that are actively exploited or rated critical or high severity, starting with internet-facing and identity systems. Regularly review and update your organisation's security policies and ensure that all systems are running supported and up-to-date software versions.
Sources:
1 Microsoft — https://msrc.microsoft.com/update-guide/releaseNote/2025-Dec
2 SAP — https://support.sap.com/en/my-support/knowledge-base/security-notes-news/december-2025.html
3 Adobe — https://helpx.adobe.com/security.html
4 Fortinet — https://fortiguard.fortinet.com/psirt/FG-IR-25-647
5 Google Android — https://source.android.com/docs/security/bulletin/2025-12-01
6 Ivanti — https://www.ivanti.com/blog/december-2025-security-update
7 React — https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components