8th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The University of Pennsylvania and the University of Phoenix were hit by data breaches after attackers exploited zero-day vulnerabilities in Oracle E-Business Suite servers. At least 1,488 people at UPenn and numerous […]

The post 8th December – Threat Intelligence Report appeared first on Check Point Research.
AI Analysis
Technical Summary
The December 8th, 2025 Threat Intelligence Report from Check Point Research details multiple high-impact cyber threats and vulnerabilities discovered during the week. Foremost among these is the exploitation of zero-day vulnerabilities in Oracle E-Business Suite servers, which led to data breaches at the University of Pennsylvania and the University of Phoenix, affecting thousands of individuals including students, staff, and suppliers. The Cl0p ransomware gang is suspected to be behind these attacks, which form part of a broader campaign targeting Oracle products. Concurrently, the Akira ransomware group exploited vulnerabilities in SonicWall firewalls to breach over 74 US banks and credit unions, exposing sensitive customer data. Additional ransomware attacks by Qilin and TridentLocker targeted pharmaceutical and postal services, respectively, resulting in significant data leaks. The report also highlights critical vulnerabilities such as React2Shell (CVE-2025-55182), which allows unauthenticated remote code execution in React 19.x and Next.js 15.x/16.x frameworks, posing a severe risk to web applications. Another notable vulnerability was found in OpenAI Codex CLI, enabling remote code execution via malicious local configuration files, patched in version 0.23.0. The report further discusses sophisticated cyber-espionage campaigns like Salt Typhoon and BRICKSTORM, which leverage complex attack chains to infiltrate telecom providers and government networks. Additionally, the emergence of Albiriox, an Android banking trojan distributed as Malware-as-a-Service, demonstrates evolving threats targeting financial and crypto applications through social engineering and technical evasion techniques. Protection against these threats is available through Check Point's IPS, Threat Emulation, and Harmony Endpoint products, which provide detection and mitigation capabilities for the identified ransomware families and vulnerabilities. 
The report underscores the importance of timely patching, threat intelligence sharing, and layered security controls to defend against these multifaceted threats.
Potential Impact
European organizations face substantial risks from these threats due to widespread use of Oracle E-Business Suite in enterprise resource planning and financial operations, as well as the growing adoption of React-based web applications across industries. Data breaches involving personal, financial, and operational information can lead to regulatory penalties under GDPR, reputational damage, and operational disruptions. The ransomware campaigns threaten availability by encrypting critical data and demanding ransom payments, potentially crippling essential services such as healthcare, education, and logistics. The React2Shell vulnerability enables attackers to execute arbitrary code remotely without authentication, increasing the risk of full system compromise and lateral movement within networks. Supply chain attacks, such as the compromise of developer signing keys in the SmartTube incident, highlight risks to software integrity and trust. The presence of advanced persistent threat campaigns targeting telecom and government sectors indicates a heightened espionage risk, which could impact national security and critical infrastructure in Europe. Financial institutions are particularly vulnerable to banking trojans like Albiriox, which use sophisticated evasion and fraud techniques to steal credentials and funds. Overall, these threats can disrupt business continuity, expose sensitive data, and undermine trust in digital services across European markets.
Mitigation Recommendations
European organizations should prioritize immediate patching of Oracle E-Business Suite servers and React framework components to remediate zero-day vulnerabilities such as those exploited in the reported attacks. Deploy advanced intrusion prevention systems (IPS) and endpoint detection and response (EDR) solutions like Check Point Threat Emulation and Harmony Endpoint to detect and block ransomware payloads and exploit attempts. Implement strict network segmentation to limit lateral movement in case of compromise, especially isolating critical financial and operational systems. Enhance monitoring of firewall and VPN logs to detect anomalous access patterns indicative of exploitation attempts, particularly for SonicWall and similar devices. Conduct regular threat hunting exercises focused on indicators of compromise related to Cl0p, Akira, Qilin, and TridentLocker ransomware groups. Strengthen supply chain security by validating software signing keys and monitoring for unauthorized updates or code changes. Educate employees on phishing and smishing tactics used to distribute banking trojans like Albiriox, and enforce multi-factor authentication (MFA) on all critical systems. Collaborate with national cybersecurity agencies and share threat intelligence to stay informed about emerging campaigns such as Salt Typhoon and BRICKSTORM. Finally, perform comprehensive backups with offline storage to ensure data recovery capabilities in ransomware scenarios.
Affected Countries
United Kingdom, Germany, France, Netherlands, Belgium, Italy, Spain, Sweden, Poland, Ireland
Technical Details
Article Source: https://research.checkpoint.com/2025/8th-december-threat-intelligence-report/ (fetched 2025-12-08T13:11:44.619Z, 990 words)
Threat ID: 6936ce90e64c706dbb1c6278
Added to database: 12/8/2025, 1:11:44 PM
Last enriched: 1/5/2026, 4:18:47 PM
Last updated: 2/4/2026, 1:12:08 AM
Views: 83
Related Threats
- Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats (severity: Medium)
- D-Link DIR-825 Rev.B 2.10 - Stack Buffer Overflow (DoS) (severity: Medium)
- RPi-Jukebox-RFID 2.8.0 - Stored Cross-Site Scripting (XSS) (severity: Medium)
- Piranha CMS 12.0 - Stored XSS in Text Block (severity: Medium)
- Default ICS Credentials Exploited in Destructive Attack on Polish Energy Facilities (severity: Medium)