Weekly threat intelligence digest: December 22 - 28, 2025

Executive summary

This week tracked 1 curated intelligence items and 1 newly published CVEs. The risk profile remained acute, with 1 critical and 0 high severity disclosures in public reporting. Priority themes were vulnerability and active exploitation pressure around internet-exposed enterprise software.

Critical & high priority

1. Log4Shell Successor: Critical RCE in Apache Commons Text Exploitation Surges

• What happened: A critical remote code execution vulnerability in Apache Commons Text is being actively exploited in mass attacks as the year closes. The vulnerability exists in the library's string interpolation functionality, which allows code execution through specially crafted strings processed by applications using the library. Similar to the Log4Shell vulnerability in its widespread impact, the flaw affects any Java application that passes user-controlled input through Commons Text's string lookup features. Exploitation campaigns are deploying cryptominers, web shells, and ransomware.
• Who's affected: Any Java application that uses Apache Commons Text for string processing and passes user-controlled input through the StringSubstitutor or StringLookup classes. Enterprise web applications, middleware, and SaaS platforms built on Java are commonly affected. The library's presence as a transitive dependency means many application developers may not be aware they are using it.
• What to do: Patch or mitigate affected systems on an expedited timeline, validate exposure from external attack paths, and add targeted detections for known exploitation behavior.

Notable developments

Most tracked items this week were critical/high vulnerability stories, with no major medium or informational shifts requiring separate strategic treatment.

Vulnerability landscape

This week saw 1 newly published CVEs in NVD-aligned tracking for the reporting window.

• Critical: 1
• High: 0
• Medium: 0
• Low: 0
• Top affected vendors: Apache (1), Java (1)

Priority CVEs observed in this window included:

• CVE-2025-49301 (Critical): Vendor advisory lists a high-priority issue requiring review.

Recommended actions

1. Prioritize internet-facing patching: Resolve critical and high-severity items first, with strict SLA enforcement for edge systems.
2. Harden identity and admin pathways: Require phishing-resistant MFA, reduce standing privileges, and audit privileged sessions.
3. Operationalize detections: Convert this week's CVEs and campaign behaviors into SIEM/SOAR detections and threat hunts.
4. Protect recovery paths: Isolate and test backups, then validate restoration workflows against ransomware and destructive attack scenarios.

Looking ahead

For December 29 - January 4, 2025, expect continued exploitation attempts against newly disclosed enterprise software flaws, plus copycat scanning after proof-of-concept publication. Teams should maintain elevated monitoring for externally exposed assets and review compensating controls where patch windows are delayed.