Security Roundup: December 2025 | Kocho

December Security Roundup


From Kocho’s Security Operations Centre (SOC)

Published: 19 December 2025

Holiday leave may be starting, but attacker activity isn’t slowing down. A council cyber incident, a critical React flaw, and ransomware timed for shutdown windows show how reduced coverage turns routine operations into attack paths.

Our SOC team break down what matters and the actions to take before reduced coverage becomes a liability.

Headlines:

  • Shared services cyber incident hits multiple London councils
  • Critical React vulnerability allows unauthenticated RCE
  • Holiday shutdowns amplify ransomware and detection risk
  • News: Messaging app phishing hits UK MPs
  • Blog: Why patching habits still leave gaps

Shared services cyber incident hits multiple London councils

Several London boroughs are continuing to recover from a cyber incident that affected shared IT services, including internal systems and customer-facing platforms. Councils confirmed that systems were taken offline as a precaution, digital services were disrupted for an extended period, and investigations are ongoing into whether data was accessed during the intrusion.

What’s the risk?

  • Shared service architectures increase blast radius when a core platform is compromised
  • Extended recovery windows increase exposure to follow-on phishing and impersonation
  • Incident communications create cover for fraudulent “support” and account takeover attempts

Recommended actions

  • Treat shared platforms as high-impact assets in incident response planning.
  • Increase monitoring for service desk impersonation and MFA reset abuse.
  • Review segmentation and trust boundaries between shared services and tenants.

Action point

Plan for recovery timelines measured in weeks, not days.

Critical React vulnerability allows unauthenticated RCE | CVE-2025-55182

A critical unauthenticated remote code execution vulnerability has been disclosed in React Server Components, rated CVSS 10.0. The flaw affects how React decodes payloads sent to Server Function endpoints and allows an attacker to execute arbitrary code on the server via a crafted HTTP request.

Importantly, applications may be vulnerable even if they do not explicitly implement React Server Functions, as long as they support React Server Components. The issue affects multiple React server packages and common frameworks, including Next.js and React Router. Patches were released on 3 December, and immediate upgrading is strongly advised.

What’s the risk?

  • Unauthenticated attackers can achieve remote code execution on affected servers
  • Exposure exists even where Server Functions are not intentionally used
  • Widely used frameworks and bundlers expand the potential blast radius

Recommended actions

  • Identify use of React Server Components and affected server packages.
  • Upgrade immediately to patched versions of React and relevant frameworks.
  • Do not rely on temporary hosting provider mitigations as a long-term control.

Action point

If you run React Server Components, patch now and validate exposure assumptions. Find the full set of update instructions on the React dev site.
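One way to carry out the first recommended action above, finding every installed copy of the React Server Components packages and frameworks in an npm lockfile and flagging those below a fixed release, as an added example that is not Kocho's, React's or Next.js's code. It assumes the npm package-lock.json v2/v3 format and uses real npm package names, but the fixed-version table and sample lockfile are constructed demo data: take the real fixed versions from the React advisory on react.dev before using it.

```javascript
// Added example (not Kocho's, React's or Next.js's code). Reads an npm package-lock.json
// (lockfileVersion 2/3 "packages" map; v1 is not handled) and reports every installed copy,
// nested ones included, of the packages below that is older than the first fixed release on
// its minor line. DEMO_FIXED and SAMPLE_LOCK are constructed demo data: replace DEMO_FIXED
// with the fixed versions listed on react.dev for CVE-2025-55182 before use.
const AFFECTED_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack", "next", "react-router"];

// "major.minor.patch" to numbers; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// fixedVersions: { packageName: [first fixed release per minor line, ...] }.
// "vulnerable" = below the fix for its minor line, "patched" = at or above it,
// "unknown" = a minor line the table does not cover, so it needs manual review.
function findVulnerable(lockfileJson, fixedVersions) {
  const findings = [];
  for (const [path, entry] of Object.entries(JSON.parse(lockfileJson).packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const installed = AFFECTED_PACKAGES.includes(name) ? parseVersion(entry.version) : null;
    if (!installed) continue;
    const fixed = (fixedVersions[name] || []).map(parseVersion)
      .find((f) => f && f[0] === installed[0] && f[1] === installed[1]);
    const status = !fixed ? "unknown"
      : compareVersions(installed, fixed) < 0 ? "vulnerable" : "patched";
    findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample: a patched top-level copy, a vulnerable nested copy, a vulnerable
// framework, and a package whose minor line is missing from the table.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react-server-dom-webpack": { version: "19.2.9" },
  "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.1.0" },
  "node_modules/next": { version: "15.5.0" },
  "node_modules/react-router": { version: "7.0.0" },
} });
const DEMO_FIXED = { "react-server-dom-webpack": ["19.1.9", "19.2.9"], next: ["15.5.9"] };
// Scan the lockfile given on the command line, or the constructed sample when none is given.
const input = process.argv[2] ? require("fs").readFileSync(process.argv[2], "utf8") : SAMPLE_LOCK;
for (const f of findVulnerable(input, DEMO_FIXED)) console.log(`${f.status}\t${f.version}\t${f.path}`);
```

Nested copies matter because a transitive dependency can pin an older React server package than the one at the top level of node_modules.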

Holiday shutdowns amplify ransomware and detection risk

Ransomware groups routinely time attacks for weekends and public holidays, when monitoring, escalation, and recovery are slower. Industry data shows that around 78% of organisations significantly reduce SOC coverage over holiday periods, while ransomware and phishing activity remains elevated.

That imbalance leaves fewer analysts validating alerts, greater reliance on automation, and temporary or elevated access persisting longer than intended, creating ideal conditions for attackers to escalate before containment can begin.

What’s the risk?

  • Ransomware completes before detection or containment
  • Alert backlogs delay investigation during reduced coverage
  • Excess or temporary privileges enable rapid escalation

Recommended actions

  • Validate 24/7 monitoring and escalation across the holiday period.
  • Reduce alert noise before coverage drops to prioritise high-signal activity.
  • Expire temporary and contractor access before shutdowns begin.
  • Confirm backups are isolated, tested, and restorable without specialist staff.

Action point

Holiday ransomware succeeds when coverage drops and access persists.

In the news

Messaging app phishing targets UK MPs

UK parliamentary authorities have warned of a sustained rise in phishing attacks targeting WhatsApp and Signal accounts used by MPs, peers, and officials.

The campaigns impersonate messaging platform support teams and attempt to trick users into sharing access codes, scanning QR codes, or linking attacker-controlled devices. Once successful, attackers can silently read messages, harvest contact lists, and monitor activity without obvious signs of compromise.

The NCSC has confirmed awareness of Russia-based actors targeting commercial messaging platforms, with activity continuing despite new protective guidance issued earlier this year.

As these messaging apps invariably sit outside most enterprise monitoring, there’s a high risk of slower verification over the holiday season, with reduced cover making a single compromise easier to miss and harder to contain.


From our blog

Why outdated patching habits are leaving organisations exposed

Patching is meant to be one of the simplest defensive controls, yet outdated habits continue to stretch exposure windows. This blog looks at the patching antipatterns still common in Microsoft-first environments and why slow, risk-averse processes now create more danger than protection.

It also explores how modern patching approaches, using tools many organisations already have, can reduce real-world risk by keeping pace with both software updates and attacker activity.

Resources & References

Westminster Gov | React | Semperis | Darktrace | Guardian

Thanks to the Kocho SOC team for their contributions.

Stay safe this Christmas and throughout 2026.
