Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Zero-day vulnerabilities often attract attention and concern because of their unpredictability. They are, by definition, weaknesses that are unknown to software vendors and therefore have no official fix at the point of discovery. When discovered and exploited by malicious actors, they allow attackers to bypass controls before organisations even realise there is a problem.

Cyber risk is often discussed in technical language, often in a way which is difficult to decipher the real business impact. CVSS scores, vulnerabilities, attack paths and threat actors all have their place but for many decision‑makers, this language doesn’t translate into real-world business outcomes. Small business leaders and non-technical executives need to understand what cyber risk means for revenue, reputation and operational continuity.

In December 2025, a critical remote code execution vulnerability was disclosed in DeepChat, an open-source desktop AI agent platform built using Electron. The issue, tracked as CVE-2025-67744, affects all DeepChat versions prior to 0.5.3 and carries a CVSS score of 9.6. The vulnerability arises from the interaction between two separate weaknesses. The first allows attacker-controlled JavaScript execution through unsafe rendering of Mermaid diagrams.

During our research into Microsoft 365 security, we discovered a flaw in Outlook on the web (OWA) that exposed information about users and their mailboxes. By manipulating certain request headers against the “/owa/service.svc” endpoint, an attacker could not only confirm whether a user account existed, but also determine if that account had a mailbox associated with it.

Incident response (IR) plans are a cornerstone of organisational resilience. Many businesses maintain policies, run tabletop exercises, and document procedures, but high-impact incidents still expose gaps in real-world response. Red team exercises provide a practical, objective-driven way to test incident response readiness.

On 29 November 2025, researcher Lachlan Davidson reported a critical React vulnerability that allows unauthenticated remote code execution via specially crafted React Server Function payloads. This vulnerability was disclosed as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) and is rated CVSS 10.0. A public proof concept has also been released so patching is of utmost importance.