Publications

Greetings, As we wrap up the final Week in Review for the year, it’s a good moment to pause and reflect on what’s been a big year across the cyber landscape. From evolving threat tactics and major breaches to new vulnerabilities and hard-won lessons, 2025 has reinforced just how quickly our environment changes. It’s important to remember the effectiveness of collaboration, vigilance, and shared knowledge as we move into 2026. We wish you a safe, restful, and well-earned break over the holiday period. We’ll be back in the New Year with more updates, insights, and analysis. Until then, happy holidays and best wishes for a secure start to the year ahead. Over 25,000 FortiCloud SSO devices exposed to remote attacks Date: 2025-12-19 Author: Bleeping Computer Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability. Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service. As cybersecurity company Arctic Wolf reported on Monday, the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins. WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability Date: 2025-12-19 Author: The Hacker News WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code. Microsoft 365 accounts targeted in wave of OAuth phishing attacks Date: 2025-12-19 Author: Bleeping Computer Multiple threat actors are compromising Microsoft 365 accounts in phishing attacks that leverage the OAuth device code authorization mechanism. Attackers trick victims into entering a device code on Microsoft’s legitimate device login page, unknowingly authorizing an attacker-controlled application and granting them access to the target account without stealing credentials or bypassing multi-factor authentication (MFA). HPE Patches Critical Flaw in IT Infrastructure Management Software Date: 2025-12-18 Author: SecurityWeek Hewlett Packard Enterprise (HPE) this week announced patches for a critical-severity remote code execution vulnerability in its OneView IT infrastructure management software. Tracked as CVE-2025-37164 (CVSS score of 10), the security defect can be exploited without authentication, the company notes in a barebones advisory. HPE makes no mention of the flaw being exploited in the wild, but urges customers to update to a fixed release as soon as possible. MacSync macOS Malware Distributed via Signed Swift Application Date: 2025-12-22 Author: Security Week The developers of a macOS malware named MacSync Stealer have updated their delivery mechanism, eliminating the need for direct terminal interaction, Jamf reports. The MacSync Stealer emerged roughly half a year ago, as a rebrand of Mac.c, a macOS information stealer that was first seen in April 2025. Mac.c was a cheap alternative to established macOS stealers, and was acquired by a malware developer who quickly expanded its capabilities and turned it into a prominent threat. In addition to the information-stealing capabilities inherited from Mac.c, MacSync Stealer was retrofitted with backdoor capabilities through a fully-featured Go-based agent. ESB-2025.9344 – chromium Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. ESB-2025.9384 – F5 Products (ARX, LineRate) An attacker may be able to cause a denial-of-service (DoS) using an application that processes arbitrary PKCS#7 data. ESB-2025.9354 – Linux kernel (Real-time) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. ESB-2025.9345 – wordpress Multiple security issues were discovered in the WordPress blogging tool, which could result in cross-site scripting or information disclosure. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, audio-streaming platform SoundCloud has confirmed it suffered a significant security incident that has impacted millions of users and caused widespread service disruptions. After days of intermittent outages and virtual private network (VPN) connection errors that left users seeing “403 Forbidden” messages when trying to access the site, the company revealed that threat actors gained unauthorised access to one of its systems and exfiltrated a database containing user information. According to SoundCloud’s disclosure, the breach affected roughly 20 per cent of its global user base, equating to a potential 28 million accounts, by exposing email addresses and data already visible on public profiles. The company asserted that no sensitive information such as passwords or financial details was accessed, and its investigation has confirmed that unauthorised access has since been contained. In an effort to secure its systems quickly, SoundCloud made configuration changes that inadvertently blocked many VPN connections. While this helped stem further unauthorised access, it frustrated users in regions reliant on VPNs to reach the service, and the company has not yet provided a timeline for fully restoring that access. The cyber security incident also coincided with denial-of-service attacks that temporarily knocked SoundCloud’s web platform offline. As the service works with external experts to bolster its defences and improve monitoring, users are being urged to stay alert for phishing attempts targeting exposed email addresses. Hackers exploit newly patched Fortinet auth bypass flaws Date: 2025-12-16 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.8956.2/] Hackers are exploiting critical-severity vulnerabilities affecting multiple Fortinet products to get unauthorized access to admin accounts and steal system configuration files. The two vulnerabilities are tracked as CVE-2025-59718 and CVE-2025-59719, and Fortinet warned in an advisory on December 9 about the potential for exploitation. CVE-2025-59718 is a FortiCloud SSO authentication bypass affecting FortiOS, FortiProxy, and FortiSwitchManager. Cisco warns of unpatched AsyncOS zero-day exploited in attacks Date: 2025-12-17 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.9258/] [AUSCERT has identified the impacted members (where possible) and contacted them via email] Cisco warned customers today of an unpatched, maximum-severity Cisco AsyncOS zero-day actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. This yet-to-be-patched zero-day (CVE-2025-20393) affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations, when the Spam Quarantine feature is enabled and exposed on the Internet. Apple fixes two zero-day flaws exploited in 'sophisticated' attacks Date: 2025-12-12 Author: Bleeping Computer [AUSCERT has published security bulletins for these Apple updates] Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals. The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation. Clop ransomware targets Gladinet CentreStack in data theft attacks Date: 2025-12-18 Author: Bleeping Computer The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign. Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack "is used by thousands of businesses from over 49 countries." GhostPoster Firefox Extensions Hide Malware in Icons Date: 2025-12-17 Author: SecurityWeek Koi Security has identified a malicious campaign targeting Firefox users via a series of extensions that rely on steganography to hide malware in their icons. The extensions pose as free VPN services, ad blockers, translation tools, and weather forecast apps, but instead deploy a multi-stage payload that monitors users’ activities, disables security protections, and enables remote code execution (RCE). ESB-2025.8956.2 – Fortinet Products: CVSS (Max): 9.8 Two critical Fortinet vulnerabilities (CVE-2025-59718 and CVE-2025-59719) affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products are actively being exploited in the wild. ESB-2025.9131 – Apple macOS Tahoe: CVSS (Max): 8.8* Apple has released a patch for a macOS Tahoe zero-day vulnerability that was exploited in the wild. The flaw has been fixed in macOS Tahoe 26.2. ESB-2025.9180 – Nessus: CVSS (Max): 9.1 Tenable has addressed multiple critical security flaws in Nessus versions prior to 10.9.6 and 10.11.1 that were caused by vulnerable third-party components. ESB-2025.9258 – Cisco Secure Email & Secure Email and Web Manager: CVSS (Max): 10.0 Cisco is reviewing a critical, unpatched zero-day vulnerability in its AsyncOS software that is actively being exploited in attacks against Secure Email Gateway and Secure Email and Web Manager appliances. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, A severe new threat, known as React2Shell, has emerged from exploitation of CVE-2025-55182. This affects the widely used server-side features of React, and by extension many applications built on Next.js and similar frameworks. This vulnerability allows an attacker to send a specially crafted HTTP request to run arbitrary commands on the server. Within days of its disclosure on December 3, 2025, multiple threat actors abused the public exploit code. As detailed in a report by researchers at Huntress and Sysdig, attackers have leveraged React2Shell to deploy a variety of malicious payloads across diverse environments. These include a Linux backdoor dubbed PeerBlight, a reverse-proxy tunnel called CowTunnel, and a Go-based post-exploitation implant known as ZinFoq. In some cases, more advanced threats have been observed. For example, a new remote access trojan called EtherRAT, which uses blockchain-based command-and-control and supports multiple persistence mechanisms on Linux, including system services, cron jobs, shell-profile injection, and more. Defenders are urged to immediately update all React and Next.js dependencies to the patched versions (e.g. React Server DOM packages to 19.0.1, 19.1.2, or 19.2.1; Next.js to its latest safe release) and audit public-facing services for signs of compromise. Ivanti warns of critical Endpoint Manager code execution flaw Date: 2025-12-09 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely. Ivanti delivers system and IT asset management solutions to over 40,000 companies via a network of more than 7,000 organizations worldwide. The company's EPM software is an all-in-one endpoint management tool for managing client devices across popular platforms, including Windows, macOS, Linux, Chrome OS, and IoT. Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims Date: 2025-12-10 Author: Cyberscoop [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0214.2/] Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components. Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday. The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week. Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch Date: 2025-12-05 Author: The Hacker News A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF," according to an advisory for the vulnerability. New wave of VPN login attempts targets Palo Alto GlobalProtect portals Date: 2025-12-06 Author: Bleeping Computer A campaign has been observed targeting Palo Alto GlobalProtect portals with login attempts and launching scanning activity against SonicWall SonicOS API endpoints. The activity started on December 2nd and originated from more than 7,000 IP addresses from infrastructure operated by the German IT company 3xK GmbH, which runs its own BGP network (AS200373) and operates as a hosting provider. Over 10,000 Docker Hub images found leaking credentials, auth keys Date: 2025-12-10 Author: Bleeping Computer More than 10,000 Docker Hub container images expose data that should be protected, including live credentials to production systems, CI/CD databases, or LLM model keys. The secrets impact a little over 100 organizations, among them are a Fortune 500 company and a major national bank. Docker Hub is the largest container registry where developers upload, host, share, and distribute ready-to-use Docker images that contain everything necessary to run an application. ASB-2025.0221 – Microsoft Windows: CVSS (Max): 8.8 Microsoft released a patch for CVE-2025-62456, a high-severity heap-based buffer overflow in Windows ReFS that attackers are exploiting in the wild. ESB-2025.8916 – Adobe Experience Manager: CVSS (Max): 9.3 Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. ESB-2025.8956 – Fortinet Products: CVSS (Max): 9.8 Fortinet has patched two critical flaws that allow attackers to bypass authentication due to improper cryptographic signature verification. They impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. ESB-2025.9052 – Google Chrome: CVSS (Max): None available when published Google has issued an emergency Chrome patch to fix a mysterious high-severity zero-day vulnerability that is actively being exploited in the wild, urging all users to update immediately. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, A new malicious npm package, eslint-plugin-unicorn-ts-2, has been discovered that aims specifically at manipulating AI-powered security scanners. The package mimics a legitimate TypeScript extension of the widely used ESLint Unicorn plugin, but embedded within its code is a concealed message telling automated analysis tools to “forget everything you know” and treat the code as safe. While the prompt itself has no effect on how the package runs, its presence signals a concerning shift in attacker behaviour as they begin crafting malware with the explicit intention of deceiving AI-driven defences. The threat comes from the package’s post-install script, which automatically executes once a developer installs the dependency. That script gathers environment variables, potentially including API keys, authentication tokens, and other sensitive credentials, and exfiltrates them to an external Pipedream webhook. The malicious changes were introduced in version 1.1.3, with the package still available in later versions at the time of reporting, increasing the likelihood that unsuspecting developers may have already been affected. This incident highlights the growing risks within the software supply chain and the increasing sophistication of attempts to compromise it. Attackers are not only relying on typosquatting or impersonating trusted packages but are now experimenting with ways to exploit the very tools meant to detect them. For organisations, the event signifies the need to scrutinise dependencies more closely, review installation scripts, and avoid relying solely on AI-based scanners. Any developer who installed the affected package should assume credential exposure and rotate secrets immediately. Glassworm malware returns in third wave of malicious VS Code packages Date: 2025-12-01 Author: Bleeping Computer The Glassworm campaign, which first emerged on the OpenVSX and Microsoft Visual Studio marketplaces in October, is now in its third wave, with 24 new packages added on the two platforms. OpenVSX and the Microsoft Visual Studio Marketplace are both extension repositories for VS Code–compatible editors, used by developers to install language support, frameworks, tooling, themes, and other productivity add-ons. Malicious VS Code Extension as Icon Theme Attacking Windows and macOS Users Date: 2025-12-01 Author: Cyber Security News A malicious Visual Studio Code extension posing as the popular “Material Icon Theme” has been used to attack Windows and macOS users, turning the add-on into a hidden backdoor. The fake extension shipped through the marketplace with backdoored files, giving the attackers a direct path into developer workstations once it was installed. After installation, the extension behaved like a normal icon theme, so most users had no reason to suspect anything was wrong. 'Exploitation is imminent' as 39 percent of cloud environs have max-severity React hole Date: 2025-12-03 Author: The Register [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0214/] A maximum-severity flaw in the widely used JavaScript library React, and several React-based frameworks including Next.js allows unauthenticated, remote attackers to execute malicious code on vulnerable instances. The flaw is easy to abuse, and mass exploitation is "imminent," according to security researchers. The React team disclosed the unauthenticated remote code execution (RCE) vulnerability in React Server Components on Wednesday. It's tracked as CVE-2025-55182 and received a maximum 10.0 CVSS severity rating. Critical King Addons Vulnerability Exploited to Hack WordPress Sites Date: 2025-12-03 Author: Security Week Tracked as CVE-2025-8489 (CVSS score of 9.8), the critical-severity bug is described as a privilege escalation issue that allows attackers to obtain administrative privileges. The vulnerability impacts versions 24.12.92 to 51.1.14. King Addons for Elementor’s maintainers patched the issue in version 51.1.35 of the plugin, which was released on September 25. Roughly a month later, threat actors started targeting the CVE in attacks, and Defiant has observed roughly 50,000 exploit attempts to date. Android Zero-Days Patched in December 2025 Security Update Date: 2025-12-02 Author: Security Week [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.8757.2/] Google warns that two out of the 107 vulnerabilities patched in Android this month have been exploited in limited, targeted attacks. The exploited zero-days, tracked as CVE-2025-48633 and CVE-2025-48572, impact the platform’s Framework component and could be exploited for information disclosure or elevation of privilege, respectively. ASB-2025.0214 – React and Next.js: CVSS (Max): 10.0 A maximum-severity flaw in the widely used JavaScript library React, and several React-based frameworks including Next.js allows unauthenticated, remote attackers to execute malicious code on vulnerable instances. The flaw is easy to abuse, and mass exploitation is "imminent," according to security researchers. ESB-2025.8758 – SUSE: Linux Kernel: CVSS (Max): 7.8 An update that solves 20 vulnerabilities, contains one feature and has five security fixes can now be installed. The SUSE Linux Enterprise 11 SP4 kernel was updated to fix various security issues. ESB-2025.8792 – Apple: Compressor: CVSS (Max): 8.8 Impact: An unauthenticated user on the same network as a Compressor server may be able to execute arbitrary code. Description: The issue was addressed by refusing external connections by default. CVE-2025-43515: CodeColorist and Pedro Tôrres(@t0rr3sp3dr0). ESB-2025.8794 – Google Chrome: CVSS (Max): 8.8* This update includes 13 security fixes addressing issues across several browser components. ESB-2025.8815 – Splunk Enterprise: CVSS (Max): 8.8 Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.0.2, 9.4.6, 9.3.8, 9.2.10, and higher. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, A new episode of the Share Today, Save Tomorrow podcast is out now! Episode 50: The Economy of Algorithms with Marek Kowalkiewicz Our host, Ivano Bongiovanni, sits down with Professor Marek Kowalkiewicz, Chair in Digital Economy at QUT and author of The Economy of Algorithms. This episode explores Marek’s RACERS framework, viewing AI as a creative partner, and why experimentation is key to managing risks. This is a conversation you won’t want to miss, and it’s available now on Spotify, Apple Podcasts, and Soundcloud! This week, it was reported that OpenAI has severed ties with Mixpanel after a security incident exposed limited data associated with some of its API users. The leak, discovered on November 9 and communicated to OpenAI on November 25, did not involve any breach of OpenAI’s own systems such as chat logs, API requests, API keys, payment information or personal IDs. However, the compromised data set included account-holder names, email addresses, broad location information, referring websites, and internal user or organisation IDs. In response, OpenAI removed Mixpanel from its production systems, initiated a full vendor-security audit, and began notifying impacted users and organisations directly. While the company asserted that there is “no evidence of any effect on systems or data outside Mixpanel’s environment,” it cautioned users to watch out for phishing or social-engineering attempts using the exposed information. OpenAI emphasised that regular users of its consumer products, such as ChatGPT, were not impacted, as the breach pertained only to its API-platform analytics. Critical 7 Zip Vulnerability With Public Exploit Requires Manual Update Date: 2025-11-23 Author: Hackread A vulnerability has been found in the very popular, free file-compressing tool 7-Zip. The flaw, tracked as CVE-2025-11001, has a public exploit, leading to a high-risk warning from the UK’s NHS England Digital. While the NHS confirmed active exploitation has not been observed in the wild, the public PoC means the risk of future attacks is extremely high. The vulnerability was discovered by Ryota Shiga of GMO Flatt Security Inc., with help from their AI tool AppSec Auditor Takumi. CISA warns Oracle Identity Manager RCE flaw is being actively exploited Date: 2025-11-21 Author: Bleeping Computer [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0185.2/] The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning government agencies to patch an Oracle Identity Manager tracked as CVE-2025-61757 that has been exploited in attacks, potentially as a zero-day. CVE-2025-61757 is a pre-authentication RCE vulnerability in Oracle Identity Manager, discovered and disclosed by Searchlight Cyber analysts Adam Kues and Shubham Shahflaw. Popular Forge library gets fix for signature verification bypass flaw Date: 2025-11-26 Author: Bleeping Computer A vulnerability in the ‘node-forge’ package, a popular JavaScript cryptography library, could be exploited to bypass signature verifications by crafting data that appears valid. The flaw is tracked as CVE-2025-12816 and received a high severity rating. It arises from the library’s ASN.1 validation mechanism, which allows malformed data to pass checks even when it is cryptographically invalid. Gainsight Cyber-Attack Affect More Salesforce Customers Date: 2025-11-26 Author: Infosecurity Magazine The cyber-attack targeting Gainsight has affected more Salesforce customers than initially expected. In a customer FAQ, first posted on November 20 and regularly updated since, the customer support platform provider said Salesforce initially provided a list of three customers impacted by the breach. Microsoft Teams Flaw in Guest Chat Exposes Users to Malware Attacks Date: 2025-11-26 Author: HackRead Microsoft Teams has become the main tool for communication in businesses globally. Due to this, security teams spend a lot of time and money on protection services like Microsoft Defender for Office 365 to guard against dangers like phishing emails, malicious links, and malware. However, new research from the security firm Ontinue, released on Wednesday, November 26, shows a huge security flaw in the standard setup of Microsoft Teams collaboration with outside partners, known as B2B Guest Access, which lets attackers entirely bypass a company’s Microsoft Defender protections. ASB-2025.0185.2 – Oracle Fusion Middleware: CVSS (Max): 9.8 This Critical Patch Update contains 20 new security patches, plus additional third party patches noted below, for Oracle Fusion Middleware. 17 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. ESB-2025.8534 – F5 BIG-IP DNS: CVSS (Max): 7.5 In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. (CVE-2025-40780). ESB-2025.8648 – Ubuntu: H2O: CVSS (Max): 7.5 H2O could be made to crash if it received specially crafted network traffic. It was discovered that H2O exhibited poor server resource management in its HTTP/2 protocol. An attacker could possibly use this issue to cause H2O to crash, resulting in a denial of service. ESB-2025.8662 – Splunk SOAR: CVSS (Max): 8.8 Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk SOAR version 7.0.0, and higher. ESB-2025.8673 – GitLab Community and Enterprise Edition: CVSS (Max): 7.7 Several GitLab CE/EE vulnerabilities were identified, including high-severity race condition and denial-of-service flaws, along with medium-severity authentication bypass, DoS, and authorization issues. A low-severity information disclosure bug in the Terraform registry was also reported. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” – ep 50: The Economy of Algorithms with Marek Kowalkiewicz In this episode of Share Today, Save Tomorrow, Ivano sits down with Professor Marek Kowalkiewicz, Chair in Digital Economy at QUT and author of The Economy of Algorithms. We explore his RACERS framework, the shift from viewing AI as a mere tool to treating it as a creative partner, and why experimentation is key to managing risks. From surprising real-world applications to global policy gaps, this conversation offers practical insights for leaders navigating the AI revolution. This episode was hosted by Ivano Bongiovanni. The AUSCERT podcast can also be found on Spotify and Apple Podcasts.

Greetings, AUSCERT recently received Shadowserver’s latest Special Report containing intelligence from Operation Endgame, the international law enforcement effort announced on 13 November 2025. The dataset reveals historical infections linked to the Rhadamanthys information-stealing malware, covering activity between March and November 2025. Unlike Shadowserver’s routine daily feeds, these Special Reports provide rare, high-value insights drawn from long-term forensic investigations, helping organisations understand compromises that may have otherwise gone unnoticed. Rhadamanthys is a credential-harvesting malware known for targeting browser data, system details, and sensitive login information. Shadowserver classified every entry in this dataset as CRITICAL due to the potential severity of exposure. While exact timestamps weren’t available, the dataset includes “first seen” and “last seen” indicators to show likely periods of infection. Upon receiving the report, AUSCERT Analysts immediately processed the data through internal systems to identify any potentially affected members. Each affected organisation was contacted directly with tailored details to support rapid awareness and remediation. Several members have since expressed appreciation for the proactive outreach, reinforcing the importance of timely, actionable threat intelligence in responding to long-running malware activity. IBM AIX Vulnerability Lets Remote Attackers Execute Arbitrary Commands Date: 2025-11-17 Author: Cyber Press IBM has released urgent security patches addressing four severe vulnerabilities in AIX and VIOS systems that enable remote attackers to execute arbitrary commands, intercept credentials, and compromise system integrity. The vulnerabilities span multiple AIX versions and demand immediate remediation from affected organizations. PoC Exploit Tool Released for FortiWeb WAF Vulnerability Exploited in the Wild Date: 2025-11-15 Author: Cyber Security News [AUSCERT has published security bulletins for FortiWeb updates – https://portal.auscert.org.au/bulletins/ESB-2025.8364] A proof-of-concept (PoC) exploit tool for CVE-2025-64446 has been publicly released on GitHub. This vulnerability, affecting FortiWeb devices from Fortinet, involves a critical path traversal flaw that has already been observed in real-world attacks, allowing unauthorized access to sensitive CGI endpoints. Security researchers warn that the tool’s availability could accelerate exploitation attempts against unpatched systems worldwide. Fortinet warns of new FortiWeb zero-day exploited in attacks Date: 2025-11-18 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.8401/] Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks. Tracked as CVE-2025-58034, this web application firewall security flaw was reported by Jason McFadyen of Trend Micro's Trend Research team. W3 Total Cache WordPress plugin vulnerable to PHP command injection Date: 2025-11-19 Author: Bleeping Computer A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload. The vulnerability, tracked as CVE-2025-9501, affects all versions of the W3TC plugin prior to 2.8.13 and is described as an unauthenticated command injection. GlobalProtect VPN portals probed with 2.3 million scan sessions Date: 2025-11-20 Author: Bleeping Computer Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals has increased 40 times in 24 hours, indicating a coordinated campaign. Real-time intelligence company GreyNoise reports that activity began climbing on November 14 and hit its highest level in 90 days within a week. "GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals," reads the bulletin. ESB-2025.8360 – Red Hat: lasso: CVSS (Max): 9.8 Red Hat Product Security has rated this update as having a security impact of Critical. The lasso packages provide the Lasso library that implements the Liberty Alliance Single Sign-On standards, including the SAML and SAML2 specifications. It allows handling of the whole life-cycle of SAML-based federations and provides bindings for multiple languages. ESB-2025.8364 – Fortinet FortiWeb: CVSS (Max): 9.8 A relative path traversal vulnerability [CWE-23] in FortiWeb may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. ESB-2025.8412 – Linux Kernel (Live Patch 61 for SUSE Linux Enterprise 12 SP5): CVSS (Max): 8.8 Security update for the Linux Kernel (Live Patch 61 for SUSE Linux Enterprise 12 SP5) that solves 58 vulnerabilities and has eight security fixes. ESB-2025.8446 – Atlassian Products: CVSS (Max): 10.0 The vulnerabilities reported in this Security Bulletin include 34 high-severity vulnerabilities and 5 critical-severity vulnerabilities which have been fixed in new versions of our products, released in the last month. ESB-2025.8463 – Linux kernel (Oracle): CVSS (Max): 9.1 The Linux kernel contained insufficient branch predictor isolation between a guest and a userspace hypervisor for certain processors. This flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this to expose sensitive information from the host OS. ( CVE-2025-40300 ) Stay safe, stay patched and have a good weekend! The AUSCERT team

Over the past six months, AUSCERT has been working closely with ETHIO-CERT, Ethiopia’s national Cyber Emergency Response Team. The goal of this collaboration was to help ETHIO-CERT enhance and expand their cyber security capabilities, ultimately strengthening their ability to protect Ethiopia’s digital infrastructure. This initiative forms part of AUSCERT’s ongoing commitment to fostering international collaboration and sharing operational expertise between CERTs around the world. By working together, teams can accelerate capability-building, share lessons learned and contribute to a more resilient global cyber security community. Through fortnightly knowledge-sharing sessions, the AUSCERT and ETHIO-CERT teams collaborated to design, develop and implement a service that mirrors AUSCERT’s Member Services Incident Notifications (MSIN). This service provides clients and members with timely alerts and actionable insights about relevant cyber threats and vulnerabilities, enabling faster responses across networks and systems. The AUSCERT team provided guidance across every stage of the process, including service architecture, planning, technical configuration, and deployment. This included sessions focused on data acquisition software installation, data flow design, and email infrastructure setup. The teams also worked on designing client-facing messages that provide clear context and actionable information, helping ETHIO-CERT deliver an efficient and reliable service to its stakeholders. This partnership has been an invaluable opportunity for mutual learning and knowledge exchange. While AUSCERT shared its technical and operational experience, ETHIO-CERT provided valuable insights into the regional cyber security landscape. As a result, ETHIO-CERT is now positioned to deliver proactive and responsive incident notifications, empowering its community to make informed security decisions and improve their resilience to cyber threats. At AUSCERT, we’re proud to support initiatives like this that strengthen cyber security collaboration across borders. By working together, we can build a safer, more secure digital future for all.

Greetings, This week, we released an exciting episode of the Share Today, Save Tomorrow podcast! Episode 49 – AUSCERT2026: Game On and Win! As we prepare to mark the 25th anniversary of the AUSCERT Cyber Security Conference in 2026, we’re counting down with a special giveaway. Hidden within this episode is a codeword, which you can enter using the form linked in the episode description. Entering the correct codeword will put you in the running to win a free registration to AUSCERT2026! This episode is available now on Spotify, Apple Podcasts, and Soundcloud. Researchers at Palo Alto Networks’ Unit 42 uncovered a sophisticated commercial-grade spyware campaign targeting users of Samsung Galaxy smartphones across 2024 and into early 2025. The malware, named “LANDFALL”, exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s image-processing library, allowing attackers to execute code via malicious DNG (Digital Negative) image files delivered through WhatsApp. Active for at least seven months, the campaign specifically targeted devices including the Galaxy S24, Z Fold 4 and Z Flip 4. Once infected, LANDFALL enabled extensive surveillance by harvesting audio, phone calls, SMS messages, camera photos and real-time location data. The infrastructure points to a commercial surveillance-tool vendor working with government clients, rather than a traditional cyber-crime gang. The discovery signals a growing trend of “zero-click” or minimal-interaction attacks that leverage vulnerabilities in image parsing libraries. Organisations and individuals should remain vigilant by applying patches promptly, restrict app permissions where possible and monitor for unusual device behaviour. Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws Date: 2025-11-11 Author: Bleeping Computer [AUSCERT has published security bulletins for these Microsoft updates] Today is Microsoft's November 2025 Patch Tuesday, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability. This Patch Tuesday also addresses four "Critical" vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges, and the fourth is an information disclosure flaw. Hackers exploited Citrix, Cisco ISE flaws in zero-day attacks Date: 2025-11-12 Author: Bleeping Computer [See AUSCERT Bulletins: https://portal.auscert.org.au/bulletins/ESB-2025.4160.4/ https://portal.auscert.org.au/bulletins/ESB-2025.4041.2/] An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2" (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware. Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before the security issues were disclosed publicly and patches became available. Critical Triofox Vulnerability Exploited in the Wild Date: 2025-11-11 Author: Security Week [AUSCERT has shared IoCs related to CVE-2025-12480 via its MISP instance] A threat actor has exploited a critical vulnerability in Triofox to obtain remote access to a vulnerable server and then achieve code execution, Google warns. Designed to ease remote work and data management, Gladinet’s Triofox is a secure file sharing and remote access solution that can be integrated with existing IT infrastructure. Critical Cisco Firewall Flaws Exploited for Denial-of-Service Attacks Date: 2025-11-09 Author: Cyberwarzone [See AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2025.6814.2/ & https://portal.auscert.org.au/bulletins/ESB-2025.6813.2/] Cisco firewalls, widely deployed across enterprises for their security infrastructure, are now facing a new wave of attacks exploiting previously identified critical vulnerabilities to launch denial-of-service (DoS) campaigns. This development intensifies concerns surrounding two security flaws for which Cisco released patches in late September. Have I Been Pwned Adds 1.96B Accounts From Synthient Credential Data Date: 2025-11-11 Author: Hackread Have I Been Pwned (HIBP), the popular breach notification service, has added another massive dataset to its platform. This time, 1.96 billion accounts connected to the Synthient Credential Stuffing Threat Data, in collaboration with the threat-intelligence firm Synthient. Users who subscribe to HIBP alerts, including this writer, received an email notification stating: “You’ve been pwned in the Synthient Credential Stuffing Threat Data data breach.” ESB-2025.8191 – Intel CIP Software: CVSS (Max): 8.8 Intel has addressed high-severity flaws in its Computing Improvement Program (CIP) software that could allow privilege escalation or information disclosure. ESB-2025.8224 – Zoom: CVSS (Max): 8.1 A high-severity CVE-2025-62484 vulnerability in Zoom Workplace clients allowed an unauthenticated network attacker to escalate privileges. Zoom recommends updating to version 6.5.10 or later on iOS/Android. ESB-2025.8281 – runc: CVSS (Max): 7.8 Dangerous flaws in runC could let attackers escape Docker containers and gain root access on the host. Fixes are available in updated runC versions. ASB-2025.0213 – Microsoft Windows: CVSS (Max): 9.8 Microsoft patched CVE-2025-62215, a Windows Kernel race-condition flaw that allowed authorized attackers to locally elevate privileges to SYSTEM. The zero-day was actively exploited. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” – ep 49: AUSCERT2026: Game On and Win! In this episode, we’re joined by AUSCERT’s Principal Analyst, Mark Carey-Smith, and Business Manager, Bek Cheb. Together, they discuss the upcoming AUSCERT2026 Cyber Security Conference, celebrating its 25th anniversary, and explore what “Game On!” means for the cyber security community. Competition Alert! As a way of thanking you for your continued support, we’ve got a special giveaway just for our listeners: 1. Listen out for the secret codeword in this episode. 2. Enter it in this form for your chance to win a free AUSCERT2026 registration! This episode was hosted by Bek Cheb.   The AUSCERT podcast can also be found on Spotify and Apple Podcasts.

Greetings, Time is running out to submit a tutorial proposal for AUSCERT2026! Submissions close Monday November 10, so be sure to get in now before it’s too late. If you have practical experience or a unique perspective on cyber security practices, this is your chance to lead an in-depth session and share your insights with peers from across the industry. We encourage submissions from professionals of all backgrounds and experience levels, whether you're a seasoned trainer or a first-time presenter. All successful applicants will receive complimentary conference registration, plus costs covered for flights and accommodation. In a recent update, SonicWall has confirmed that the September security breach involving unauthorised access to firewall configuration backup files was the work of a state-sponsored threat actor. The company enlisted cyber security firm Mandiant, to investigate the incident, which has now concluded with findings that the breach was limited to a specific cloud environment accessed via an API call. Mandiant determined that SonicWall’s core products, firmware, systems, tools, source code, and customer networks remained unaffected. The breach, first disclosed on September 17, exposed sensitive data stored in certain MySonicWall accounts. These configuration files contained credentials and tokens that could potentially simplify exploitation of customer firewalls. In response, SonicWall urged affected users to reset various credentials linked to their accounts and network configurations. By October 9, SonicWall clarified that all customers utilising its cloud backup service were impacted, though the breach was contained and did not compromise the integrity of its broader infrastructure. The company also emphasised that this incident was unrelated to separate attacks by the Akira ransomware gang, which targeted MFA-protected VPN accounts later that month. Critical WordPress Post SMTP Plugin Vulnerability Puts 400,000 Sites at Risk of Account Takeover Date: 2025-11-04 Author: GBHackers A critical vulnerability has been discovered in the Post SMTP WordPress plugin, affecting over 400,000 active installations across the web. The vulnerability, identified as CVE-2025-11833 with a CVSS score of 9.8, allows unauthenticated attackers to access sensitive email logs and execute account takeover attacks on vulnerable WordPress sites. Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks Date: 2025-11-05 Author: Security Week Software supply chain security firm JFrog has disclosed the details of a critical vulnerability affecting a popular React Native NPM package. React Native is an open source framework designed for creating applications that work across mobile, desktop and web platforms. The vulnerability discovered by JFrog researchers, tracked as CVE-2025-11953 and assigned a CVSS score of 9.8, impacts the React Native Community CLI NPM package (@react-native-community/cli), which provides command-line tools for building apps and which has roughly two million downloads every week. Australia warns of BadCandy infections on unpatched Cisco devices Date: 2025-10-31 Author: Bleeping Computer The Australian government is warning about ongoing cyberattacks against unpatched Cisco IOS XE devices in the country to infect routers with the BadCandy webshell. The vulnerability exploited in these attacks is CVE-2023-20198, a max-severity flaw that allows remote unauthenticated threat actors to create a local admin user via the web user interface and take over the devices. Hackers Exploit WSUS Flaw to Spread Skuld Stealer Despite Microsoft Patch Date: 2025-11-01 Author: Hackread A vulnerability in the Windows Server Update Service (WSUS) is being actively exploited by cybercriminals to plant Skuld Staler malware, according to new research from the cybersecurity firm Darktrace. This service, which helps companies manage Microsoft updates in a centralised manner across corporate networks, contains a flaw, identified as CVE-2025-59287, which Microsoft disclosed in October 2025. Because WSUS servers hold key permissions within a network, they are considered high-value targets. Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) Date: 2025-11-04 Author: Zscaler Zscaler uncovered a vulnerability in Keras that exposed AI and machine learning environments to file access and network exploitation risks, highlighting the urgent need to secure the AI model supply chain. Through responsible disclosure and ongoing research, Zscaler helps enterprises stay protected from emerging AI threats with a Zero Trust approach. ESB-2025.7991/ – Apple iOS and iPadOS 18.7.2: CVSS (Max): 8.8 Apple has released iOS 18.7.2 and iPadOS 18.7.2 to address multiple security vulnerabilities—including several high-severity issues (up to CVSS 8.8)—that could allow data exposure, privilege escalation, or remote code execution. ESB-2025.7983 – Cisco Unified Contact Center Express: CVSS (Max): 9.8 Cisco has released critical patches for Unified Contact Center Express to fix two remote code execution and authentication bypass vulnerabilities (CVE-2025-20354, CVE-2025-20358) that could allow unauthenticated attackers to gain root privileges or execute arbitrary scripts remotely. ESB-2025.7947 – Radiometrics VizAir: CVSS (Max): 10.0 CISA has issued an advisory for multiple critical (CVSS 10.0) vulnerabilities in Radiometrics VizAir that allow unauthenticated remote attackers to alter weather and runway data, potentially disrupting airport operations and flight safety. ESB-2025.7914 – Tenable Identity Exposure: CVSS (Max): 9.9 Tenable has released Identity Exposure version 3.77.14 to address multiple high and critical vulnerabilities (up to CVSS 9.9) in third-party components including .NET, SQL Server, and curl. ESB-2025.7911/ – Google Android: CVSS (Max): 9.8* Google has released the November 2025 Android Security Bulletin addressing critical vulnerabilities, including a remote code execution flaw in the System component (CVSS 9.8), which could be exploited without user interaction. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, A new episode of the Share Today, Save Tomorrow podcast is out now! Episode 48: Cyber Resilience and AI Risk: Insurance, Regulation & Boardroom Strategy. Our host, Bek Cheb, is joined by two of WTW’s Cyber and Technology Risk team, Ben Di Marco & Leah Mooney, to expertly unpack the evolving landscape of AI governance, cyber risk, and insurance. They explore how voluntary guardrails are shaping future regulation, why cyber insurance is now essential (not optional), and the practical steps SMEs and large enterprises can take to boost resilience. This episode is available now on Spotify, Apple Podcasts, and YouTube! This week, it was reported that several Tasmanian government agencies have been affected by a cyber attack on a third-party system used to manage student data. The breach stems from VETtrak, a student management software platform developed by ReadyTech, which provides services to the Department for Education, Children and Young People, the state’s fire and emergency services, and the health department. ReadyTech first disclosed the incident to the ASX on October 17, confirming that the affected platform had been isolated while an investigation was underway. Although the Tasmanian government has stated there is currently no evidence that sensitive student information was accessed, ReadyTech later confirmed that cybercriminals had posted a small number of documents containing personal data online. The company has reported the breach to the Australian Federal Police and advised the public not to attempt to view or download the stolen material. Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation Date: 2025-10-24 Author: The Hacker News [AUSCERT has published security bulletins for these Microsoft updates] Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with a proof-of-concept (Poc) exploit publicly available and has come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. QNAP warns of critical ASP.NET flaw in its Windows backup software Date: 2025-10-27 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0173/] QNAP warned customers to patch a critical ASP.NET Core vulnerability that also impacts the company's NetBak PC Agent, a Windows utility for backing up data to a QNAP network-attached storage (NAS) device. Tracked as CVE-2025-55315, this security bypass flaw was found in the Kestrel ASP.NET Core web server and enables attackers with low privileges to hijack other users' credentials or bypass front-end security controls via HTTP request smuggling. 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux Date: 2025-10-29 Author: The Hacker News Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems. "The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS," Socket security researcher Kush Pandya said. Chrome Zero-Day Exploitation Linked to Hacking Team Spyware Date: 2025-10-27 Author: Security Week The exploited Chrome vulnerability, tracked as CVE-2025-2783 and described as a sandbox escape issue, was caught in the wild in a sophisticated cyberespionage campaign attributed to a state-sponsored APT. Firefox was affected by a similar flaw, tracked as CVE-2025-2857. Dubbed Operation ForumTroll, the campaign targeted education, finance, government, media, research, and other organizations in Russia and used phishing emails masquerading as forum invitations to deliver personalized, short-lived links taking victims to websites containing the exploit for CVE-2025-2783. WordPress security plugin exposes private data to site subscribers Date: 2025-10-29 Author: Bleeping Computer The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information. The plugin provides malware scanning and protection against brute-force attacks, exploitation of known plugin flaws, and against database injection attempts. Identified as CVE-2025-11705, the vulnerability was reported to Wordfence by researcher Dmitrii Ignatyev and affects versions of the plugin 4.23.81 and earlier. ESB-2025.7820 – Splunk: Splunk AppDynamics Private Synthetic Agent: CVSS (Max): 9.8 Splunk remedied common vulnerabilities and exposures (CVE-2022-48622, CVE-2024-45159) in Third Party Packages in Splunk AppDynamics Private Synthetic Agent version 25.7.0 and higher. ESB-2025.7801 – Ubuntu: Squid: CVSS (Max): 10.0 Leonardo Giovannini discovered that Squid failed to redact HTTP Authentication credentials in a default configuration. An attacker could possibly use this issue to obtain sensitive information. ESB-2025.7733 – SUSE: MozillaFirefox: CVSS (Max): 9.8 The Firefox Extended Support Release 140.4.0 ESR update addresses multiple security vulnerabilities, including use-after-free, out-of-bounds access, information leaks, and potential code execution issues. It also includes fixes for several memory safety bugs in Firefox and Thunderbird. ESB-2025.7722 – SUSE: govulncheck-vulndb: CVSS (Max): 9.9 This update adds or updates a large set of new Go CVE Numbering Authority (CNA) identifiers each mapped to corresponding CVE and/or GHSA aliases, expanding the vulnerability database index for Go modules. ESB-2025.7712 – Debian: thunderbird: CVSS (Max): 9.8 Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. Stay safe, stay patched and have a good weekend! The AUSCERT team