19 Dec 2025
Week in review
Greetings,
This week, audio-streaming platform SoundCloud has confirmed it suffered a significant security incident that has impacted millions of users and caused widespread service disruptions. After days of intermittent outages and virtual private network (VPN) connection errors that left users seeing “403 Forbidden” messages when trying to access the site, the company revealed that threat actors gained unauthorised access to one of its systems and exfiltrated a database containing user information.
According to SoundCloud’s disclosure, the breach affected roughly 20 per cent of its global user base, equating to a potential 28 million accounts, by exposing email addresses and data already visible on public profiles. The company asserted that no sensitive information such as passwords or financial details was accessed, and its investigation has confirmed that unauthorised access has since been contained.
In an effort to secure its systems quickly, SoundCloud made configuration changes that inadvertently blocked many VPN connections. While this helped stem further unauthorised access, it frustrated users in regions reliant on VPNs to reach the service, and the company has not yet provided a timeline for fully restoring that access.
The cyber security incident also coincided with denial-of-service attacks that temporarily knocked SoundCloud’s web platform offline. As the service works with external experts to bolster its defences and improve monitoring, users are being urged to stay alert for phishing attempts targeting exposed email addresses.
Hackers exploit newly patched Fortinet auth bypass flaws
Date: 2025-12-16
Author: Bleeping Computer
[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.8956.2/]
Hackers are exploiting critical-severity vulnerabilities affecting multiple Fortinet products to get unauthorized access to admin accounts and steal system configuration files.
The two vulnerabilities are tracked as CVE-2025-59718 and CVE-2025-59719, and Fortinet warned in an advisory on December 9 about the potential for exploitation.
CVE-2025-59718 is a FortiCloud SSO authentication bypass affecting FortiOS, FortiProxy, and FortiSwitchManager.
Cisco warns of unpatched AsyncOS zero-day exploited in attacks
Date: 2025-12-17
Author: Bleeping Computer
[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.9258/]
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Cisco warned customers today of an unpatched, maximum-severity Cisco AsyncOS zero-day actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.
This yet-to-be-patched zero-day (CVE-2025-20393) affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations, when the Spam Quarantine feature is enabled and exposed on the Internet.
Apple fixes two zero-day flaws exploited in 'sophisticated' attacks
Date: 2025-12-12
Author: Bleeping Computer
[AUSCERT has published security bulletins for these Apple updates]
Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.
The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.
Clop ransomware targets Gladinet CentreStack in data theft attacks
Date: 2025-12-18
Author: Bleeping Computer
The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign.
Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack "is used by thousands of businesses from over 49 countries."
GhostPoster Firefox Extensions Hide Malware in Icons
Date: 2025-12-17
Author: SecurityWeek
Koi Security has identified a malicious campaign targeting Firefox users via a series of extensions that rely on steganography to hide malware in their icons.
The extensions pose as free VPN services, ad blockers, translation tools, and weather forecast apps, but instead deploy a multi-stage payload that monitors users’ activities, disables security protections, and enables remote code execution (RCE).
ESB-2025.8956.2 – Fortinet Products: CVSS (Max): 9.8
Two critical Fortinet vulnerabilities (CVE-2025-59718 and CVE-2025-59719) affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products are actively being exploited in the wild.
ESB-2025.9131 – Apple macOS Tahoe: CVSS (Max): 8.8*
Apple has released a patch for a macOS Tahoe zero-day vulnerability that was exploited in the wild. The flaw has been fixed in macOS Tahoe 26.2.
ESB-2025.9180 – Nessus: CVSS (Max): 9.1
Tenable has addressed multiple critical security flaws in Nessus versions prior to 10.9.6 and 10.11.1 that were caused by vulnerable third-party components.
ESB-2025.9258 – Cisco Secure Email & Secure Email and Web Manager: CVSS (Max): 10.0
Cisco is reviewing a critical, unpatched zero-day vulnerability in its AsyncOS software that is actively being exploited in attacks against Secure Email Gateway and Secure Email and Web Manager appliances.
Stay safe, stay patched and have a good weekend!
The AUSCERT team
