24 Dec 2025

Week in review

Greetings,

As we wrap up the final Week in Review for the year, it’s a good moment to pause and reflect on what’s been a big year across the cyber landscape. From evolving threat tactics and major breaches to new vulnerabilities and hard-won lessons, 2025 has reinforced just how quickly our environment changes. It’s important to remember the effectiveness of collaboration, vigilance, and shared knowledge as we move into 2026.

We wish you a safe, restful, and well-earned break over the holiday period. We’ll be back in the New Year with more updates, insights, and analysis. Until then, happy holidays and best wishes for a secure start to the year ahead.


Over 25,000 FortiCloud SSO devices exposed to remote attacks
Date: 2025-12-19
Author: Bleeping Computer

Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability.
Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service.
As cybersecurity company Arctic Wolf reported on Monday, the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins.

WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability
Date: 2025-12-19
Author: The Hacker News

WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks.
Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code.

Microsoft 365 accounts targeted in wave of OAuth phishing attacks
Date: 2025-12-19
Author: Bleeping Computer

Multiple threat actors are compromising Microsoft 365 accounts in phishing attacks that leverage the OAuth device code authorization mechanism.
Attackers trick victims into entering a device code on Microsoft’s legitimate device login page, unknowingly authorizing an attacker-controlled application and granting them access to the target account without stealing credentials or bypassing multi-factor authentication (MFA).
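The defender's counterpart to the flow described above, as an added example that is not from the article: a short Python check that flags device-code sign-ins from applications not on an allow-list and notes when the source IP never appears in that user's ordinary sign-ins. The log records and allow-list are constructed, and the Entra sign-in field names (userPrincipalName, authenticationProtocol, appId, ipAddress) are assumed rather than taken from the page.

```python
from collections import defaultdict

# Constructed sample records shaped like Microsoft Entra sign-in log entries.
# Field names are assumed to match the Entra schema; all values are invented.
SAMPLE_SIGNIN_LOGS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "appId": "app-outlook", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Helpful Sync Tool", "appId": "app-unknown-1", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Corp CLI", "appId": "app-corp-cli", "ipAddress": "198.51.100.8"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Helpful Sync Tool", "appId": "app-unknown-1", "ipAddress": "198.51.100.9"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Teams", "appId": "app-teams", "ipAddress": "198.51.100.9"},
]

# Device-code clients the organisation has deliberately approved (constructed allow-list).
APPROVED_DEVICE_CODE_APPS = frozenset({"app-corp-cli"})


def flag_device_code_signins(records, approved_apps=APPROVED_DEVICE_CODE_APPS):
    """Return device-code sign-ins from non-approved apps, marking whether the
    source IP was also seen in the same user's non-device-code sign-ins."""
    usual_ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            usual_ips[r["userPrincipalName"]].add(r.get("ipAddress"))
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("appId") in approved_apps:
            continue
        user = r["userPrincipalName"]
        hits.append({
            "user": user,
            "app": r.get("appDisplayName"),
            "appId": r.get("appId"),
            "ip": r.get("ipAddress"),
            # The victim types the code on Microsoft's page, but the token is
            # redeemed from wherever the flow was started, so an IP the user
            # has never signed in from before is the stronger signal.
            "novel_ip": r.get("ipAddress") not in usual_ips[user],
        })
    return hits


if __name__ == "__main__":
    for hit in flag_device_code_signins(SAMPLE_SIGNIN_LOGS):
        print(hit)
```

Blocking the device code flow for users who do not need it (for example via a Conditional Access policy) removes the attack surface entirely; the check above is for finding the cases that slip through.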

HPE Patches Critical Flaw in IT Infrastructure Management Software
Date: 2025-12-18
Author: SecurityWeek

Hewlett Packard Enterprise (HPE) this week announced patches for a critical-severity remote code execution vulnerability in its OneView IT infrastructure management software.
Tracked as CVE-2025-37164 (CVSS score of 10), the security defect can be exploited without authentication, the company notes in a barebones advisory.
HPE makes no mention of the flaw being exploited in the wild, but urges customers to update to a fixed release as soon as possible.

MacSync macOS Malware Distributed via Signed Swift Application
Date: 2025-12-22
Author: SecurityWeek

The developers of a macOS malware named MacSync Stealer have updated their delivery mechanism, eliminating the need for direct terminal interaction, Jamf reports.
The MacSync Stealer emerged roughly half a year ago, as a rebrand of Mac.c, a macOS information stealer that was first seen in April 2025.
Mac.c was a cheap alternative to established macOS stealers, and was acquired by a malware developer who quickly expanded its capabilities and turned it into a prominent threat.
In addition to the information-stealing capabilities inherited from Mac.c, MacSync Stealer was retrofitted with backdoor capabilities through a fully-featured Go-based agent.


ESB-2025.9344 – chromium

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

ESB-2025.9384 – F5 Products (ARX, LineRate)

An attacker may be able to cause a denial-of-service (DoS) using an application that processes arbitrary PKCS#7 data.

ESB-2025.9354 – Linux kernel (Real-time)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.

ESB-2025.9345 – wordpress

Multiple security issues were discovered in the WordPress blogging tool, which could result in cross-site scripting or information disclosure.


Stay safe, stay patched and have a good weekend!

The AUSCERT team