Today’s roundup
Cisco warns of unpatched AsyncOS zero-day exploited in attacks
SonicWall warns of actively exploited flaw in SMA1000 AMC
U.S. CISA adds a flaw in multiple Fortinet products to its Known Exploited Vulnerabilities catalog
Critical React2Shell flaw exploited in ransomware attacks
Russian state hackers targeted Western critical infrastructure for years, Amazon says
GachiLoader: Defeating Node.js Malware with API Tracing
Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks
Most Parked Domains Now Serving Malicious Content
Askul data breach exposed over 700,000 records after ransomware attack
GNV ferry Fantastic under cyberattack probe amid remote hijack fears
Summary
Cisco has warned of an unpatched, maximum-severity zero-day vulnerability in its AsyncOS software, which is actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Organizations using these products are advised to monitor for indicators of compromise.
SonicWall has issued an urgent advisory urging customers to patch CVE-2025-40602, a local privilege escalation zero-day in the SMA1000 Appliance Management Console (AMC). On its own a local privilege escalation needs an existing foothold on the appliance; attackers are reportedly obtaining that foothold through CVE-2025-23006 (CVSS 9.8) and chaining the two flaws into unauthenticated root remote code execution.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added Fortinet's critical authentication bypass vulnerability, CVE-2025-59718 (CVSS 9.1), to its Known Exploited Vulnerabilities catalog. Threat actors are actively exploiting this flaw in multiple Fortinet products to gain unauthorized access to admin accounts and steal system configuration files. Federal agencies are mandated to remediate by December 23, 2025.
A critical React2Shell flaw, identified as CVE-2025-55182, is being actively exploited by a ransomware group. This vulnerability provides initial access to corporate networks, enabling the rapid deployment of file-encrypting malware.
Amazon Threat Intelligence has disclosed a multi-year campaign (2021-2025) by Russian state-backed GRU hackers (tracked as Sandworm, APT44, and Seashell Blizzard) against Western critical infrastructure, particularly the energy sector. Over the course of the campaign the attackers shifted from exploiting known vulnerabilities to abusing misconfigured network edge devices, using them for persistent access and for stealing credentials from cloud infrastructure hosted on AWS.
Check Point Research has published a detailed analysis of GachiLoader, a new, heavily obfuscated Node.js loader distributed through the YouTube Ghost Network that delivers infostealers such as Rhadamanthys; the researchers used API tracing to see through the obfuscation. The malware's Kidkadi component uses a novel PE injection technique named "Vectored Overloading," which manipulates Windows' Vectored Exception Handling during payload loading to evade detection.
A new distributed denial-of-service (DDoS) botnet, dubbed Kimwolf, has reportedly hijacked approximately 1.8 million Android-based devices, including TVs, set-top boxes, and tablets. According to QiAnXin XLab, which analyzed the NDK-compiled bot, the botnet is launching large-scale DDoS attacks and may be connected to another botnet known as AISURU.
An Infoblox study indicates that over 90% of visits to parked domains, including expired and typosquatted names, now end in redirects to malicious content such as scams, scareware, or malware. This widespread malvertising profiles each visitor through multi-step redirection chains before choosing a destination, and the study's examples include lookalike domains targeting major brands and government entities.
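As an added illustration (not Infoblox's methodology or code), the following Python script shows one way a defender might triage observed hostnames from passive DNS or proxy logs against a list of monitored brand domains for the kinds of lookalikes the study describes: typosquats (omission, transposition, doubled letter, hyphen removal), ASCII homoglyphs such as l/1/i and rn/m, TLD swaps, and brand names embedded in a longer label. The brand list and observed hostnames are constructed sample data, and the domain split assumes a single-label public suffix (it does not handle suffixes like .co.uk).

```python
"""Lookalike-domain triage (added example; the brands and hosts are constructed)."""

from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed monitored brands: placeholders, not real targets.
BRANDS: List[str] = ["examplebank.com", "acme-gov.gov"]

# Constructed "observed" hostnames, e.g. pulled from passive DNS or proxy logs.
OBSERVED: List[str] = [
    "examplebank.com",        # the brand itself
    "exampIebank.com",        # homoglyph: 'l' replaced by 'I' (DNS is case-insensitive)
    "exmaplebank.com",        # adjacent transposition
    "examplebank-login.com",  # brand label embedded in a longer label
    "examplebank.net",        # TLD swap
    "acmegov.gov",            # hyphen removed
    "cloud.example.org",      # unrelated host
]

# ASCII confusables that survive the letters-digits-hyphen DNS alphabet.
HOMOGLYPHS: Dict[str, List[str]] = {
    "l": ["1", "i"], "i": ["1", "l"], "1": ["l", "i"], "o": ["0"], "0": ["o"],
    "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"], "cl": ["d"], "d": ["cl"],
}


def split_host(host: str) -> Tuple[str, str]:
    """Return (registrable label, tld). Assumes a single-label public suffix."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def typosquat_variants(label: str) -> Set[str]:
    """Generate the common one-step typosquats of a brand label."""
    out: Set[str] = set()
    n = len(label)
    for i in range(n):                      # character omission
        out.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                  # adjacent transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                      # doubled character
        out.add(label[:i + 1] + label[i] + label[i + 1:])
    for src, repls in HOMOGLYPHS.items():   # confusable substitution
        idx = label.find(src)
        while idx != -1:
            for r in repls:
                out.add(label[:idx] + r + label[idx + len(src):])
            idx = label.find(src, idx + 1)
    if "-" in label:                        # hyphen dropped
        out.add(label.replace("-", ""))
    out.discard(label)
    return out


def dl_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str, brands: List[str] = BRANDS) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when host resembles a monitored brand, else None."""
    label, tld = split_host(host)
    for brand in brands:
        b_label, b_tld = split_host(brand)
        if label == b_label:
            return None if tld == b_tld else (brand, "tld-swap")
        if label in typosquat_variants(b_label):
            return (brand, "typosquat-variant")
        if dl_distance(label, b_label) <= 1:   # catches substitutions not generated above
            return (brand, "edit-distance-1")
        if b_label in label:
            return (brand, "brand-embedded")
    return None


def triage(hosts: Iterable[str], brands: List[str] = BRANDS) -> Dict[str, Tuple[str, str]]:
    """Map each suspicious host to the brand it imitates and the matching rule."""
    return {h: hit for h in hosts if (hit := classify(h, brands)) is not None}


if __name__ == "__main__":
    for host, (brand, reason) in triage(OBSERVED).items():
        print(f"{host:24} -> {brand} ({reason})")
```

Exact-variant matching runs before the edit-distance check so that the report names the specific trick; the distance check is a fallback for substitutions the generator does not enumerate. Hits are a starting point for analyst review, not a verdict: a legitimate partner domain can embed a brand name, so the next step is to follow the redirect chain for each flagged host from a disposable client and record every hop.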
Japanese e-commerce and logistics firm Askul has confirmed a data breach affecting over 700,000 records following an October 19 ransomware attack executed by the RansomHouse group. The incident led to the theft and subsequent leakage of approximately 1 TB of sensitive data, including customer, partner, and employee information, alongside significant service disruptions.
French prosecutors are investigating a suspected state-linked cyberattack on the GNV ferry Fantastic, initiated after alerts from Italian intelligence. The probe, focusing on a potential remote hijack attempt, resulted in a Latvian sailor being charged with conspiracy to serve a foreign power, believed to be Russia, and attempted computer system intrusion.
Want to dig deeper?
Cyber Groups
| Group | Aliases | Country |
|---|---|---|
| Sandworm Team | ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44 | Russia |