CyberNews: 19/12/2025 Edition

Published by Dunateo on 2025-12-19

Today’s roundup

  • China-linked APT UAT-9686 is targeting Cisco Secure Email Gateway and Secure Email and Web Manager
  • WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability
  • Hewlett Packard Enterprise (HPE) fixed maximum severity OneView flaw
  • ASRock, ASUS, GIGABYTE, MSI Boards vulnerable to pre-boot memory attacks
  • CLOP targets Gladinet CentreStack servers in large-scale extortion campaign
  • Denmark blames Russia for destructive cyberattack on water utility
  • China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware
  • New password spraying attacks target Cisco, PAN VPN gateways
  • US Charges 54 in Massive ATM Jackpotting Conspiracy
  • Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks

Summary

    Cisco disclosed a critical zero-day, CVE-2025-20393, in Secure Email Gateway and Secure Email and Web Manager, actively exploited by China-linked APT UAT-9686. The group uses Python-based backdoors like "AquaShell" for root-level command execution and persistence on exposed appliances since late November 2025.

    WatchGuard urged customers to patch critical, actively exploited RCE vulnerability CVE-2025-14733 (CVSS 9.3) in Firebox firewalls. The out-of-bounds write in the iked process allows remote unauthenticated arbitrary code execution.

    Hewlett Packard Enterprise (HPE) fixed a maximum-severity security flaw, CVE-2025-37164 (CVSS 10.0), in OneView Software. This allows remote unauthenticated RCE on versions through v10.20; exploitation in the wild is unconfirmed.

    A new UEFI vulnerability affects select ASRock, ASUS, GIGABYTE, and MSI motherboards, enabling early-boot DMA attacks by bypassing IOMMU protections due to improper firmware initialization. Vendors have issued firmware updates for the identified CVEs (CVSS 7.0).

    The Clop ransomware group is conducting a large-scale data theft and extortion campaign targeting internet-exposed Gladinet CentreStack file servers. The vulnerability being exploited has not yet been identified (it may be an n-day or a zero-day); over 200 targets have been identified so far, and a workaround is available for systems that cannot yet be patched.

    Danish intelligence officials attributed destructive cyberattacks, including against a water utility, to Russia, characterizing them as part of Moscow's hybrid attacks targeting Western nations.

    A newly documented China-aligned threat cluster, "LongNosedGoblin," is conducting cyber espionage against governmental entities in Southeast Asia and Japan, using Windows Group Policy to deploy malware since September 2023, as reported by ESET.

    An automated password spraying campaign is actively targeting multiple VPN platforms, including Palo Alto Networks GlobalProtect and Cisco SSL VPN gateways, using credential-based methods for unauthorized access.

    US authorities charged 54 individuals in a massive ATM jackpotting conspiracy linked to the Venezuelan crime syndicate Tren de Aragua, accused of stealing millions.

    Nigerian law enforcement arrested three high-profile internet fraud suspects, including the main developer of the RaccoonO365 Phishing-as-a-Service (PhaaS) scheme, which targeted Microsoft 365 users at major corporations.

Vulnerabilities

  • CVE-2025-20393 (Medium)
  • CVE-2025-14733 (Critical)
  • CVE-2025-37164 (High)