Australia Cyber Threat Update: Bulletproof Hosting Crackdown & Critical Fortinet/Cisco Exploits

Executive Summary

The Australian cyber threat landscape for the last 24 hours has been dominated by a coordinated international response to resilient cybercrime infrastructure and the escalation of attacks against edge devices. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), in conjunction with global partners (CISA, FBI, NCSC-UK), released pivotal guidance yesterday targeting "Bulletproof Hosting" providers. Meanwhile, critical vulnerabilities in Fortinet and Cisco appliances are seeing active exploitation, posing severe risks to Australian organisations relying on these perimeter defence technologies.


Top Strategic Development: Crackdown on Bulletproof Hosting

Sectors Impacted: Government, FinTech, Critical Infrastructure

In a major release on 19 November 2025, the ACSC joined international agencies to publish "Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers." Bulletproof hosting (BPH) services are the backbone of the cybercrime economy, allowing ransomware gangs and phishing operators to host malicious content with impunity.

  • The Threat: BPH providers knowingly ignore abuse complaints and facilitate high-volume phishing campaigns and C2 (Command and Control) infrastructure.
  • Action Required: Australian network defenders and ISPs are urged to review the new guidance to identify and block traffic to and from known BPH IP ranges. This is a critical step for Government and FinTech sectors to reduce the attack surface for ransomware and fraud.
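As an added illustration of the "block traffic to and from known BPH IP ranges" step (example code, not from the ACSC guidance or this bulletin), the function below matches firewall log lines against a CIDR block list in both directions. The block list uses documentation-only ranges and the log lines are constructed; neither represents real BPH infrastructure.

```python
# Added example: flag firewall log lines whose source or destination falls in a
# BPH block list. Block list and log lines are constructed sample data; the
# ranges are RFC 5737 / RFC 3849 documentation prefixes, not real BPH ranges.
import ipaddress
from typing import Dict, Iterable, List, Optional

BPH_BLOCKLIST = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
    ipaddress.ip_network("2001:db8:dead::/48"),
]

# Constructed key=value firewall log lines (format is hypothetical).
SAMPLE_LOGS = [
    "2025-11-20T01:02:03Z action=allow src=10.0.5.17 dst=192.0.2.44 dport=443",
    "2025-11-20T01:02:09Z action=allow src=198.51.100.200 dst=10.0.5.17 dport=22",
    "2025-11-20T01:03:11Z action=allow src=10.0.5.18 dst=93.184.216.34 dport=443",
    "2025-11-20T01:04:30Z action=deny src=10.0.5.19 dst=[2001:db8:dead::1] dport=8443",
    "malformed line without addresses",
]

def _field(line: str, key: str) -> Optional[str]:
    """Pull key=value from a log line; strips the [] some firewalls put round IPv6."""
    for tok in line.split():
        if tok.startswith(key + "="):
            return tok[len(key) + 1:].strip("[]")
    return None

def in_blocklist(addr: str, blocklist: Iterable = BPH_BLOCKLIST) -> bool:
    """True if addr parses as an IP and sits inside any listed network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # garbage in the src/dst field is never a match
    return any(ip in net for net in blocklist)

def flag_bph_traffic(lines: Iterable[str]) -> List[Dict]:
    """One record per line touching a BPH range; denied lines are still reported,
    because a deny to a BPH C2 range is itself a sign of an infected host."""
    hits = []
    for line in lines:
        src, dst = _field(line, "src"), _field(line, "dst")
        if src is None or dst is None:
            continue          # skip malformed lines rather than abort the sweep
        match = []
        if in_blocklist(src):
            match.append("inbound-from-bph")
        if in_blocklist(dst):
            match.append("outbound-to-bph")
        if match:
            hits.append({"line": line, "src": src, "dst": dst, "match": match})
    return hits

if __name__ == "__main__":
    for hit in flag_bph_traffic(SAMPLE_LOGS):
        print(hit["match"], hit["src"], "->", hit["dst"])
```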

Critical Vulnerabilities Under Active Exploitation

Organisations using web application firewalls (WAFs) and secure gateways must urgently review the following actively exploited vulnerabilities highlighted in the last 24 hours:

1. Fortinet FortiWeb – Critical Authentication Bypass

  • CVE: CVE-2025-64446 (CVSS 9.1)
  • Status: Active Exploitation Confirmed (Added to CISA KEV on 14 Nov 2025, widely targeted in the last 24 hours).
  • Impact: This critical vulnerability allows unauthenticated remote attackers to bypass authentication and gain administrative control over FortiWeb appliances.
  • Relevance: High risk for SaaS providers and eCommerce platforms using FortiWeb to protect customer data.
  • Recommendation: Patch immediately. If patching is not possible, restrict management interface access to trusted internal IPs only.

2. Cisco ASA & FTD – State-Sponsored Targeting

  • CVEs: CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362
  • Threat Actor: Linked to UAT4356/Storm-1849 (State-sponsored activity).
  • Context: Despite patches being available, telemetry indicates approximately 48,000 appliances globally remain unpatched. Threat actors are chaining these vulnerabilities to establish persistent footholds in corporate networks.
  • Sector Risk: Government and Education networks are frequent targets for this type of espionage-focused campaign.

3. WatchGuard Firebox & IoT Risks

  • Observation: Security researchers have identified over 54,000 exposed WatchGuard Firebox devices as of mid-November 2025.
  • IoT Threat: A new botnet is aggressively recruiting end-of-life GeoVision devices.
  • Takeaway: IoT and edge security remains a weak point. Organisations with distributed branches (e.g., Healthcare clinics, retail chains) must audit their perimeter footprint for unmanaged or end-of-life devices.

Sector-Specific Threat Intelligence

  • Healthcare: Following the trend of high-impact ransomware attacks (such as the MediSecure incident earlier in the decade), the sector remains a priority target. The new BPH guidance is crucial here: blocking BPH infrastructure can prevent the initial callback of ransomware payloads often used against hospitals.
  • Education (EdTech): With the academic year wrapping up, schools and universities are facing increased phishing attempts disguised as administrative notices. The exploitation of Cisco VPN vulnerabilities is a specific vector being used to penetrate university research networks.
  • FinTech: A new alert from the ACSC (13 Nov 2025) regarding scammers impersonating police to steal cryptocurrency remains highly relevant. FinTech platforms should warn users about this social engineering tactic, which often involves "urgent" requests to move funds to "safe" wallets.

Penetration Tester’s Perspective

From an offensive security standpoint, the current environment is volatile. Attackers are moving faster than defenders can patch. The FortiWeb bypass (CVE-2025-64446) is particularly dangerous because it compromises the very device meant to secure your web applications.

During our recent engagements, we have observed that API security remains a blind spot. With the rise of AI-driven attacks, automated scripts are now capable of probing APIs for logic flaws much faster than human analysts. Ensure your APIs are not just behind a WAF, but also rigorously tested for Broken Object Level Authorisation (BOLA) and other logic vulnerabilities.
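As an added example (not from the original post), the framework-free handlers below show the BOLA pattern described above beside its hardened form, plus the object-level authorisation check a tester runs against their own test accounts. The Invoice store and function names are hypothetical; the data is constructed.

```python
# Added example: Broken Object Level Authorisation (BOLA) in a minimal in-memory
# API. The vulnerable handler looks records up by id only; the hardened handler
# also requires that the record belong to the caller. All names are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str          # user that owns this record
    amount_cents: int

# Constructed sample data: two users, three invoices.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 12_000),
    1002: Invoice(1002, "bob", 4_500),
    1003: Invoice(1003, "alice", 99_000),
}

def get_invoice_vulnerable(caller: str, invoice_id: int) -> Optional[Invoice]:
    """BOLA: the caller is authenticated, but any invoice id is served back.
    A WAF sees a well-formed GET /invoices/1001 and has no reason to block it."""
    return INVOICES.get(invoice_id)

def get_invoice_hardened(caller: str, invoice_id: int) -> Optional[Invoice]:
    """Object-level check: the record must belong to the caller.
    'Missing' and 'not yours' return the same result so ids are not enumerable."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != caller:
        return None
    return inv

def check_object_level_auth(handler: Callable[[str, int], Optional[Invoice]],
                            caller: str, id_range: Iterable[int]) -> List[int]:
    """Regression check for a test account: list ids the caller can read
    but does not own. An empty list is the expected result."""
    leaked = []
    for i in id_range:
        inv = handler(caller, i)
        if inv is not None and inv.owner != caller:
            leaked.append(inv.id)
    return leaked

if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable leaks:", check_object_level_auth(get_invoice_vulnerable, "bob", ids))
    print("hardened leaks:  ", check_object_level_auth(get_invoice_hardened, "bob", ids))
```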


Contact us for a quote for penetration testing services or adversary simulation.