Executive Summary
The last 24 hours have been particularly turbulent for Australian cyber defenders, marked by an "Act Now" alert for Fortinet appliances and a significant Patch Tuesday release from Microsoft that includes an actively exploited zero-day. As we move deeper into December, the threat landscape is dominated by the exploitation of edge devices and a worrying new trend: vulnerabilities in AI-assisted development tools.
The Australian Cyber Security Centre (ACSC) has escalated warnings regarding authentication bypass flaws in Fortinet products, while fresh data reveals Australian organisations are currently the world’s most targeted for ransomware.
Here is your deep dive into the threats impacting Healthcare, FinTech, Government, and SaaS providers over the past 24 hours.
1. Critical Vulnerability: Fortinet Authentication Bypass (CVE-2025-59718)
Severity: Critical | Status: Active Risk | Sectors Impacted: Government, Education, Enterprise
Late yesterday (10 December), the ACSC released a technical alert regarding multiple critical vulnerabilities in Fortinet products. The most severe, CVE-2025-59718, allows unauthenticated attackers to bypass FortiCloud Single Sign-On (SSO) authentication.
- The Flaw: Improper verification of cryptographic signatures in SAML responses.
- The Risk: An attacker can forge a SAML response to gain administrative access to the device without valid credentials.
- Affected Products: FortiOS, FortiProxy, and FortiSwitchManager.
- Action: Patching is mandatory. If immediate patching is not feasible, disable FortiCloud SSO login on the affected devices until they are patched, and review admin login events for SSO sessions you cannot account for.
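The advisory summary above says only that the flaw is "improper verification of cryptographic signatures". The block below is an added example, not Fortinet code and not a description of the actual root cause: it shows two generic ways a SAML-response verifier fails in that class (treating a missing signature as "nothing to check", and verifying against key material carried inside the message instead of the IdP key pinned out of band) next to a strict verifier. The RSA here is textbook RSA over two fixed primes so the block runs on the standard library; the issuer name and assertion fields are made up.

```python
"""Added example (not Fortinet code): how a SAML-response signature check
turns into an authentication bypass.  Two generic CWE-347 mistakes are
combined in one verifier and contrasted with a strict one."""
import hashlib
import json

E = 65537

def make_key(p: int, q: int):
    """Textbook RSA from two fixed primes.  Deliberately tiny and insecure:
    it exists only so the block runs on the standard library.  A real SAML
    response carries an XML-DSig RSA signature over the assertion; the
    verification logic further down is the part that matters."""
    n, d = p * q, pow(E, -1, (p - 1) * (q - 1))
    return (E, n), d           # (public key, private exponent)

IDP_PUB, IDP_PRIV = make_key((1 << 61) - 1, (1 << 31) - 1)            # the real IdP
ATTACKER_PUB, ATTACKER_PRIV = make_key((1 << 89) - 1, (1 << 19) - 1)  # attacker's own key

def digest(assertion: dict) -> int:
    raw = json.dumps(assertion, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:8], "big")  # < 2**64 < n

def sign(assertion: dict, priv: int, pub) -> int:
    return pow(digest(assertion), priv, pub[1])

def rsa_verify(assertion: dict, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest(assertion)

def vulnerable_verify(response: dict) -> bool:
    """Mistake 1: a response with no Signature element is accepted as
    'nothing to verify'.  Mistake 2: the key used for the check is taken
    from the message (KeyInfo), so the sender chooses the key it is
    verified against and a self-signed forgery passes."""
    sig = response.get("Signature")
    if sig is None:
        return True
    return rsa_verify(response["Assertion"], sig, response["KeyInfo"])

def hardened_verify(response: dict, pinned_pub, expected_issuer: str) -> bool:
    """Require a signature, verify it only against the IdP key pinned out of
    band (any KeyInfo in the message is ignored), and only then trust the
    assertion's contents."""
    sig = response.get("Signature")
    if sig is None or not rsa_verify(response["Assertion"], sig, pinned_pub):
        return False
    return response["Assertion"].get("Issuer") == expected_issuer

# Constructed assertion; "idp.example" is a hypothetical issuer name.
ADMIN = {"Issuer": "idp.example", "NameID": "admin", "Role": "super_admin"}

def build_responses():
    """One genuine response and two forgeries an attacker can produce
    without the IdP's private key."""
    legit = {"Assertion": ADMIN, "KeyInfo": IDP_PUB,
             "Signature": sign(ADMIN, IDP_PRIV, IDP_PUB)}
    unsigned = {"Assertion": ADMIN}                        # signature stripped
    self_signed = {"Assertion": ADMIN, "KeyInfo": ATTACKER_PUB,
                   "Signature": sign(ADMIN, ATTACKER_PRIV, ATTACKER_PUB)}
    return legit, unsigned, self_signed

if __name__ == "__main__":
    for name, resp in zip(("legit", "unsigned", "self-signed"), build_responses()):
        print(f"{name:12} vulnerable={vulnerable_verify(resp)!s:5} "
              f"hardened={hardened_verify(resp, IDP_PUB, 'idp.example')}")
```

The hardened verifier is the one to compare any SSO integration against: the signature must be mandatory, the trust anchor must come from configuration or IdP metadata fetched out of band, and the issuer (and in a full implementation the audience, validity window and InResponseTo) is checked only after the signature holds.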
2. AI & Cloud Security: GitHub Copilot RCE & Microsoft Zero-Day
Severity: High to Critical | Sectors Impacted: SaaS, EdTech, DevSecOps
Microsoft’s final Patch Tuesday for 2025 (released 10 December) addressed 55 vulnerabilities, but two stand out for Australian innovation sectors:
- AI System Vulnerability (CVE-2025-64671): A Remote Code Execution (RCE) flaw in the GitHub Copilot plugin for JetBrains IDEs. As AI agents become integral to software development in our FinTech and SaaS hubs, this vulnerability exposes developer environments—often holding high-privilege secrets—to compromise.
- Windows Zero-Day (CVE-2025-62221): An elevation of privilege flaw in the Cloud Files Mini Filter Driver (cldflt.sys). It is being exploited in the wild: an attacker who already has a foothold uses it to gain SYSTEM privileges on the host, the step that precedes lateral movement.
3. Sector-Specific Threat Intelligence
Government & Public Sector
Services Australia Data Breach Reforms: Following a sharp rise in data breaches involving Medicare and Centrelink identifiers (up from 7 to 82 in the last two years), reports from 10 December indicate Services Australia may soon receive new powers to compel third-party entities to disclose breaches more rapidly. The agency has identified that "extortion-only" attacks—where data is stolen but not encrypted—are becoming the primary vector against government contractors.
Healthcare & FinTech
Ransomware & Extortion Surge: New research released yesterday by Rubrik Zero Labs confirms that Australia is the #1 target globally for ransomware in 2025, with 35% of local organisations attacked in the last 12 months.
- Healthcare: Hospitals remain in the crosshairs of groups like Space Bears and KillSec, who are weaponising the urgency of patient care to demand quick payouts.
- FinTech: The sector is struggling with the "React2Shell" aftermath (CVE-2025-55182). Threat actors are still scanning for unpatched React/Next.js applications to inject web shells into financial portals.
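Finding every copy of the affected React Server Components packages is the first step in validating a React/Next.js stack, and the copy that bites is often the one nested under another dependency rather than the top-level one. The block below is an added example, not code from the React project or the original brief: it walks an npm package-lock.json (lockfileVersion 2 or 3) and flags installed versions that predate the fixed release on their minor line. The package names are the React RSC server packages; the fixed-version table is from memory of the React advisory and is an assumption to be confirmed against the advisory before use. The lockfile is constructed.

```python
"""Added example (not from the original brief or the React project):
list copies of the React2Shell-affected packages in a package-lock.json,
including copies vendored under other dependencies."""
import json
import re
from typing import Dict, List, Tuple

# ASSUMPTION: first fixed release on each affected minor line, from memory
# of the React advisory for CVE-2025-55182.  Replace with the versions the
# advisory lists; the scanning logic does not change.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "react-server-dom-webpack":   ["19.0.1", "19.1.2", "19.2.1"],
    "react-server-dom-parcel":    ["19.0.1", "19.1.2", "19.2.1"],
    "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
}

def parse_version(v: str) -> Tuple[int, int, int]:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(name: str, version: str, fixed=FIXED_VERSIONS) -> bool:
    """A release is vulnerable when it sits on an affected major.minor line
    and predates that line's fixed patch release.  Lines absent from the
    table (other majors, or minors cut after the fix) are treated as
    unaffected; widen the table if the advisory says otherwise."""
    if name not in fixed:
        return False
    ver = parse_version(version)
    for f in fixed[name]:
        fv = parse_version(f)
        if fv[:2] == ver[:2]:
            return ver < fv
    return False

def scan_lockfile(lock: dict, fixed=FIXED_VERSIONS) -> List[Tuple[str, str, str]]:
    """Walk the 'packages' map of a lockfileVersion 2/3 package-lock.json.
    Keys are install paths, so a copy under node_modules/next/node_modules/
    is inspected as well as the top-level one."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if version and is_vulnerable(name, version, fixed):
            findings.append((path, name, version))
    return findings

# Constructed lockfile: one patched nested copy, two vulnerable copies.
SAMPLE_LOCK = json.loads("""{
  "name": "payments-portal", "lockfileVersion": 3,
  "packages": {
    "": {"name": "payments-portal", "version": "1.0.0"},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.1.2"},
    "node_modules/react-server-dom-turbopack": {"version": "19.0.0"},
    "node_modules/react-server-dom-parcel": {"version": "19.3.0"}
  }
}""")

if __name__ == "__main__":
    for path, name, version in scan_lockfile(SAMPLE_LOCK):
        print(f"VULNERABLE {name}@{version} at {path}")
```

Run it against `json.load(open("package-lock.json"))` in each repository; anything it prints is a deploy blocker, and an empty result still needs the lockfile to match what is actually deployed (container images built from a stale lockfile are a common gap).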
IoT & Critical Infrastructure
Smart Vehicle & OT Risks: The eSafety Commissioner has issued fresh warnings regarding the weaponisation of smart vehicle features for tracking and harassment. Simultaneously, operational technology (OT) networks are seeing increased probing of ScadaBR systems, with attackers leveraging a recently disclosed vulnerability to bridge the gap between IT and OT environments.
Threat Actor Focus: The "Extortion-Only" Pivot
We are observing a tactical shift among prominent threat actors targeting Australia. Groups are increasingly skipping the encryption phase of ransomware (which is noisy and triggers alarms) and moving straight from access to data exfiltration for extortion. This "smash-and-grab" approach shortens the window defenders have to detect the intrusion before the data is gone, which makes egress filtering and Data Loss Prevention (DLP) just as critical as your perimeter firewalls.
Strategic Recommendations
- Patch Fortinet Appliances: Treat CVE-2025-59718 as an emergency change request.
- Secure AI Workflows: Update all IDE plugins, specifically GitHub Copilot, to mitigate CVE-2025-64671.
- Review Outbound Traffic: With the rise of extortion-only attacks, monitor for anomalous large data transfers (exfiltration) from your environment.
- Validate React/Next.js Stacks: Ensure all web applications are patched against the React2Shell vulnerability (CVE-2025-55182) disclosed earlier this month.
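The "Review Outbound Traffic" recommendation above, and the extortion-only pivot it responds to, come down to one question: is a host sending far more than it normally does, and to whom? The block below is an added example, not code from the original brief or any product: it aggregates outbound bytes per internal host per hour from flow records, compares each hour against the host's own median of earlier hours (with a floor so quiet hosts do not alert on noise, and a hard ceiling for hosts with no history yet), and names the destination that took most of the volume. The flow records are constructed and loosely shaped like firewall traffic-log fields; every address and volume is made up.

```python
"""Added example (not from the original brief): a baseline-and-ratio
check for anomalous outbound volume, the signal an extortion-only
intrusion leaves while it exfiltrates."""
import statistics
from collections import defaultdict

MB = 1_000_000

# Constructed flow records: (timestamp, internal src, external dst, bytes sent).
SAMPLE_FLOWS = [
    # 10.0.1.20: a workstation with a steady ~50 MB/hour profile ...
    ("2025-12-10T08:12:00Z", "10.0.1.20", "203.0.113.5", 40 * MB),
    ("2025-12-10T09:03:00Z", "10.0.1.20", "203.0.113.5", 55 * MB),
    ("2025-12-10T10:41:00Z", "10.0.1.20", "203.0.113.9", 45 * MB),
    ("2025-12-10T11:17:00Z", "10.0.1.20", "203.0.113.5", 50 * MB),
    # ... that pushes 6 GB to one new destination in three sessions.
    ("2025-12-10T12:02:00Z", "10.0.1.20", "198.51.100.77", 2_000 * MB),
    ("2025-12-10T12:19:00Z", "10.0.1.20", "198.51.100.77", 2_000 * MB),
    ("2025-12-10T12:44:00Z", "10.0.1.20", "198.51.100.77", 2_000 * MB),
    # 10.0.1.21: flat profile, must never be flagged.
    ("2025-12-10T08:30:00Z", "10.0.1.21", "203.0.113.5", 30 * MB),
    ("2025-12-10T09:30:00Z", "10.0.1.21", "203.0.113.5", 35 * MB),
    ("2025-12-10T10:30:00Z", "10.0.1.21", "203.0.113.5", 32 * MB),
    ("2025-12-10T11:30:00Z", "10.0.1.21", "203.0.113.5", 34 * MB),
    ("2025-12-10T12:30:00Z", "10.0.1.21", "203.0.113.5", 33 * MB),
    # 10.0.1.50: first seen this hour, no history, but over the hard floor.
    ("2025-12-10T12:05:00Z", "10.0.1.50", "198.51.100.77", 3_000 * MB),
]

def flag_egress_anomalies(flows, ratio=5.0, min_bytes=100 * MB,
                          warmup_floor=2_000 * MB, min_history=3):
    """Return one alert per (host, hour) whose outbound bytes exceed
    ratio x the median of that host's earlier hours, never below min_bytes.
    Hosts with fewer than min_history earlier hours are judged against
    warmup_floor alone.  Thresholds are illustrative; tune per environment."""
    per_hour = defaultdict(int)   # (host, hour) -> bytes out
    per_dst = defaultdict(int)    # (host, hour, dst) -> bytes out
    for ts, src, dst, sent in flows:
        hour = ts[:13]            # "YYYY-MM-DDTHH": bucket by hour
        per_hour[(src, hour)] += sent
        per_dst[(src, hour, dst)] += sent

    alerts = []
    for (host, hour), sent in sorted(per_hour.items()):
        history = [b for (h, hr), b in per_hour.items() if h == host and hr < hour]
        if len(history) >= min_history:
            baseline = statistics.median(history)
            threshold = max(min_bytes, ratio * baseline)
        else:
            baseline, threshold = None, warmup_floor
        if sent > threshold:
            # The destination that took most of the volume is the indicator
            # to pivot on: block it, hunt for it elsewhere, check reputation.
            dsts = {d: b for (h, hr, d), b in per_dst.items() if h == host and hr == hour}
            top_dst = max(dsts, key=dsts.get)
            alerts.append({"host": host, "hour": hour, "bytes": sent,
                           "baseline": baseline, "threshold": threshold,
                           "top_dst": top_dst, "dst_share": dsts[top_dst] / sent})
    return alerts

if __name__ == "__main__":
    for a in flag_egress_anomalies(SAMPLE_FLOWS):
        print(f"{a['host']} {a['hour']}: {a['bytes'] / MB:,.0f} MB out "
              f"({a['dst_share']:.0%} to {a['top_dst']}), threshold {a['threshold'] / MB:,.0f} MB")
```

A per-host median is deliberately robust to a single earlier spike, which is why the ratio test does not drift upward after one legitimate backup; known bulk senders (backup targets, CDN origins) should be allow-listed rather than folded into the baseline, and the same aggregation works unchanged on NetFlow, Zeek conn logs or cloud VPC flow logs once the four fields are mapped.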
Contact us for a quote for penetration testing service or adversary simulation.

