Australian Cyber Threat Briefing: Healthcare Security Gaps & Critical SaaS Vulnerabilities

Executive Summary

The last 24 hours have exposed significant fragility in Australia’s Healthcare and Education sectors, with a major audit revealing systemic security bypasses in NSW Health and a fresh data breach hitting the University of Sydney. Globally, critical vulnerabilities in Fortinet’s cloud infrastructure and React Server Components are demanding immediate patching cycles. This briefing summarises the key threats, incidents, and vulnerabilities impacting Australian organisations today.

Sector Spotlight: Healthcare & SaaS

NSW Health Audit Reveals "Normalised" Security Bypasses

A concerning audit released today (19 December) has highlighted a culture of non-compliance within NSW Health districts. Driven by "clinical urgency," clinicians are routinely bypassing cybersecurity controls: saving sensitive patient data to personal devices and leaving shared terminals logged in. With the healthcare sector already the highest reporter of data breaches in Australia, this "shadow IT" behaviour significantly widens the attack surface for ransomware groups and data extortionists.

SaaS Supply Chain: Phreesia & ConnectOnCall Incident

The risks of third-party SaaS integrations were underscored by the disclosure of a breach affecting Phreesia (via its subsidiary ConnectOnCall), impacting over 910,000 individuals. The compromise of this SaaS platform exposes sensitive health and personal data, reminding Australian healthcare providers to rigorously audit their digital supply chains.

Education & EdTech: Targeted Attacks

University of Sydney Code Repository Breach

The University of Sydney confirmed yesterday (18 December) that threat actors breached an online IT code library. While the system was primarily used for development, it contained historical files holding the personal information of approximately 27,000 staff, students, and alumni. This incident mirrors the growing trend of attackers targeting non-production environments (DevOps infrastructure) to pivot into core systems or exfiltrate overlooked data.

Ransomware Targeting Schools

The Fog ransomware gang has claimed an attack on Waverley Christian College, allegedly stealing 5GB of data. This follows a broader campaign against the education sector, including a recent hit on the "Thanks for the Help" (TFTH) support platform, emphasising that schools remain high-value targets for extortion due to the sensitivity of student data.

Critical Vulnerabilities: Web, Cloud & APIs

Fortinet FortiCloud SSO Bypass (Critical)

The Australian Cyber Security Centre (ACSC) has flagged critical vulnerabilities in Fortinet products, specifically CVE-2025-59718 and CVE-2025-59719. These flaws allow a FortiCloud SSO login authentication bypass, potentially granting attackers unauthorised administrative access to cloud-managed security appliances. Immediate patching is mandatory.

React Server Components (CVE-2025-55182)

A critical vulnerability has been discovered in React Server Components, a server-rendering model widely used in modern web applications and SaaS platforms. Exploitation can lead to remote code execution (RCE). Australian developers and AppSec teams using React in their front-end architecture must review their implementations immediately.

Government & Critical Infrastructure

Pro-Russia Hacktivist Activity

A joint advisory released this week warns of renewed opportunistic attacks by pro-Russia hacktivist groups targeting Australian critical infrastructure. These groups are utilising DDoS vectors and basic exploit scripts to disrupt operations in the energy and transport sectors.

AI Systems in Government

Reports from iTnews today indicate the Department of Home Affairs is preparing to deploy AI on sensitive government data. This move comes as OpenAI warns that new models present "high" cyber risks. Integrating AI into government systems raises concerns about "prompt injection" attacks and data leakage, and necessitates strict guardrails.

FinTech & Financial Services

Antidot Banker Malware Campaign

Australian banks are currently being targeted by the Antidot Banker malware. The campaign utilises fake recruitment lures to trick victims into downloading malicious Android CRM applications. Once installed, the malware harvests banking credentials and intercepts 2FA codes. FinTech apps should enforce rigorous device integrity checks to detect such compromises.
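The device integrity check recommended above is only as strong as the server-side policy that consumes the attestation verdict. As an added illustration (not code from the briefing or from any vendor), the following Python applies that policy to a decoded Play Integrity style verdict. It assumes the app has already forwarded its integrity token and the backend has had Google decode it; the package name `au.example.fintech`, the constant `NOW_MS`, and both sample verdicts are constructed for this example. The check binds the verdict to a server-issued nonce (so a captured token cannot be replayed), enforces freshness, and requires the device, app binary, and licence verdicts to all pass before a login or transaction proceeds.

```python
"""Server-side policy for a decoded device-integrity verdict (illustrative example).

Assumption: `verdict` is the JSON payload returned after the backend asks Google's
Play Integrity decode endpoint to verify the token the app obtained on-device.
Field names follow the public Play Integrity verdict format; all sample values
below are constructed, not captured from a real device.
"""
import secrets
import time
from typing import Dict, List, Optional, Tuple

EXPECTED_PACKAGE = "au.example.fintech"   # hypothetical package name of our own app
MAX_TOKEN_AGE_MS = 5 * 60 * 1000          # reject verdicts older than five minutes
CLOCK_SKEW_MS = 60 * 1000                 # tolerate a minute of clock drift
NOW_MS = 1_700_000_000_000                # constructed "current time" for the samples


def new_nonce() -> str:
    """Server issues one unpredictable nonce per sensitive action; the app must echo it."""
    return secrets.token_urlsafe(32)


def evaluate_verdict(verdict: Dict, expected_nonce: str,
                     now_ms: Optional[int] = None) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed control is recorded, not just the first."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons: List[str] = []

    req = verdict.get("requestDetails", {})
    # 1. The token must have been minted for our app, not another package on the device.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("package mismatch")
    # 2. Nonce binding: a token captured earlier or minted for another session fails here.
    if not secrets.compare_digest(str(req.get("nonce", "")), expected_nonce):
        reasons.append("nonce mismatch (replayed or forged token)")
    # 3. Freshness: the API returns timestampMillis as a string, so normalise it.
    try:
        ts = int(str(req.get("timestampMillis", "")))
    except ValueError:
        ts = None
    if ts is None or now_ms - ts > MAX_TOKEN_AGE_MS or ts > now_ms + CLOCK_SKEW_MS:
        reasons.append("stale or malformed timestamp")

    # 4. Device verdict: rooted, emulated or unknown devices do not reach MEETS_DEVICE_INTEGRITY.
    device = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" not in device:
        reasons.append("device fails integrity (rooted, emulated or unrecognised)")
    # 5. App verdict: a repackaged or sideloaded binary is not PLAY_RECOGNIZED.
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    if app != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognised (repackaged or sideloaded)")
    # 6. Licence verdict: strict policy, treat anything other than LICENSED as a failure.
    lic = verdict.get("accountDetails", {}).get("appLicensingVerdict")
    if lic != "LICENSED":
        reasons.append("install not licensed via Play")

    return (not reasons, reasons)


def sample_verdicts(nonce: str) -> Tuple[Dict, Dict]:
    """Two constructed verdicts: a clean device, and a rooted device with a tampered app
    presenting a nonce that does not match the one the server issued."""
    clean = {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": nonce,
                           "timestampMillis": str(NOW_MS - 1_000)},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY",
                                                         "MEETS_DEVICE_INTEGRITY"]},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }
    tampered = {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": "stale-nonce",
                           "timestampMillis": str(NOW_MS - 1_000)},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
        "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION"},
        "accountDetails": {"appLicensingVerdict": "UNLICENSED"},
    }
    return clean, tampered


if __name__ == "__main__":
    n = new_nonce()
    for label, v in zip(("clean", "tampered"), sample_verdicts(n)):
        allowed, why = evaluate_verdict(v, n, now_ms=NOW_MS)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The design choice worth noting is that the nonce and timestamp checks run before the integrity verdicts: a perfectly clean verdict that was captured from a genuine device and replayed later is still rejected, which is the failure mode an overlay or credential-stealing trojan would exploit if the backend trusted the verdict body alone.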

IoT & Devices

SonicWall SSL VPN Exploitation

Active exploitation of SonicWall SSL VPNs (linked to CVE-2024-40766) continues to be observed in the wild. Despite being an older CVE, unpatched legacy devices in Australian networks are serving as initial access vectors for ransomware groups like Akira.

Contact us for a quote for penetration testing service or adversary simulation.