Daily Threat Briefing: Australia - 20 December 2025

Executive Summary

The Australian cyber threat landscape has seen significant volatility in the last 24 hours. The primary focus for security teams today is the catastrophic "React2Shell" vulnerability (CVE-2025-55182), which is actively being exploited to deploy cryptocurrency miners and backdoors across Australian cloud environments. Simultaneously, the healthcare and education sectors are under heavy fire, with a major breach disclosed by the University of Sydney and a confirmed ransomware attack on fertility provider Genea.

Here is your daily deep dive into the threats impacting Australian organisations.

Critical Vulnerability Alert: "React2Shell" (CVE-2025-55182)

  • Severity: Critical (CVSS 10.0)
  • Affected Systems: React Server Components (versions 19.x), Next.js, and downstream web frameworks.
  • The Threat: A maximum-severity remote code execution (RCE) flaw allows unauthenticated attackers to execute arbitrary code via malicious HTTP requests.
  • Status: Active Exploitation. Threat actors are currently scanning for vulnerable Australian SaaS and eCommerce platforms. We have observed the deployment of XMRig miners and the 'COMPOOD' backdoor. With 39% of global cloud environments estimated to be vulnerable, this is a "patch now" event.
  • Action: Immediate patching of React and Next.js instances is mandatory. WAF rules should be tuned to block suspicious serialised payloads.

Sector Highlights

Healthcare: Ransomware & Insider Negligence

  • Genea Breach: One of Australia’s largest fertility service providers, Genea, has confirmed a cyber attack. The Termite ransomware gang has claimed responsibility, allegedly stealing 700GB of sensitive patient data, including medical histories and diagnostic results. This group is known for using a modified version of the Babuk ransomware.
  • NSW Health Audit: A concerning audit released yesterday revealed that clinicians in NSW are routinely bypassing cyber security controls to save time. The report highlighted a "normalisation of non-compliance," with staff sharing passwords and using personal devices for patient data—a significant vector for potential credential harvesting attacks.

Education / EdTech: Code Repository Compromise

  • University of Sydney: Yesterday (19 December), the University of Sydney disclosed a data breach affecting over 20,000 staff and affiliates. Hackers accessed an internal code library used by IT teams. While the breach was contained to a single platform, it exposed historical personal data. This incident highlights the growing trend of targeting non-production environments (DevOps pipelines) to pivot into core systems.

Government & Defence: Supply Chain Woes

  • Supply Chain Risks: Following the recent updates on the IKAD Engineering breach, the Australian Signals Directorate (ASD) continues to warn of "KillSec" and other groups targeting the defence supply chain.
  • Fortinet Alert: The ACSC has issued a critical alert regarding CVE-2025-59718 and CVE-2025-59719. These vulnerabilities allow authentication bypass in FortiCloud SSO. Government agencies and contractors utilising Fortinet edge devices must review their networks for unauthorised access immediately.

FinTech & SaaS

  • API Security: With the React2Shell vulnerability, FinTech platforms utilising modern JavaScript frameworks are at heightened risk. We are seeing increased scanning activity targeting API endpoints that utilise server-side rendering.
  • Vroom by YouX: The sector remains on high alert following the Vroom incident, with regulators pushing for stricter third-party risk management as "fintechs are being breached" through their vendors.

Technical Focus: Web & Cloud

  • Windows Zero-Day: Microsoft’s December Patch Tuesday addressed CVE-2025-62221, a privilege escalation flaw in the Windows Cloud Files Mini Filter Driver. Attackers are chaining this with RCE bugs to gain SYSTEM privileges.
  • Chrome WebGPU: Google has patched CVE-2025-14765, a use-after-free vulnerability in the WebGPU API. The flaw can be triggered simply by a staff member visiting a malicious page, making prompt browser updates critical for corporate fleets.

Threat Actor Profile: Termite

  • Origin: Likely financially motivated; tools suggest overlap with Babuk source code.
  • Tactics: Double extortion (encryption + data leak). They target sectors with high uptime pressure (Healthcare, Utilities).
  • Current Status: Actively leaking data from Australian healthcare victims on the dark web.

Contact us for a quote for penetration testing services or adversary simulation.