Australian Cyber Threat Briefing: Critical RCEs and Ransomware Targeting SaaS & Education

As we wrap up the year, the Australian cyber threat landscape has intensified significantly over the last 24 hours. Critical vulnerabilities in widely used network appliances and targeted ransomware campaigns against key sectors—specifically Education, Healthcare, and SaaS providers—demand immediate attention from security teams.

Here is your daily briefing on the most critical threats impacting Australian organisations.

🚨 Critical Vulnerability Alert: WatchGuard Firebox (CVE-2025-14733)

Severity: Critical (CVSS 9.3)
Status: Actively exploited

A critical Remote Code Execution (RCE) vulnerability has been discovered in WatchGuard Firebox appliances. The flaw, tracked as CVE-2025-14733, resides in the iked process responsible for IKEv2 VPN negotiations.

  • The Threat: Unauthenticated, remote attackers can exploit an out-of-bounds write condition to execute arbitrary code with root privileges. No user interaction is required.
  • Impact: Full system compromise, allowing attackers to pivot into internal networks, intercept VPN traffic, or deploy ransomware.
  • Action Required: Patch immediately to the fixed Fireware OS release for your branch: 2025.1.4, 12.11.6, or 12.5.15. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on 19 December; that listing binds US federal agencies to a remediation deadline, and for everyone else it is confirmation that exploitation is real rather than theoretical.
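To turn the patch advice above into something you can run over a device inventory, here is an added example written for this briefing (it is not WatchGuard tooling). It maps each reported Fireware version to the fixed build named above, flags branches the advisory summary does not list, and applies the IKEv2 workaround only where IKEv2 is actually enabled. Two assumptions are baked in and labelled in the code: the first two numeric components of a Fireware version identify its maintenance branch, and a version string may carry a trailing build tag after the third component. The inventory is constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed Fireware OS builds named in the advisory summary above, keyed by
# maintenance branch. Assumption made for this example: the first two numeric
# components of a Fireware version identify its branch.
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (2025, 1): (2025, 1, 4),
    (12, 11): (12, 11, 6),
    (12, 5): (12, 5, 15),
}

# Accepts "12.11.6" and, by assumption, a trailing build tag such as
# "12.11.6.B123456"; only the first three components are compared.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?$")


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def patch_status(version: str) -> str:
    """'patched', 'vulnerable', or 'unlisted-branch' when no fixed build is listed above."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return "unlisted-branch"
    # tuple comparison handles multi-digit components (12.11.10 > 12.11.6)
    return "patched" if v >= fixed else "vulnerable"


def recommend(version: str, ikev2_enabled: bool) -> str:
    """Action for one device, using the IKEv2 workaround described in the briefing."""
    status = patch_status(version)
    if status == "patched":
        return "no action"
    if status == "unlisted-branch":
        return "check vendor advisory for this branch; treat as exposed until confirmed"
    if ikev2_enabled:
        return "patch now; disable IKEv2 VPN until patched"
    return "patch now (IKEv2 already off, exposure reduced)"


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str, str]]:
    """(host, version, ikev2_enabled) rows -> (host, version, status, action), worst first."""
    order = {"vulnerable": 0, "unlisted-branch": 1, "patched": 2}
    rows = [(h, v, patch_status(v), recommend(v, ike)) for h, v, ike in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed inventory for the demo, not real devices.
SAMPLE_INVENTORY = [
    ("fw-syd-01", "12.11.5", True),
    ("fw-mel-02", "2025.1.4", True),
    ("fw-bne-03", "12.5.15", False),
    ("fw-per-04", "12.10.4", True),
    ("fw-adl-05", "12.11.6.B123456", False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row)
```

Feed it the version strings your management console exports and you get a worklist sorted with the exploitable boxes at the top. A branch that is not in the table is deliberately reported as exposed rather than silently passed, because "we had no rule for it" is not the same as "it is patched".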

Sector-Specific Threat Intelligence

🎓 Education / EdTech: University of Sydney Breach

The University of Sydney has confirmed a significant data breach impacting over 13,000 individuals, including current staff, alumni, and donors.

  • Attack Vector: Threat actors accessed an internal online code library used for software development. While the system was non-critical, it contained historical datasets that were improperly stored.
  • Exfiltrated Data: Names, dates of birth, residential addresses, phone numbers, and employment details.
  • Analysis: This incident highlights the risk of "shadow data" in development environments: a repository nobody classifies as critical still holds whatever was committed to it years ago, and version-control history keeps a file long after it is deleted from the working tree. DevOps teams must ensure production data never enters source repositories, test fixtures or CI caches without sanitisation or replacement with synthetic records, and should scan existing repositories, history included, for PII and secrets.

☁️ SaaS & Government: Netstar Australia Ransomware Attack

Melbourne-based Netstar Australia, a major provider of GPS telematics and fleet management solutions, has been named as a victim by the Blackshrantac ransomware group.

  • The Incident: The group claims to have exfiltrated 800GB of sensitive data and has listed the company on their dark web leak site.
  • Criticality: Netstar’s client base includes government agencies and critical infrastructure operators. If the claim is accurate, exposure of real-time location data and fleet telemetry is a serious operational risk for those clients and, for some of them, a national security concern.
  • Threat Actor Profile: Blackshrantac is a newer, aggressive group first observed in late 2025, known for double-extortion tactics and targeting mid-sized technology providers.

🏥 Healthcare: Harbour Town Doctors Data Leak

The Rhysida ransomware gang has claimed responsibility for an attack on Harbour Town Doctors, a Queensland medical centre.

  • Status: The group has published samples of patient summaries, referral letters, and administrative records, demanding a ransom of 5 Bitcoin (~AUD 200,000).
  • Sector Trend: Healthcare remains a primary target due to the high value of medical records (PHI) and the critical need for uptime. Small to medium clinics are increasingly targeted as "soft" entry points into the broader health ecosystem.

🛍️ eCommerce / Retail: BECKS Jewellery

Australian luxury jeweller BECKS has confirmed a cyber incident after the SafePay ransomware group listed them as a victim.

  • Impact: Preliminary investigations suggest customer data and internal designs may have been compromised. Retailers are reminded that high-value brand reputation is a key lever used by extortionists.

Emerging Vulnerabilities & Exploits

Beyond WatchGuard, security teams should be vigilant regarding:

  • Fortinet FortiCloud SSO (CVE-2025-59718): A critical authentication bypass in Fortinet products that accept FortiCloud single sign-on. Inventory every Fortinet device with FortiCloud SSO enabled, apply the vendor fix, and disable the SSO login where it is not needed.
  • AI System Exploitation: We are observing an uptick in prompt injection attacks against customer-facing AI chatbots in the FinTech sector, where crafted user input overrides the bot's instructions so that it discloses account details it should withhold. Treat the model's output as untrusted input to any back-end lookup, and keep account-data access behind the same authorisation checks a human agent would face.

Recommendations for the Weekend

  1. Audit Edge Devices: specifically WatchGuard and Fortinet appliances. For a Firebox you cannot patch immediately, disable IKEv2 VPN services where possible; for Fortinet devices, review the FortiCloud SSO setting and disable it where it is not required.
  2. Review Code Repositories: Scan GitHub/GitLab instances for hardcoded secrets and production data (as seen in the USYD breach), including commit history, since a file deleted from the working tree still lives in the history until it is rewritten.
  3. Supplier Risk Management: If you utilise Netstar for fleet tracking, assess the sensitivity of the data they hold and prepare for potential operational visibility loss.
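Recommendation 2 and the USYD analysis above both ask for the same thing: a sweep of a checked-out repository for secrets and for production-looking records. The following is an added example written for this briefing, not code from the University or from any scanner product. It combines a few secret signatures (an AWS access key ID, a PEM private-key header, and a credential-like name assigned a quoted literal) with a density heuristic for personal data of the kind named in the breach: a file is flagged only when several rows each contain a date of birth and a phone number, so a two-row test fixture passes while a real extract does not. The regexes, the threshold and the sample repository it builds are all constructed for the demo; the DOB and phone formats (ISO dates, Australian mobile numbers) are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Secret patterns (constructed for this example; a real deployment would use a
# maintained ruleset from a dedicated secret scanner).
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # a credential-like name assigned a quoted literal; an env lookup does not match
    "hardcoded-credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Production-data indicators for the record types named in the USYD incident.
# Assumptions: dates of birth stored as ISO dates, phones as AU mobile numbers.
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")
AU_MOBILE_RE = re.compile(r"\b04\d{2}[ -]?\d{3}[ -]?\d{3}\b")
PII_ROW_THRESHOLD = 5  # rows holding both a DOB and a phone before a file is flagged

SKIP_DIRS = {".git", "node_modules", ".venv"}


def _looks_binary(path: Path) -> bool:
    with open(path, "rb") as fh:
        return b"\x00" in fh.read(4096)


def scan_file(path: Path, root: Path) -> list:
    """Return (relative_path, finding_kind, line_or_row_count) tuples for one file."""
    rel = path.relative_to(root).as_posix()
    findings, pii_rows = [], 0
    with open(path, encoding="utf-8", errors="ignore") as fh:
        for lineno, line in enumerate(fh, 1):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((rel, kind, lineno))
            if DOB_RE.search(line) and AU_MOBILE_RE.search(line):
                pii_rows += 1
    if pii_rows >= PII_ROW_THRESHOLD:
        findings.append((rel, "probable-production-dataset", pii_rows))
    return findings


def scan_repo(root) -> list:
    """Walk a checked-out repository and collect findings from every text file."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            if not _looks_binary(path):
                findings.extend(scan_file(path, root))
    return sorted(findings)


def build_sample_repo() -> str:
    """Create a constructed repository layout for the demo and return its path."""
    root = Path(tempfile.mkdtemp(prefix="repo-scan-"))
    files = {
        "config/settings.py": (
            'DB_PASSWORD = "Pr0d-sup3r-s3cret"\n'
            'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
            'SECRET_KEY = os.environ["SECRET_KEY"]  # env lookup, not a literal\n'
        ),
        "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
        # six rows with DOB + mobile: looks like a real extract
        "data/alumni_export.csv": "name,dob,mobile\n" + "".join(
            f"Person {i},198{i}-0{i}-1{i},041{i} 555 00{i}\n" for i in range(1, 7)),
        # two rows: below the threshold, so treated as a small test fixture
        "tests/fixtures.csv": ("name,dob,mobile\nTest One,2000-01-01,0400 000 001\n"
                               "Test Two,2000-01-02,0400 000 002\n"),
        ".git/config": 'token = "ghp_shouldNotBeScannedHere"\n',
    }
    for rel, content in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(*finding)
```

Point `scan_repo` at a working tree and it reports the path, the finding type and the line (or, for a dataset, the number of matching rows). Note what it does not do: it only sees the current checkout, so to honour the "including commit history" advice you would run the same scan over each historical revision, or over a checkout of the branch as it stood before the offending files were deleted.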

Contact us for a quote for penetration testing service or adversary simulation.