Daily Threat Briefing: Australia – 27 December 2025

Executive Summary

The last 24 hours have highlighted significant volatility in Australia’s cyber threat landscape, with critical infrastructure, healthcare, and education sectors facing intensified pressure. Of particular concern today is the active exploitation of critical vulnerabilities in widely used network security devices and a surge in ransomware activity targeting Australian schools. This briefing breaks down the most urgent threats, exploited vulnerabilities, and strategic risks for Australian organisations observed over the past day.

Top Critical Vulnerabilities (Active Exploitation)

  • WatchGuard Firebox (CVE-2025-14733): The Australian Cyber Security Centre (ACSC) has escalated its warning regarding this critical vulnerability. Threat actors are actively exploiting it to gain unauthorised access to corporate networks. If your organisation utilises WatchGuard Firebox devices, immediate patching is mandatory.
  • Fortinet FortiCloud (CVE-2025-59718 & CVE-2025-59719): These critical flaws allow for a Single Sign-On (SSO) authentication bypass, potentially granting attackers administrative control over cloud-managed security appliances. Exploits are now being observed in the wild targeting Australian government and enterprise networks.
  • React Server Components (CVE-2025-55182): A severe Remote Code Execution (RCE) vulnerability has been discovered in this popular web framework. This poses a massive risk to SaaS providers and modern web applications, particularly those utilizing server-side rendering.

Sector-Specific Threat Intelligence

1. Healthcare & SaaS Providers The healthcare sector remains a primary target. A significant supply chain breach involving Phreesia (via its subsidiary ConnectOnCall) has reportedly impacted over 910,000 individuals. This incident underscores the fragility of the SaaS supply chain; attackers compromised a third-party integration to access sensitive patient data. Additionally, a recent audit of NSW Health revealed that clinicians have been bypassing security controls to expedite workflows, creating internal vulnerabilities that attackers are eager to exploit.

2. Education / EdTech Australian schools are currently in the crosshairs of the Fog ransomware gang. The group has claimed responsibility for an attack on Waverley Christian College, allegedly exfiltrating 5GB of sensitive data. This follows a broader campaign against the education sector, including a breach at the University of Sydney and the "Thanks for the Help" support platform. Educational institutions must urgently review their data egress monitoring and backup immutability.

3. FinTech & Banking The Antidot Banker malware campaign is aggressively targeting Australian financial institutions. The malware is being distributed via fake recruitment emails and SMS lures, tricking users into downloading malicious Android CRM applications. Once installed, it intercepts 2FA codes and harvests banking credentials. FinTech applications should enforce rigorous device integrity checks to detect these compromised environments.

4. Government & Critical Infrastructure A joint advisory has warned of renewed activity by pro-Russia hacktivist groups targeting Australian critical infrastructure. These attacks are largely opportunistic, utilising DDoS vectors and basic exploit scripts to disrupt energy and transport operations. Concurrently, concerns are mounting over the Department of Home Affairs' deployment of AI systems on sensitive data, with experts warning of "prompt injection" attacks that could lead to data leakage.

5. AI Systems & Emerging Tech A new vulnerability has been identified in Vincent AI (vLex), a legal AI assistant used by law firms. The flaw allows for "AI phishing," where attackers use hidden HTML code in documents to steal user credentials. This highlights a growing trend of "adversarial machine learning" where AI models themselves become the attack vector.

Key Recommendations

  • Patch Immediately: Prioritise WatchGuard and Fortinet updates.
  • Audit Supply Chains: SaaS providers must rigorously assess third-party integrations (like the Phreesia incident).
  • Harden Web Apps: Developers using React must review their implementation against CVE-2025-55182 immediately.
  • User Awareness: Alert staff to the Antidot Banker recruitment scams and verify the authenticity of job-related communications.

Contact us for a quote for penetration testing service or adversary simulation.

Contact us for a quote