Executive Summary
The last 24 hours have seen a surge in targeted activity against the Australian Education and IoT sectors, with critical infrastructure devices remaining a primary entry point for threat actors. The Australian Cyber Security Centre (ACSC) has flagged active exploitation of new vulnerabilities in network edge devices, while the 'KillSec' and 'Medusa' ransomware gangs have claimed significant breaches in local organisations.
Today's briefing highlights critical flaws in AI development frameworks and widespread attacks on educational institutions, underscoring the need for urgent patching and heightened vigilance across all sectors.
Top Critical Vulnerabilities
- WatchGuard Firebox (CVE-2025-14733): The ACSC has issued a critical alert for this vulnerability, which is being actively exploited in the wild. Attackers are using the flaw to gain unauthorised access to corporate networks. Immediate patching is non-negotiable.
- React Server Components (CVE-2025-55182): A critical severity vulnerability has been discovered in React Server Components, a popular web development framework. This flaw could allow remote code execution (RCE) on servers hosting modern web applications.
- LangChain Prompt Injection (AI Security): A core vulnerability has been identified in LangChain, a widely used framework for building AI applications. This flaw allows for prompt injection attacks that can lead to data exposure, posing a significant risk to SaaS providers integrating LLMs.
- Fortinet FortiCloud SSO (CVE-2025-59718 & CVE-2025-59719): Critical authentication bypass vulnerabilities continue to be targeted. These allow attackers to bypass login protections on the FortiCloud Single Sign-On service.
Sector-Specific Threat Intelligence
Education & EdTech
The education sector is currently under siege. Waverley Christian College has confirmed a cyber incident after the Fog ransomware group claimed to have exfiltrated 5GB of data. Simultaneously, the KillSec ransomware gang has claimed a breach of the Australian educational support platform "Thanks For the Help" (TFTH). These incidents highlight the vulnerability of student data and the aggressive targeting of schools and their third-party providers.
Government
Following the recent ransomware incident affecting Muswellbrook Shire Council, the SafePay ransomware gang has reportedly published 175GB of stolen data, intensifying the pressure on local government bodies to review their data resiliency and backup strategies. Additionally, the ACSC is monitoring a rise in "impersonation scams" where cybercriminals pose as Australian Federal Police to target cryptocurrency wallets.
Healthcare
Harbour Town Doctors has reportedly suffered a patient data breach. With the healthcare sector accounting for a significant portion of all Australian breaches this year, this incident serves as a stark reminder of the value of medical records on the dark web. Medical practices are urged to audit their access logs and secure third-party remote access points immediately.
SaaS & IoT
Netstar Australia, a technology and GPS firm, has suffered an alleged cyber attack, potentially impacting fleet management and IoT tracking services. This supply chain risk reinforces the importance of securing IoT endpoints. Meanwhile, the discovery of the LangChain vulnerability puts SaaS providers utilising AI features on high alert; developers must validate inputs rigorously to prevent prompt injection.
FinTech
Austin’s Financial Solutions is dealing with the fallout of a claimed breach by the Kairos ransomware group, involving sensitive financial data and employee records. The Commonwealth Bank (CommBank) has also faced regulatory scrutiny, being fined over breaches of Consumer Data Right rules, emphasising the dual pressure of security threats and compliance mandates in the FinTech space.
Adversary Watch
- KillSec: Aggressively targeting Australian EdTech and service providers.
- Medusa: Claimed responsibility for a massive data theft (over 800GB) from Ainsworth Game Technology, showing a pivot towards high-revenue commercial targets.
- Pro-Russia Hacktivists: Continue to conduct opportunistic DDoS and defamation attacks against critical infrastructure, as noted in recent joint advisories.
Recommendation
Organisations across Australia must prioritise patching WatchGuard and Fortinet devices immediately. Education and Healthcare providers should review their third-party risk management frameworks and ensure offline backups are immutable.

