Executive Summary
As we close out 2025, the Australian cyber threat landscape remains volatile. The last 24 hours have been dominated by the rapid exploitation of the "MongoBleed" vulnerability, with the Australian Cyber Security Centre (ACSC) and global agencies issuing urgent warnings. Simultaneously, the education sector is grappling with fresh data breaches, and critical infrastructure supply chains remain under siege from ransomware syndicates.
Below is a deep dive into the threats impacting Australian organisations today.
Sector-Specific Threat Intelligence
SaaS & Cloud Providers
- The "MongoBleed" Crisis (CVE-2025-14847): A critical unauthenticated memory-read vulnerability in MongoDB servers is being actively exploited globally. Attackers are weaponising this flaw to read uninitialised memory, potentially scraping API keys, session tokens, and credentials without authenticating. Australian SaaS providers utilising MongoDB for backend data storage are at high risk. The ACSC has observed active scanning against local IP addresses.
- React Framework Exploitation: The "React2Shell" vulnerabilities (CVE-2025-55182 & CVE-2025-66478) continue to plague developers. Over 500 Australian organisations remain vulnerable to this Remote Code Execution (RCE) flaw, which Chinese-affiliated threat actors are using to compromise web applications via crafted HTTP requests.
Education & EdTech
- University of Sydney Data Breach: Reports have confirmed a significant breach impacting over 13,000 individuals, including staff, students, and alumni. This incident follows a broader trend of targeted attacks against the tertiary education sector this month.
- RipperSec Activity: The hacktivist group RipperSec has been observed targeting Australian university networks with DDoS attacks and defacement campaigns, likely exploiting unpatched edge devices during the holiday shutdown period.
Healthcare
- Rhysida Ransomware Fallout: The Rhysida group continues to pressure the Australian healthcare sector. Following the attack on a Queensland medical centre earlier this month, the group is threatening to auction sensitive patient data—including pathology reports and health summaries—if ransoms are not paid. This highlights the critical need for network segmentation in medical environments.
- General Threat: With 102 breaches reported in the last six months alone, healthcare remains the number one target for data extortion in Australia.
IoT & Critical Infrastructure
- Netstar Australia Incident: A cyber attack on the technology and GPS tracking firm Netstar has raised concerns regarding fleet management and IoT supply chains. Disruption to IoT telemetry data can have cascading effects on logistics and transport sectors.
- Edge Device Targeting: The WatchGuard Firebox zero-day (CVE-2025-14733) is being ruthlessly exploited. Threat actors are using this RCE vulnerability to gain initial access to corporate networks, bypassing perimeter defences.
Government & Defence
- Supply Chain Risks: The breach of defence contractor IKAD Engineering, resulting in the exfiltration of 800GB of data, serves as a stark warning. Threat actors are increasingly pivoting from third-party suppliers to primary targets.
- Local Council Ransomware: The SafePay ransomware gang has escalated its double-extortion tactics, recently publishing 175GB of data stolen from the Muswellbrook Shire Council.
Critical Vulnerabilities Exploited in the Wild
Penetration testers and defenders must prioritise the following vulnerabilities, which are currently seeing active exploitation in the Australian region:
MongoDB Server (CVE-2025-14847) - "MongoBleed"
- Type: Information Disclosure / Memory Leak
- Impact: Allows unauthenticated attackers to read sensitive data (tokens, keys) from memory.
- Action: Patch immediately to the latest fixed release or restrict internet access to the database port.
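As an added example, not code from this advisory or from MongoDB, the following Python script audits a mongod.conf for the exposure the action item above targets: it flags a listener bound on all interfaces and authorization left disabled, reading the real net.bindIp, net.bindIpAll, net.port and security.authorization settings from two constructed sample configs. It does not check the installed version, because the advisory names no fixed release.

```python
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}

def parse_simple_yaml(text):
    """Parse the indented key/value subset of YAML that mongod.conf uses;
    lists and quoted strings are not handled."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) per open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # a dedent closes deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit_mongod_conf(text):
    """Return findings for a mongod.conf; an empty list means nothing flagged."""
    cfg = parse_simple_yaml(text)
    net, sec = cfg.get("net", {}), cfg.get("security", {})
    port = net.get("port", "27017")  # MongoDB's default listener port
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    binds = {b.strip() for b in net.get("bindIp", "127.0.0.1").split(",")}
    findings = []
    if bind_all or binds & WILDCARD_BINDS:
        findings.append(f"port {port} is bound on all interfaces; "
                        "bind to internal addresses or firewall the port")
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled")
    return findings

EXPOSED_CONF = """\
net:
  bindIp: 0.0.0.0   # constructed sample: listens on every interface
security:
  authorization: disabled
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.20.0.5   # constructed sample: loopback plus internal IP
security:
  authorization: enabled
"""
```

Run audit_mongod_conf() over each server's live mongod.conf; any finding means the port is reachable more widely than the action item allows, regardless of patch status.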
WatchGuard Firebox (CVE-2025-14733)
- Type: Remote Code Execution (RCE)
- Impact: Unauthenticated remote takeover of the firewall appliance.
- Action: Apply the latest Fireware OS patch or implement strict access control lists (ACLs) for management interfaces.
React Server Components (CVE-2025-55182)
- Type: Remote Code Execution
- Impact: Allows attackers to execute arbitrary code on the server via malformed "Flight" protocol payloads.
- Action: Update React and Next.js frameworks to non-vulnerable versions immediately.
Active Threat Actors
- Rhysida: Financially motivated ransomware-as-a-service (RaaS). Known for double-extortion and targeting the healthcare sector.
- KillSec: Recently active against Australian IT service providers, focusing on stealing credentials and client data.
- SafePay: A ransomware group targeting local government and public sector entities, using data publication as leverage.
Contact us for a quote for penetration testing service or adversary simulation.