Executive Summary
The Australian cyber threat landscape has seen a critical escalation over the last 24 hours. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has issued urgent alerts regarding a maximum-severity vulnerability in widely used web frameworks, while ransomware groups continue to aggressively target the nation’s supply chains. Today's briefing analyses the immediate risks to Healthcare, FinTech, and Government sectors, alongside critical vulnerabilities in AI and cloud infrastructure.
Critical Web & SaaS Vulnerability: The "React" Crisis
Vulnerability: CVE-2025-55182 (React Server Components) & Next.js RCE
Severity: Critical (CVSS 10.0)
Sector Impact: SaaS, eCommerce, EdTech
In what is shaping up to be the most significant web security event of late 2025, a critical Remote Code Execution (RCE) vulnerability has been disclosed in React Server Components and Next.js (versions 15.x/16.x).
- The Threat: Unauthenticated attackers can execute arbitrary code on servers processing specific "Flight" requests (a protocol used for streaming data).
- SaaS Implication: Modern SaaS platforms built on these frameworks are immediately vulnerable to complete server takeover.
- Action: Verify whether your application uses react-server-dom-webpack or related packages. Google Cloud and Cloudflare have released WAF rules to mitigate exploitation, but patching to React 19.2.1+ is mandatory.
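The package check in the Action item above, as an added example (not code from the briefing, the React project or npm): it walks a package-lock.json (lockfileVersion 2 or 3) and flags every installed copy of react-server-dom-webpack, nested duplicates included, that is below the 19.2.1 threshold the briefing states. The AFFECTED list and the sample lock data are assumptions constructed here; extend the list with the related packages your advisory names.

```javascript
// Added audit helper (not the briefing's or React's own code): scan a package-lock.json
// for react-server-dom-webpack installs older than the fix version the briefing states.
const AFFECTED = ["react-server-dom-webpack"]; // assumption: extend with the related packages your advisory lists
const FIXED = "19.2.1";                          // threshold taken from the briefing

// Return [major, minor, patch] from a version string, ignoring range prefixes and suffixes.
function parseVersion(v) {
  const m = /^\D*(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when version a is strictly lower than b (numeric compare, so 19.10.0 > 19.2.1).
function isBelow(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return false;
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Yield every installed copy, including nested duplicates under other packages (lockfileVersion 2/3).
function* installedPackages(lock) {
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;               // "" is the root project itself
    const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    yield { name, version: meta.version, path };
  }
}

// List every affected package copy whose version is below the fixed release.
function findVulnerable(lock, fixed = FIXED, affected = AFFECTED) {
  return [...installedPackages(lock)].filter(
    (p) => affected.includes(p.name) && isBelow(p.version, fixed));
}

// Constructed sample lock data, not from any real project: one patched copy and one stale nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": { version: "19.1.0" },
  },
};

for (const hit of findVulnerable(SAMPLE_LOCK)) console.log(`STALE ${hit.path} ${hit.version} (< ${FIXED})`);
```

Replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to run it against a real project; the nested copy is the one a top-level `npm ls` glance tends to miss.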
AI & Cloud Security: Agents Under Fire
Vulnerability: CVE-2025-34291 (Langflow AI Agent Platform)
Severity: Critical (CVSS 9.4)
As Australian organisations race to integrate AI, security gaps are widening. Researchers have identified a critical flaw in Langflow, a popular open-source AI workflow platform.
- The Exploit: A chain of vulnerabilities involving overly permissive CORS and missing CSRF protections allows attackers to achieve Account Takeover and RCE simply by tricking a user into visiting a malicious webpage.
- Strategic Risk: Successful exploitation exposes all API keys (AWS, OpenAI, Azure) stored within the AI agent, potentially granting attackers lateral movement into your cloud environment.
Sector-Specific Threat Intelligence
Government & Defence
Supply chain risks have manifested severely with the breach of IKAD Engineering. The J Group ransomware gang claims to have exfiltrated 800GB of sensitive data, including naval contract details for the Hunter Class frigate program. Additionally, Muswellbrook Shire Council is dealing with the fallout of a SafePay ransomware attack, with 175GB of data reportedly leaked after ransom negotiations failed.
Healthcare
The sector remains under siege. The Morpheus ransomware group has claimed responsibility for a significant breach at DBG Health (including Arrotex Pharmaceuticals). The threat actors have published proof-of-breach samples containing employee passport scans and business plans. This incident highlights the persistent threat of "double extortion", where data theft precedes encryption.
FinTech
Two major incidents highlight the divergence in threat vectors:
- Ransomware: Wealth management firm Austin’s Financial Solutions was hit by the Kairos group, with 147GB of payroll and client data compromised.
- API Security: A critical API exposure was discovered in Vroom by YouX, a FinTech lender. A non-password-protected database left thousands of driver's licences and loan documents exposed to the public internet—a stark reminder that simple configuration errors remain as dangerous as sophisticated malware.
Critical Infrastructure & IoT
Following the release of joint guidance by CISA and the ACSC on Securely Integrating AI in Operational Technology (OT), nine new advisories were released yesterday for Industrial Control Systems (ICS), affecting vendors like Mitsubishi Electric and Johnson Controls. Operators must urgently review these to prevent AI-driven attacks on physical infrastructure.
Recommendations
- Patch Immediately: Prioritise updating React and Next.js environments to mitigate CVE-2025-55182.
- Review AI Permissions: Audit AI agents (like Langflow) for excessive API permissions and ensure internal tools are not exposed to the public web without strict access controls.
- Validate Supply Chain Security: Defence and Government contractors must urgently assess the security posture of their third-party vendors in light of the IKAD breach.
- Secure APIs: FinTechs should implement automated scanning for unauthenticated API endpoints to prevent data leaks.
Contact us for a quote for penetration testing services or adversary simulation.

