Daily Threat Briefing: Australia Day Cyber Risks, Active RCEs & EdTech Fallout

Executive Summary

As the nation observes Australia Day, the cyber threat landscape over the last 24 hours has been anything but quiet. While many organisations are operating with skeleton staff due to the public holiday, threat actors are actively leveraging this window to exploit critical vulnerabilities in widely used infrastructure. Our analysts have observed a convergence of physical and digital threats, with heightened hacktivist chatter targeting government entities and continued fallout from the massive Victorian education sector breach.

For today’s briefing, we are issuing urgent alerts for Healthcare, Education, and Government sectors, alongside critical patch warnings for Cisco and Windows environments.


Sector-Specific Threat Intelligence

πŸ›οΈ Government & Critical Infrastructure

  • Australia Day Hacktivism: We have detected increased chatter on dark web forums and Telegram channels encouraging DDoS and defacement campaigns against Australian government portals today. This aligns with historical trends of national holiday targeting.
  • The "Salt Typhoon" Threat: Telemetry from the last 24 hours shows the China-backed APT group identified as Salt Typhoon aggressively targeting authentication weaknesses in Ivanti Connect Secure gateways. They are leveraging the recently disclosed authentication bypass vulnerabilities (CVE-2025-0282) to gain initial access. Security teams should be on high alert for anomalous login activity, particularly from non-Australian IP addresses.
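The "anomalous login activity" check above is easy to automate against gateway authentication logs. The script below is an added example written for this briefing, not code from the vendor or from any product mentioned here. It assumes a hypothetical syslog-style line format (`user=... src=... result=...`), a constructed IP-to-country table standing in for a real GeoIP database, and a constructed per-user baseline of previously seen source addresses; it flags successful logins that come from outside the home country or from an address the user has never used before.

```python
import ipaddress
import re

# Constructed sample log lines in a hypothetical syslog-like format
# (an assumption for illustration, not any vendor's real log format).
SAMPLE_LOGS = """\
2026-01-26T02:14:07+11:00 vpn-gw1 auth: user=jsmith src=203.0.113.45 result=success
2026-01-26T02:16:22+11:00 vpn-gw1 auth: user=jsmith src=203.0.113.45 result=success
2026-01-26T03:01:55+11:00 vpn-gw1 auth: user=akhan src=198.51.100.9 result=success
2026-01-26T03:05:10+11:00 vpn-gw1 auth: user=svc-backup src=192.0.2.77 result=success
2026-01-26T09:30:00+11:00 vpn-gw1 auth: user=mlee src=203.0.113.200 result=failure
"""

# Constructed IP-to-country table; a real deployment would query a GeoIP database.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "NL",
}

# Constructed baseline: source IPs each user has been seen from before today.
KNOWN_SOURCES = {
    "jsmith": {"203.0.113.45"},
    "akhan": {"203.0.113.12"},
    "mlee": {"203.0.113.200"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def country_of(ip_str):
    """Map an IP address to a country code using the constructed table."""
    ip = ipaddress.ip_address(ip_str)
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "??"  # unknown: treat as non-home so it still gets flagged


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_anomalies(log_text, home_country="AU", known_sources=KNOWN_SOURCES):
    """Return (user, src, reasons) for each successful login that looks anomalous.

    Failed attempts are ignored here; the concern is access that actually
    succeeded from an unexpected place. Each user/source pair is reported once.
    """
    findings = []
    seen_pairs = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["result"] != "success":
            continue
        pair = (ev["user"], ev["src"])
        if pair in seen_pairs:
            continue
        seen_pairs.add(pair)
        reasons = []
        cc = country_of(ev["src"])
        if cc != home_country:
            reasons.append(f"source country {cc}")
        if ev["src"] not in known_sources.get(ev["user"], set()):
            reasons.append("source IP never seen for this user")
        if reasons:
            findings.append((ev["user"], ev["src"], reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in find_anomalies(SAMPLE_LOGS):
        print(f"ALERT user={user} src={src}: {'; '.join(reasons)}")
```

On the constructed sample this reports `akhan` (US address, never seen for that user) and `svc-backup` (NL address, no baseline at all), while `jsmith` is quiet because the address is Australian and already in the baseline. The "never seen for this user" rule is the more useful of the two on a holiday: a sudden first-time source for a service account is worth a call even when the country looks right.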

🎓 Education & EdTech

  • Victorian Schools Breach Fallout: The ripple effects of the Victorian Department of Education data breach (confirmed mid-January) continue to widen. Over the weekend, fresh datasets appearing to contain student contact details and parent email addresses have surfaced on breach forums.
  • SaaS Supply Chain Risk: EdTech platforms utilising the n8n workflow automation tool must urgently verify they have patched CVE-2026-21858. We have observed automated scanning for unpatched instances of this tool; the flaw allows Remote Code Execution (RCE).

πŸ₯ Healthcare & IoT

  • "MongoBleed" Resurgence (CVE-2025-14847): A new wave of attacks targeting unpatched MongoDB instances has been identified, specifically aiming at eHealth applications and IoT medical device gateways. Attackers are exfiltrating unstructured patient data.
  • IoT Device Gateways: With the holiday reducing on-site staff, IoT monitoring systems in hospitals are prime targets. Ensure segmentation is strictly enforced to prevent lateral movement from compromised smart devices to patient record systems.

💳 FinTech & eCommerce

  • Session Hijacking Campaigns: Retailers running extended Australia Day sales are being targeted by sophisticated phishing campaigns weaponising a new Microsoft Word RCE (CVE-2026-20944). These emails often masquerade as "Urgent Invoice" or "Order Query" attachments.
  • Cisco UC Exploitation: FinTech firms relying on Cisco Unified Communications (UC) for internal comms need to patch CVE-2026-20045 immediately. This RCE flaw (CVSS 8.2) is being exploited in the wild to gain root privileges on unpatched systems.

Vulnerability Watch: The "Must-Patch" List

Security teams should prioritise the following vulnerabilities, which have seen active exploitation in the Australian region within the last 24 hours:

  1. Cisco Unified Communications (CVE-2026-20045):
    • Type: Remote Code Execution (RCE).
    • Status: Active exploitation. Added to CISA KEV.
    • Action: Patch immediately. No workarounds available.
  2. Microsoft Windows "DWM" (CVE-2026-20805):
    • Type: Privilege Escalation (to SYSTEM).
    • Target: Corporate workstations and government endpoints.
    • Status: Exploited in the wild as a post-compromise escalation tool.
  3. Ivanti Connect Secure (CVE-2025-0282):
    • Type: Authentication Bypass / RCE.
    • Target: VPN Gateways.
    • Status: Critical. Being weaponised by ransomware groups like Qilin.
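Turning a must-patch list into a prioritised work queue means matching it against what you actually run. The script below is an added example for this briefing, not CISA's tooling or any vendor's code. It consumes a constructed excerpt shaped like CISA's KEV JSON feed (the `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` fields; the dates and ransomware flags here are illustrative, not copied from the real feed) and a constructed asset inventory, then ranks unpatched exposures with ransomware-linked and overdue entries first. The three CVEs are the ones listed above; the page does not say the other CVEs it mentions are in KEV, so they are not included.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. Field names follow
# the real feed; the values (dates, ransomware flags) are assumptions for this
# example and should be replaced by the live feed in practice.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-20045", "vendorProject": "Cisco",
         "product": "Unified Communications", "dateAdded": "2026-01-25",
         "dueDate": "2026-02-08", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-0282", "vendorProject": "Ivanti",
         "product": "Connect Secure", "dateAdded": "2025-01-08",
         "dueDate": "2025-01-15", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-20805", "vendorProject": "Microsoft",
         "product": "Windows", "dateAdded": "2026-01-25",
         "dueDate": "2026-02-08", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed asset inventory: what is deployed and which CVEs are already
# confirmed patched on each asset (hypothetical hostnames).
INVENTORY = [
    {"asset": "vpn-gw1", "vendor": "Ivanti", "product": "Connect Secure", "patched": set()},
    {"asset": "cucm-01", "vendor": "Cisco", "product": "Unified Communications", "patched": set()},
    {"asset": "ws-0421", "vendor": "Microsoft", "product": "Windows", "patched": {"CVE-2026-20805"}},
]


def load_kev(text):
    """Parse KEV-shaped JSON and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def match_exposures(kev_entries, inventory, today):
    """Cross-reference KEV entries with the inventory and rank the gaps.

    An asset is exposed to a KEV entry when vendor and product match and the
    CVE is not in its patched set. Sort order: ransomware-linked first, then
    entries already past their due date, then earliest due date.
    """
    exposures = []
    for asset in inventory:
        for v in kev_entries:
            if v["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if v["product"].lower() not in asset["product"].lower():
                continue
            if v["cveID"] in asset["patched"]:
                continue
            due = date.fromisoformat(v["dueDate"])
            exposures.append({
                "asset": asset["asset"],
                "cve": v["cveID"],
                "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
                "overdue": due < today,
                "due": v["dueDate"],
            })
    exposures.sort(key=lambda e: (not e["ransomware"], not e["overdue"], e["due"]))
    return exposures


def render_queue(exposures):
    """Format the ranked exposures as one line per item for a shift handover."""
    lines = []
    for e in exposures:
        tags = []
        if e["ransomware"]:
            tags.append("RANSOMWARE")
        if e["overdue"]:
            tags.append("OVERDUE")
        tag_text = f" [{' '.join(tags)}]" if tags else ""
        lines.append(f"{e['asset']}: {e['cve']} due {e['due']}{tag_text}")
    return lines


if __name__ == "__main__":
    queue = match_exposures(load_kev(KEV_SAMPLE), INVENTORY, date(2026, 1, 26))
    print("\n".join(render_queue(queue)))
```

With the constructed data, `vpn-gw1` and CVE-2025-0282 come out on top (ransomware-linked and past due), `cucm-01` follows, and `ws-0421` does not appear because its DWM fix is already recorded as applied. The product match is a case-insensitive substring check, which is deliberately loose: on a skeleton-staff day a false positive that someone dismisses in a minute is cheaper than a VPN gateway that never made the list.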

Analyst Comment

The convergence of a public holiday with critical RCE vulnerabilities creates a "perfect storm" for defenders. The reduced staffing levels today mean detection times may be slower, giving adversaries a larger window to establish persistence. We strongly recommend that SOC teams maintain heightened vigilance and that on-call engineers are prepared to mobilise for out-of-band patching of the Cisco and Windows flaws.

Contact us for a quote for penetration testing service or adversary simulation.