Executive Summary
This week in Australian cyber security, the threat landscape is dominated by active exploitation of zero-day vulnerabilities in widely used infrastructure. Federal agencies and private sector organisations are on high alert following CISA's addition of new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue. Locally, the healthcare sector remains under intense scrutiny following the release of a concerning audit of NSW Health's cyber posture, while SaaS and AI-driven threats continue to evolve.
Sector Spotlight
Healthcare: Systemic Risks Exposed
The Australian healthcare sector is operating in what industry experts describe as a "sustained cyber risk" environment. Following the recent audit tabled in NSW Parliament, which found systemic non-compliance with cyber security controls across NSW Health, those experts are warning that the sector remains critically exposed.
- Key Insight: A January 2026 report by Gallagher highlighted that Australian health service providers lodged over 200 data breach notifications in the past 12 months.
- Threat Vector: The convergence of IT and OT (Operational Technology) in hospitals, where networked medical devices and building systems share networks with clinical applications, combined with legacy systems that cannot be patched on a normal cadence, makes clinical operations a prime target for ransomware. The audit revealed that many Local Health Districts (LHDs) are struggling to meet the NSW Government's mandatory Cyber Security Policy (CSP) requirements.
Government & Critical Infrastructure
Federal agencies are urged to prioritise patching immediately following the detection of active exploitation of SolarWinds and Apple vulnerabilities.
- SolarWinds Web Help Desk (WHD): The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that CVE-2025-40536 (CVSS 8.1), a security control bypass in WHD, is being exploited in the wild. The flaw lets unauthenticated attackers reach functionality that should require authentication, which can be chained to Remote Code Execution (RCE). Australian government bodies running WHD for IT service management should treat any unpatched, internet-exposed instance as potentially compromised: patch, then hunt for unexpected accounts and activity rather than assuming the patch alone closes the incident.
- Supply Chain Risks: The "PolarEdge" botnet, which compromised thousands of Cisco routers globally earlier this year, remains a persistent threat to critical infrastructure edge devices.
SaaS & Tech Providers
The SaaS landscape is grappling with "Shadow AI" and API vulnerabilities.
- Apple Zero-Day: A buffer overflow in Apple operating systems, tracked as CVE-2026-20700, has been patched after being exploited in highly sophisticated, targeted attacks. This serves as a reminder that even the most hardened ecosystems are vulnerable to targeted zero-day campaigns.
- Shadow AI: With the rapid adoption of AI agents in the enterprise, organisations are struggling to govern "Shadow AI", meaning AI tools that employees adopt without security review. Vendors such as Okta have released new governance tools this week to help CISOs discover this usage, which often bypasses traditional DLP (Data Loss Prevention) controls because the data leaves as prompts and pasted text in an approved browser over HTTPS rather than as a file transfer the DLP policy inspects.
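One practical starting point for finding Shadow AI usage before a dedicated governance tool is in place is to run your own web proxy logs against a catalogue of generative-AI service domains and subtract the tools you have sanctioned. The script below is an added example and is not part of this bulletin or of any vendor's product: the log format, the sample log lines, the sanctioned list and the upload threshold are all constructed, and the domain catalogue is illustrative and would in practice come from your proxy or CASB vendor's category feed. It aggregates outbound bytes per user and per unsanctioned AI domain, which matters because the volume uploaded is the closest signal in proxy data to the "data left via a prompt" problem that file-based DLP misses.

```python
# Added example: Shadow AI detection over (constructed) proxy log lines.
# Not code from the original article or from any vendor; formats are assumed.
import re
from collections import defaultdict

# Illustrative catalogue of generative-AI service domains. Maintain this from
# your proxy/CASB category feed; it is not exhaustive.
AI_SERVICE_DOMAINS = (
    "chatgpt.com", "openai.com", "claude.ai", "anthropic.com",
    "gemini.google.com", "perplexity.ai",
)
# Constructed allowlist: the one AI tool this hypothetical organisation approved.
SANCTIONED_AI_DOMAINS = ("gemini.google.com",)
# Constructed threshold above which a per-user, per-domain upload total is notable.
LARGE_UPLOAD_BYTES = 100_000

# Assumed simplified proxy log format: "<timestamp> <user> <method> <host> <bytes_out>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<bytes_out>\d+)$"
)

# Constructed sample log; not real traffic.
SAMPLE_PROXY_LOG = """\
2026-02-10T09:14:02Z alice POST chatgpt.com 183420
2026-02-10T09:14:05Z alice GET cdn.example.com 512
2026-02-10T09:20:11Z bob POST api.openai.com 2048
2026-02-10T09:21:40Z carol POST gemini.google.com 90000
2026-02-10T09:30:00Z bob POST claude.ai 410000
2026-02-10T09:31:00Z dave GET news.example.com 300
"""


def matching_domain(host, domains):
    """Return the catalogue domain that `host` equals or is a subdomain of, else None.
    Suffix matching is anchored on a dot so 'evil-chatgpt.com' does not match 'chatgpt.com'."""
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_shadow_ai(log_text):
    """Map user -> {unsanctioned AI domain -> total bytes sent}, skipping sanctioned tools."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # unparseable line; in production count these so gaps are visible
        domain = matching_domain(match["host"], AI_SERVICE_DOMAINS)
        if domain is None or matching_domain(match["host"], SANCTIONED_AI_DOMAINS):
            continue
        findings[match["user"]][domain] += int(match["bytes_out"])
    return {user: dict(per_domain) for user, per_domain in findings.items()}


def large_uploads(findings, threshold=LARGE_UPLOAD_BYTES):
    """Sorted (user, domain, bytes) tuples whose upload total meets the threshold."""
    return sorted(
        (user, domain, total)
        for user, per_domain in findings.items()
        for domain, total in per_domain.items()
        if total >= threshold
    )


if __name__ == "__main__":
    hits = find_shadow_ai(SAMPLE_PROXY_LOG)
    for user, per_domain in sorted(hits.items()):
        print(user, per_domain)
    print("large uploads:", large_uploads(hits))
```

Point this at a day of real proxy exports and the interesting output is not the hit list itself but the users whose upload totals are large: that is where a follow-up conversation about what was pasted is warranted, and where a sanctioned enterprise tenant should be offered as the alternative.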
Vulnerability Watch: The "Must-Patch" List
Our penetration testing team has identified the following vulnerabilities as high-priority for Australian organisations this week:
Apple Core Systems (CVE-2026-20700)
- Type: Buffer overflow (memory corruption)
- Status: Exploited in the wild.
- Impact: Arbitrary code execution on iOS and macOS devices.
- Action: Update iOS and macOS to the latest versions immediately; treat devices of high-risk users as priority.
SolarWinds Web Help Desk (CVE-2025-40536)
- Type: Authentication Bypass
- Status: Exploited in the wild (Zero-day).
- Impact: Attackers can create internal proxy users and pivot from there to RCE.
- Action: Apply the vendor hotfix; where that is not yet possible, remove the WHD instance from direct internet exposure and restrict access to trusted networks. Review WHD user and technician accounts for additions you did not make.
Notepad++ (CVE-2025-15556)
- Type: Insufficient update integrity verification
- Status: Active exploitation attempts observed.
- Impact: An attacker who can interpose on the update process can deliver malware in place of a legitimate update.
- Action: Obtain updates only from the official distribution channel and verify the published checksum or signature before installing. The check only means something if the reference value comes from a source the attacker cannot also control.
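The Notepad++ entry above comes down to one control: do not run an installer whose hash or signature you have not checked against a reference obtained elsewhere. As an added example (not code from this bulletin and not Notepad++'s own update mechanism), the stdlib-only Python below verifies a downloaded artifact against a pinned SHA-256 manifest in the common "sha256sums" layout, uses a constant-time comparison, and refuses anything the manifest does not name. The artifact bytes, the filename and the manifest are constructed for the demo; in real use the manifest line is what you pin from the vendor's release page or signature over a second channel, and a hash fetched from the same server as the installer proves nothing if that server is the thing that was compromised.

```python
# Added example: verifying an update artifact against a pinned SHA-256 manifest.
# Not the original article's code and not any vendor's updater; all data is constructed.
import hashlib
import hmac


def parse_sha256sums(text):
    """Parse '<64 hex chars>  <filename>' lines (two-space separator, optional '*' binary
    marker before the name, '#' comments) into {filename: lowercase hex digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep:
            raise ValueError(f"malformed manifest line: {raw!r}")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        expected[name] = digest
    return expected


def verify_artifact(name, data, expected):
    """Return (ok, reason). Unknown names are rejected, not skipped: an updater that
    installs anything the manifest does not cover has no integrity check at all."""
    pinned = expected.get(name)
    if pinned is None:
        return False, f"no pinned digest for {name!r}; refusing to install"
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, pinned):
        return False, f"digest mismatch for {name!r}: expected {pinned[:16]}..., got {actual[:16]}..."
    return True, "ok"


# Constructed stand-in for a genuine installer (starts with the PE 'MZ' marker for realism).
GENUINE_INSTALLER = b"MZ\x90\x00" + b"genuine editor installer bytes (constructed) " * 8
# Constructed manifest: in practice this value is pinned from the vendor's signed release
# information over a channel separate from the download itself.
PINNED_MANIFEST = (
    "# pinned out of band; constructed for this example\n"
    f"{hashlib.sha256(GENUINE_INSTALLER).hexdigest()}  editor-installer.exe\n"
)
# Constructed tampered copy: the original with a payload appended, as a hijacked
# update channel would deliver.
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"<injected loader stub, constructed>"


if __name__ == "__main__":
    pinned = parse_sha256sums(PINNED_MANIFEST)
    for label, blob in (("genuine", GENUINE_INSTALLER), ("tampered", TAMPERED_INSTALLER)):
        ok, reason = verify_artifact("editor-installer.exe", blob, pinned)
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
    print(verify_artifact("unlisted.exe", GENUINE_INSTALLER, pinned))
```

Where the vendor publishes a GPG or Authenticode signature rather than a bare hash, verify that instead; a signature binds the artifact to a key you already trust, whereas a hash is only as trustworthy as the place you copied it from.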
Emerging Threat: The AI Attack Surface
As we move further into 2026, "AI-driven ransomware" is becoming a tangible reality, with the AI doing its work at the front of the intrusion. Reports this week suggest that threat actors are increasingly using LLMs to generate phishing campaigns at scale that are difficult to distinguish from legitimate internal communications, and phishing remains a leading initial access vector for ransomware. For the Education and FinTech sectors, this means the "human firewall" is being tested like never before.
Recommendation: Review your email security gateway configuration, including sender authentication checks, and conduct fresh adversary simulation exercises that mimic these AI-enhanced social engineering tactics.
Contact us for a quote for penetration testing service or adversary simulation.

