Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12612
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-18 05:02:42 | thehackernews | VULNERABILITIES | CISA Alerts on Critical ASUS Live Update Flaw Amid Exploitation | CISA has added a critical ASUS Live Update vulnerability to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation of CVE-2025-59374, which has a CVSS score of 9.3. The flaw stems from a supply chain compromise and allows attackers to perform unintended actions on targeted devices running the compromised software versions, provided specific conditions are met. This vulnerability traces back to Operation ShadowHammer, in which an APT group breached ASUS servers and embedded malicious code in software distributed between June and November 2018. The compromised software versions contained a hard-coded list of over 600 unique MAC addresses, aiming to surgically target a specific user group. ASUS addressed the issue in version 3.6.8 of the Live Update software, but the tool reached end-of-support on December 4, 2025, with the last version being 3.6.15. CISA has urged Federal Civilian Executive Branch agencies to discontinue using the ASUS Live Update tool by January 7, 2026, to mitigate security risks. ASUS emphasizes its commitment to software security, advising users to update to version 3.6.8 or higher for enhanced protection. | Details |
| 2025-12-18 04:14:42 | thehackernews | VULNERABILITIES | Cisco Uncovers Zero-Day Exploitation in Email Security Appliances | Cisco identified a critical zero-day vulnerability in AsyncOS software, actively exploited by a China-linked APT group, UAT-9686, targeting email security appliances. The flaw, tracked as CVE-2025-20393, allows arbitrary command execution with root privileges, posing significant security risks to affected systems. Cisco's investigation revealed a persistence mechanism used by attackers to maintain control, utilizing tools like ReverseSSH, Chisel, and a Python backdoor named AquaShell. To mitigate risks, Cisco recommends securing appliances behind firewalls, disabling unnecessary network services, and using strong authentication methods. The U.S. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, urging federal agencies to implement mitigations by December 24, 2025. GreyNoise reported a related automated credential-based campaign targeting VPN infrastructures, with over 10,000 IPs involved in login attempts across several countries. Organizations are advised to monitor network traffic for anomalies and prepare for potential appliance rebuilds to remove any persistent threats. | Details |
| 2025-12-17 23:09:39 | bleepingcomputer | VULNERABILITIES | Zeroday Cloud Event Reveals 11 Critical Cloud Infrastructure Vulnerabilities | The Zeroday Cloud hacking competition in London awarded $320,000 for discovering 11 zero-day vulnerabilities in cloud infrastructure components. Hosted by Wiz Research with Amazon Web Services, Microsoft, and Google Cloud, the event marks the first hacking competition focused on cloud systems. Researchers successfully exploited vulnerabilities in Redis, PostgreSQL, Grafana, and the Linux kernel, earning $200,000 on the first day alone. A container escape flaw in the Linux kernel compromised tenant isolation, a fundamental cloud security feature, demonstrating significant security risks. The second day saw $120,000 awarded for exploits in Redis, PostgreSQL, and MariaDB, databases crucial for storing sensitive cloud data. AI models vLLM and Ollama were targeted, but attempts failed due to time constraints, avoiding potential exposure of private AI data and prompts. Team Xint Code emerged victorious, securing $90,000 for exploits in Redis, MariaDB, and PostgreSQL, though the total prize pool was $4.5 million. The event underscores the need for robust cloud security measures, as several categories like AI and Kubernetes remain unexploited but vulnerable. | Details |
| 2025-12-17 22:56:32 | theregister | NATION STATE ACTIVITY | Cisco AsyncOS Zero-Day Exploited by Suspected Chinese APT Group | Cisco has disclosed a critical zero-day vulnerability, CVE-2025-20393, affecting certain Secure Email Gateway and Web Manager appliances, with no immediate patch available. The flaw allows attackers to execute arbitrary commands with root privileges on affected systems, particularly those with exposed Spam Quarantine features. Cisco's Talos unit attributes the attacks, ongoing since late November 2025, to a Chinese-linked APT group, identified as UAT-9686. The attackers use a Python-based backdoor, AquaShell, alongside tunneling tools AquaTunnel and Chisel, and a log-clearing utility, AquaPurge. Cisco has issued guidance for customers to evaluate exposure and implement risk mitigation strategies, while actively developing a permanent fix. The U.S. Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing its critical nature. Organizations using affected Cisco appliances should urgently review security advisories and apply recommended mitigations to protect against potential exploitation. | Details |
| 2025-12-17 22:40:48 | theregister | CYBERCRIME | Tea Protocol Faces Token Farming Scams, Plans Security Enhancements | The Tea Protocol experienced two major token farming scams, with attackers flooding npm registries with spammy packages to exploit financial incentives. The incidents prompted immediate cessation of the incentive program, affecting the project's operational plans and highlighting vulnerabilities in open source ecosystems. Attackers used worm-like scripts to automate package creation, aiming to inflate developer reputations and gain financial rewards. In response, Tea Protocol is redesigning its system to prevent abuse, including ownership checks and monitoring for Sybil attacks and suspicious patterns. Integration with PKGW will enhance security by verifying maintainers and evaluating contributions, aiming to penalize spam at registration. Future plans include automated bug bounties and SBOMs to help enterprises manage dependencies and reward developers for resolving security issues. Several banking firms have committed $250,000 each to a pilot bounty program, signaling industry support for secure open source development. These measures aim to secure code, prevent financial exploitation, and reassure stakeholders about the integrity of software supply chains. | Details |
| 2025-12-17 22:23:20 | bleepingcomputer | CYBERCRIME | French Authorities Arrest Suspect in Ministry Cyberattack Investigation | French law enforcement arrested a 22-year-old suspect linked to a cyberattack on the Ministry of the Interior, highlighting ongoing cybersecurity challenges faced by government entities. The suspect, previously convicted of similar offenses, faces charges of unauthorized access to a state data processing system, which carries a potential 10-year prison sentence. The cyberattack, detected between December 11 and 12, compromised internal email servers and allowed access to certain document files, though data theft remains unconfirmed. In response, the Ministry of the Interior enhanced security protocols and access controls to safeguard its information systems against future breaches. A BreachForums administrator claimed responsibility for the attack, alleging it was retaliation for previous arrests of forum members by French authorities. The forum post threatens to release data on over 16 million individuals unless negotiations with the French government occur within a week, though official verification is pending. The incident underscores the persistent threat posed by cybercriminal groups and the importance of robust cybersecurity measures in protecting sensitive government data. | Details |
| 2025-12-17 21:55:16 | bleepingcomputer | CYBERCRIME | AWS Faces Crypto-Mining Campaign via Compromised Credentials | Amazon's AWS GuardDuty has identified an ongoing crypto-mining campaign targeting EC2 and ECS services using compromised IAM credentials. The campaign began on November 2, leveraging a Docker Hub image with over 100,000 pulls to initiate mining operations. Attackers exploited valid credentials rather than vulnerabilities, initiating mining within 10 minutes of access after assessing EC2 quotas and IAM permissions. Crypto-mining tasks were configured with significant computational resources, straining AWS infrastructure and impacting customer operations. A novel persistence method involved disabling remote termination of instances, delaying incident response and maximizing mining profits. Amazon has alerted affected customers to rotate compromised credentials and removed the malicious Docker image, though similar threats may re-emerge. The incident underscores the critical need for robust IAM practices to prevent unauthorized access and mitigate potential financial and operational impacts. | Details |
| 2025-12-17 19:18:45 | bleepingcomputer | CYBERCRIME | GhostPairing Campaign Exploits WhatsApp Device Linking for Account Hijacks | Cybercriminals are leveraging WhatsApp's device-linking feature in a campaign named GhostPairing to hijack user accounts, gaining full access to conversations and shared media. The attack begins with a deceptive message from a known contact, leading victims to a fake Facebook page that initiates the device-pairing process. Victims unwittingly provide a pairing code, allowing attackers to link their browser to the victim's WhatsApp account without needing authentication. The campaign, initially detected in Czechia, has the potential to spread globally, using compromised accounts to target additional victims. Gen Digital advises users to regularly check for unauthorized linked devices and activate two-factor authentication to enhance account security. Users are warned to scrutinize unexpected messages and verify the identity of contacts before taking action to prevent falling victim to such scams. This tactic has been previously used by Russian threat actors to compromise accounts on other messaging platforms, indicating a broader trend of exploiting device-linking features. | Details |
| 2025-12-17 18:46:47 | bleepingcomputer | VULNERABILITIES | Cisco Warns of Zero-Day Exploit in Secure Email Gateway Appliances | Cisco has identified a critical zero-day vulnerability (CVE-2025-20393) in its Secure Email Gateway and Secure Email and Web Manager appliances, exploited by a Chinese threat group. The vulnerability affects appliances with non-standard configurations when the Spam Quarantine feature is internet-exposed, allowing attackers to execute arbitrary commands with root access. Attackers have deployed AquaShell backdoors, AquaTunnel, Chisel reverse SSH tunnels, and AquaPurge log-clearing tools, linking the activity to Chinese state-sponsored groups like UNC5174 and APT41. Cisco advises restricting internet access to vulnerable appliances, using firewalls, and implementing strong authentication to mitigate the risk until a patch is available. Administrators are urged to monitor web logs for anomalies, retain logs for investigations, and follow Cisco's guidance for restoring secure configurations. The company recommends contacting Cisco Technical Assistance Center if compromise is suspected, with rebuilding appliances as the only current option to remove persistent threats. This incident emphasizes the importance of proactive security measures and the need for organizations to regularly update and secure their systems against emerging threats. | Details |
| 2025-12-17 18:20:07 | thehackernews | VULNERABILITIES | SonicWall Patches Critical Vulnerability in SMA 100 Appliances | SonicWall released patches for CVE-2025-40602 in SMA 100 appliances, a vulnerability actively exploited in the wild, allowing local privilege escalation through the appliance management console. The vulnerability, with a CVSS score of 6.6, is linked to insufficient authorization, potentially enabling attackers to pair it with CVE-2025-23006 for remote code execution. CVE-2025-23006, a more severe flaw with a CVSS score of 9.8, was addressed in January 2025, highlighting the ongoing need for timely patch management. Discovery and reporting of CVE-2025-40602 were credited to Clément Lecigne and Zander Work from Google's Threat Intelligence Group, emphasizing collaboration in threat detection. Google is monitoring a threat actor cluster, UNC6148, targeting end-of-life SonicWall devices with a backdoor named OVERSTEP, though its relation to the current vulnerability is unclear. SonicWall urges immediate application of the patches to mitigate risks, underscoring the importance of proactive cybersecurity measures for affected users. The incident serves as a reminder of the critical need for organizations to maintain up-to-date security protocols and patch management strategies. | Details |
| 2025-12-17 18:11:19 | thehackernews | DDOS | Kimwolf Botnet Exploits Android TVs for Massive DDoS Campaigns | The Kimwolf botnet has compromised 1.8 million Android devices, including TVs and tablets, to launch large-scale DDoS attacks, according to QiAnXin XLab's recent findings. Between November 19 and 22, 2025, Kimwolf executed 1.7 billion DDoS commands, with its C2 domain briefly surpassing Google in Cloudflare's top 100 domains list. The botnet targets TV boxes in residential networks globally, with significant infection rates in Brazil, India, the U.S., Argentina, South Africa, and the Philippines. Kimwolf integrates advanced features such as proxy forwarding, reverse shell, and file management, indicating a sophisticated threat vector. XLab's intervention included seizing a C2 domain and discovering Kimwolf's use of Ethereum Name Service (ENS) to enhance infrastructure resilience against takedowns. The botnet shares ties with the AISURU botnet, suggesting shared code and potential collaboration, complicating attribution and mitigation efforts. Recent malware versions employ EtherHiding, leveraging ENS domains to obfuscate C2 infrastructure, showcasing adaptive capabilities to evade detection. Over 96% of Kimwolf's commands exploit compromised devices for proxy services, highlighting attackers' focus on monetizing bandwidth and maximizing profits. | Details |
| 2025-12-17 17:49:42 | bleepingcomputer | VULNERABILITIES | SonicWall Urges Immediate Patch for SMA1000 Zero-Day Vulnerability | SonicWall has issued a warning about a zero-day vulnerability in the SMA1000 Appliance Management Console, urging users to apply the latest hotfix to prevent privilege escalation attacks. The vulnerability, CVE-2025-40602, was identified by Google Threat Intelligence Group; it enables local privilege escalation and does not affect SSL-VPN on SonicWall firewalls. Attackers have been exploiting this flaw in conjunction with a critical deserialization vulnerability, CVE-2025-23006, to achieve remote code execution with root privileges. Over 950 SMA1000 appliances are currently exposed online, posing significant risks to enterprises, government, and critical infrastructure if left unpatched. SonicWall has linked previous security breaches to state-backed actors, highlighting the importance of timely patching and robust security measures. Recent updates have addressed other vulnerabilities, including a firmware update to remove OVERSTEP rootkit malware from SMA 100 series devices. Organizations are advised to prioritize patching and review their security protocols to mitigate potential exploitation risks associated with unpatched devices. | Details |
| 2025-12-17 16:19:11 | bleepingcomputer | VULNERABILITIES | React2Shell Vulnerability Exploited in Rapid Ransomware Attacks | A critical vulnerability, React2Shell (CVE-2025-55182), was exploited by cybercriminals to deploy ransomware, impacting corporate networks with rapid file encryption. React2Shell is an insecure deserialization flaw in the React Server Components 'Flight' protocol, enabling remote JavaScript code execution without authentication. Within hours of its disclosure, the vulnerability was targeted by nation-state actors for cyberespionage and by criminals for cryptocurrency mining and ransomware attacks. S-RM researchers observed the Weaxor ransomware strain, a rebranded version of Mallox known for opportunistic attacks on MS-SQL servers, exploiting React2Shell. Attackers used an obfuscated PowerShell command to deploy a Cobalt Strike beacon for C2 communication, disabled Windows Defender, and launched ransomware within a minute of access. The attack was confined to the vulnerable endpoint, with no lateral movement detected, and included wiping shadow copies and clearing logs to hinder forensic analysis. System administrators are advised to monitor for suspicious process creation and network activity, as patching alone is insufficient to mitigate the threat. The incident underscores the need for comprehensive security measures beyond patching to address vulnerabilities like React2Shell effectively. | Details |
| 2025-12-17 16:09:46 | theregister | MISCELLANEOUS | PwC Advises on Building Trust and Security in AI Systems | PwC emphasizes the importance of embedding security and compliance in AI systems to mitigate risks as AI becomes integral to enterprise operations. Alex Cherones from PwC warns that neglecting AI vulnerabilities is akin to leaving security doors open, as threat actors exploit AI to automate attacks. Marianne Olsen highlights that trust in AI is crucial for adoption, advocating for security and governance from the outset to enable confident innovation. PwC assists clients by implementing governance frameworks and compliance controls early, ensuring that security becomes an enabler rather than a hindrance. Large organizations face challenges in maintaining consistent governance; PwC recommends flexible guardrails to balance innovation with protection. PwC supports clients at various AI maturity stages, focusing on continuous compliance and real-time visibility to streamline processes and reduce costs. Demonstrating secure and compliant AI systems can provide a competitive edge, potentially influencing business success and regulatory approvals. | Details |
| 2025-12-17 16:09:46 | theregister | DATA BREACH | FTC Mandates Nomad to Compensate Users After $186 Million Cyber Heist | The FTC has reached a proposed settlement with Illusory Systems, trading as Nomad, following a 2022 cyberattack that resulted in $186 million being stolen. Nomad is required to repay approximately $37.5 million to affected users, addressing losses from the breach, with payments due within a year post-agreement or after related litigation. The cyberattack exploited a vulnerability introduced by inadequately tested code in a June 2022 update, leading to significant financial losses for Nomad's customers. A "white hat" bounty program was initiated by Nomad, incentivizing attackers to return stolen funds in exchange for legal immunity and a 10% reward. The FTC's settlement demands Nomad implement a robust security program, conduct regular third-party assessments, and cease misleading security claims. Allegations against Nomad include failure to adopt secure coding practices and implement effective incident response strategies, contributing to the breach's impact. Nomad has agreed to the settlement terms, pending a public comment period and a final FTC vote, emphasizing the need for companies to uphold security commitments. | Details |