Daily Brief
Articles are listed below; see 'DETAILS' for the generated summaries
Total articles found: 12625
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-10 08:59:59 | thehackernews | VULNERABILITIES | Microsoft Patches 56 Flaws, Including Active Exploit and Two Zero-Days | Microsoft released security updates addressing 56 vulnerabilities, three rated Critical and 53 Important, among them one actively exploited zero-day and two publicly disclosed zero-days.
CVE-2025-62221, the actively exploited flaw, is a privilege escalation bug in the Windows Cloud Files Mini Filter Driver; because the driver ships with Windows, systems are affected whether or not a cloud storage client is installed.
The U.S. CISA added CVE-2025-62221 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by December 30, 2025.
CVE-2025-54100 is a command injection vulnerability in Windows PowerShell: a crafted web page fetched with Invoke-WebRequest can lead to arbitrary code execution on the machine running the script.
CVE-2025-64671, a command injection flaw in GitHub Copilot for JetBrains IDEs, belongs to the IDEsaster class of vulnerabilities in which AI coding agents inside IDEs can be steered into information disclosure or command execution.
Organizations should prioritize patching, starting with the actively exploited CVE-2025-62221 and then the two publicly disclosed zero-days, whose details are already available to attackers. | Details |
| 2025-12-10 04:55:09 | thehackernews | VULNERABILITIES | Fortinet, Ivanti, and SAP Urgently Patch Critical Security Flaws | Fortinet fixed two critical vulnerabilities (CVSS 9.8) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that let an unauthenticated attacker bypass FortiCloud SSO login with crafted SAML messages.
FortiCloud SSO login is not enabled by default, but where it is on, Fortinet advises disabling it until the fixed versions are installed.
Ivanti released updates for Endpoint Manager, fixing a critical bug (CVE-2025-10573) that could allow remote JavaScript execution in administrator sessions.
The Ivanti vulnerability requires user interaction for exploitation, with no known attacks reported. Patches are included in EPM version 2024 SU4 SR1.
SAP's December updates resolved 14 vulnerabilities, including critical flaws in SAP Solution Manager, which could lead to remote code execution with elevated privileges.
Organizations are urged to apply these patches promptly, since flaws in edge and enterprise management products like these are frequently targeted by attackers.
Security teams should prioritize these updates to prevent unauthorized access to the systems behind them. | Details |
| 2025-12-09 23:48:11 | theregister | VULNERABILITIES | December Patch Tuesday Addresses Critical Bugs in Microsoft, Fortinet, and Ivanti | Microsoft released patches for 57 CVEs, including a zero-day in Windows Cloud Files Mini Filter Driver, which allows privilege escalation and is currently exploited in the wild.
Critical updates were issued for Notepad++, addressing a flaw exploited by attackers in China to hijack update traffic and deliver malware.
Fortinet fixed two critical vulnerabilities in its products, allowing unauthenticated attackers to bypass FortiCloud SSO login authentication via crafted SAML messages.
Ivanti's Endpoint Manager received a patch for a critical cross-site scripting vulnerability, potentially allowing attackers to execute malicious code across multiple client devices.
Security teams are advised to prioritize these patches: attackers routinely diff fixed binaries against vulnerable ones to build exploits, so the window between patch release and exploitation can be short.
Robust patch management and monitoring remain the baseline defense against this cycle. | Details |
| 2025-12-09 22:50:21 | bleepingcomputer | VULNERABILITIES | SAP Releases Critical Security Patches for Multiple Product Vulnerabilities | SAP's December security update addresses 14 vulnerabilities, including three critical flaws, affecting various enterprise products crucial for system management and e-commerce operations.
The most severe vulnerability, CVE-2025-42880, involves a code injection flaw in SAP Solution Manager ST 720, potentially granting attackers full system control.
SAP Commerce Cloud is affected by multiple Apache Tomcat vulnerabilities, including CVE-2025-55754, putting large-scale online retail platforms at risk.
A deserialization issue in SAP jConnect, CVE-2025-42928, poses a remote code execution threat under certain conditions, affecting database connectivity for Java applications.
Additional fixes cover high and medium-severity issues, including memory corruption and cross-site scripting, underscoring the need for timely patch deployment.
SAP products are integral to enterprise environments, managing sensitive operations and data, making them attractive targets for cyber threats.
Despite no active exploitation reports, administrators are urged to implement these updates promptly to safeguard against potential attacks. | Details |
| 2025-12-09 21:53:40 | theregister | MISCELLANEOUS | Identity Management Vendors Address Growing AI Agent Security Concerns | As AI agents gain traction in enterprise environments, identity management vendors like Okta and Microsoft Entra ID are focusing on security and governance challenges.
Okta's Auth0 for AI Agents provides comprehensive auditability, ensuring all agent activities are logged and integrated with existing security systems.
The complexity of managing AI agents stems from their autonomy and nondeterministic actions, presenting unique identity and access management challenges.
Forrester analysts recommend minimizing AI agents' autonomy and implementing continuous risk management within existing IAM frameworks.
Organizations are advised to adopt a unified IAM architecture to accommodate all agent types, enhancing security and operational efficiency.
The Model Context Protocol is suggested as a foundational element for AI agent communication, supporting secure and scalable deployment.
Okta's approach includes a token vault to securely connect agents to applications, simplifying infrastructure management for developers.
The rise of AI agents in workplaces is anticipated, driven by improved security measures and increasing consumer acceptance. | Details |
| 2025-12-09 20:46:10 | bleepingcomputer | VULNERABILITIES | Microsoft Enhances PowerShell Security with New Invoke-WebRequest Warnings | Microsoft has updated Windows PowerShell 5.1 so that Invoke-WebRequest warns and prompts before parsing a fetched page with its default HTML parser, the change that fixes the high-severity remote code execution flaw CVE-2025-54100.
The change mostly affects enterprise environments where PowerShell scripts run unattended for automation, because a script that downloads a page and lets the cmdlet parse it can inadvertently run code from that page.
The prompt directs users to the -UseBasicParsing parameter, which performs only basic, DOM-free parsing of the response: page scripts never execute and the prompt does not appear.
Because an interactive prompt blocks unattended jobs, the KB5074204 update effectively requires IT administrators to add -UseBasicParsing to scripts that call Invoke-WebRequest without it.
The curl alias for Invoke-WebRequest in Windows PowerShell 5.1 (as well as the wget and iwr aliases) triggers the same warning, so scripts using those aliases need the same adjustment.
Microsoft notes that most scripts need minimal changes, particularly those that already treat the response as text or data rather than as a parsed page.
The measure is intended to reduce the risk of unauthorized code execution from web content in enterprise automation. | Details |
| 2025-12-09 19:57:53 | bleepingcomputer | VULNERABILITIES | Microsoft Releases Critical Security Update for Windows 10 Users | Microsoft has issued the KB5071546 security update, addressing 57 vulnerabilities, including three zero-day flaws, for Windows 10 Enterprise LTSC and devices enrolled in the Extended Security Updates (ESU) program.
The update is mandatory and will automatically install, requiring users to restart their devices to complete the installation process.
Among the fixes is CVE-2025-54100, a remote code execution flaw in PowerShell in which script embedded in a web page fetched with Invoke-WebRequest could run when the cmdlet parses the response with its default HTML parser.
Users are advised to add the -UseBasicParsing parameter to Invoke-WebRequest calls so that pages from untrusted sites are never parsed by that engine.
The update advances Windows 10 to build 19045.6691 and Windows 10 Enterprise LTSC 2021 to build 19044.6691, focusing solely on security improvements and bug fixes.
Microsoft has provided an advisory detailing the safe use of PowerShell commands to prevent potential security breaches.
No known issues have been reported with this update, ensuring a smooth transition for users implementing the security patches. | Details |
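The prompt described in the two PowerShell rows above bites exactly where scripts run unattended, so the practical task is finding every call site that still relies on the default parsing. The following script is an added example, not code from BleepingComputer or Microsoft: it walks the PowerShell AST of a script tree, reports each Invoke-WebRequest call (including the iwr, curl and wget aliases, which is an assumption about Windows PowerShell 5.1's default alias set) that lacks -UseBasicParsing, and with -Fix appends the parameter in place. The Parser and AST types are PowerShell's own API; the script name and the alias list are assumptions.

```powershell
<#
Added example, not code from BleepingComputer or Microsoft. Audits a script tree for
Invoke-WebRequest call sites that still use the default (DOM) HTML parsing and will
therefore hit the new confirmation prompt; -Fix appends -UseBasicParsing in place.
It walks the PowerShell AST instead of grepping so aliases, abbreviated parameter
names, pipelines and multi-line commands are handled. Assumptions: the alias list
below matches Windows PowerShell 5.1; add any custom aliases you define.
Usage: .\Find-UnsafeWebRequest.ps1 -Path C:\scripts [-Fix]   (script name is hypothetical)
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$Path,   # a .ps1/.psm1 file or a directory to scan recursively
    [switch]$Fix                           # rewrite UNSAFE call sites; a .bak copy is kept
)

$Aliases = @('Invoke-WebRequest', 'iwr', 'curl', 'wget')

function Get-WebRequestCallSites {
    param([string]$File)
    # Parse the same text we would later patch, so AST offsets line up with string offsets.
    $text = [System.IO.File]::ReadAllText($File)
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($text, $File, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) { Write-Warning "${File}: $($errors.Count) parse error(s); results may be incomplete" }

    $calls = $ast.FindAll({ param($n)
        $n -is [System.Management.Automation.Language.CommandAst] -and $Aliases -contains $n.GetCommandName() }, $true)

    foreach ($cmd in $calls) {
        $paramNames = @($cmd.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            ForEach-Object { $_.ParameterName })
        # PowerShell accepts unambiguous prefixes, so -UseBasic already counts as -UseBasicParsing.
        $safe  = @($paramNames | Where-Object { $_.Length -ge 4 -and 'UseBasicParsing'.StartsWith($_, 'OrdinalIgnoreCase') })
        # Splatted arguments (@p) are opaque to static analysis: flag for review, never rewrite.
        $splat = @($cmd.CommandElements | Where-Object { $_ -is [System.Management.Automation.Language.VariableExpressionAst] -and $_.Splatted })
        $status = if ($safe.Count -gt 0) { 'ok' } elseif ($splat.Count -gt 0) { 'review (splatted args)' } else { 'UNSAFE' }

        [pscustomobject]@{
            File      = $File
            Line      = $cmd.Extent.StartLineNumber
            Command   = $cmd.GetCommandName()
            Status    = $status
            EndOffset = $cmd.Extent.EndOffset   # character offset just past the command, before any '|'
            Text      = $cmd.Extent.Text
        }
    }
}

$files = if (Test-Path -LiteralPath $Path -PathType Leaf) { Get-Item -LiteralPath $Path }
         else { Get-ChildItem -LiteralPath $Path -Recurse -File | Where-Object { $_.Extension -in '.ps1', '.psm1' } }

$results = @(foreach ($f in $files) { Get-WebRequestCallSites -File $f.FullName })
$results | Format-Table Line, Command, Status, Text -GroupBy File -AutoSize

if ($Fix) {
    foreach ($group in ($results | Where-Object Status -eq 'UNSAFE' | Group-Object File)) {
        $text = [System.IO.File]::ReadAllText($group.Name)
        Copy-Item -LiteralPath $group.Name -Destination "$($group.Name).bak"
        # Patch from the end of the file backwards so earlier offsets stay valid.
        foreach ($hit in ($group.Group | Sort-Object EndOffset -Descending)) {
            $text = $text.Insert($hit.EndOffset, ' -UseBasicParsing')
        }
        # UTF-8 with BOM: Windows PowerShell 5.1 reads BOM-less non-ASCII scripts as ANSI.
        [System.IO.File]::WriteAllText($group.Name, $text, [System.Text.Encoding]::UTF8)
    }
}
```

Run it without -Fix first and read the 'review' rows by hand: a splatted hashtable may already carry UseBasicParsing, and the script deliberately does not guess. Note that this is a Windows PowerShell 5.1 concern; PowerShell 7 has no curl or wget alias and its Invoke-WebRequest never uses the DOM engine, so -UseBasicParsing is accepted there but does nothing. The rewrite inserts the parameter at the end of the command's own extent, so `Invoke-WebRequest $u | ConvertFrom-Json` becomes `Invoke-WebRequest $u -UseBasicParsing | ConvertFrom-Json`.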
| 2025-12-09 18:42:09 | bleepingcomputer | VULNERABILITIES | Fortinet Addresses Critical Authentication Bypass Flaws in Security Products | Fortinet released updates to fix two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, which could allow attackers to bypass FortiCloud SSO authentication.
The vulnerabilities, CVE-2025-59718 and CVE-2025-59719, stem from improper verification of cryptographic signatures on SAML messages, so a crafted message can be accepted as a valid login.
FortiCloud SSO login is off by default but becomes enabled when a device is registered with FortiCare, so registered devices are the ones exposed.
Administrators are advised to disable the FortiCloud login feature until their systems are updated to fixed versions.
Fortinet also patched separate vulnerabilities allowing unauthorized password changes and hash-based authentication.
Fortinet's vulnerabilities have been targets in past cyber-espionage and ransomware attacks, emphasizing the need for timely patching.
The company has a history of vulnerabilities being exploited, including by the Chinese Volt Typhoon group, highlighting ongoing risks. | Details |
| 2025-12-09 18:42:09 | bleepingcomputer | VULNERABILITIES | Microsoft December Patch Tuesday Fixes Three Zero-Day Vulnerabilities | Microsoft's December 2025 Patch Tuesday addresses 57 security flaws, including three zero-day vulnerabilities, enhancing system protection across various platforms.
An actively exploited zero-day, CVE-2025-62221, involves a privilege elevation flaw in Windows Cloud Files Mini Filter Driver, allowing attackers to gain SYSTEM privileges.
The two publicly disclosed zero-days are a GitHub Copilot remote code execution vulnerability and a PowerShell command injection flaw.
The Copilot vulnerability, CVE-2025-64671, is a command injection flaw in GitHub Copilot for JetBrains IDEs that allows unauthorized code execution.
The PowerShell flaw, CVE-2025-54100, could execute script embedded in web pages fetched with Invoke-WebRequest; Microsoft's fix adds a warning prompt and steers scripts toward -UseBasicParsing.
These patches underscore the importance of timely updates to mitigate potential exploitation and maintain robust security postures.
Organizations are advised to prioritize these updates to protect against potential threats and ensure system integrity. | Details |
| 2025-12-09 18:30:02 | thehackernews | NATION STATE ACTIVITY | North Korean Actors Exploit React2Shell to Deploy Advanced EtherRAT | North Korean-linked threat actors are exploiting the React2Shell vulnerability in React Server Components to deliver a new remote access trojan named EtherRAT.
EtherRAT uses Ethereum smart contracts for command-and-control and installs itself through five different Linux persistence mechanisms, so it survives reboots and partial cleanup.
The campaign, known as Contagious Interview, targets blockchain and Web3 developers through fake job offers on platforms like LinkedIn, Upwork, and Fiverr.
Attackers exploit CVE-2025-55182, a critical RSC vulnerability, to execute a Base64-encoded shell command, deploying a JavaScript implant via a shell script.
EtherRAT's C2 resolution polls nine Ethereum RPC endpoints and takes a consensus vote on the result, so no single endpoint is a point of failure and the channel is harder to disrupt.
The malware's self-update feature allows it to overwrite itself with new code from the C2 server, complicating static detection methods.
The campaign has shifted from npm to targeting Visual Studio Code users, leveraging malicious repositories on GitHub, GitLab, and Bitbucket.
This development signals a sophisticated evolution in tactics, presenting significant challenges for defenders in mitigating long-term, stealthy access attempts. | Details |
| 2025-12-09 17:18:46 | theregister | MISCELLANEOUS | Porsche Immobilizer Issues in Russia Spark Cyberattack Speculation | Hundreds of Porsche vehicles in Russia became immobile due to loss of satellite connectivity, triggering engine immobilizers as a theft prevention measure.
Local dealership chain Rolf identified the issue, but Porsche's headquarters could not diagnose the problem, attributing it to local systems.
Porsche ceased exports and after-sales services in Russia following sanctions related to the Ukraine conflict, complicating resolution efforts.
Speculation about a cyberattack arose, but experts found no evidence of hacking activity, suggesting technical or service-related causes instead.
The incident raises concerns about the reliance of luxury vehicles on external services, which can be disrupted by sanctions, misconfigurations, or contract issues.
Experts warn that connected-vehicle features, while enhancing security, also introduce failure modes when their network dependencies go away, as the immobilizer trigger shows.
The situation underscores the broader implications of connected car technologies, including potential misuse by hackers or authoritarian regimes. | Details |
| 2025-12-09 17:10:29 | bleepingcomputer | VULNERABILITIES | Enhancing IT Hygiene with Wazuh to Mitigate Security Risks | Organizations face challenges in maintaining IT infrastructure visibility and control, risking exposure to vulnerabilities through outdated software, unauthorized services, and malicious extensions.
Wazuh, an open-source security platform, offers an IT hygiene capability that provides centralized monitoring and management of system configurations across enterprise endpoints.
The platform's IT hygiene feature includes file integrity monitoring, configuration assessment, and vulnerability detection, enabling proactive identification and resolution of security gaps.
Security teams can leverage Wazuh's dashboard to efficiently audit user accounts, manage software patches, and monitor browser extensions, reducing manual effort and error risks.
Effective IT hygiene practices help prevent unauthorized access, malware infections, and data exfiltration, safeguarding organizational compliance and reputation.
Organizations are encouraged to integrate Wazuh's findings into existing workflows, automate alerts for deviations, and maintain thorough documentation of security actions.
Regular audits and training for security personnel are recommended to ensure ongoing alignment with security policies and to address potential configuration drifts. | Details |
| 2025-12-09 17:10:29 | bleepingcomputer | VULNERABILITIES | Ivanti Urges Immediate Patch for Critical Endpoint Manager Flaw | Ivanti has issued a warning to patch a critical vulnerability in its Endpoint Manager (EPM), identified as CVE-2025-10573, which could allow remote code execution.
The flaw affects Ivanti's EPM, a widely used tool for managing client devices across various platforms, including Windows and macOS.
Exploitation is a low-complexity cross-site scripting attack that needs an administrator to interact with attacker-controlled content; it then runs arbitrary JavaScript in the admin's session.
Although EPM is not meant to be exposed to the internet, hundreds of internet-facing instances are tracked, primarily in the U.S., Germany, and Japan.
The same release fixes three high-severity vulnerabilities, all of which also require user interaction to exploit.
No current evidence suggests exploitation of these vulnerabilities, which were responsibly disclosed, but past EPM flaws have been targeted.
CISA previously flagged several EPM vulnerabilities as exploited, urging U.S. federal agencies to patch them promptly. | Details |
| 2025-12-09 17:00:39 | bleepingcomputer | CYBERCRIME | Spanish Teen Arrested for Massive Data Theft and Sale Attempt | Spanish authorities have arrested a 19-year-old in Barcelona, accused of stealing 64 million records from nine companies, with intentions to sell the data online.
The stolen data included sensitive personal information such as full names, addresses, email addresses, phone numbers, DNI numbers, and IBAN codes.
The investigation began in June when authorities detected breaches at unnamed firms, leading to the suspect's identification and arrest in Igualada, Barcelona.
The suspect allegedly used six accounts and five pseudonyms on hacker forums to attempt the sale of the stolen data.
During the arrest, police seized computers and cryptocurrency wallets, which contained funds believed to be proceeds from data sales.
In a separate case, Ukrainian cyberpolice arrested a 22-year-old for using custom malware to hack social media accounts, primarily targeting users in the U.S. and Europe.
The Ukrainian hacker faces severe legal consequences, including up to 15 years in prison and restrictions on future professional activities. | Details |
| 2025-12-09 16:08:26 | thehackernews | MALWARE | GrayBravo Expands CastleLoader Malware Service with New Threat Clusters | Recorded Future's Insikt Group has identified four distinct threat clusters utilizing the CastleLoader malware, attributed to the threat actor GrayBravo, previously known as TAG-150.
GrayBravo operates under a malware-as-a-service model, offering tools like CastleRAT and CastleBot, which include components for downloading and executing various payloads.
The CastleBot framework supports multiple malware families, including DeerStealer and RedLine Stealer, highlighting its versatility and appeal to cybercriminals.
GrayBravo's infrastructure features multi-tiered command-and-control servers, with victim-facing and backup VPS servers, enhancing operational resilience and effectiveness.
Phishing campaigns by GrayBravo exploit freight-matching platforms, using fraudulent accounts to impersonate logistics firms and increase the credibility of their attacks.
The expansion of GrayBravo's user base demonstrates the rapid proliferation of effective and technically advanced malware within the cybercriminal ecosystem.
The activity suggests a sophisticated understanding of industry operations, particularly in the transportation and logistics sectors, to enhance deception and impact. | Details |