TLDR Security — Sunday, December 28, 2025

5 min read

Gooooood morning everyone! Sorry I missed last week - the weekend got away from me with the family but here we are. I hope everyone has been having some time well spent with their families!

Edge devices are under siege. This week brought another wave of actively exploited zero-days in firewalls, VPN appliances, and email gateways from WatchGuard, SonicWall, Cisco, and Fortinet, in what WatchGuard describes as a wider attack campaign against edge networking equipment and exposed infrastructure from multiple vendors.

.\ WatchGuard Firebox zero-day under active exploitation with 125,000 devices exposed

WatchGuard disclosed CVE-2025-14733 (CVSS 9.3) on December 18, and CISA added it to KEV on December 19 with an accelerated one-week deadline of December 26. The out-of-bounds write in the Fireware OS iked process gives an unauthenticated remote attacker code execution on Firebox appliances configured with IKEv2 VPN (the bug is not reachable on appliances without one). WatchGuard confirmed threat actors are exploiting this flaw "as part of a wider attack campaign against edge networking equipment and exposed infrastructure from multiple vendors." The Shadowserver Foundation reports roughly 125,000 vulnerable devices exposed globally, with 35,000 in the United States alone. Administrators should update to Fireware OS v2025.1.4, v12.11.6, or v12.5.15 immediately. Patching closes the hole but does not evict anyone already inside, so also check for the indicators of compromise published in WatchGuard's advisory.

.\ Source shelf: WatchGuard Advisory · Dark Reading · BleepingComputer

.\ Cisco AsyncOS zero-day exploited by Chinese APT to deploy custom backdoors

Cisco disclosed a critical zero-day (CVE-2025-20393, CVSS 10) in AsyncOS on December 17 after discovering active exploitation during a TAC support case. The flaw affects Cisco Secure Email Gateway and Secure Email and Web Manager appliances that have the Spam Quarantine feature enabled and exposed to the internet. Cisco Talos attributes the campaign to UAT-9686, assessed with moderate confidence to be a China-affiliated threat actor. Attackers deployed AquaShell, a Python-based backdoor, along with the reverse SSH tunneling tools AquaTunnel and Chisel for persistent access. CISA added the vulnerability to KEV with a December 24 deadline. Because rebuilding the appliance is currently the only way to remove the persistence mechanism, organizations should treat any appliance that exposed Spam Quarantine to the internet as compromised until proven otherwise and contact Cisco TAC rather than simply patching forward.

.\ Source shelf: Cisco Advisory · Help Net Security · Arctic Wolf

.\ SonicWall SMA1000 zero-day chained for unauthenticated root access

SonicWall patched CVE-2025-40602 (CVSS 6.6) on December 17 after Google Threat Intelligence Group reported the flaw was being chained with CVE-2025-23006 (CVSS 9.8) to achieve unauthenticated remote code execution with root privileges. On its own, CVE-2025-40602 is a local privilege escalation in the SMA1000 Appliance Management Console that requires an authenticated session; CVE-2025-23006, the pre-authentication deserialization bug SonicWall patched in January, supplies the initial foothold, and the two together take an attacker from no credentials to root. Appliances that never received January's fix are therefore the ones exposed to the full chain, but the privilege escalation needs patching on every unit. CISA added CVE-2025-40602 to KEV with a December 24 deadline. Administrators should upgrade to version 12.4.3-03245 or 12.5.0-02283 and restrict AMC access to trusted sources.

.\ Source shelf: SonicWall Advisory · The Register · Tenable

.\ Fortinet FortiCloud SSO bypass exploited within days of patch release

Arctic Wolf observed malicious SSO logins on FortiGate appliances starting December 12, just three days after Fortinet released patches for CVE-2025-59718 and CVE-2025-59719 (both CVSS 9.8). The authentication bypass flaws let an attacker forge SAML messages and pass FortiCloud SSO authentication without credentials, but only if the feature is enabled. The wrinkle: FortiCloud SSO is disabled by default, yet it is automatically enabled when administrators register a device to FortiCare through the GUI unless they explicitly toggle it off, so "we never turned that on" is not a safe assumption. Attackers are authenticating as admin and immediately downloading configuration files containing hashed credentials. CISA added CVE-2025-59718 to KEV on December 16 with a December 23 deadline. Organizations should disable FortiCloud SSO login immediately while patching FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, review admin login logs for SSO sessions going back to at least December 12, and, if any indicators of compromise are present, treat every credential in the downloaded configuration as exposed and rotate it.
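Since the dangerous case is a setting that was flipped on silently, sweeping a fleet's config backups is a quick way to find it. The script below is an added example, not Fortinet's or this newsletter's code: it parses the plain-text FortiOS backup format and reports whether admin-forticloud-sso-login under config system global is explicitly enabled, explicitly disabled, or absent (the factory default, which is disabled). The setting name is taken from Fortinet's published workaround and should be confirmed against your firmware's CLI reference; the three sample backups, the hostnames, and the helper names (parse_system_global, sso_state, audit, exposed) are constructed for illustration.

```python
"""Audit FortiGate config backups for the FortiCloud SSO admin-login setting.

Added example; not Fortinet's or the newsletter's own code. Parses the
plain-text FortiOS backup format (nested config/edit ... next/end blocks)
and reports whether admin-forticloud-sso-login under "config system global"
is explicitly enabled, explicitly disabled, or absent (factory default,
which is disabled). The setting name follows Fortinet's published
workaround; the sample backups below are constructed for illustration.
"""
import shlex

SSO_KEY = "admin-forticloud-sso-login"  # assumed name; check your CLI reference


def parse_system_global(config_text: str) -> dict:
    """Return the `set` entries that sit directly under `config system global`."""
    settings = {}
    stack = []  # open config/edit blocks, innermost last
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and the #config-version header
        if line.startswith(("config ", "edit ")):
            stack.append(line)
        elif line in ("end", "next"):
            if stack:
                stack.pop()
        elif line.startswith("set ") and stack and stack[-1] == "config system global":
            parts = shlex.split(line[4:])  # handles quoted values such as "FGT-01"
            if parts:
                settings[parts[0]] = " ".join(parts[1:])
    return settings


def sso_state(config_text: str) -> str:
    """Classify one backup as 'enabled', 'disabled' or 'default (disabled)'."""
    value = parse_system_global(config_text).get(SSO_KEY)
    if value is None:
        return "default (disabled)"
    return "enabled" if value == "enable" else "disabled"


def audit(backups: dict) -> dict:
    """Map each device hostname (falling back to the filename) to its SSO state."""
    verdicts = {}
    for filename, text in backups.items():
        host = parse_system_global(text).get("hostname") or filename
        verdicts[host] = sso_state(text)
    return verdicts


def exposed(backups: dict) -> list:
    """Hostnames that need SSO switched off before (and after) patching."""
    return sorted(host for host, state in audit(backups).items() if state == "enabled")


# Constructed sample backups (not real devices). fw-a was registered to
# FortiCare through the GUI, the path the newsletter says turns SSO on silently.
SAMPLE_BACKUPS = {
    "fw-a.conf": """\
#config-version=FGT60F-7.4.5-FW-build2702-240913:opmode=0:vdom=0:user=admin
config system global
    set admin-sport 443
    set admin-forticloud-sso-login enable
    set hostname "FGT-BRANCH-01"
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
""",
    "fw-b.conf": """\
config system global
    set hostname "FGT-DC-02"
    set admin-forticloud-sso-login disable
end
""",
    "fw-c.conf": """\
config system global
    set hostname "FGT-LAB-03"
end
""",
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE_BACKUPS).items()):
        print(f"{host:16} FortiCloud SSO admin login: {state}")
    print("disable SSO on:", ", ".join(exposed(SAMPLE_BACKUPS)) or "nothing")
```

The block tracks nesting depth rather than grepping for the key, so a config system global section inside a multi-VDOM backup's config global wrapper is still found, and a set line under some other block with a similar name is not. An absent key is reported separately from an explicit disable because the two tell you different things about how the device was provisioned.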

.\ Source shelf: Fortinet Advisory · Arctic Wolf · Rapid7

.\ Apple patches two WebKit zero-days exploited in "extremely sophisticated" targeted attacks

Apple released emergency updates on December 12 for CVE-2025-43529 and CVE-2025-14174 after confirming both were exploited in highly targeted attacks against specific individuals running iOS versions prior to iOS 26. CVE-2025-43529 is a use-after-free vulnerability enabling arbitrary code execution, while CVE-2025-14174 causes memory corruption—both triggered by processing malicious web content. Notably, CVE-2025-14174 also affected Chrome and Edge through the shared ANGLE graphics library; Google patched it on December 10. The joint discovery by Apple SEAR and Google TAG, combined with the targeting language, points strongly to commercial spyware. Updates are available for iOS/iPadOS 26.2 and 18.7.3, macOS Tahoe 26.2, Safari 26.2, tvOS 26.2, watchOS 26.2, and visionOS 26.2. CISA added CVE-2025-43529 to KEV with a January 5, 2026 deadline.

.\ Source shelf: Apple Security Updates · SecurityWeek · The Hacker News

.\ Trust Wallet Chrome extension compromised in supply chain attack—$7 million drained on Christmas

Attackers compromised Trust Wallet's Chrome extension in a supply chain attack that drained approximately $7 million from hundreds of users over the Christmas holiday. The malicious version 2.68, released December 24, contained JavaScript that harvested wallet seed phrases and transmitted them to an attacker-controlled domain (metrics-trustwallet[.]com) registered December 8. On-chain investigator ZachXBT flagged suspicious outflows December 25; Trust Wallet confirmed the breach December 26. Stolen funds, including $3 million in Bitcoin and $3 million in Ethereum, were laundered through ChangeNOW, FixedFloat, and KuCoin. Binance co-founder Changpeng Zhao hinted at possible insider involvement, though the company also suggested nation-state actors may have compromised developer devices or deployment credentials. Trust Wallet has committed to reimbursing affected users through Binance's SAFU fund. Users should upgrade to version 2.69 immediately, but the update only stops further collection: anyone who ran version 2.68 should treat their seed phrase as stolen, create a new wallet with a freshly generated seed, and move funds to it, because a leaked phrase stays leaked no matter what the extension does afterward.

.\ Source shelf: BleepingComputer · The Hacker News · CoinDesk

.\ Aflac confirms 22.6 million affected in June breach—Scattered Spider suspected

Insurance giant Aflac disclosed this week that a June cyberattack exposed personal and health data for approximately 22.65 million people, nearly half its customer base. Stolen data includes names, dates of birth, Social Security numbers, driver's license numbers, passport numbers, and medical/health insurance information. In filings with state attorneys general, Aflac indicated the attackers "may be affiliated with a known cyber-criminal organization" targeting the insurance industry. The timing and targeting align with Scattered Spider, the English-speaking collective behind the 2023 MGM and Caesars attacks. Aflac detected the intrusion June 12 and says no ransomware was deployed and operations weren't disrupted. The company is offering 24 months of credit monitoring and identity protection, with enrollment open through April 2026.

.\ Source shelf: TechCrunch · Aflac Newsroom · SiliconANGLE

.\ Also Notable

.\ Ops Bench

Edge device patching is the priority this week. The campaign working through WatchGuard, SonicWall, Cisco, and Fortinet appliances means attackers are systematically targeting firewall, VPN, and email gateway infrastructure. Prioritize the WatchGuard Firebox update (KEV deadline passed December 26), verify FortiCloud SSO is disabled on every FortiGate until it is patched (and afterwards, unless you actually use it), and audit any internet-exposed management interfaces. A patched box that was already backdoored is still the attacker's box, so pair each update with the vendor's indicator-of-compromise check.
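For turning the KEV catalog into a worklist rather than a reading assignment, here is an added Python example (not CISA tooling or this newsletter's own code): it reads the JSON shape the live feed publishes and buckets entries as overdue, due soon, or later relative to a reference date, optionally filtered to the vendors you run. KEV_URL is the real feed address; the SAMPLE_KEV entries are constructed from this issue's items, and any dateAdded value or ransomware flag the newsletter does not state is a placeholder. The helper names (load_entries, fetch_live, triage, render) are this example's own. Run it against the live feed before acting on the dates.

```python
"""Bucket CISA KEV entries by remediation deadline.

Added example; not CISA tooling or the newsletter's own code. Consumes the
JSON shape the live KEV feed publishes (a top-level "vulnerabilities" list
whose items carry cveID, vendorProject, product, dateAdded, dueDate and
knownRansomwareCampaignUse) and sorts entries into overdue, due within a
horizon, and later. SAMPLE_KEV is constructed from this issue's items;
dateAdded values and ransomware flags the newsletter does not state are
placeholders, so pull the live feed before acting on them.
"""
import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the live feed's shape. Only dueDate drives the triage.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-14733", "vendorProject": "WatchGuard", "product": "Fireware OS",
     "dateAdded": "2025-12-19", "dueDate": "2025-12-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-20393", "vendorProject": "Cisco", "product": "AsyncOS",
     "dateAdded": "2025-12-17", "dueDate": "2025-12-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-40602", "vendorProject": "SonicWall", "product": "SMA1000",
     "dateAdded": "2025-12-17", "dueDate": "2025-12-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-59718", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2025-12-16", "dueDate": "2025-12-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-43529", "vendorProject": "Apple", "product": "WebKit",
     "dateAdded": "2025-12-15", "dueDate": "2026-01-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-55182", "vendorProject": "Meta", "product": "React Server Components",
     "dateAdded": "2025-12-05", "dueDate": "2025-12-26", "knownRansomwareCampaignUse": "Known"},
]})


def load_entries(raw_json: str) -> list:
    """Parse a KEV JSON document (saved file or feed body) into its entry list."""
    return json.loads(raw_json)["vulnerabilities"]


def fetch_live(timeout: int = 30) -> list:
    """Download the current catalog. Needs network; the sample run below does not call it."""
    with urllib.request.urlopen(KEV_URL, timeout=timeout) as resp:
        return load_entries(resp.read().decode("utf-8"))


def triage(entries: list, today: str, horizon_days: int = 14, vendors=None) -> dict:
    """Split entries into 'overdue', 'due_soon' and 'later' relative to `today` (ISO date).

    Each item is (days_until_due, cveID, vendor, product, ransomware_flag);
    negative days means the deadline has passed. Lists are sorted so the
    most overdue entry comes first. `vendors` optionally restricts the set
    to the products you actually run.
    """
    ref = date.fromisoformat(today)
    buckets = {"overdue": [], "due_soon": [], "later": []}
    for e in entries:
        if vendors and e["vendorProject"] not in vendors:
            continue
        days = (date.fromisoformat(e["dueDate"]) - ref).days
        item = (days, e["cveID"], e["vendorProject"], e["product"],
                e.get("knownRansomwareCampaignUse", "Unknown"))
        if days < 0:
            buckets["overdue"].append(item)
        elif days <= horizon_days:
            buckets["due_soon"].append(item)
        else:
            buckets["later"].append(item)
    for items in buckets.values():
        items.sort()
    return buckets


def render(buckets: dict) -> str:
    """Plain-text worklist, most urgent first."""
    lines = []
    for name in ("overdue", "due_soon", "later"):
        lines.append(f"== {name} ({len(buckets[name])}) ==")
        for days, cve, vendor, product, ransomware in buckets[name]:
            when = f"{-days}d overdue" if days < 0 else f"due in {days}d"
            lines.append(f"  {cve:15} {vendor:11} {product:24} {when:13} ransomware={ransomware}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Reference date is this issue's publication date; swap in fetch_live() for real use.
    print(render(triage(load_entries(SAMPLE_KEV), today="2025-12-28")))
```

Run against the publication date, every edge-device entry in the sample lands in the overdue bucket and only the Apple WebKit CVE is still ahead of its deadline, which is the same ordering the Ops Bench asks for. Feeding the vendors filter with the set of products in your asset inventory is what makes the output actionable; the unfiltered catalog is too long to read on a Sunday.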

.\ Source shelf: CISA KEV Catalog

React2Shell (CVE-2025-55182) CISA deadline was December 26. If you haven't already patched React 19.x and Next.js 15.x/16.x deployments, treat this as overdue. Wiz reports 39% of cloud environments contain vulnerable instances, and exploitation has expanded from cryptominers to ransomware operators including Weaxor.

.\ Source shelf: Wiz Research · Microsoft Security Blog

Catch y'all at the end of the week! Happy New Year!