End-of-Day report
Timeframe: Thursday 18-12-2025 18:00 - Friday 19-12-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
News
Critical zero-day vulnerability in Cisco Secure Email products actively exploited
In an advisory published on 17 December, Cisco warns of a critical, as yet unpatched vulnerability (CVE-2025-20393) in its AsyncOS-based email security products. The flaw carries the maximum CVSS score of 10.0 and allows remote attackers to execute arbitrary commands with root privileges on affected systems. According to Cisco, the vulnerability has been actively exploited since at least November 2025.
https://www.cert.at/de/aktuelles/2025/12/kritische-zero-day-lucke-in-cisco-secure-email-losungen-aktiv-ausgenutzt
Critical vulnerabilities in several Fortinet products (FortiCloud SSO) - actively exploited - updates available
19 December 2025. Several Fortinet products contain critical vulnerabilities in the FortiCloud SSO login mechanism. The flaws allow unauthenticated attackers to bypass FortiCloud SSO authentication using crafted SAML messages and gain administrative access. The vulnerabilities are already being actively exploited.
https://www.cert.at/de/warnungen/2025/12/kritische-sicherheitslucken-in-mehreren-fortinet-produkten-forticloud-sso-aktiv-ausgenutzt-updates-verfugbar
Amazon: North Korean fake IT worker unmasked thanks to keyboard lag
A North Korean fraudster apparently obtained a job at Amazon through a contractor. The fact that his keystrokes had to travel halfway around the world was noticed.
https://www.golem.de/news/amazon-nordkoreanischer-fake-itler-dank-tastatur-lag-enttarnt-2512-203445.html
Via German IP addresses: hackers attack VPN access points en masse
VPN gateways from Cisco and Palo Alto Networks are under attack. The attacks appear to run primarily through a German hosting provider.
https://www.golem.de/news/ueber-deutsche-ip-adressen-hacker-attackieren-massenhaft-vpn-zugaenge-2512-203459.html
Yet another DCOM object for lateral movement
Kaspersky expert describes how DCOM interfaces can be abused to load malicious DLLs into memory using the Windows Registry and Control Panel.
https://securelist.com/lateral-movement-via-dcom-abusing-control-panel/118232/
China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware
A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023.
https://thehackernews.com/2025/12/china-aligned-threat-group-uses-windows.html
Your car's web browser may be on the road to cyber ruin
Study finds built-in browsers across gadgets often ship years out of date. Web browsers for desktop and mobile devices tend to receive regular security updates, but that often isn't the case for those that reside within game consoles, televisions, e-readers, cars, and other devices. These outdated, embedded browsers can leave you open to phishing and other security vulnerabilities.
https://www.theregister.com/2025/12/18/web_browsers_in_devices_security_vulnerabilities/
Federal trojan: BND to be allowed to enter homes to install spyware
The Chancellery is reforming the BND Act: more powers, including entering homes to install surveillance software.
https://www.heise.de/news/Bundestrojaner-BND-soll-zur-Spyware-Installation-in-Wohnungen-eindringen-duerfen-11121838.html
CISA warns ASUS Live Update backdoor is still exploitable, seven years on
Seven years after the original attack, CISA has added the ASUS Live Update backdoor to its Known Exploited Vulnerabilities catalog.
https://www.malwarebytes.com/blog/news/2025/12/cisa-warns-asus-live-update-backdoor-is-still-exploitable-seven-years-on
ESET Threat Report H2 2025
A look at the threat landscape in the second half of 2025 from the perspective of ESET telemetry and experts.
https://www.welivesecurity.com/de/eset-research/eset-threat-report-h2-2025/
Austria's high court orders Meta to change its personalized ad practices
Austria's Supreme Court ruled that Meta's personalized advertising model is illegal - a ruling that will set legal precedent across the European Union.
https://therecord.media/austria-court-meta-ruling
Iranian APT 'Prince of Persia' Resurfaces With New Tools and Targets
SafeBreach reports the resurgence of the Iranian APT group Prince of Persia (Infy). Discover how these state-sponsored hackers are now using Telegram bots and Thunder and Lightning malware to target victims globally across Europe, India, and Canada.
https://hackread.com/iran-apt-prince-of-persia-resurfaces/
Lazarus Group Embeds New BeaverTail Variant in Developer Tools
North Korea's Lazarus Group deploys a new BeaverTail variant to steal credentials and crypto using fake job lures, dev tools, and smart contracts.
https://hackread.com/lazarus-embed-beavertail-variant-developer-tools/
CISA and Partners Release Update to Malware Analysis Report BRICKSTORM Backdoor
Today, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canadian Centre for Cyber Security released an update to the Malware Analysis Report BRICKSTORM Backdoor with indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples. This update provides information on additional samples, including Rust-based samples.
https://www.cisa.gov/news-events/alerts/2025/12/19/cisa-and-partners-release-update-malware-analysis-report-brickstorm-backdoor
I got hacked, my server started mining Monero this morning
My first thought was "I'm completely fucked." My host had been running a crypto miner for a week, the whole thing was borked. Time to just nuke it from orbit and rebuild.
https://blog.jakesaunders.dev/my-server-started-mining-monero-this-morning/
Vulnerabilities
New critical WatchGuard Firebox firewall flaw exploited in attacks
WatchGuard has warned customers to patch a critical, actively exploited remote code execution (RCE) vulnerability in its Firebox firewalls.
https://www.bleepingcomputer.com/news/security/watchguard-warns-of-new-rce-flaw-in-firebox-firewalls-exploited-in-attacks/
New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards
Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access (DMA) attacks across architectures that implement a Unified Extensible Firmware Interface (UEFI) and input-output memory management unit (IOMMU).
https://thehackernews.com/2025/12/new-uefi-flaw-enables-early-boot-dma.html
HPE tells customers to patch fast as OneView RCE bug scores a perfect 10
Maximum-severity vuln lets unauthenticated attackers execute code on trusted infra management platform. Hewlett Packard Enterprise has told customers to drop whatever they're doing and patch OneView after admitting a maximum-severity bug could let attackers run code on the management platform without so much as a login prompt.
https://www.theregister.com/2025/12/19/hpe_oneview_rce_bug/
Out-of-band Windows update fixes Message Queuing problems
Windows security updates cause disruptions to Message Queuing (MSMQ) on Windows 10 and Server up to 2019. Out-of-band updates resolve the issue.
https://www.heise.de/news/Update-ausser-der-Reihe-Microsoft-fixt-Message-Queuing-Probleme-11120586.html
Security updates for Friday
Security updates have been issued by Debian (roundcube), Fedora (checkpointctl, containernetworking-plugins, mingw-libpng, NetworkManager, php, python3-docs, python3.13, and webkitgtk), Oracle (kernel, keylime, and libssh), and SUSE (apache2, clair, colord, flannel, gnutls, golang-github-prometheus-alertmanager, grafana, grub2, helm, ImageMagick, libpng16, netty, openssl-3, postgresql13, postgresql14, postgresql15, python36, salt, uyuni-tools, and venv-salt-minion).
https://lwn.net/Articles/1051384/
CISA Releases Nine Industrial Control Systems Advisories
CISA released nine Industrial Control Systems (ICS) Advisories. Affected products are: Inductive Automation Ignition, Schneider Electric EcoStruxure Foxboro DCS Advisor, National Instruments LabVIEW, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products, Siemens Interniche IP-Stack, Advantech WebAccess/SCADAm, Rockwell Automation (Micro820, Micro850, Micro870), Axis Communications (Camera Station Pro, Camera Station, and Device Manager), and Mitsubishi Electric CNC Series (Update C).
https://www.cisa.gov/news-events/alerts/2025/12/18/cisa-releases-nine-industrial-control-systems-advisories
ZDI-25-1140: (0Day) Hugging Face Accelerate Deserialization of Untrusted Data Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-1140/
ZDI-25-1152: (0Day) NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-1152/
ZDI-25-1147: (0Day) Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-1147/
ZDI-25-1164: RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-1164/