Critical Cybersecurity Threats: December 11-12 2025 Roundup for IT Professionals

The Threat Landscape Intensifies as 2025 Closes

The last weeks of 2025 have shown that threat actors do not take holiday breaks. On December 11 and 12, security teams around the world responded to active exploitation campaigns, emergency advisories for critical infrastructure, and advanced supply chain attacks aimed at developer environments. IT Directors and CISOs need to act quickly in response to this week's developments. The most urgent tasks are fixing vulnerabilities in industrial control systems and patching the actively exploited Chrome zero-day. Advanced phishing kits and supply chain attacks are also growing threats and should be closely watched. These combined risks require a coordinated and prioritized response.

CISA Issues 12 Industrial Control Systems Advisories

On December 11, 2025, CISA released 12 Industrial Control Systems (ICS) advisories addressing vulnerabilities across multiple vendors and sectors. For organizations operating in critical manufacturing, healthcare, or energy sectors, these advisories warrant immediate review.

Johnson Controls iSTAR Access Control Systems

Two high-severity OS command injection vulnerabilities (CVE-2025-43875 and CVE-2025-43876) affect Johnson Controls' iSTAR physical access control systems, including the iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 product lines. Both vulnerabilities carry a CVSS v4 score of 8.7. The flaws are remotely exploitable with low attack complexity. Successful exploitation could result in unauthorized access to the device, potentially compromising physical security infrastructure. Affected versions include iSTAR Ultra and Ultra SE versions prior to 6.9.7.CU01, and iSTAR Ultra G2, Ultra G2 SE, and Edge G2 versions prior to 6.9.3. Organizations using these access control systems should apply patches right away and review Johnson Controls Product Security Advisories JCI-PSA-2025-14 and JCI-PSA-2025-15 for detailed guidance. Important steps include patching, segmenting networks to limit unauthorized access, and reviewing current protections to find other vulnerabilities.

AzeoTech DAQFactory Vulnerabilities

Multiple memory corruption vulnerabilities affect AzeoTech DAQFactory release 20.7 (Build 2555), a widely used data acquisition and control system in industrial environments. The vulnerabilities (CVE-2025-66585 through CVE-2025-66590) include memory corruption, use-after-free, and out-of-bounds read/write conditions triggered by parsing malicious .ctl files. These flaws have CVSS scores between 7.3 and 8.4 and could let attackers run code or crash systems. Although an attacker needs a user to open a crafted file, the risk of targeted attacks on industrial operators is a serious concern.

Siemens Product Advisories

CISA published multiple advisories for Siemens products affecting critical manufacturing sectors. Notable among these are vulnerabilities in the SINEMA Remote Connect Server that allow license restriction bypass (CVE-2025-40818, CVE-2025-40819), Siemens IAM Client with a CVSS v4 score of 9.1 (CVE-2025-40800), and Siemens Gridscale X Prepay with authentication token capture-replay vulnerabilities (CVE-2025-40806, CVE-2025-40807).

Healthcare Sector: Grassroots DICOM (GDCM) Vulnerability

The medical advisory ICSMA-25-345-01 addresses an out-of-bounds write vulnerability (CVE-2025-11266) in Grassroots DICOM (GDCM), affecting versions 3.0.24 and prior. This open-source library is widely used in medical imaging applications, with dependent products including SimpleITK (versions 2.5.2 and prior) and medInria (versions 4.0 and prior). The vulnerability occurs when parsing malformed DICOM files with encapsulated PixelData fragments. Exploitation requires opening a crafted file, so healthcare organizations should update to GDCM v3.2.2 or later as soon as possible, given the sensitive nature of medical imaging and the risk of targeted attacks.

Organizations with industrial control systems or medical devices should follow CISA’s defensive measures. Minimize network exposure so these devices are not accessible from the internet. Place control system networks and remote devices behind firewalls to keep them separate from business networks. If remote access is needed, use secure methods like VPNs and keep them updated. Focus on isolating control systems, securing remote access, and reducing network exposure to strengthen defenses.

Chrome Zero-Day Under Active Exploitation

Google released emergency security updates on December 10-11 to address a high-severity vulnerability in Chrome that is being actively exploited in the wild. The flaw resides in Google's ANGLE (Almost Native Graphics Layer Engine) library. Google has limited details about the vulnerability until more users have patched, but Chromium commit messages show it involves improper buffer sizing in ANGLE's Metal renderer. This buffer overflow could cause memory corruption or program crashes. Organizations should ensure Chrome browsers are updated to the latest version immediately. For enterprises managing Chrome deployments, prioritize this update in your patch management cycle due to confirmed active exploitation.

Advanced Phishing Kits Leverage AI and MFA Bypass

Zscaler ThreatLabz researchers documented four new phishing kits that represent the next evolution in credential theft capabilities: BlackForce, GhostFrame, InboxPrime AI, and Spiderman.

BlackForce: MFA Bypass at Scale

BlackForce, first detected in August 2025 and actively developed through versions 4 and 5, is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication. The kit is sold on Telegram forums for $200-$300 and has been used to impersonate over 11 brands including Disney, Netflix, DHL, and UPS. The kit uses advanced evasion techniques, such as blocklists that filter out security vendors, web crawlers, and scanners. This makes detection harder for traditional security tools.

Implications for Enterprise Security

The rise of phishing kits that can bypass MFA is a major change in the threat landscape. Organizations should use phishing-resistant MFA like FIDO2/WebAuthn hardware keys, set up browser isolation for high-risk users, and improve user training to spot impersonation attempts. These steps may require extra resources and technical work, so IT leaders should plan for these challenges to ensure smooth deployment and strong defenses.

NANOREMOTE Backdoor Uses Cloud APIs for Covert C2

Elastic Security Labs disclosed details of NANOREMOTE, a sophisticated Windows backdoor that leverages Google Drive API for command-and-control communications. The malware shares code with FINALDRAFT (also known as Squidoor), which is attributed to threat cluster REF7707.

Technical Capabilities

NANOREMOTE uses legitimate cloud services for command and control, making it hard to detect because malicious traffic looks like normal traffic. Its main features include file transfers with queuing, pausing, and resuming for ongoing data theft, payload staging through Google Drive to avoid network detection, and a task management system for complex operations.

Detection Recommendations

Organizations should watch for unusual Google Drive API usage, such as high file upload or download volumes and connections from unknown applications. Using cloud access security broker (CASB) solutions can help monitor encrypted traffic to cloud services and spot suspicious activity.
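The detection guidance above, as an added example that is not from the article or from Elastic's research: a small detector that runs over constructed proxy/CASB log lines and flags Drive API use by unapproved processes and unusually large transfer volumes. The log schema, the approved-client list and the byte thresholds are assumptions for illustration.

```python
# Added example (not from the article): applies the Drive API detection
# recommendations to constructed log lines. Field names, approved clients
# and thresholds are assumptions, not vendor defaults.
import json
from collections import defaultdict

# Constructed sample: one JSON record per line (assumed schema).
SAMPLE_LOGS = """
{"host":"ws-01","process":"GoogleDriveFS.exe","url":"https://www.googleapis.com/drive/v3/files","bytes_out":2048,"bytes_in":4096}
{"host":"ws-01","process":"GoogleDriveFS.exe","url":"https://www.googleapis.com/drive/v3/files/abc","bytes_out":512,"bytes_in":65536}
{"host":"ws-07","process":"svchost_update.exe","url":"https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart","bytes_out":9000000,"bytes_in":300}
{"host":"ws-07","process":"svchost_update.exe","url":"https://www.googleapis.com/drive/v3/files?q=name","bytes_out":400,"bytes_in":1200}
{"host":"ws-07","process":"svchost_update.exe","url":"https://www.googleapis.com/drive/v3/files/xyz?alt=media","bytes_out":300,"bytes_in":5000000}
{"host":"ws-03","process":"chrome.exe","url":"https://www.googleapis.com/drive/v3/about","bytes_out":300,"bytes_in":900}
"""

# Processes expected to talk to the Drive API on managed endpoints (assumption).
APPROVED_CLIENTS = {"GoogleDriveFS.exe", "chrome.exe", "msedge.exe"}
UPLOAD_THRESHOLD = 5_000_000    # bytes out per host/process (assumption)
DOWNLOAD_THRESHOLD = 5_000_000  # bytes in per host/process (assumption)

def is_drive_api(url: str) -> bool:
    """True for Google Drive REST endpoints (files, upload, about, ...)."""
    return url.startswith("https://www.googleapis.com/") and "/drive/" in url

def analyse(log_text: str) -> list[str]:
    """Return findings for unknown Drive clients and high transfer volumes."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "calls": 0})
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not is_drive_api(rec["url"]):
            continue
        key = (rec["host"], rec["process"])
        totals[key]["out"] += rec["bytes_out"]
        totals[key]["in"] += rec["bytes_in"]
        totals[key]["calls"] += 1
    findings = []
    for (host, proc), t in sorted(totals.items()):
        if proc not in APPROVED_CLIENTS:
            findings.append(f"{host}: unapproved process {proc} using Drive API ({t['calls']} calls)")
        if t["out"] > UPLOAD_THRESHOLD:
            findings.append(f"{host}: {proc} uploaded {t['out']} bytes to Drive (possible exfiltration)")
        if t["in"] > DOWNLOAD_THRESHOLD:
            findings.append(f"{host}: {proc} downloaded {t['in']} bytes from Drive (possible payload staging)")
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS):
        print(finding)
```

Totals are aggregated per host and process for the whole input; in production the same logic would run per time window so that a slow, resumable transfer is still caught.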

Software Supply Chain Under Siege: Malicious Extensions and Repositories

Developer-targeted attacks continued escalating in December, with multiple campaigns exploiting trusted platforms to distribute malware.

Malicious VS Code Extensions

Several campaigns have targeted developers through the Visual Studio Code Marketplace. ReversingLabs found 19 malicious VS Code extensions active since February 2025. These use real npm packages to hide harmful files and bundle malicious binaries inside archives that look like PNG images. Koi Security also found extensions called "Bitcoin Black" and "Codo AI" that use DLL-based infostealers to collect screenshots, browser sessions, WiFi passwords, clipboard data, and stored credentials. These attacks use DLL hijacking to run malicious code as if it were a trusted program, like the Lightshot screenshot tool. ReversingLabs reports a sharp rise in malicious extension detections, from 27 in 2024 to 105 in the first ten months of 2025.

Fake GitHub Repositories Spread PyStoreRAT

Morphisec researchers documented a campaign leveraging GitHub-hosted Python repositories to distribute PyStoreRAT, a modular JavaScript-based Remote Access Trojan. The repositories masquerade as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities. PyStoreRAT can run a wide range of payloads, including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. It also installs Rhadamanthys, an information-stealing payload that targets developer environments where credentials and API keys may be stored.

Gogs Zero-Day Actively Exploited

A serious unpatched vulnerability in Gogs (CVE-2025-8110, CVSS 8.7) is being actively exploited, with over 700 compromised instances found online. Attackers can overwrite files using the file update API and gain SSH access to servers. Organizations using Gogs with open registration should take immediate steps to protect their systems until a patch is released.

Developer Security Recommendations

Development teams should set up policies that require approval before installing extensions, keep allowlists of trusted publishers and extensions, regularly check installed extensions on developer workstations, monitor networks for command and control communications from development environments, and verify that repositories are authentic before using third-party code.
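The extension allowlist and workstation audit described above, as an added example that is not from the article or from any of the vendors it cites: it parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints and reports anything outside the policy, calling out a same-name extension under an unapproved publisher separately, since that is the marketplace impersonation pattern. The sample listing, the publisher names and the policy contents are constructed assumptions.

```python
# Added example (not from the article): audits installed VS Code extensions
# against an allowlist. The listing and the policy below are constructed.

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
ms-python.python@2025.12.0
ms-vscode.cpptools@1.22.11
esbenp.prettier-vscode@11.0.0
example-pub.prettier-vscode@1.0.3
example-pub.bitcoin-black@0.0.2
"""

# Policy (assumption): trusted publishers, plus individually approved
# extensions from other publishers.
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode"}
APPROVED_EXTENSIONS = {"esbenp.prettier-vscode"}

def parse_listing(text: str) -> list[tuple[str, str, str]]:
    """Split 'publisher.name@version' lines into (publisher, name, version)."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ident, _, version = line.partition("@")
        publisher, _, name = ident.partition(".")
        out.append((publisher.lower(), name.lower(), version))
    return out

def audit(text: str) -> list[str]:
    """Return one finding per installed extension that violates the policy."""
    approved_names = {e.split(".", 1)[1] for e in APPROVED_EXTENSIONS}
    findings = []
    for publisher, name, version in parse_listing(text):
        ident = f"{publisher}.{name}"
        if publisher in TRUSTED_PUBLISHERS or ident in APPROVED_EXTENSIONS:
            continue
        # Same extension name under a different publisher: likely a lookalike
        # of an approved extension, so it is flagged for removal, not review.
        if name in approved_names:
            findings.append(f"{ident}@{version}: lookalike of approved extension, remove")
        else:
            findings.append(f"{ident}@{version}: not on allowlist, needs approval")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING):
        print(finding)
```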

CISA Releases 2025 CWE Top 25 and CPG 2.0

December 11 brought two significant releases from CISA that will shape security strategy into 2026 and beyond.

2025 CWE Top 25 Most Dangerous Software Weaknesses

In collaboration with MITRE, CISA published the annual ranking of software weaknesses most frequently exploited by adversaries. The list, based on analysis of 39,080 CVE records from June 2024 through June 2025, highlights familiar threats while revealing emerging patterns. Cross-site scripting (CWE-79) remains the top weakness, followed by SQL injection and cross-site request forgery (CSRF). Six new entries appeared on this year's list: Classic Buffer Overflow (CWE-120), Stack-based Buffer Overflow (CWE-121), Heap-based Buffer Overflow (CWE-122), Improper Access Control (CWE-284), Authorization Bypass Through User-Controlled Key (CWE-639), and Allocation of Resources Without Limits or Throttling (CWE-770). Ongoing memory-safety issues show the urgent need to use safer programming languages, strengthen compilers, and apply thorough fuzzing practices.

Cybersecurity Performance Goals 2.0

CISA also released updated Cross-Sector Cybersecurity Performance Goals (CPG 2.0), giving critical infrastructure owners and operators clear, measurable security practices. Key updates include alignment with the NIST Cybersecurity Framework, a new focus on accountability and risk management, and simpler practices to address the most common threats.

WIRTE APT Deploys New AshTag Espionage Backdoor

Unit 42 attributed attacks targeting government and diplomatic entities across the Middle East to the WIRTE APT group (tracked as Ashen Lepus), using a previously undocumented malware suite dubbed AshTag. Active since 2020, the campaign has expanded operations to target entities in Oman and Morocco, beyond previously known targets in the Palestinian Authority, Jordan, Iraq, and Saudi Arabia. The threat actor uses AshenLoader side-loading techniques to install the AshTag backdoor, showing ongoing and widespread espionage against government and diplomatic organizations in the region.

Strategic Recommendations for IT Professionals

The cybersecurity threats in December 2025 require a coordinated response across different areas.

Immediate Actions

Security teams should update Chrome across the enterprise, given confirmed active exploitation; review CISA ICS advisories for affected industrial control systems; audit VS Code and IDE extensions installed on developer workstations; and verify that Gogs installations are not publicly exposed with open registration.

Short-Term Initiatives

Organizations should implement phishing-resistant MFA for high-value accounts, establish developer tool governance policies and extension allowlists, deploy cloud access security broker solutions to provide visibility into cloud API usage, and integrate the CWE Top 25 into application security testing programs. To effectively track progress and demonstrate value to stakeholders, IT leaders should consider establishing key performance indicators (KPIs) such as patch compliance rate, MFA adoption percentage, the number of detected and mitigated supply chain vulnerabilities, and the effectiveness of cloud service API usage monitoring. These metrics will provide insight into the organization's cybersecurity posture and help ensure alignment with overall strategic goals.

Strategic Planning

Leaders should ensure security programs meet CISA CPG 2.0 requirements, consider using memory-safe languages for new projects, implement a zero-trust architecture for development environments, and establish supply chain security programs for third-party dependencies and developer tools.

Conclusion

As 2026 approaches, organizations that fix these vulnerabilities and build strong defenses against new attack methods will be better able to protect their critical assets. The real question is not if your organization will face these threats, but if you will be ready when they come. IT leaders who need to brief executives or boards should clearly explain the urgency and business impact of these threats. Stress that the threat landscape is becoming more complex and that strong security is not just an IT issue but a key business need. Point out that proactive risk management and ongoing security improvements are vital to protect the organization's reputation, finances, and customer trust.