Critical Cybersecurity Threats: December 15-17, 2025 Roundup for IT Leaders

Nation-State Actors and Rapid Exploitation Define Mid-December Threats

The cybersecurity landscape continues to intensify as we approach year-end. Between December 15-17, 2025, organizations faced active exploitation of newly disclosed Fortinet vulnerabilities within days of patch release, sophisticated Apple zero-days linked to spyware campaigns, and Amazon's disclosure of a years-long Russian GRU operation targeting Western critical infrastructure.

For IT Directors and CISOs, this week's developments underscore a critical reality: the window between vulnerability disclosure and active exploitation has collapsed to mere days. The convergence of nation-state campaigns, zero-day exploitation, and opportunistic attacks on trusted platforms demands immediate attention and strategic response.

Fortinet FortiGate Vulnerabilities Under Active Exploitation

On December 12, 2025—just three days after Fortinet released patches—Arctic Wolf observed threat actors actively exploiting two critical authentication bypass vulnerabilities in FortiGate appliances. CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog on December 16, with a remediation deadline of December 23.

Vulnerability Details

Both vulnerabilities (CVE-2025-59718 and CVE-2025-59719) carry CVSS scores of 9.8 and affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. The flaws stem from improper verification of cryptographic signatures in SAML authentication, allowing unauthenticated attackers to bypass FortiCloud Single Sign-On (SSO) login authentication via crafted SAML messages.

While FortiCloud SSO is disabled by default in factory settings, it is automatically enabled during FortiCare registration unless administrators explicitly disable the "Allow administrative login using FortiCloud SSO" toggle. This common oversight exposes internet-facing devices to remote exploitation.

Observed Attack Patterns

Arctic Wolf documented intrusions involving malicious SSO logins originating from a small set of hosting provider IP addresses. Attackers primarily targeted administrator accounts, successfully authenticating via SSO and using the FortiGate GUI to download device configuration files. These configuration exports pose a significant risk, as even hashed passwords remain vulnerable to offline dictionary attacks.

Immediate Mitigation Steps

Organizations should upgrade to fixed versions immediately: FortiOS 7.0.18, 7.2.12, 7.4.9, or 7.6.4; FortiProxy 7.0.22, 7.2.15, 7.4.11, or 7.6.4; FortiSwitchManager 7.0.6 or 7.2.7; FortiWeb 7.4.10, 7.6.5, or 8.0.1. If immediate patching isn't possible, disable FortiCloud SSO in the GUI under System > Settings, or from the CLI with "config system global", then "set admin-forticloud-sso-login disable". Security teams should review logs for suspicious SSO login events and reset credentials if malicious activity is detected.
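An added log-review helper (not Arctic Wolf's or Fortinet's code) that parses FortiOS-style key=value event lines and flags successful administrator SSO logins originating outside the networks where admins are expected. The sample lines are constructed, and the method="sso" field name and the trusted 10.0.0.0/8 range are assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in FortiOS key=value style. The method="sso" field
# used to mark FortiCloud SSO logins is an assumption, not vendor documentation.
SAMPLE_LOG = """\
date=2025-12-13 time=03:14:22 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="sso" srcip=203.0.113.10 action="login" status="success" profile="super_admin"
date=2025-12-13 time=03:15:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=10.0.0.5 action="login" status="success" profile="super_admin"
date=2025-12-13 time=03:16:40 type="event" subtype="system" logdesc="Admin login successful" user="netops" method="sso" srcip=10.0.0.7 action="login" status="success" profile="prof_admin"
date=2025-12-13 time=03:17:09 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="sso" srcip=203.0.113.10 action="login" status="failed" profile="super_admin"
"""

# Networks from which administrator SSO logins are expected (assumed).
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# key=value pairs; values are either double-quoted or a run of non-space bytes.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_sso_logins(log_text):
    """Return successful SSO admin logins whose source IP is outside TRUSTED_NETS."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "login" or rec.get("status") != "success":
            continue  # failed attempts are noise for this check
        if rec.get("method") != "sso":
            continue  # only FortiCloud SSO logins are in scope
        src = rec.get("srcip")
        if src and is_trusted(src):
            continue
        findings.append({"when": f'{rec.get("date")} {rec.get("time")}',
                         "user": rec.get("user"), "srcip": src,
                         "profile": rec.get("profile")})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sso_logins(SAMPLE_LOG):
        print("review:", f)
```

Any hit warrants checking whether the same session went on to export the device configuration, since that is the pattern Arctic Wolf describes.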

Apple Patches "Extremely Sophisticated" WebKit Zero-Days

On December 12, Apple released emergency security updates addressing two WebKit zero-day vulnerabilities that have been exploited in what the company described as "an extremely sophisticated attack against specific targeted individuals."

Coordinated Disclosure with Google

The vulnerabilities—CVE-2025-43529 (use-after-free) and CVE-2025-14174 (memory corruption, CVSS 8.8)—were discovered jointly by Apple Security Engineering and Architecture (SEAR) and Google's Threat Analysis Group (TAG). CVE-2025-14174 affects both Chrome and WebKit, as the flaw resides in the ANGLE (Almost Native Graphics Layer Engine) graphics library used by both browser engines.

Google patched CVE-2025-14174 in Chrome on December 10, followed by Microsoft Edge updates on December 11 and Apple's updates on December 12. CISA added both vulnerabilities to its KEV catalog, with CVE-2025-14174 added on December 12 and CVE-2025-43529 added on December 15.

Spyware Campaign Indicators

The coordinated disclosure and TAG involvement strongly indicate these zero-days were exploited by commercial spyware vendors targeting high-value individuals. Both flaws can be triggered by processing maliciously crafted web content, requiring no additional user interaction beyond visiting a compromised webpage.

Affected Systems and Updates

Organizations should deploy iOS 26.2/iPadOS 26.2, iOS 18.7.3/iPadOS 18.7.3, macOS Tahoe 26.2, Safari 26.2, tvOS 26.2, watchOS 26.2, and visionOS 26.2 immediately. All Chromium-based browsers (Chrome, Edge, Brave, Vivaldi, Opera) require updates to address CVE-2025-14174.

Amazon Exposes Years-Long Russian GRU Campaign

Amazon Threat Intelligence disclosed on December 15 a sustained Russian state-sponsored campaign targeting Western critical infrastructure from 2021 through 2025. The report provides crucial intelligence on evolving nation-state tactics with direct implications for enterprise security.

Attribution and Tactical Evolution

Amazon attributes the campaign with high confidence to Russia's Main Intelligence Directorate (GRU), based on infrastructure overlaps with APT44 (Sandworm/Seashell Blizzard). The activity also shows connections to the Curly COMrades cluster tracked by Bitdefender, suggesting complementary GRU subclusters focusing on different operational phases.

The most significant finding is a tactical shift: while the campaign initially exploited vulnerabilities in WatchGuard, Confluence, and Veeam products, in 2025 it pivoted to targeting misconfigured network edge devices—enterprise routers, VPN concentrators, remote access gateways, and network management appliances with exposed management interfaces.

Target Profile

Primary targets include energy sector organizations across Western nations, including electric utilities, energy providers, and managed security service providers specializing in energy sector clients. Additional targets encompass telecommunications companies, critical infrastructure providers in North America, Europe, and the Middle East, and organizations with cloud-hosted network infrastructure.

Credential Harvesting Operations

Beyond direct infrastructure compromise, Amazon observed systematic credential-replay attacks in which attackers harvested credentials from compromised edge devices (likely via packet capture and traffic analysis) and subsequently attempted to authenticate against victim organizations' online services. While attempts against AWS services were unsuccessful, the pattern demonstrates the campaign's focus on persistent access and credential theft.

Defensive Recommendations

Organizations should immediately inspect all edge devices for signs of compromise, including exposed management interfaces. Implement strict configuration management controls, ensuring management interfaces are not accessible from the internet. Monitor for credential replay attacks against authentication endpoints and deploy multi-factor authentication that is resistant to such attacks.

CISA Releases Seven ICS Advisories

On December 16, CISA published seven Industrial Control Systems advisories addressing vulnerabilities across critical infrastructure sectors.

Key Advisories

Güralp Systems FMUS and MIN Series (ICSA-25-350-01): Vulnerabilities in seismic monitoring systems used in geological and infrastructure monitoring applications.

Johnson Controls PowerG, IQPanel, and IQHub (ICSA-25-350-02): Security flaws in intrusion detection and security panel systems widely deployed in commercial and residential environments.

Hitachi Energy AFS, AFR, and AFF Series (ICSA-25-350-03): Vulnerabilities in power grid automation products affecting energy sector operations.

Mitsubishi Electric GT Designer3 (ICSA-25-350-04): A flaw allowing attackers to obtain plaintext credentials, potentially enabling unauthorized operation of GOT2000 and GOT1000 series human-machine interface devices.

Additionally, updated advisories were released for previously disclosed vulnerabilities in Johnson Controls iSTAR access control systems and Fuji Electric Monitouch V-SFT-6.

Organizations operating in critical manufacturing, energy, healthcare, or commercial facilities sectors should review these advisories and apply vendor mitigations promptly.

SoundCloud Data Breach Affects 28 Million Users

Audio streaming platform SoundCloud confirmed on December 15 that a security breach exposed data belonging to approximately 20% of its user base—roughly 28 million accounts.

Breach Details

SoundCloud detected unauthorized activity in an ancillary service dashboard and immediately activated incident response protocols. The breach exposed email addresses and publicly visible profile information but did not compromise passwords or financial data. The company has engaged third-party cybersecurity experts and believes all unauthorized access has been terminated.

Following containment, SoundCloud experienced multiple denial-of-service attacks, two of which temporarily disabled web-based access to the platform. Configuration changes implemented as part of security hardening inadvertently blocked VPN and Tor access for some users, and the company is working to resolve the issue.

Attribution and Risk

BleepingComputer reports that the ShinyHunters extortion gang is responsible and is attempting to extort SoundCloud to prevent data leakage. While the exposed data is relatively limited in sensitivity, affected users should monitor for phishing attempts and social engineering attacks leveraging the breach.

GhostPairing: WhatsApp Account Takeover Campaign

Security researchers at Gen Digital identified a sophisticated account-takeover campaign dubbed "GhostPairing" that exploits WhatsApp's legitimate device-linking feature to hijack accounts without passwords, SIM swaps, or malware.

Attack Methodology

Victims receive messages from compromised contacts containing links disguised as Facebook photo previews. Clicking the link leads to a fake Facebook-themed page that requests identity verification. The verification process actually initiates WhatsApp's device pairing workflow, linking the attacker's browser to the victim's account.

Once paired, attackers gain complete access, including full conversation history, real-time message receipt, access to shared media, and the ability to send messages to the victim's contacts—enabling rapid propagation as compromised accounts become springboards for reaching new targets.

Geographic Spread

First detected in Czechia, the campaign shows no geographic limitations. The attack kit appears reusable and customizable across regions, with linguistic variations in lure messages suggesting rapid adaptation to any country.

Protective Measures

Users should regularly check linked devices in WhatsApp Settings and remove unknown sessions, treat any requests to scan QR codes or enter pairing codes as immediately suspicious, and enable Two-Step Verification for additional account security.

GhostPoster: Malicious Firefox Extensions Using Steganography

Koi Security researchers uncovered a campaign dubbed "GhostPoster" that infected over 50,000 Firefox users via 17 malicious browser extensions, employing sophisticated steganographic techniques.

Technical Sophistication

The malicious extensions—advertised as VPNs, screenshot utilities, ad blockers, and translation tools—hide JavaScript code within their PNG logo files. The loader searches for a marker sequence (===) within the image data and executes hidden code after it, effectively bypassing static analysis and code review.

The malware monitors browser activity, hijacks affiliate links on e-commerce platforms, injects tracking code, and establishes a backdoor for remote code execution. A deliberate design choice limits payload delivery to 10% of attempts, while the loader remains dormant for 48 hours after installation—both techniques are designed to evade detection.
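An added triage script (not Koi Security's or Mozilla's tooling) for the technique described above: it walks the PNG chunk list, reports any bytes appended after the IEND chunk, and looks for the "===" marker anywhere in the file. The PNG and its appended trailer are constructed inline so the check runs offline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(trailer=b""):
    """Constructed 1x1 grayscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, ...
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)


def scan_png(data, marker=b"==="):
    """Report trailing data after IEND and the marker's location, if present."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, end_of_image = len(PNG_SIG), None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 length + 4 type + data + 4 crc
        if chunk_end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            end_of_image = chunk_end
            break
        pos = chunk_end
    if end_of_image is None:
        raise ValueError("no IEND chunk")
    trailing = data[end_of_image:]
    marker_at = data.find(marker)  # loader may hide the marker inside a chunk
    preview = b"" if marker_at == -1 else data[marker_at + len(marker):][:40]
    return {"trailing_bytes": len(trailing),
            "marker_found": marker_at != -1,
            "marker_after_iend": marker_at >= end_of_image,
            "payload_preview": preview}


if __name__ == "__main__":
    print(scan_png(make_png()))
    print(scan_png(make_png(b"===/*constructed*/")))
```

A logo that is a valid image yet carries trailing data, or contains the marker at all, is worth manual review even though neither condition alone proves malice.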

Mozilla Response

Mozilla has removed the affected extensions from the Add-ons Marketplace and updated automated systems to detect similar attacks. Users who installed extensions named "Free VPN Forever," "screenshot-saved-easy," "weather-best-forecast," "google-translate-pro-extension," "dark-reader-for-ff," or similar should remove them immediately and consider resetting passwords for critical accounts.

NIST Releases Draft Cyber AI Profile

On December 16-17, the National Institute of Standards and Technology (NIST) released a preliminary draft of its Cybersecurity Framework Community Profile for AI (Cyber AI Profile), addressing the intersection of artificial intelligence and cybersecurity.

Three Focus Areas

The profile centers on securing AI systems by identifying cybersecurity challenges when integrating AI into organizational ecosystems, conducting AI-enabled cyber defense to leverage AI for enhanced security operations while understanding associated challenges, and thwarting AI-enabled cyberattacks by building resilience against emerging AI-powered threats.

Public Comment Period

NIST is accepting public comments for 45 days to inform the development of the initial public draft, planned for release in 2026. Organizations developing AI governance frameworks should review the preliminary draft and contribute feedback.

Gladinet Vulnerabilities Continue to be Exploited

Huntress researchers warned on December 16 of active exploitation of a newly identified hardcoded cryptographic key vulnerability (CVE-2025-14611) in the Gladinet CentreStack and Triofox file-sharing platforms, affecting nine organizations to date.

The vulnerability allows threat actors to decrypt or forge access tickets, enabling access to sensitive configuration files that can be exploited for ViewState deserialization and remote code execution. CISA added the vulnerability to its KEV catalog with a remediation deadline of January 5, 2026.

This represents the third actively exploited Gladinet vulnerability in 2025, following CVE-2025-30406 and CVE-2025-11371. Organizations using CentreStack or Triofox should update to version 16.12.10420.56791 immediately.

Strategic Recommendations for IT Leadership

Immediate Actions (24-72 Hours)

Security teams should either patch Fortinet FortiGate appliances or immediately disable FortiCloud SSO. Update all Apple devices and Chromium-based browsers to address the WebKit zero-day vulnerabilities. Audit Firefox extensions against the GhostPoster indicators and remove suspicious add-ons. Review WhatsApp-linked devices and educate users about the GhostPairing threat. Update Gladinet CentreStack/Triofox installations to the latest version.

Short-Term Initiatives (1-2 Weeks)

Organizations should conduct edge device configuration audits to identify exposed management interfaces. Review ICS/SCADA environments against December CISA advisories. Implement enhanced monitoring for credential replay attacks against authentication systems. Establish governance policies and approval workflows for browser extensions.

Strategic Planning (Q1 2026)

Leadership should align security programs with Amazon's GRU campaign findings and prioritize edge device security. Incorporate NIST Cyber AI Profile guidance into AI governance frameworks. Develop incident response playbooks for cloud API abuse and legitimate feature exploitation. Establish supply chain security controls for browser extensions and developer tools.

Conclusion

The events of December 15-17, 2025, demonstrate that threat actors are increasingly exploiting the gap between vulnerability disclosure and organizational patching—Fortinet devices were attacked within 72 hours of the patch release. Simultaneously, nation-state actors are adapting their tactics, shifting from vulnerability exploitation to targeting the "low-hanging fruit" of misconfigured edge devices.

The sophisticated zero-days affecting Apple and Chrome, combined with creative abuse of legitimate features like WhatsApp device linking and browser extension ecosystems, reveal that attackers are finding new paths around traditional security controls. Organizations that maintain rigorous patch management, comprehensive configuration controls, and defense-in-depth strategies will be best positioned to defend against these evolving threats.

Sources:

  • CISA Known Exploited Vulnerabilities Catalog (cisa.gov/known-exploited-vulnerabilities-catalog)
  • CISA ICS Advisories (cisa.gov/news-events/ics-advisories)
  • Arctic Wolf Security Bulletin (arcticwolf.com/resources/blog)
  • Amazon Threat Intelligence (aws.amazon.com/blogs/security)
  • The Hacker News (thehackernews.com)
  • BleepingComputer (bleepingcomputer.com)
  • Help Net Security (helpnetsecurity.com)
  • SecurityWeek (securityweek.com)
  • NIST (nist.gov)