One-Week KEV Patch Deadline for Exploited Flaws in Cisco AsyncOS, SonicWall SMA 100, and Fortinet FortiCloud

Cisco and Cisco Talos have released advisories warning users of an ongoing campaign to install persistent backdoors and associated malicious tools, exploiting a CVSS 10.0 zero-day vulnerability in all releases of "Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA)." CVE-2025-20393, only described so far as "improper input validation," has been added to the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities Catalog (KEV), and no patch has been released yet. Cisco discovered the attacks on December 10, 2025, targeting both physical and virtual appliances with Secure Email Gateway and Secure Email and Web Manager, with the Spam Quarantine feature enabled and exposed to the internet. This feature is not enabled by default, and is not required to be reachable from the internet. If users have Spam Quarantine configured and enabled, Cisco strongly recommends steps for security hardening: ensure the appliance is inaccessible from the internet or restricted to trusted hosts; implement a filtering device such as a firewall, possibly a two-layer firewall; "separate mail and management functionality onto separate network interfaces"; monitor web log traffic; disable HTTP for the main administrator portal; disable non-essential network services; keep Cisco AsyncOS up to date; implement end-user authentication such as SAML or LDAP; restrict access to the administrator account and change the default password; and "using SSL/TLS, obtain an SSL certificate from a certificate authority (CA) or create a self-signed certificate." Cisco provides resources for downloading replacement Virtual Appliances, exporting reporting data, purging messages in the quarantine, and centralizing quarantines, also recommending users contact Cisco Technical Assistance Center (TAC) with any questions. Talos tracks the campaign back to at least late November 2025, and attributes the attacks to UAT-9686, believed to be a "Chinese-nexus" advanced persistent threat actor.

SonicWall has released updates to address an actively exploited local privilege escalation vulnerability in SonicWall Secure Mobile Access (SMA) 1000 series appliances. The medium-severity vulnerability (CVE-2025-40602) was discovered by researchers from Google's Threat Intelligence Group. According to SonicWall's advisory, the "vulnerability was reported to be leveraged in combination with CVE-2025-23006, a critical pre-authentication deserialization of untrusted data vulnerability that was addressed in a Sonic Wall update in January 2025. "SonicWall PSIRT strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability." The US Cybersecurity and Infrastructure Security Agency (CISA) added the more-recently disclosed vulnerability (CVE-2025-40602) to the Known Exploited Vulnerabilities (KEV) catalog on Wednesday, December 17, 2025, with a mitigation deadline of December 24, 2025, giving Federal Civilian Executive Branch agencies just one week to address the issue. The vulnerability affects versions 12.4.3-03093 (platform-hotfix) and 12.5.0-02002 (platform-hotfix), and is fixed in versions 12.4.3-03245 (platform-hotfix) and 12.5.0-02283 (platform-hotfix).

Threat actors are exploiting a pair of critical vulnerabilities affecting multiple Fortinet products. Both vulnerabilities (CVE-2025-59718 and CVE-2025-59719) are improper verification of cryptographic signature issues; Fortinet released updates to address both flaws on December 9, 2025, noting that the vulnerabilities could be exploited to "allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message." Fortinet adds, "Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch 'Allow administrative login using FortiCloud SSO' in the registration page, FortiCloud SSO login is enabled upon registration." Users are urged to turn off the FortiCloud login feature until they are able to update to a fixed version. Researchers at Arctic Wolf have observed "intrusions involving malicious SSO logins on FortiGate appliances" starting on December 12. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to the Known Exploited Vulnerabilities (KEV) catalog on Tuesday, December 16, 2025, with a mitigation deadline for Federal Civilian Executive Branch (FCEB) agencies of December 23, 2025. It is one of three recently added CVEs with short mitigation deadlines; the others are flaws in Cisco and SonicWall, both covered in this issue of NewsBites.

This year’s challenge covers the following topics, including grand challenges provided by Microsoft and Google: defanging IOCs, using SUDO, port discovery, forensic analysis, basic networking, firewall basics, Nmap basics, CURL basics, IDOR challenge, using POCs, Java deserialization, Quantum computing, reverse engineering, hacking SQLI, Linux and PrivEsc, and WebApp Pentesting.

The cyber range stays open year-round; the contest elements close on January 5, 2026.

- https://www.sans.org/cyber-ranges/holiday-hack-challenge

Hewlett Packard Enterprise (HPE) has published a security bulletin including a patch for a CVSS 10.0 flaw affecting all versions through v10.20 of HPE OneView, the company's IT infrastructure management software. The newly released version 11.00 is not affected. HPE has not disclosed the details of CVE-2025-37164, but states that it allows a remote unauthenticated attacker to perform remote code execution; the Common Weakness Enumeration mentioned on the flaw's CVE record in the National Vulnerability Database (NVD) is CWE-94, "Improper Control of Generation of Code ('Code Injection')." HPE directs users to apply the provided hotfix to HPE OneView 5.20 through 10.20, noting that OneView 6.60.xx must first be upgraded to 7.00.00, "including any HPE Synergy Composer reimage." HPE Synergy Composer2 has a separate hotfix that must be applied.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical embedded malicious code vulnerability in ASUS Live Update to the Known Exploited Vulnerabilities (KEV) database, warning that the vulnerability is being actively exploited. According to the NIST CVE entry, "certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected." ASUS disclosed the supply chain attack in 2019. The ASUS Live Update client reached end-of-life earlier this month; the vulnerability does not affect any currently supported products. The CVE has a mitigation deadline of January 7, 2026, and in this case, Federal Civilian Executive Branch agencies are expected to discontinue using the product altogether.

On Friday, December 12, 2025, following intelligence shared by Italian authorities, French police arrested two crewmembers of the international passenger ferry "Fantastic," docked at the Mediterranean port of Sète in southern France, on suspicion of infecting the ferry's systems with a Remote Access Trojan (RAT). GNV, the Italian shipping company operating the ferry, initially submitted the tip, stating that they "identified and neutralised an attempt at intrusion on the company's computer systems, which are effectively protected. It was without consequences." France's counterespionage service, the General Directorate for Internal Security (DGSI), have inspected and reportedly seized items from Fantastic, which has been cleared to sail by maritime authorities. Interior Minister Laurent Nuñez has stated, "individuals tried to gain access to a ship’s data-processing system." One Bulgarian crewmember was released without charge, and one Latvian crewmember remains in custody.

A UK technology company whose software is used by multiple National Health Service (NHS) trusts has disclosed a cybersecurity incident. DXS International "provides clinical decision support and referral management tools used by GP practices and primary care networks across England." The breach affected DXS's internal servers. According to a notice made to the London Stock Exchange, DXS International discovered the incident on December 14, 2025, and has engaged third-party experts to investigate the incident, which has also been reported to the Information Commissioner's Office (ICO) and other relevant regulators and authorities.

Virginia’s Richmond Behavioral Health Authority (RBHA) has disclosed a security breach that resulted in the theft of sensitive personal information of more than 113,000 individuals. RBHA is "the public entity responsible for providing mental health, substance abuse, and prevention services in the city of Richmond, Virginia," according to HIPAA Journal. The data theft is a result of a September 29, 2025 ransomware attack that led to portions of RBHA's network being encrypted. In a December 4 breach notification, RBHA writes that the stolen data could include names in combination with associated Social Security numbers, passport numbers, financial account information, and health information. RBHA has notified the US Department of Health and Human Services Office for Civil Rights (HHS OCR) of the incident.

French authorities have made an arrest in the ongoing investigation of a December 11-12 cyberattack against the country's Ministry of the Interior. Since the initial announcement by Minister of the Interior Laurent Nuñez, the ministry has disclosed that during several days of unauthorized access an attacker accessed a number of professional email accounts and confidential files on judicial records and wanted persons, possibly also accessing credentials that could enable lateral movement through internal business applications. Nuñez states that there has not been a ransom demand and that he believes the attack does not pose danger to citizens. The ministry has filed a breach report with the National Commission for Information Technology and Civil Liberties (CNIL). The French National Cybersecurity Agency (ANSSI) is aiding in the investigation, and the judicial police's anti-cybercrime unit with the Paris Public Prosecutor’s Office is also conducting a formal judicial investigation. The ministry is enacting "increased security of infrastructure, widespread implementation of two-factor authentication, revocation of compromised access, password changes, and strict reminders of digital hygiene practices to all staff." The 22-year old suspect in custody was already known to prosecutors for convictions of similar crimes, and is being held on the charge of "an attack on an automated personal data processing system operated by the State, as part of an organized group."

The US Federal Bureau of Investigation (FBI), along with the Michigan State Police and law enforcement partners in Finland and Germany, have dismantled the infrastructure for the E-Note cryptocurrency exchange, which "allegedly facilitated money laundering by transnational cyber-criminal organizations, including those targeting U.S. healthcare and critical infrastructure. Since 2017, the FBI identified more than $70,000,000 of illicit proceeds of ransomware attacks and account takeovers transferred via E-Note payment service and money mule network, including laundered funds stolen or extorted from U.S. victims." The law enforcement agents seized domains and servers associated with E-Note, along with copies of customer databases and records of transactions. According to a press release, the US Attorney's Office for the Eastern District of Michigan also unsealed a related indictment that charges a Russian national of conspiracy to launder money.