December 20, 2025


Hello all,

For those of you in the Northern Hemisphere, winter starts tomorrow, and it is also the shortest day of the year. Now if your system clocks rely on the National Institute of Standards and Technology (NIST) timeservers located in Boulder, Colorado, then your day is 4.8 microseconds longer than the rest of the world’s. This is due to massive storms in the Northwest USA that are currently causing significant power issues, which have in turn caused a time “desync issue” in the Boulder facility; it will be worked on as soon as people can get on site to make repairs. Meanwhile, you might want to point your Network Time Protocol (NTP) services to another source of truth. Speaking of sources, this week has been a busy one across my various news sources, with multiple critical vulnerabilities and zero-day attacks underway. So, let’s get to them.

Headline NEWS:

  • Apple patches were rolled out for “sophisticated” targeted zero-day attacks. The fix is to update to the latest iOS 26 version. This particular defect was found by Google’s Threat Analysis Group and is speculated to be a similar, if not the same, attack vector as the one Google patched in Chrome last week. The flaw is specifically in WebKit and can result in remote code execution when iOS handles specially crafted web content. If you have iFruit, check for updates and apply them soon.
  • Cisco had a bad week with a pair of zero-day defects in AsyncOS, which powers their Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Unfortunately, Chinese threat actors found this first and have been exploiting it since late November. The vulnerability is made possible by improperly configured appliances that have exposed their spam quarantine to the internet rather than keeping it internal, which is the recommended default configuration. As of this writing there are no patches offered, and vendor guidance is to disable internet access to the quarantine and check for signs of compromise. If any are found, Cisco says you’ll need to wipe and rebuild the appliance. And, as if that wasn’t enough, an unknown threat actor has initiated a massive brute-force attack against Cisco Secure Sockets Layer (SSL) Virtual Private Networks (VPNs), probing for misconfigurations, missing patches, lack of MFA, and insecure or reused credentials.
  • Fortinet is in the news again this week with a major defect. This time the vendor has released patches for a critical vulnerability in Single Sign-On (SSO) that can give a threat actor administrator-level access. If you have FortiAnything, check your product for updates and apply them immediately.
  • HPE, aka Hewlett Packard Enterprise, doesn’t make this newsfeed often, but when it does, it is a doozy. The vendor is warning of a maximum-severity vulnerability in HPE OneView that can enable unauthenticated remote code execution (RCE). Thankfully, this appears to have been detected internally, as there is no mention of active exploitation. Check with HPE for patches and a fixed new version.
  • SonicWall sent out notices on Wednesday to their customers that SMA1000 appliances have a zero-day that is being actively exploited. They “strongly” advised customers to upgrade to the latest hotfix release. Given the SonicWall article about End of Support coming in June of 2026, this vulnerability should serve as a warning that your time to replace these appliances with newer remote access technologies is limited.
  • I mentioned WatchGuard last week for having released nearly a dozen updates so far in December. Well, this week a critical defect was revealed in their WatchGuard Firebox firewalls, and it is under active attack. What’s worse is that it can give a threat actor remote code execution (RCE) via a low-complexity attack that requires no user interaction. The defect resides specifically in the IKEv2 VPN. However, the vendor notes that if you’ve ever had “mobile user VPN with IKEv2 or a branch office VPN using IKEv2” enabled, you may be vulnerable and need to follow the guidance and apply the newly released patch. If you can’t do this right away, there is some mitigation guidance provided. Check with WatchGuard for further details.

In Ransomware, Malware, and Vulnerabilities News:

  • React2Shell is still being actively exploited by dirtbags, both small-time and nation-state. The most common intrusion appears to be crypto miners. There’s an excellent article linked about one guy’s discovery and eradication of a miner that infected his system. And of course, the inhuman scum known as ransomware operators have now weaponized this defect for their nefarious purposes. If you have vulnerable internet-facing systems anywhere, you’re likely infected with something by now.

In Other News Events of Note and Interest:

  • Microsoft Native NVMe for Windows Server 2025. This article caught my attention since Big Redmond has demonstrated that simply turning on this feature, which should be available on all Windows Server 2025 systems since the October 2025 updates, can improve disk input/output operations per second (IOPS) by up to 80% in many cases. You can use a Windows registry change or a Group Policy Object (GPO) to flip the switch on. Cool!

Musings:

There are numerous holidays coming in the next two weeks for most of the world. And if you’re reading or hearing this, then your organization likely relies on the tried-and-true process of having a person on-call to cover these periods. One (or more) designated individuals will be tasked with remaining available to service clients and equipment while the rest of the staff relaxes with family and friends, enjoying the festivities. I recently read something on Reddit that made so much sense. Why don’t we flip the script and make on-call into something that our employees actually want to do? No, hear me out. What if we offered a substantial sum to compensate for the employee missing out on family, celebrations and feasting; something like, say, $300 per week when it is your turn. I suspect that we’d have people lining up, asking to be on-call. If your company had 6 people in rotation, a person could theoretically earn an extra $2,500 per year. I’d jump at that. In the meantime, please remember to…

Keep the shields up!

Viscount Jan Broucinek
Red Dot Security News
