Critical React RCE, CISA’s New IEP, and Cloud AI Updates

Critical React4Shell RSC Vulnerability CVE-2025-55182

🛡️ A critical remote code execution flaw, CVE-2025-55182 (React4Shell), was disclosed affecting React Server Components and multiple derivatives including Next.js, React Router RSC preview, and several bundler plugins. The bug arises from unsafe deserialization of Flight protocol payloads and permits unauthenticated HTTP requests to execute code on vulnerable servers. Immediate updating to the patched React and Next.js releases, plus deployment of WAF rules and access restrictions, is strongly recommended.

Critical React2Shell RCE Affects React and Next.js Servers

🚨 React and Next.js applications are affected by a maximum-severity deserialization vulnerability dubbed React2Shell, which enables unauthenticated remote code execution via the React Server Components (RSC) "Flight" protocol. Discovered by researcher Lachlan Davidson and reported on November 29, the flaw received a 10/10 severity rating and has been assigned CVE-2025-55182 for React (Next.js received CVE-2025-66478, later rejected by the NVD). Affected default packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, and researchers warn many deployments are exploitable without additional misconfiguration. Developers should apply the published patches and audit environments immediately.

Dataplex Data Products: Curated Assets for Enterprise

🔍 Google Cloud has introduced data products in Dataplex Universal Catalog (preview), packaging curated data assets, documentation, and governance controls into purpose-built units aligned to business use cases. These data products let producers declare quality, freshness, ownership, and contractual guarantees while grouping assets to simplify access and reduce operational toil. Consumers can discover, request access, and rely on documented lineage and context to accelerate analytics. Google also positions data products as foundational inputs to more reliable AI and agent-driven workflows.

AI Security and Elevated Zero Trust for Hybrid Networks

🔒 Check Point's new Quantum Firewall Software release, R82.10, extends a prevention-first security model across CloudGuard Network and Quantum Force Firewalls. The update unifies management, strengthens Zero Trust controls for hybrid mesh environments, and adds enforcement and telemetry designed to protect MCP servers, AI workloads, cloud assets and on-prem systems. It simplifies policy consistency and supports responsible AI adoption through data-aware controls and centralized governance.

Urgent: Patch React 19 and Next.js to Mitigate RCE

⚠️ Developers must immediately upgrade React 19 and affected frameworks such as Next.js after researchers at Wiz disclosed a critical deserialization vulnerability in the React Server Components (RSC) Flight protocol that can enable remote code execution. The flaw exists in default configurations and impacts React 19.0.0, 19.1.0, 19.1.1 and 19.2.0, while Next.js 15.x and 16.x App Router deployments received a related CVE. Upgrade to the latest vendor-recommended releases now and follow the React blog's guidance.

Critical RCE in React and Next.js Flight Protocol Disclosed

🚨 Researchers disclosed critical remote code execution vulnerabilities in the Flight protocol for React Server Components (CVE-2025-55182 and CVE-2025-66478). The flaw permits unauthenticated attackers to achieve deterministic RCE via insecure deserialization of malformed HTTP payloads, with near-100% reliability against default deployments. Vendors have issued patched releases; administrators should apply upgrades immediately. Palo Alto Networks Unit 42 published detection guidance and hunting queries to help identify exploitation and post-exploitation activity.

CISA Launches Industry Engagement Platform to Innovate

🛡️ CISA launched the Industry Engagement Platform (IEP) to create a structured, two-way channel between the agency and companies, researchers, and academia to present emerging cybersecurity and infrastructure technologies. The platform lets organizations build customizable technology profiles and upload capability overviews to connect with the right CISA subject-matter experts. Participation does not confer preferential contract consideration, but informs CISA market research and mission needs.

AWS previews EC2 M9g instances powered by Graviton5

🚀 Amazon Web Services today previewed new Amazon EC2 M9g instances powered by AWS Graviton5 processors. AWS says M9g delivers up to 25% better compute performance and increased networking and EBS bandwidth versus Graviton4-based M8g, with up to 30–35% faster performance for databases, web applications, and machine learning. Built on the AWS Nitro System, M9g targets application servers, microservices, gaming servers, midsize data stores, and caching fleets, and is available in preview through a request process.

NVIDIA Run:ai Model Streamer Adds Cloud Storage Support

🚀 The NVIDIA Run:ai Model Streamer now supports native Google Cloud Storage access, accelerating model load and inference startup for vLLM workloads on GKE. By streaming tensors directly from Cloud Storage into GPU memory and using distributed, NVLink-aware transfers, the streamer dramatically reduces cold-start latency and idle GPU time. Enabling it in vLLM is a single-flag change and it can leverage GKE Workload Identity for secure, keyless access.

PubMed Data in BigQuery to Accelerate Medical Research

🔬 Google Cloud has made PubMed content available as a BigQuery public dataset with integrated vector search via Vertex AI, enabling semantic search across more than 35 million biomedical articles. Both BigQuery and Vertex AI Vector Search are FedRAMP High authorized, allowing organizations to run embedding models and VECTOR_SEARCH queries inside BigQuery. Early adopters like The Princess Máxima Center report literature reviews reduced from hours to minutes, and example SQL plus a demo repo are provided to help teams get started.

Amazon Bedrock Adds OpenAI-Compatible Responses API

🚀 Amazon Bedrock now exposes an OpenAI-compatible Responses API on new service endpoints, enabling asynchronous inference for long-running workloads, streaming and non-streaming modes, and automatic stateful conversation reconstruction so developers no longer must resend full histories. The endpoints provide Chat Completions with reasoning-effort support for models served by Mantle, Amazon’s distributed inference engine. Integration requires only a base URL change for OpenAI SDK–compatible code, and support starts today for OpenAI’s GPT OSS 20B and 120B models, with additional models coming soon.

Building a Production-Ready AI Security Foundation

🔒 This guide presents a practical defense-in-depth approach to move generative AI projects from prototype to production by protecting the application, data, and infrastructure layers. It includes hands-on labs demonstrating how to deploy Model Armor for real-time prompt and response inspection, implement Sensitive Data Protection pipelines to detect and de-identify PII, and harden compute and storage with private VPCs, Secure Boot, and service perimeter controls. Reusable templates, automated jobs, and integration blueprints help teams reduce prompt injection, data leakage, and exfiltration risk while aligning operational controls with compliance and privacy expectations.

Replit and Google Cloud Expand Vibe Coding for Enterprise

🚀 Replit and Google Cloud have expanded a strategic, multi‑year partnership to bring vibe coding capabilities to enterprise developers and teams. Replit will continue to run on Google Cloud infrastructure—leveraging Cloud Run, Google Kubernetes Engine, BigQuery, and Vertex AI—and now supports Google models including Gemini 3, 2.5 Flash Lite, 2.5 Flash, and Imagen 4 to power coding and multimodal workflows. The agreement also includes joint go‑to‑market and co‑sell initiatives to accelerate adoption across enterprise customers.

BRICKSTORM Backdoor Targets VMware vSphere and Windows

🛡️ CISA, NSA, and the Canadian Centre for Cyber Security report that PRC state-sponsored actors deployed the BRICKSTORM backdoor to gain long-term persistence on VMware vSphere (vCenter/ESXi) and Windows hosts. The analysis of eight samples includes YARA and Sigma detection content plus scanning guidance for vCenter filesystems and SIEMs. Organizations should apply the provided IOCs and detection signatures, hunt for modified init scripts, DoH resolver requests, and hidden API endpoints, and report any findings immediately.

CISA, NSA, and Cyber Centre Warn of BRICKSTORM Malware

🔒 CISA, NSA, and the Canadian Centre for Cyber Security released a joint malware analysis on BRICKSTORM, a sophisticated backdoor targeting VMware vSphere (vCenter) and Windows environments used by PRC state-sponsored actors. The report provides indicators of compromise (IOCs), detection signatures, and CISA-developed YARA and SIGMA rules to help critical infrastructure owners identify compromises. Recommended mitigations include scanning with the provided rules, inventorying and monitoring edge devices, enforcing network segmentation, and adopting Cross-Sector Cybersecurity Performance Goals; organizations are urged to report suspected activity to CISA immediately.

Advantech iView SQL Injection Vulnerability (CVE-2025-13373)

⚠️ Advantech iView versions 5.7.05.7057 and earlier are affected by an SQL injection vulnerability in SNMP v1 trap handling (port 162) that can be exploited remotely with low attack complexity. CISA assigns CVE-2025-13373 with a CVSS v4 base score of 8.7 (and CVSS v3.1 7.5). Successful exploitation could disclose, modify, or delete data. Advantech recommends updating to iView v5.8.1; CISA advises network isolation, firewalls, and secure remote access.

PRC State-Sponsored Actors Use BRICKSTORM Malware Campaigns

🔒 CISA warns that PRC state-sponsored actors are deploying the BRICKSTORM backdoor to maintain stealthy, long-term access on VMware vSphere and Windows hosts. The malware leverages nested TLS/WebSockets, DNS-over-HTTPS, and a SOCKS proxy for encrypted C2, lateral movement, and tunneling, and implements a self‑healing persistence mechanism. CISA urges defenders to hunt with provided YARA/Sigma rules, block unauthorized DoH, inventory edge devices, and enforce DMZ segmentation.

CISA Alerts on BrickStorm Backdoors in VMware vSphere

🔒 CISA warns that Chinese threat actors have used Brickstorm malware to backdoor VMware vSphere servers, creating hidden rogue virtual machines and exfiltrating cloned VM snapshots to harvest credentials. A joint analysis with the NSA and Canada's Cyber Security Centre examined eight samples and documents layered evasion including nested TLS, WebSockets, SOCKS proxying and DNS-over-HTTPS. CISA provides YARA and Sigma rules, advises blocking unauthorized DoH providers, inventorying edge devices, segmenting DMZ-to-internal traffic, and reporting detections as required.

Predator Spyware Uses Ad-Based Zero-Click Infection

📢 Researchers report that the Predator spyware operator Intellexa developed a zero-click delivery mechanism called Aladdin that can infect targets simply by serving a weaponized advertisement. The technique abuses commercial mobile advertising systems and Demand Side Platforms to force malicious ads to specific IPs and devices, with viewing alone triggering redirections to exploit servers. First deployed in 2024 and routed through shell companies across multiple countries, the campaign is corroborated by leaked Intellexa documents and technical analysis from Amnesty, Google, and Recorded Future. Analysts recommend blocking ads, hiding public IPs, and using platform protections, though leaked materials suggest operators can obtain subscriber IP/location data from local mobile operators.

Contractors Accused of Wiping 96 Government Databases

🧾 Two Virginia brothers, former federal contractors Muneeb and Sohaib Akhter, have been charged with conspiring to steal sensitive data and deleting roughly 96 government databases after being fired. Prosecutors allege the deletions occurred in February 2025 and that Muneeb also stole IRS and EEOC information for hundreds of individuals. One minute after deleting a DHS database he reportedly asked an AI tool how to clear system logs. Authorities say the pair wiped devices, destroyed evidence, and face multiple federal charges including computer fraud and aggravated identity theft.

SolisCloud API Authorization Bypass Affects Monitoring

⚠️ CISA warns of an authorization bypass (IDOR) in the SolisCloud Monitoring Platform affecting Cloud API and Device Control API v1 and v2. An authenticated user can access detailed plant data by manipulating the plant_id parameter, exposing sensitive information. The issue is tracked as CVE-2025-13932 with a CVSS v4 score of 8.3 and is remotely exploitable with low complexity. SolisCloud has not engaged with CISA; users should limit network exposure and follow CISA mitigation guidance.

Sunbird DCIM dcTrack and Power IQ: Critical Flaws (2025)

🔒 CISA warns of two critical vulnerabilities in Sunbird DCIM dcTrack and Power IQ appliances that could enable unauthorized access or credential theft. One is an authentication bypass via alternate remote-access channels (CVE-2025-66238); the other involves hard‑coded/default credentials (CVE-2025-66237) with a CVSS v4 high score of 8.4. Sunbird has released fixes (dcTrack 9.2.3, Power IQ 9.2.1); until systems are updated, CISA recommends restricting SSH and nonessential ports, changing deployment passwords, isolating control networks behind firewalls, and using secure VPNs for remote access.

ThreatsDay: Wi‑Fi Hack, npm Worm, DeFi Theft and More

🔒This week's ThreatsDay roundup highlights a string of high-impact incidents, from a $9 million DeFi drain and an npm-based self-replicating worm to airport Wi‑Fi evil‑twin attacks and mass camera compromises. Researchers and vendors including Fortinet, Microsoft, and TruffleHog disclosed evolving malware techniques, supply-chain abuse, and widespread credential exposure. Practical protections include minimizing long-lived secrets, enforcing CI/CD safeguards, updating detection for eBPF-based threats, and applying MFA and phishing-resistant controls.

WARP PANDA: Sophisticated China-Nexus Cloud Threats

🔍 CrowdStrike identified a China-nexus adversary, WARP PANDA, conducting covert intrusions against VMware vCenter and cloud infrastructure throughout 2025, deploying novel Golang implants and the backdoor BRICKSTORM. Operations emphasized stealth—log clearing, timestomping, unregistered VMs, and tunnelling via vCenter/ESXi/guest VMs—enabling long-term persistence and data staging from live VM snapshots. WARP PANDA also exfiltrated Microsoft 365 and SharePoint content, registered MFA devices, and abused cloud services for C2, prompting recommendations for tighter ESXi/vCenter controls and robust EDR on guests.

US, International Agencies Issue AI Guidance for OT

🛡️ US and allied cyber agencies have published joint guidance to help critical infrastructure operators incorporate AI safely into operational technology (OT). Developed by CISA with the Australian Signals Directorate and input from the UK's NCSC, the document covers ML, LLMs and AI agents while remaining applicable to traditional automation systems. It recommends assessing AI risks, protecting sensitive OT data, demanding vendor transparency on embedded AI and supply chains, establishing governance and testing in controlled environments, and maintaining human-in-the-loop oversight aligned with existing cybersecurity frameworks.

Windows LNK Shortcut Abuse Addressed by Recent Patches

🔒 Microsoft has quietly altered how Windows displays .lnk shortcut Targets, addressing a long‑abused technique attackers used to hide malicious commands in trailing whitespace. The issue (tracked as CVE-2025-9491) stemmed from Explorer showing only the first 260 characters of a Target field, allowing long PowerShell or BAT scripts to be concealed. Third‑party vendor 0patch acknowledges the UI change but says Microsoft’s fix doesn't prevent execution and offers a micropatch that truncates long Targets and warns users.

UDPGangster Backdoor Campaigns Target Turkey, Israel

🔒FortiGuard Labs reports multiple campaigns deploying the UDPGangster UDP-based backdoor, attributed to the MuddyWater espionage group. Attackers used macro-embedded Microsoft Word documents delivered via phishing, impersonating official Turkish emails and targeting users in Turkey, Israel, and Azerbaijan. The malware implements persistence, extensive anti-analysis checks, and UDP C2 communications to exfiltrate data and execute remote commands. Fortinet detections and protections are available to mitigate these threats.

MAXHUB Pivot Weak Password Reset Vulnerability Advisory

🚨 A weak password recovery mechanism in MAXHUB Pivot client allows remote attackers to request password resets and potentially take over accounts. MAXHUB reports all Pivot client versions prior to v1.36.2 are affected and has released v1.36.2 to address the issue. CISA assigned CVE-2025-53704 and rates the flaw high severity (CVSS v4 8.7) with low attack complexity. Administrators should apply the update and follow recommended network-segmentation and access controls to reduce exposure.

GoldFactory Targets SE Asia with Modified Banking Apps

🛡️ Group-IB says the financially motivated actor GoldFactory has launched a new campaign across Indonesia, Thailand, and Vietnam, distributing modified Android banking apps that serve as droppers for remote‑access trojans. The campaign, active since October 2024 and linked to activity as far back as June 2023, relies on phone-based social engineering and messaging apps like Zalo to direct victims to fake Play Store landing pages. Injected modules preserve normal banking functionality while hooking app logic to bypass security checks, abuse accessibility services, and exfiltrate credentials and account balances.

Cloudflare Mitigates Record 29.7 Tbps DDoS by AISURU

🚨 Cloudflare reported it detected and mitigated a record 29.7 Tbps distributed denial-of-service attack attributed to the AISURU botnet. The UDP "carpet-bombing" assault, which randomized packet attributes and targeted an average of 15,000 destination ports per second, lasted 69 seconds. Cloudflare also mitigated a 14.1 Bpps event and said AISURU may comprise 1–4 million infected hosts, while blocking thousands of related hyper-volumetric attacks and noting significant quarterly increases in DDoS activity.

NSA Warns AI Introduces New Risks to OT Networks, Allies

⚠️ The NSA, together with the Australian Signals Directorate and allied security agencies, published the Principles for the Secure Integration of Artificial Intelligence in Operational Technology to highlight emerging risks as AI is applied to safety-critical OT networks. The guidance flags adversarial prompt injection, data poisoning, AI drift, hallucinations, loss of explainability, human de-skilling and alert fatigue as primary concerns. It urges operators to adopt CISA secure design practices, maintain accurate asset inventories, consider in-house development tradeoffs, and apply rigorous oversight before deploying AI in OT environments.

Attackers Exploit ArrayOS AG VPN Bug to Deploy Webshells

🔒 Threat actors are exploiting a command injection vulnerability in Array Networks ArrayOS AG VPN appliances to plant PHP webshells and create rogue user accounts. The flaw affects ArrayOS AG 9.4.5.8 and earlier when the DesktopDirect feature is enabled; Array issued a May update (9.4.5.9) to address the issue. Japan's CERT (JPCERT/CC) reports attacks since at least August originating from IP 194.233.100[.]138. If immediate patching is not possible, disable DesktopDirect or block URLs containing a semicolon as a temporary mitigation.

False-Flag Teams Lure Delivers ValleyRAT via SEO Poisoning

🚨 ReliaQuest attributes a false-flag SEO poisoning campaign to the actor known as Silver Fox, which has been active since November 2025 and aims to masquerade as a Russian group to mislead investigators. The campaign pushes a malicious Teams installer packaged as "MSTчamsSetup.zip" from an Alibaba Cloud URL, drops a trojanized Setup.exe, establishes exclusions in Microsoft Defender, and writes a staged installer "Verifier.exe" to the AppData profile. The loader scans for security processes, injects a malicious DLL into rundll32.exe, and reaches out to a remote server to retrieve the final ValleyRAT payload.

GhostFrame Phishing Framework Surpasses One Million Attacks

🔍 A newly discovered phishing framework named GhostFrame has been linked to more than one million attacks, according to Barracuda. The kit uses a benign-looking outer HTML page that conceals a malicious iframe, enabling attackers to swap content, target regions and evade scanners without changing the visible landing page. GhostFrame employs a two-stage chain: the loader creates randomized subdomains and validates them before loading an internal credential-stealing page, and includes anti-analysis controls that block inspection shortcuts and restrict user actions. Barracuda recommends a multilayered defense—regular browser updates, staff training, email gateways and web filters, restricting iframe embedding, and monitoring for injected or redirected content.

Johnson Controls OpenBlue Mobile Forced Browsing Fix

🔒 Johnson Controls reported a Direct Request (Forced Browsing) vulnerability (CVE-2025-26381) in the OpenBlue Mobile Web Application for OpenBlue Workplace. Versions 2025.1.2 and earlier may allow remote attackers to gain unauthorized access to sensitive information; CISA cites a CVSS v3.1 score of 9.3 and a CVSS v4 score of 6.5. Johnson Controls recommends upgrading to patch level 2025.1.3 when available; until then, administrators should disable the mobile app in IIS or use the primary Workplace web interface as a mitigation.

Protecting LLM Chats from the Whisper Leak Attack Today

🛡️ Recent research shows the “Whisper Leak” attack can infer the topic of LLM conversations by analyzing timing and packet patterns during streaming responses. Microsoft’s study tested 30 models and thousands of prompts, finding topic-detection accuracy from 71% to 100% for some models. Providers including OpenAI, Mistral, Microsoft Azure, and xAI have added invisible padding to network packets to disrupt these timing signals. Users can further protect sensitive chats by using local models, disabling streaming output, avoiding untrusted networks, or using a trusted VPN and up-to-date anti-spyware.

Designing for GKE's Flat Network: Practical Recommendations

🔍 This post previews Google's new design recommendation for leveraging GKE's flat network, explaining how it differs from island-mode networking and how teams can adapt existing architectures. It highlights recommended patterns and a reference design that emulates island-mode behavior within the flat model. The guidance focuses on IP address management, scalability, and integration points to ease migration for critical workloads such as generative AI.

SMS Phishers Pivot to Points, Taxes and Fake Retailers

🚨 China-based phishing-as-a-service groups have deployed thousands of mobile-targeted scam domains using SMS (iMessage/RCS) lures that promise rewards points, tax refunds or bargains to harvest payment data. Sites collect name, address and card details, then request a one-time code — which fraudsters use to enroll stolen cards in Apple or Google mobile wallets. These fake e-commerce shops are advertised on major platforms and can remain active for months, making them harder to detect; reporting suspicious messages and domains to blocklists such as SURBL and threat scanners helps accelerate takedowns.

Securing the AI Frontier: GSA OneGov Accelerates Secure AI

🔒 Palo Alto Networks explains why the GSA OneGov agreement matters for federal AI adoption and cybersecurity. Author Eric Trexler cites Unit 42 research showing new risks—particularly AI Agent Smuggling via indirect prompt injection and agent session smuggling—and argues AI must be defended as an attack surface. The post highlights platform protections including Prisma AIRS, FedRAMP High CNAPP, and Prisma SASE to secure AI workloads, edge users, and data. It positions OneGov as a procurement shortcut for agencies to deploy AI securely and notes promotional offers through 31 January 2028.

Public Sector Agentic Era: 300 Agents in One Day Showcase

🤖 Google Public Sector ran a #100DaysOfAgents campaign and an interactive Mission District at its October 29, 2025 Public Sector Summit where attendees built 300+ AI agent prototypes using self-serve builder stations. The initiative demonstrates how AI agents can accelerate mission outcomes by automating complex tasks, breaking down data silos, and improving access to services. Prototype examples ranged from a Grid Optimization Analyst to a Water System Transition Planner and an NIH Access Assistant; agents in the library are illustrative, not production-ready. Google invites agencies to partner with experts, prototype with Gemini for Government, and continue development at Google Cloud Next.

Johnson Controls iSTAR TLS Certificate Expiration Issue

🔒 Johnson Controls reported an improper validation of certificate expiration in iSTAR access control panels that can prevent devices from re-establishing communication when the default certificate expires. The flaw, tracked as CVE-2025-61736, carries a CVSS v4 base score of 7.1 and a CVSS v3.1 score of 6.5. Affected units are those running versions prior to TLS 1.2. Recommended mitigations include deploying host-based certificates, migrating clusters to TLS 1.3 (requires firmware/C•CURE updates), or upgrading legacy panels to G2 hardware.

Five Major Threats That Reshaped Web Security in 2025

🛡️ Web security in 2025 shifted rapidly as AI-enabled development and adversaries outpaced traditional controls. Natural-language "vibe coding" and compromised AI dev tools produced functional code with exploitable flaws, highlighted by the Base44 authentication bypass and multiple CVEs affecting popular assistants. At the same time, industrial-scale JavaScript injections, advanced Magecart e-skimming, and widespread privacy drift impacted hundreds of thousands of sites and thousands of financial sessions. Defenders moved toward security-first prompting, behavioral monitoring, continuous validation, and AI-aware controls to reduce exposure.

Protecting Submarine Cables: Cyber and Physical Security

🔒 Submarine cables carry between 95% and 99% of global data traffic, yet recent breakages — notably ten in the Baltic Sea between 2022 and July 2025 — highlight persistent vulnerabilities. Private operators now control most capacity, and governments and vendors must address both physical threats such as fishing and anchors and increasingly sophisticated cyber risks. Major cloud vendors emphasize route diversity and redundancy while operators like Telxius combine burial, audits, AI/ML detection and continuity planning to protect service availability.

Indirect Prompt Injection: Hidden Risks to AI Systems

🔐 The article explains how indirect prompt injection — malicious instructions embedded in external content such as documents, images, emails and webpages — can manipulate AI tools without users seeing the exploit. It contrasts indirect attacks with direct prompt injection and cites CrowdStrike's analysis of over 300,000 adversarial prompts and 150 techniques. Recommended defenses include detection, input sanitization, allowlisting, privilege separation, monitoring and user education to shrink this expanding attack surface.

Cyber Agencies Urge Provenance Standards for Digital Trust

🔎 The UK’s National Cyber Security Centre and Canada’s Centre for Cyber Security (CCCS) have published a report on public content provenance aimed at improving digital trust in the AI era. It examines emerging provenance technologies, including trusted timestamps and cryptographically secured metadata, and identifies interoperability and usability gaps that hinder adoption. The guidance offers practical steps for organisations considering provenance solutions.

CISA Releases Nine ICS Advisories for Multiple Vendors

🔔 On December 4, 2025, CISA published nine Industrial Control Systems advisories addressing vulnerabilities in products from Mitsubishi Electric, MAXHUB, Johnson Controls, Sunbird, SolisCloud, and Advantech. The release also includes updated advisories for Consilium Safety CS5000 and Johnson Controls FX families. Each advisory provides technical details, affected versions, and recommended mitigations. Administrators are encouraged to review the advisories and apply vendor guidance promptly.

Skills Shortages Outpace Headcount in Cybersecurity 2025

🔍 ISC2’s 2025 Cybersecurity Workforce Study, based on responses from more than 16,000 professionals, reports that 59% of organizations now face critical or significant cyber-skills shortages, up from 44% last year. Technical gaps are most acute in AI (41%), cloud security (36%), risk assessment (29%) and application security (28%), with governance, risk and compliance and security engineering each at 27%. The survey cites a dearth of talent (30%) and budget shortfalls (29%) as leading causes and links shortages to concrete impacts—88% reported at least one significant security incident. Despite concerns, headcount appears to be stabilizing and many professionals view AI as an opportunity for specialization and career growth.

Mitsubishi Electric GX Works2 Cleartext Credential Risk

🔒 CISA warns that Mitsubishi Electric GX Works2 contains a cleartext storage vulnerability (CVE-2025-3784) that can expose credentials stored in project files. The issue affects all versions and may allow a local attacker with file access to open password-protected projects and read or modify project data. A vendor fix is under development; organizations should restrict access, block untrusted remote logins, and follow the mitigations recommended by Mitsubishi Electric and CISA.

NCSC launches Proactive Notifications pilot for UK orgs

🔔 The UK National Cyber Security Centre (NCSC) is piloting Proactive Notifications, a service delivered via Netcraft that scans publicly available internet data to identify exposed software and missing security services. The NCSC will email affected organizations — messages originate from netcraft.com, contain no attachments, and do not request payments or personal data. The pilot covers UK domains and IPs on UK ASNs and focuses on notifying about specific CVEs and general weaknesses like weak encryption.

Socomec DIRIS Digiware M Series and PDF XChange Flaws

🔒 Cisco Talos disclosed an out‑of‑bounds read in PDF‑XChange Editor (CVE‑2025‑58113) and ten vulnerabilities affecting Socomec DIRIS Digiware M series and Easy Config. The issues range from information disclosure and authentication bypass to multiple denial‑of‑service and buffer overflow flaws. Vendors have released patches; administrators should apply updates and deploy Snort rules to detect exploitation.

Russia Blocks FaceTime and Snapchat Citing Terror Use

📵 Russian telecom regulator Roskomnadzor has blocked FaceTime and Snapchat, alleging the platforms are being used to coordinate terrorist attacks, recruit perpetrators, and facilitate fraud against Russian citizens. Roskomnadzor said Snapchat was blocked on October 10 under centralized public communication network rules, and announced the FaceTime restriction later. Apple and Snap did not immediately respond to requests for comment.

From Feeds to Flows: Operationalizing Threat Intelligence

🔗 The article argues that traditional threat feeds no longer suffice in modern, interconnected environments and proposes a Unified Linkage Model (ULM) to transform static indicators into dynamic threat flows. ULM defines three core linkage types — adjacency, inheritance and trustworthiness — to map how risk propagates across systems. It outlines practical steps to ingest and normalize feeds, establish and score linkages, integrate with MITRE ATT&CK and risk frameworks, and visualize attack pathways for prioritized response and compliance.

Microsoft bug in Microsoft 365 licensing blocks downloads

⚠️ Microsoft is investigating a known issue that prevents customers from downloading Microsoft 365 desktop apps from the Microsoft 365 homepage, with failures reported since November 2. The company says a recent service update introduced a code defect affecting the license check process, and it has tagged the situation as an incident. A fix has been developed and is being validated in Microsoft's internal environment, and the company promised an update on deployment timing by 6:30 PM UTC. Microsoft is also addressing a separate issue causing some users to be unable to open Excel attachments in the new Outlook client due to filename encoding errors.

Phishing, Privileges and Passwords: Identity Risk Guide

🔒Identity-focused attacks are driving major breaches across industries, with recent vishing incidents at M&S and Co-op enabling ransomware intrusions and combined losses exceeding £500 million. Attackers harvest credentials via infostealers, targeted phishing/smishing/vishing, breached password stores and automated attacks like credential stuffing. Implement least privilege, strong unique passwords in managers, MFA (authenticator apps or passkeys), PAM and automated identity lifecycle controls to limit blast radius.

Year-End Infosec Reflections and GenAI Impacts Review

🧭 William Largent’s year-end Threat Source newsletter combines career reflection with a practical security briefing, urging professionals to learn from mistakes while noting rapid changes in the threat landscape. He highlights a Cisco Talos analysis of how generative AI is already empowering attackers—especially in phishing, coding, evasion, and vulnerability discovery—while offering powerful advantages to defenders in detection and incident response. The newsletter recommends immediate, measured experimentation with GenAI tools, training teams to use them responsibly, and blending automation with human expertise to stay ahead of evolving risks.

Four Immediate Cybersecurity Priorities for Organizations

🔒 In this Deputy CISO blog, Damon Becknel, Microsoft’s VP and Deputy CISO for Regulated Industries, outlines four immediate priorities organizations should act on now. He emphasizes reinforcing essential cyber hygiene—accurate asset inventories, network segmentation, timely patching, MFA, EDR, and proxying email and web traffic—as the most effective means to reduce common intrusions. Becknel also urges adoption of modern standards like phishing-resistant MFA, secure DNS and DMARC, deployment of fingerprinting to track bad actors, and active cross-industry collaboration to share threat signals and raise the cost of attack.

Generative AI's Dual Role in Cybersecurity, Evolving

🛡️ Generative AI is rapidly reshaping cybersecurity by amplifying both attackers' and defenders' capabilities. Adversaries leverage models for coding assistance, phishing and social engineering, anti-analysis techniques (including prompts hidden in DNS) and vulnerability discovery, with AI-assisted elements beginning to appear in malware while still needing significant human oversight. Defenders use GenAI to triage threat data, speed incident response, detect code flaws, and augment analysts through MCP-style integrations. As models shrink and access widens, both risk and defensive opportunity are likely to grow.

Smashing Security Ep. 446: Doxxing and SE-as-a-Service

🔐 In episode 446 of the Smashing Security podcast, Graham Cluley and guest Rik Ferguson discuss a teenage cybercriminal who inadvertently doxxed himself by mocking a sextortion scammer. They examine how stolen data has become the jet fuel of cybercrime and consider worrying trends for 2026. Plus, Graham rants about intrusive recipe sites and shares musical notes about Lily Allen.

Post Office Avoids £1.1m Fine for Leak of 502 Postmasters

🔒 The Information Commissioner's Office found that an unredacted settlement document related to the long-running Horizon scandal exposed the names, home addresses and postmaster status of 502 litigants on the Post Office website between 25 April and 19 June 2024. The ICO considered a fine just under £1.1m but issued a reprimand under its public sector approach after concluding the breach was not 'egregious'. The regulator criticised the Post Office for lacking documented publishing policies, quality assurance and sufficient staff training; the organisation has offered compensation and 24 months of identity protection and taken steps to remove cached copies and strengthen controls.

Strengthening OT Security with Robust Password Policies

🔒 Operational technology (OT) environments underpin critical infrastructure but frequently lag behind IT in cybersecurity maturity. Strong password policies mitigate risks from outdated hardware, shared accounts, remote vendor access, and credential reuse. Core measures include prioritizing password length, enforcing rotation with reuse prevention, and adopting password vaults. Combined with MFA, network segmentation and Privileged Access Workstations, these practices form a resilient OT security posture.

Momberger Alerts Customers of Fraudulent Invoice Emails

🔔 Momberger – Lack & Technik warns customers of a targeted email fraud campaign that began on December 1. The company says unauthorized access to an email account was used to send forged messages requesting payment of fictitious invoices; only existing customer addresses were targeted. Momberger urges recipients not to pay, open links, or attachments, and says systems have been secured while additional protections and authorities are involved.

Coach or Mentor: Guidance Paths for Cyber Leaders Today

🔑 Renee Guttmann and other senior cyber leaders explain when professionals need mentorship versus executive coaching. At a September ISSA LA meeting, Guttmann distinguished mentoring as a one-on-one transfer of real-world experience and coaching as focused work on skills like executive presence. Speakers pointed to formal programs, networking, and industry groups as primary sources for guidance. Together, mentors and coaches help bridge technical foundations and board-level business acumen.

How Companies Can Prepare for Emerging AI Security Threats

🔒 Generative AI introduces new attack surfaces that alter trust relationships between users, applications and models. Siemens' pentest and security teams differentiate Offensive Security (targeted technical pentests) from Red Teaming (broader organizational simulations of real attackers). Traditional ML risks such as image or biometric misclassification remain relevant, but experts now single out prompt injection as the most serious threat — simple crafted inputs can leak system prompts, cause misinformation, or convert innocuous instructions into dangerous command injections.