Daily Threat Intel Digest - 2025-12-12

🔴 Critical Threats & Active Exploitation

[NEW] CISA orders federal agencies to patch actively exploited GeoServer XXE flaw CISA has added CVE-2025-58360, a critical XML External Entity (XXE) vulnerability in GeoServer versions 2.26.1 and prior, to its Known Exploited Vulnerabilities (KEV) catalog. Attackers are exploiting this flaw through the GetMap operation to retrieve arbitrary files from vulnerable servers, putting organizations sharing geospatial data at risk of data theft and SSRF attacks. Federal agencies must patch by January 1, 2026, but with over 14,000 instances exposed online according to Shodan, all organizations running GeoServer should prioritize immediate patching [BleepingComputer]. This marks the third GeoServer vulnerability added to KEV in recent years, following CVE-2022-24816 and CVE-2024-36401 which led to a U.S. government breach in 2024.

[NEW] Gogs zero-day exploited to compromise over 700 Git servers An unpatched zero-day vulnerability (CVE-2025-8110) in Gogs, the self-hosted Git service, is being actively exploited to achieve remote code execution. Attackers bypass previous protections for CVE-2024-55947 by abusing symbolic links in the PutContents API to overwrite files outside repositories, specifically targeting Git configuration files to execute arbitrary commands. Wiz Research discovered the flaw and found over 700 of 1,400 exposed Gogs servers showing compromise indicators, with malware using the Supershell C2 framework. All Gogs administrators should disable open registration, limit access via VPN/allowlist, and check for repositories with random 8-character names [BleepingComputer].

[NEW] Gladinet CentreStack cryptographic flaw enables RCE attacks Attackers are exploiting hardcoded AES encryption keys in Gladinet CentreStack and Triofox products to achieve remote code execution without authentication. The cryptographic implementation uses static keys derived from Chinese and Japanese text strings, allowing attackers to decrypt Access Tickets containing credentials or forge their own tickets with expired timestamps. Huntress has identified at least nine organizations compromised through this flaw, where attackers steal web.config machineKeys to trigger ViewState deserialization RCE. Organizations using CentreStack should update to version 16.12.10420.56791 immediately, rotate machine keys, and scan for the IoC string ‘vghpI7EToZUDIZDdprSubL3mTZ2’ [BleepingComputer].

🎯 Threat Actor Activity & Campaigns

[UPDATE] North Korean fake employee campaign escalates with hardware-based access Microsoft DART has responded to incidents where North Korean Jasper Sleet operatives infiltrated organizations as fake IT workers, then deployed PiKVM hardware devices to gain persistent, out-of-band remote access. These hardware-based remote access tools allow attackers to bypass traditional EDR controls while maintaining covert data exfiltration channels. The campaign demonstrates increased sophistication beyond initial access techniques, with threat actors leveraging physical hardware implants to maintain presence even after initial detection. Organizations should enhance device inventory management and monitor for unauthorized hardware connections, particularly USB devices claiming KVM functionality [Microsoft].

[NEW] Ashen Lepus (Hamas-linked) deploys AshTag malware against diplomatic targets The Hamas-affiliated APT group Ashen Lepus (aka WIRTE) has intensified espionage operations against Middle Eastern government and diplomatic entities using a sophisticated malware suite called AshTag. The group has demonstrated significant operational evolution throughout regional conflicts while maintaining persistent activity [GBHackers]. This development highlights how politically motivated groups continue to refine custom malware capabilities for targeted intelligence gathering operations, requiring diplomatic entities to implement enhanced endpoint detection and network segmentation.

⚠️ Vulnerabilities & Patches

[NEW] ConsentFix attack hijacks Microsoft accounts via Azure CLI OAuth abuse A new social engineering variant called ConsentFix is abusing the Azure CLI OAuth application to hijack Microsoft accounts without requiring passwords or bypassing MFA. Attackers trick victims into completing legitimate Azure CLI authentication flows, then steal the authorization code from the redirect URL to obtain full account access. The campaign uses compromised legitimate websites and Cloudflare-branded CAPTCHA widgets to filter targets, with activity triggering once per victim IP address. Defenders should monitor for unusual Azure CLI logins from new IP addresses and investigate usage of legacy Graph scopes which attackers leverage to evade detection [BleepingComputer].

[NEW] Notepad++ fixes critical updater vulnerability allowing malicious code delivery The Notepad++ team has released version 8.8.9 to address a critical security weakness in its WinGUp update mechanism that allowed attackers to intercept update traffic and deliver malicious executables. The vulnerability was exploited in real-world incidents where users unknowingly executed reconnaissance commands and exfiltrated system information to temp.sh. The fix implements code signature verification to prevent installation of unsigned updates, addressing CVEs related to traffic hijacking. Organizations should deploy Notepad++ 8.8.9 immediately and investigate systems that may have performed updates since November when initial mitigations were introduced [BleepingComputer].

[NEW] Malicious VSCode Marketplace campaign hides trojan in fake PNG files A sophisticated supply chain attack has compromised 19 extensions on Microsoft’s official VSCode Marketplace, using bundled malicious dependencies and trojanized PNG files to deploy malware. The campaign weaponized popular packages like ‘path-is-absolute’ with modified index.js files that decode obfuscated JavaScript droppers, while hiding a Rust-based trojan within a fake banner.png file. All affected extensions have been removed from the marketplace, but organizations should scan installed extensions for the identified variants: Malkolm Theme, PandaExpress Theme, Prada 555 Theme, and Priskinski Theme [BleepingComputer].

🛡️ Defense & Detection

[NEW] MITRE releases 2025 CWE Top 25 highlighting evolving software weaknesses MITRE’s annual CWE Top 25 list reveals significant shifts in software vulnerability patterns, with Missing Authorization (CWE-862), Null Pointer Dereference (CWE-476), and Missing Authentication (CWE-306) showing the biggest rank increases. New entries include multiple buffer overflow variants (CWE-120, CWE-121, CWE-122) and Allocation of Resources Without Limits (CWE-770), indicating continued memory safety challenges despite modern development practices. Cross-Site Scripting retains its #1 position, while SQL Injection rises to #2. Security teams should prioritize these weaknesses in code reviews and secure development training, with CISA urging organizations to integrate the list into application security testing [BleepingComputer].

[NEW] Brave browser tests agentic AI mode with isolated security profile Brave has introduced an agentic AI browsing mode in its Nightly version that performs automated tasks like web research and product comparison through the Leo AI assistant. To address inherent security risks including prompt injection attacks, Brave implements a strict isolation model: the mode runs in a separate profile without access to user cookies, logins, or settings, with restrictions on non-HTTPS sites and extension downloads. An ‘alignment checker’ mechanism uses a secondary isolated model to evaluate whether agent actions match user intent, similar to Google’s approach for Gemini. The company is also doubling bug bounty payments for in-scope submissions related to AI browsing [BleepingComputer].

📋 Policy & Industry News

[UPDATE] LastPass fined £1.2M by UK ICO for 2022 data breach failures The UK Information Commissioner’s Office has fined LastPass £1.2 million for security failures that led to the 2022 breach impacting 1.6 million UK users. The investigation revealed how attackers compromised a developer’s laptop, exploited a vulnerable Plex application to capture credentials, and ultimately accessed encrypted customer vault data. While the vaults remained encrypted due to LastPass’s zero-knowledge architecture, the ICO found inadequate access controls and insufficient security measures. The penalty underscores regulatory expectations for password managers to implement robust security controls, with customers reminded to use master passwords of at least 16 characters or passphrases to resist offline cracking attempts [BleepingComputer].

[NEW] Microsoft expands bug bounty to cover all online service vulnerabilities Microsoft has expanded its bug bounty program to cover critical vulnerabilities in any of its online services, including third-party components and open-source dependencies that impact Microsoft services. The policy shift, announced at Black Hat Europe, makes all new online services eligible for bounty awards by default as soon as they are released. This change recognizes that attackers don’t distinguish between Microsoft and third-party code when exploiting vulnerabilities. Microsoft has paid over $17 million in bounty awards to 344 researchers in the past year as part of its broader Secure Future Initiative [BleepingComputer].

[NEW] Warrant requirements emerge as key issue for FISA Section 702 renewal Congressional debate is intensifying over whether to require warrants for searching government surveillance databases for U.S. person information as Section 702 of FISA approaches its April 2026 expiration. While 2024 reforms reduced warrantless queries from 3.4 million to approximately 9,000, witnesses testified that the FBI changed the definition of a “query” to artificially lower this figure. Political dynamics have shifted with Democrats now expressing concerns about potential Trump administration usage, reversing the 2024 partisan dynamic where Republicans worried about Biden-era surveillance [CyberScoop].