FortiCloud SSO bypass 🔓, Chinese APT Cisco zero-day 🎯, OAuth phishing attacks 📧, Sinobi ransomware extortion 💰, UEFI firmware flaws ⚙️

Daily Threat Intel Digest - December 20, 2025

🔴 Critical Threats & Active Exploitation

[NEW] 25,000+ FortiCloud SSO Devices Exposed to Critical Bypass Flaws
Over 25,000 internet-facing Fortinet devices with FortiCloud SSO enabled are vulnerable to critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719). CVE-2025-59718 is already in CISA’s Known Exploited Vulnerabilities Catalog, indicating active exploitation. Attackers can bypass authentication to gain unauthorized access, putting organizations at risk of complete network compromise. The Shadowserver Foundation is actively notifying affected entities, and immediate patching is required [CyberPress; GBHackers].

[UPDATE] Cisco Email Gateway Zero-Day Exploited by Chinese APT
The newly identified CVE-2025-20393 (CVSS 10.0) is being actively exploited in attacks targeting Cisco Secure Email Gateway appliances with Spam Quarantine enabled. China-nexus threat actor UAT-9685 leverages this flaw to execute arbitrary commands with root privileges, establishing persistent backdoors. This continues a trend of APT groups targeting network appliances for espionage [Arctic Wolf; Eclypsium].

[UPDATE] Gladinet Triofox Zero-Day Allows SYSTEM-Level RCE
Critical vulnerability CVE-2025-12480 in Gladinet’s Triofox platform enables unauthenticated remote code execution through a complex 20-step exploit chain. Threat group UNC6485 leveraged local host header injection to access admin setup pages, then abused built-in antivirus features to execute malicious scripts. Affected organizations should patch immediately and investigate for signs of compromise, as exploitation leaves minimal forensic artifacts [CyberPress; VulnCheck].

🎯 Threat Actor Activity & Campaigns

[NEW] Sinobi Ransomware Claims Double Extortion Attacks
The newly observed Sinobi ransomware group has claimed attacks on Italian refrigeration leader Fhiaba S.r.l. and Canadian biblical storytelling organization NBS Canada. The group threatens to publish stolen data unless negotiations begin, marking its emergence as an active extortion-focused operation. Unlike typical ransomware, Sinobi focuses on data theft rather than encryption [DeXpose; DeXpose].

[NEW] FBI: Deepfake Impersonation of U.S. Officials Dating to 2023
An ongoing campaign uses AI voice cloning and encrypted messaging apps to impersonate senior U.S. government officials, targeting individuals including officials’ family members. Attackers use credential harvesting requests and contact list access to enable further targeting. The FBI’s revised timeline reveals activity began under the previous administration, with campaigns leveraging Signal and WhatsApp to lend credibility [CyberScoop; IC3].

[NEW] Wave of OAuth Device Code Phishing Targets Microsoft 365
Multiple threat groups, including financially motivated TA2723 and suspected Russia-aligned UNK_AcademicFlare, are exploiting OAuth device code authorization flows to bypass MFA. Attackers trick victims into entering device codes on legitimate Microsoft login pages, granting attackers persistent account access. Campaigns use phishing kits like SquarePhish and Graphish, with significant volume increases since September [BleepingComputer].
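Because the device code flow completes on a legitimate Microsoft login page, the usual phishing indicators (lookalike domains, credential forms) are absent and the most reliable signal is in the identity provider's sign-in telemetry. The following added example, which is not from the cited article or from Microsoft, triages sign-in records shaped like Microsoft Graph `signIn` objects (the `authenticationProtocol` field carries the value `deviceCode` for this flow) and rates each device-code sign-in by whether it came from a country the user has never signed in from before. The sample records are constructed for the example.

```python
"""Triage OAuth device code sign-ins in Entra ID style sign-in logs (added example)."""
from collections import defaultdict

# Constructed sample records, shaped like Microsoft Graph `signIn` objects.
# Only the fields this example uses are included.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Teams", "createdDateTime": "2025-12-18T08:01:00Z"},
    {"id": "s2", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Outlook", "createdDateTime": "2025-12-19T09:15:00Z"},
    {"id": "s3", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Office", "createdDateTime": "2025-12-19T10:02:00Z"},
    {"id": "s4", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "CA"},
     "appDisplayName": "SharePoint", "createdDateTime": "2025-12-19T11:00:00Z"},
    {"id": "s5", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.45", "location": {"countryOrRegion": "CA"},
     "appDisplayName": "Azure CLI", "createdDateTime": "2025-12-19T11:30:00Z"},
    {"id": "s6", "userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.99", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Outlook", "createdDateTime": "2025-12-19T12:00:00Z"},
]


def find_device_code_signins(signins):
    """Return every sign-in that completed via the OAuth device authorization grant."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def baseline_countries(signins):
    """Per user, the set of countries seen in sign-ins that did NOT use the device code flow.

    This is the 'normal' footprint a device-code sign-in is compared against.
    """
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            continue
        country = (s.get("location") or {}).get("countryOrRegion")
        if country:
            seen[s["userPrincipalName"]].add(country)
    return seen


def triage(signins):
    """Rate each device-code sign-in.

    'high'   : the sign-in came from a country absent from the user's baseline,
               which is the pattern when the code was redeemed on an attacker's host.
    'medium' : device code flow used, but from a country the user normally signs in from
               (still worth confirming, since CLI tools legitimately use this flow).
    """
    baseline = baseline_countries(signins)
    findings = []
    for s in find_device_code_signins(signins):
        upn = s["userPrincipalName"]
        country = (s.get("location") or {}).get("countryOrRegion")
        severity = "medium" if country in baseline.get(upn, set()) else "high"
        findings.append({
            "id": s["id"],
            "userPrincipalName": upn,
            "ipAddress": s.get("ipAddress"),
            "country": country,
            "app": s.get("appDisplayName"),
            "when": s.get("createdDateTime"),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"[{f['severity'].upper()}] {f['userPrincipalName']} via {f['app']} "
              f"from {f['ipAddress']} ({f['country']}) at {f['when']}")
```

In a real deployment the records would come from the sign-in log export or the Graph `signIn` endpoint rather than an inline list, and the baseline would be built over a longer window than the few records shown here. Where the organization has no legitimate use for the flow, blocking it outright with a Conditional Access authentication-flows policy removes the attack surface entirely; where CLI tooling needs it, this kind of geographic deviation check is a practical fallback.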

⚠️ Vulnerabilities & Patches

[NEW] UEFI Flaw Enables Pre-Boot DMA Attacks on Major Motherboards
A critical UEFI firmware vulnerability (CVE-2025-11901, CVE-2025-14302/14303/14304) affects ASUS, Gigabyte, MSI, and ASRock motherboards, allowing DMA attacks before IOMMU protection initializes. Malicious PCIe devices can read/write system memory during boot, bypassing OS security. Riot Games’ Vanguard anti-cheat blocks vulnerable systems from launching Valorant. Firmware updates are required [BleepingComputer; CERT/CC].

[NEW] HPE UOCAM Vulnerabilities Require Urgent Patching
HPE addressed multiple undisclosed vulnerabilities in Unified OSS Console Assurance Monitoring (UOCAM) versions prior to 3.1.19. While exploit details are limited, centralized server management tools are high-value targets for attackers seeking persistence. Organizations should review HPESBNW04989 and apply updates promptly [Malware.news].