Sign in Subscribe
Cybersecurity

Major Cyber Threats: WinRAR Flaw, Gemini Exfiltration, Fortinet Vulns, Russian Attacks

Major Cyber Threats: WinRAR Flaw, Gemini Exfiltration, Fortinet Vulns, Russian Attacks
Photo by Angel Bena

TL;DR

  • CISA issues urgent alert for critical WinRAR path traversal vulnerability (CVE-2025-6218) actively exploited in the wild – immediate patching required by December 30, 2025
  • Google Gemini Enterprise RAG architecture vulnerable to prompt injection attacks allowing silent exfiltration of Gmail, Calendar, and Google Docs data without user interaction
  • Fortinet patches two critical vulnerabilities (CVE-2025-59718 & CVE-2025-59819) enabling SSO bypass and arbitrary credential reset** in FortiOS and FortiWeb – active exploitation confirmed
  • North Korean actors exploit React2Shell (CVE-2025-55182) via malicious npm packages and GitHub campaigns to deliver EtherRAT malware targeting JavaScript developers
  • Microsoft December 2025 Patch Tuesday fixes two actively exploited zero-days – CVE-2025-62221 (Windows) and CVE-2024-64671 (Copilot plugin)
  • SAP patches three critical (CVSS 9.9) vulnerabilities in S/4HANA and Commerce Cloud, including remote code execution via malicious module calls and embedded Apache Tomcat flaws
  • Storm-0249 evolves tactics with ClickFix social engineering + DLL sideloading, achieving persistence via legitimate SentinelAgentWorker.exe and PowerShell
  • Ransomware attacks on hypervisors (VMware ESXi & Microsoft Hyper-V) surge, now accounting for 25% of all incidents in H2 2025 with full virtual infrastructure disruption
  • New “Spiderman” phishing kit lowers barrier for attackers, enabling non-technical criminals to clone European bank and crypto login pages – 750+ active distributors
  • CBI (India) files chargesheet against Chinese nationals Wan Jun and Li Anming in ₹1,000 crore HPZ Token cryptocurrency fraud using shell companies during COVID-19
  • U.S. DOJ indicts Russian national Victoria Dubranova for coordinating cyberattacks with NoName057(16) and CARR groups targeting Ukrainian and European critical infrastructure

Microsoft Patches Two Actively Exploited Zero-Days in Windows Kernel and Copilot Plugin

What vulnerabilities were patched?

Microsoft released updates on 9 December 2025 to fix two actively exploited zero-day vulnerabilities:

  • CVE-2025-62221: Use-after-free privilege escalation in the Windows kernel (Win32k/Cloud Files Mini-Filter), CVSS 7.8.
  • CVE-2024-64671: Improper input validation leading to remote code execution in the GitHub Copilot plugin for JetBrains IDEs, CVSS 8.4.

Both patches are included in cumulative updates KB5072033 and KB5071417.

How widespread is the impact?

  • CVE-2025-62221 affects all Windows 10 and Windows 11 systems, enabling local users to gain SYSTEM-level privileges.
  • CVE-2024-64671 targets developers using JetBrains IDEs with the Copilot plugin, risking source code compromise and supply-chain attacks.

What is the broader context?

  • December 2025’s update addressed 57 vulnerabilities, bringing Microsoft’s 2025 cumulative patch count to 1,140+—an 11% increase over 2024.
  • Three zero-days were actively exploited in this cycle, including CVE-2025-62221, CVE-2024-64671, and CVE-2025-54100.
  • Kernel use-after-free flaws remain prevalent, with CVE-2025-40283 (Bluetooth driver) and CVE-2025-62215 (November 2025) showing recurring patterns.

What actions should organizations take?

  1. Deploy KB5072033/KB5071417 immediately via Windows Update, WSUS, or Intune.
  2. Verify Copilot plugin version ≥2025.2 on JetBrains IDEs; disable temporarily if unpatched.
  3. Ingest Talos Snort rules and ZDI advisories into SIEM systems to detect residual exploitation attempts.
  4. Enforce least-privilege policies and enable Windows Defender Credential Guard.
  5. Apply the CVE-2025-40283 patch to systems using WSL2 or Azure Linux with vulnerable Bluetooth drivers.

What does this indicate for future security?

The frequency of kernel-level exploits and AI-integrated component vulnerabilities suggests increasing attack surface complexity. Microsoft’s rapid response remains effective, but sustained high patch volumes may indicate systemic code quality challenges rather than isolated incidents.

CISA Warns of Exploited WinRAR Flaw; India's Digital Labour Push Relies on Secure AI Infrastructure

Is the WinRAR CVE-2025-6218 flaw a direct threat to India’s NCS platform?

The CISA alert regarding CVE-2025-6218, a path traversal vulnerability in WinRAR exploited in the wild, requires immediate patching by December 30. While the vulnerability affects WinRAR software, its relevance to India’s National Career Service (NCS) lies in the broader supply chain of file-handling components used in employer onboarding portals and AI-assisted skill-mapping tools. Microsoft’s Azure-hosted NCS infrastructure relies on patched Windows and Linux systems; unpatched WinRAR instances on employer or administrative endpoints could introduce lateral access risks to NCS data pipelines.

How does Microsoft’s security posture support the NCS expansion?

Microsoft has issued multiple critical patches in December 2025 for Azure Linux (CVE-2025-40304, CVE-2025-40321) and Windows 11 (KB5070311), directly supporting the stability of NCS-hosted services. These updates mitigate vulnerabilities in kernel components and AI inference layers underpinning the DigiSaksham skilling platform. The same security discipline applied to Azure infrastructure must extend to third-party tools like WinRAR used in file uploads by employers onboarding to NCS.

What is the operational timeline for NCS employer onboarding?

  • December 10, 2025: MoU signed between Ministry of Labour and Microsoft to onboard ≥15,000 employers.
  • December 1–9, 2025: Microsoft released security patches for Azure Linux and Windows OSes.
  • December 30, 2025: CISA deadline for WinRAR patching.
  • January 2026: DigiSaksham AI updates scheduled for full NCS integration.
  • March 2026: Target of 100% social-protection coverage (≈1B individuals).

The employer onboarding window aligns with the AI-skilling engine rollout, creating a 30-day operational window where endpoint security (WinRAR) and cloud infrastructure security (Azure) must both be maintained to prevent service disruption.

What are the critical risk-mitigation requirements?

  • Enforce ≤48-hour patching for all WinRAR installations on employer and administrative systems accessing NCS.
  • Validate that DigiSaksham’s third-party libraries (e.g., libarchive) are updated to versions addressing known CVEs.
  • Monitor Azure Monitor telemetry for authentication failures on employer portals, correlating with Copilot reliability metrics.
  • Deploy hardened AI inference containers to prevent model poisoning in skill-mapping algorithms.

The NCS expansion depends on a secure, end-to-end digital ecosystem. Patching WinRAR is not merely a desktop hygiene issue—it is a prerequisite for the integrity of India’s largest digital labour platform.

Google Gemini Enterprise RAG Exploited via Zero-Click Prompt Injection to Exfiltrate Workspace Data

How was corporate data exfiltrated without user interaction?

Attackers injected malicious prompts into Google Docs, Calendar invites, and emails. These poisoned inputs were indexed by Gemini Enterprise’s RAG pipeline. When users issued routine queries, the system executed hidden commands that retrieved Gmail threads, Calendar histories, and Docs content, then exfiltrated the data via embedded HTML image tags pointing to attacker-controlled servers.

What architectural flaws enabled this attack?

Gemini Enterprise grants custom agents built with the Agent Development Kit (ADK) native read access to Google Workspace without additional OAuth consent. Up to 20 Cloud Run instances per agent can be instantiated, creating privileged execution contexts. The RAG system treats user-generated content as both data and executable instruction, with no strict separation between retrieved documents and system prompts.

What mitigations have been deployed?

Google patched the vulnerability by:

  • Implementing a RAG instruction classifier that blocks HTML image payloads and indirect prompts
  • Isolating Vertex AI Search from Gemini Enterprise
  • Requiring explicit data-source whitelisting and prompt-sanitization hooks for ADK agents

Internal telemetry indicates a 90% reduction in malicious payload execution post-patch.

What systemic risks remain?

  • Instruction-data conflation persists across AI systems, as demonstrated by similar attacks in CI/CD pipelines (PromptPwnd, Dec 2025)
  • Zero-click exploitation bypasses traditional phishing and DLP defenses
  • Expanded attack surface from new integrations like the Gemini CLI extension (Dec 2025), which auto-grants OAuth scopes

What actions should enterprises take?

Action Responsible Party Expected Outcome
Enforce strict data-source allow-lists for all agents Cloud Security / IAM Reduce poisoned corpus to ≤5% of agents
Integrate prompt-sanitization hooks into ADK registration Platform Engineering Block hidden HTML/JS payloads before indexing
Deploy RAG query telemetry to SIEM SOC / SIEM Detect anomalous prompts (e.g., <img src>) in ≤5 minutes
Update DLP policies to inspect AI-generated outbound HTTP requests Data Governance Block ≥95% of beacon URLs
Conduct quarterly red-team simulations targeting prompt injection Security Operations Validate defenses against real-world vectors
Audit and limit OAuth scopes for ADK agents IAM / Cloud Admin Reduce agents with >10 Cloud Run instances to <2%

Regulatory scrutiny under GDPR and CCPA is expected, with potential fines for unmitigated data exfiltration. Architectural changes—such as mandatory data tagging and instruction-only RAG pipelines—are likely to emerge as industry standards within 12 months.

Fortinet Patches Critical SSO Bypass and Credential Reset Vulnerabilities

What are the critical vulnerabilities patched by Fortinet?

Fortinet released patches for CVE-2025-59718 and CVE-2025-59819 on December 9, 2025. CVE-2025-59718 allows attackers to bypass FortiCloud SSO authentication by manipulating SAML assertions, granting authenticated sessions without credentials. CVE-2025-59819 permits unauthenticated password resets on FortiWeb via a vulnerable API endpoint, enabling full account takeover.

How are these vulnerabilities being exploited?

A >300% spike in SSL-VPN brute-force attempts occurred between December 7 and 9, 2025, indicating active probing for SSO bypass opportunities. Concurrently, exploitation of the unrelated FortiWeb zero-day CVE-2025-58034 was observed on December 8, signaling targeted activity against Fortinet’s web application firewall products. No public exploits for the patched CVEs have been confirmed, but the timing suggests imminent weaponization.

What systems are affected?

CVE-2025-59718 impacts FortiOS and FortiManager. CVE-2025-59819 affects FortiWeb. Patches were also issued for FortiProxy and FortiSwitchManager to address related privilege escalation vulnerabilities (CVE-2024-59808 and CVE-2025-02556). All are classified as critical, with CVSS scores ≥9.0.

What are the potential consequences?

  • Unauthorized SSO sessions bypass multi-factor authentication, exposing cloud resources.
  • Admin and service-account passwords can be reset without user interaction, erasing audit trails.
  • Malicious WAF policies can persist after reboot, enabling long-term access.
  • Command injection paths may lead to data exfiltration or service disruption.

What actions should organizations take?

  1. Immediately upgrade to FortiOS 7.2.5+ and FortiWeb 7.2.3+.
  2. Enforce SAML hardening: require signed assertions, strict audience validation, and FortiCloud MFA.
  3. Disable or restrict the password-reset API; require MFA and role-based access.
  4. Deploy SIEM alerts for anomalous SSO token issuance, non-admin password changes, and >5 failed VPN logins per minute per source.
  5. Conduct post-patch vulnerability scans to detect residual backdoors from CVE-2025-58034.

Similar SAML-based SSO bypasses have been reported in Okta and Azure AD within the past six months, indicating a systemic attacker focus on federated identity systems. Organizations should review third-party identity provider integrations for analogous validation gaps.

CBI Charges Chinese Nationals in ₹1,000 Crore Crypto Fraud Amid Global AI Hardware Supply Chain Shifts

What is the nature of the CBI’s charges against Wan Jun and Li Anming?

The Central Bureau of Investigation has filed a chargesheet against Chinese nationals Wan Jun and Li Anming for orchestrating a ₹1,000 crore fraud involving the HPZ Token cryptocurrency. The scheme allegedly used shell companies to launder funds during the COVID-19 pandemic, exploiting regulatory gaps in cross-border digital asset transactions.

How does this case intersect with global AI hardware dynamics?

The timing of the charges coincides with heightened U.S. enforcement actions against illicit GPU exports to China. On December 9, 2025, the DOJ seized $50 million in Nvidia H100/H200 GPUs and blocked $160 million in attempted H300/H400 shipments. These operations reflect a broader strategy to restrict China’s access to advanced AI hardware.

What is the impact of TSMC’s CoWoS capacity allocation on global semiconductor supply?

TSMC has allocated approximately 80% of its Chip-on-Wafer-on-Substrate (CoWoS) packaging capacity to NVIDIA for the Blackwell Ultra GPU family, with 800,000–850,000 wafers booked for 2026. The remaining 20% is shared among AMD, Broadcom, and other firms. This concentration creates a supply bottleneck for competitors and reinforces NVIDIA’s dominance in exascale AI systems.

How do export policies affect the semiconductor ecosystem?

The U.S. Treasury now requires NVIDIA to remit 25% of H200 export revenues to the federal government. This policy, combined with criminal penalties of up to 20 years for smuggling, increases compliance costs and reduces profit margins. These measures aim to deter diversion of high-end GPUs into black markets, which may indirectly support the legitimacy of digital asset markets by reducing illicit capital flows.

What are the strategic responses from competitors and manufacturers?

Rival firms are accelerating adoption of alternative packaging technologies such as InFO and EMIB. TSMC is outsourcing overflow CoWoS work to ASE Technology and SPIL to mitigate bottlenecks. Dual-site production—Taiwan and Arizona—is reducing geopolitical risk, with U.S. facilities scheduled to begin mass production in 2028.

What are the broader implications for digital finance and hardware security?

The HPZ Token fraud underscores vulnerabilities in crypto-based financial systems during periods of global supply chain disruption. Simultaneously, the tightening of hardware export controls and enforcement of revenue-sharing policies indicate a shift toward integrated regulatory frameworks that link digital asset integrity with physical supply chain security. Both domains now face parallel pressures to reduce anonymity and increase traceability.

U.S. Indicts Russian-Linked Actor in Cyber Campaign Targeting Ukraine and European Infrastructure

What role did Victoria Dubranova play in cyber operations against critical infrastructure?

Victoria Dubranova, a 33-year-old Russian-linked actor, was indicted by the U.S. Department of Justice for conspiracy to commit cybercrimes in support of NoName057(16) and CARR. These groups conducted distributed-denial-of-service (DDoS) attacks on Ukrainian power grids and European energy sites, causing service outages lasting hours to days. Dubranova’s activities included coordination via Telegram and participation in the infiltration of industrial-control systems, including an ammonia-leak trigger at a Los Angeles meat-processing plant.

How were these cyber operations structured and supported?

NoName057(16) and CARR were established under Russian state directives, with operational guidance and funding provided by the GRU. CARR maintained a network of over 100 active participants, coordinated through a public Telegram channel with 75,000 followers and the XSS.IS forum. The infrastructure included more than 100 servers, which were dismantled in France and Spain in July 2025 through joint operations involving Europol, French police, and U.S. partners.

Dubranova was extradited to the United States in early 2025 and indicted in Los Angeles. She faces up to 27 years for CARR-related charges and 5 years for NoName057(16) involvement. Two accomplices were arrested in Europe, and over 100 servers were seized. The U.S. State Department has offered a $2 million reward for information leading to the identification of CARR members.

Russian state actors increasingly use proxy hacktivist groups to conduct cyber operations, preserving plausible deniability. Attacks now target physical infrastructure, such as industrial-control systems, blurring the line between cyber and kinetic threats. Coordination via public platforms like Telegram enables rapid scaling and complicates attribution.

What policy responses are emerging?

The U.S. and allied nations are shifting toward prosecutorial deterrence, combining international legal cooperation, financial rewards, and infrastructure hardening. Cross-border intelligence sharing on Telegram-based threat channels and enhanced protection of industrial-control systems are critical next steps.

Read next

ATR 42 Crash in Indonesia Sparks Global Safety Overhaul as Oreshnik Strikes Expose the New War of Deception in Ukraine

ATR 42 Crash in Indonesia Sparks Global Safety Overhaul as Oreshnik Strikes Expose the New War of Deception in Ukraine

TL;DR * Indonesia ATR 42-500 crashes near Mount Bulusaraung with 11 aboard, debris found 12 miles from Makassar airport * Russian Oreshnik missile strikes Lviv aircraft repair plant, Ukrainian officials confirm decoy used in Kharkiv Patriot strike ✈️ ATR 42-500 Crash into Mount Bulusaraung: CFIT Confirmed, Terrain Warning System Under Scrutiny ATR
Barista @ Cafecito

Comments ()