December 2025 security update: Public and private sectors reminded that cyber hygiene is a non-negotiable
Table of contents
Today's threat landscape
Top 3 vulnerabilities
Industry news
Today’s threat landscape
Social engineering fraud & AI misuse kick off the holiday season
A steep rise in account-takeover (ATO) fraud is expected with the arrival of the holiday shopping season. The Federal Bureau of Investigation (FBI) reports that this has already cost victims over $262 million this year, with more than 5,100 complaints logged. This is a clear indication that cybercriminals are intensifying credential-theft and impersonation campaigns during the holiday season.
Analyses from FortiGuard Labs and Flashpoint also reveal a surge in holiday-themed malicious infrastructure. Over 18,000 domains registered in the last three months contained terms like “Black Friday,” “Christmas,” or “Flash Sale,” of which at least 750 were flagged as malicious. Simultaneously, stealer-log markets that trade browser-saved credentials, cookies, and session tokens are booming, making bulk credential stuffing and account hijacking far simpler - even for those with modest hacking abilities.
We have noted the growing susceptibility of AI tools to abuse in previous security updates, and November was no exception. Within 24 hours of Google’s release of Antigravity, its new Gemini-powered AI coding tool, a security researcher discovered a serious vulnerability: the tool could be manipulated into executing malicious code on a user’s machine, effectively installing malware or ransomware. This highlights a broader concern: AI agents with extensive system privileges may be deployed without robust security testing, allowing cybercriminals to weaponize them with far-reaching consequences.
Top 3 vulnerabilities
MOVEit Transfer vulnerable to unauthenticated DoS attacks
MOVEit Transfer, a widely used enterprise file-transfer platform, was found to contain a serious vulnerability (CVE-2025-10932, rated CVSS 8.2) in its AS2 module. The flaw is classified as Uncontrolled Resource Consumption (CWE-400): an unauthenticated attacker can trigger it remotely, without valid credentials or user interaction, by sending specially crafted AS2 requests. Successful exploitation can overload server resources (CPU, memory or bandwidth), leading to degraded performance or a full denial-of-service (DoS), which can disrupt critical file transfers and potentially halt sensitive data exchanges.
The flaw affects releases:
- 2025.0.0 through 2025.0.2
- 2024.1.0 through 2024.1.6
- 2023.1.0 through 2023.1.15
Vendor Progress Software has issued the following patched versions to remediate the vulnerability:
- 2025.0.3
- 2024.1.7
- 2023.1.16
QNAP patches multiple zero-days after Pwn2Own
QNAP QTS and QNAP QuTS hero, two widely used operating systems for NAS devices, were patched after several zero-day vulnerabilities were exploited publicly during the Pwn2Own Ireland 2025 hacking competition.
The vendor did not publish individual CVSS scores for CVE-2025-62847, CVE-2025-62848 and CVE-2025-62849, but the vulnerabilities were exploited as zero-days. Combined with the ability to achieve remote code execution, privilege escalation or denial-of-service, this underscores a critical severity risk, potentially exposing sensitive data, backups or entire NAS infrastructures.
To address these vulnerabilities, QNAP rolled out the following patches:
- QTS 5.2.7.3297 build 20251024
- QuTS hero h5.2.7.3297 / h5.3.1.3292 builds
- Updated versions of the affected applications
FortiWeb vulnerabilities exploited in the wild
FortiWeb, the web application firewall from Fortinet, is under fire after two recently discovered flaws have been exploited in the wild.
The first of these, CVE-2025-64446 with CVSS 9.1, is a critical path-traversal and authentication bypass vulnerability that allows unauthenticated attackers to send crafted HTTP(S) requests to create administrative user accounts, effectively gaining full control over the device.
The second, CVE-2025-58034 with CVSS 6.7, is an OS command-injection vulnerability. By exploiting this, authenticated cybercriminals can misuse FortiWeb’s API or CLI to execute arbitrary system commands via specially crafted inputs.
Both issues have been patched. Users should upgrade to the latest versions, including:
- FortiWeb 8.0.2
- FortiWeb 7.6.6
- FortiWeb 7.4.11
- FortiWeb 7.2.12
- FortiWeb 7.0.12
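As an added example (not code from this update or from either vendor), the following Python script checks an asset inventory against the MOVEit Transfer and FortiWeb fixed releases listed above, treating a version on a listed branch but below its fix as vulnerable and flagging unlisted branches for manual review; the hostnames and versions in the sample inventory are constructed.

```python
"""Added example: flag inventory entries below the fixed releases named in this
update for MOVEit Transfer (CVE-2025-10932) and FortiWeb. Sample data is constructed."""

# Fixed releases per branch, as listed in the update above.
FIXED_VERSIONS = {
    "MOVEit Transfer": ["2025.0.3", "2024.1.7", "2023.1.16"],
    "FortiWeb": ["8.0.2", "7.6.6", "7.4.11", "7.2.12", "7.0.12"],
}

def parse_version(text: str) -> tuple:
    """Turn '2024.1.7' into (2024, 1, 7) so releases compare numerically.
    Strings such as '7.4.11 build 1234' are rejected rather than guessed at."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)

def fixed_release_for(product: str, installed: tuple):
    """Return the fixed release on the same branch (all but the last component)."""
    for fixed in FIXED_VERSIONS.get(product, []):
        fixed_v = parse_version(fixed)
        if len(fixed_v) == len(installed) and fixed_v[:-1] == installed[:-1]:
            return fixed_v
    return None

def assess(product: str, installed_text: str) -> str:
    """'vulnerable' below the branch fix, 'patched' at or above it, 'unlisted-branch'
    when no fix is listed; an unlisted branch is not evidence of safety."""
    installed = parse_version(installed_text)
    fixed = fixed_release_for(product, installed)
    if fixed is None:
        return "unlisted-branch"
    return "vulnerable" if installed < fixed else "patched"

def audit(inventory: list) -> list:
    """Return (host, product, version, status) for every entry needing attention."""
    findings = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "patched":
            findings.append((host, product, version, status))
    return findings

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "MOVEit Transfer", "2024.1.6"),
    ("mft-02.example.internal", "MOVEit Transfer", "2025.0.3"),
    ("waf-edge-1.example.internal", "FortiWeb", "7.4.10"),
    ("waf-edge-2.example.internal", "FortiWeb", "6.4.3"),
]
```

Running `audit(SAMPLE_INVENTORY)` reports the two below-fix hosts as vulnerable and the FortiWeb 6.4 host as an unlisted branch to check against the vendor advisory.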
Industry news
Reshaping how public and private sectors view digital defense
In London, multiple municipal councils suffered a coordinated cyberattack, forcing IT shutdowns and disrupting critical services such as social care and waste management. Hackney Council raised its cyber security threat level to critical but says it is unaffected by the attack, and Westminster City Council said people were struggling to contact it. The Royal Borough of Kensington & Chelsea confirmed a data breach that is expected to cause significant disruption for the next two weeks as the borough works to get its systems back online. Security experts warn that this incident highlights the risk of shared-infrastructure models: compromising one target can bring down others as well.
Meanwhile in Sweden, CERT‑SE is preparing to launch MISP‑SE, a national open source threat intelligence-sharing platform that's meant to enhance Sweden’s resilience to cyberattacks. Slated for launch in February 2026, the service will initially be available for the public sector. The private sector will be able to join when enhanced legal support is in place to process personal data related to violations of the law.
At a broader level, the security community is marking the release of MITRE ATT&CK v18, an updated threat-detection framework that now includes “Detection Strategies” and analytics tailored for modern attack patterns - from mobile compromise to industrial control system (ICS) threats. The new framework represents a meaningful step in merging threat intelligence with actionable defense logic.