Good Morning Security Gang
I’m back home and reunited with my double espresso. I missed it more than I should admit. For the record, Tim Hortons espresso is an abomination — sorry, my Canadian friends, but that’s coffee treason.
It’s Wednesday, December 10th, 2025, and you know what that means: it’s Patch Tuesday recap day — the most sadistic day of the month.
Today we’re unpacking Microsoft’s latest updates fixing 57 vulnerabilities and three zero-days, Adobe’s monster patch round with 140 fixes, Fortinet’s authentication bypass warning, and Ivanti’s latest remote code execution disaster. We’ll also dive into geopolitical cyber sanctions, Korea’s Coupang investigation, and Australia’s controversial new social media ban.
Coffee cup cheers, y’all — let’s get to it.
“By the way, I had Tim Hortons espresso yesterday. That’s an abomination. I mean, an abomination to call that an espresso. It was an absolute abomination. Just going to put that out there. Tim Hortons, not an espresso. Just putting it out there. Sorry to all of my Canadian friends.” James Azar
Microsoft Fixes 57 Flaws and 3 Zero-Days
Microsoft’s December Patch Tuesday dropped fixes for 57 vulnerabilities — including three actively exploited zero-days affecting Windows, Office, Edge, and Chromium components.
The biggest concern is CVE-2025-62221, a use-after-free flaw in the Windows Cloud Files Mini Filter Driver, rated 7.8 CVSS, that’s already being exploited in the wild. Attackers are using this one for privilege escalation after gaining a foothold via phishing or web delivery.
Other highlights:
CVE-2025-64671: Remote code execution in Copilot for JetBrains via command injection.
CVE-2025-54100: PowerShell injection risk leading to post-compromise persistence.
For defenders, this patch cycle is all about post-exploitation risk management. Prioritize zero-day KBs, enable attack surface reduction (ASR) rules, and monitor token manipulation and new local admin creation in patch windows.
My advice: patch aggressively, validate your controls, and treat help desk and jump hosts like tier-zero assets — because attackers sure do.
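A concrete way to do the patch-window monitoring suggested above (new local admin creation and admin-level token use), as an added example that is not from the show or from Microsoft’s guidance. It reads the local Security log with Get-WinEvent; it assumes it runs elevated on a Windows host with the default account-management and logon auditing enabled, and $WindowStart is a placeholder for when your patch window opened.

```powershell
# Added example (not from the show notes): list Security-log events during a
# patch window that indicate new accounts, new local group members, or
# privileged logons. Read-only. Assumes an elevated session on Windows with
# "Audit User Account Management", "Audit Security Group Management" and
# "Audit Special Logon" enabled (the defaults on most domain-joined hosts).
param(
    [datetime]$WindowStart = (Get-Date).AddHours(-24)   # assumption: last 24h
)

# Documented Windows Security event IDs:
#  4720 = user account created
#  4732 = member added to a security-enabled local group (e.g. Administrators)
#  4672 = special privileges assigned to a new logon (admin-level token)
$ids = 4720, 4732, 4672

# Get-WinEvent throws when nothing matches, so suppress that and test for $null.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $WindowStart
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No account-management or privileged-logon events since $WindowStart."
    return
}

$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($_.Id) {
        4720 { $detail = "new account '$($data.TargetUserName)' created by '$($data.SubjectUserName)'" }
        4732 { $detail = "member SID $($data.MemberSid) added to group '$($data.TargetUserName)' by '$($data.SubjectUserName)'" }
        4672 { $detail = "privileged logon for '$($data.SubjectUserName)' with $($data.PrivilegeList -replace '\s+', ' ')" }
    }

    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Subject = $data.SubjectUserName
        Detail  = $detail
    }
} |
    # 4672 fires constantly for SYSTEM and machine accounts; keep only human principals.
    Where-Object { $_.Id -ne 4672 -or ($_.Subject -ne 'SYSTEM' -and $_.Subject -notlike '*$') } |
    Sort-Object Time |
    Format-Table Time, Id, Detail -AutoSize -Wrap
```

Run it once at the start of the patch window to get a baseline and again afterwards; any 4720 or 4732 entry whose Subject is not the patching service account is the thing to chase. On domain-joined fleets the same filter hashtable works against a collector via the -ComputerName parameter of Get-WinEvent.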
SAP Patches 3 Critical Vulnerabilities in December Update
SAP’s December security release includes three critical vulnerabilities, with CVSS scores as high as 9.6.
Key flaws:
CVE-2025-55754 (9.6): Remote code execution in SAP Commerce Cloud.
CVE-2025-42928 (9.1): Deserialization flaw in SAP JConnect, exposing backend services.
These vulnerabilities pose major risks to ERP and financial systems, making exploitation a potential compliance and fraud nightmare.
Immediate steps:
Apply all SAP hotfixes and restrict management endpoints by IP.
Enable EDR visibility on app servers.
Monitor for RFC anomalies, job tampering, and mass data exports.
In plain English: your SAP isn’t just accounting — it’s your business’s financial bloodstream. Patch it like your paycheck depends on it.
Adobe Patches 140 Vulnerabilities Across Suite
Adobe released fixes for over 140 vulnerabilities spanning Acrobat Reader, Premiere, After Effects, Substance tools, and Experience Cloud.
Several were critical code execution bugs, and while Adobe exploits rarely start attacks, they’re often the pivot point for lateral movement. A malicious PDF or plugin update can compromise creative teams and marketing systems tied to sensitive data.
The good news? Adobe patches are relatively easy to deploy. Roll out the Creative Cloud updates enterprise-wide and verify version compliance — because creative doesn’t mean unprotected.
Fortinet Warns of Critical FortiCloud Authentication Bypass
Fortinet has issued an emergency warning for a FortiCloud SSO authentication bypass that could allow attackers to hijack tenant environments and alter security configurations.
The issue lies in improper cryptographic signature validation in FortiCloud’s SAML implementation. The result? Complete tenant takeover.
If you can’t patch immediately:
Disable FortiCloud SSO login via CLI.
Enforce phishing-resistant MFA (like FIDO2 keys).
Hunt for unexpected new admin accounts and API tokens.
This is not a theoretical bug — it’s being actively tested in the wild. If you use FortiManager or FortiGate with cloud linkage, isolate those tenants immediately.
Ivanti EPM Flaw Allows Remote Code Execution
Here we go again — Ivanti is back in the headlines, and not for good reasons. A new flaw in Ivanti Endpoint Manager (EPM) allows remote unauthenticated attackers to execute JavaScript code on management servers.
Identified as CVE-2025-10573, this cross-site scripting (XSS) vector requires minimal user interaction and can result in credential theft, script injection, and estate-wide compromise.
Ivanti has issued a patch, but Rapid7 notes the exploit is trivial to execute. Organizations should:
Restrict console access to corporate networks or VPN only.
Rotate service credentials.
Review recent software distribution jobs for rogue scripts.
As I said on the show: if “Ivanti” sounds familiar, it’s because they’re patched so often it’s practically a monthly segment.
Coupang Investigation Escalates as Seoul Police Raid HQ
South Korea’s largest online retailer, Coupang, is under heavy fire after a major data breach allegedly tied to a former Chinese employee.
Police raided Coupang’s Seoul headquarters, seizing devices and servers. Authorities claim the company initially withheld information, forcing investigators to step in.
The insider reportedly exfiltrated customer and operational data before leaving the country. If true, this could redefine insider risk management across global enterprises.
For CISOs:
Review offboarding and remote access controls.
Implement data loss prevention (DLP) tools for insider exfil monitoring.
Establish clear law enforcement cooperation protocols.
Insider risk isn’t a product — it’s a culture. Coupang just became a case study in what happens when you miss that memo.
Storm-0249 Ransomware Campaign Evolves
Microsoft’s threat intel team is tracking Storm-0249, a ransomware actor now expanding into edge device exploits, DLL side-loading, and PowerShell payloads.
The group is targeting manufacturing and service organizations, blending phishing with living-off-the-land techniques.
Defenders should:
Block unsigned PowerShell scripts.
Monitor edge device configurations.
Update detections for ClickFix and side-loading activity.
Ransomware groups are evolving faster than patch cycles — and 2026 looks poised to be the year of hybrid extortion.
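A read-only audit of the PowerShell hardening points in the list above (unsigned scripts, visibility into PowerShell payloads), as an added example that is not from the show or from Microsoft’s Storm-0249 reporting. It reports the weak setting next to the expected one and lists scripts that fail signature checks; $ScriptRoots is an assumption and should point at the folders your management tooling runs scripts from.

```powershell
# Added example (not from the show notes): audit a Windows host for the
# PowerShell controls named in the Storm-0249 section. Read-only; it reports
# and does not change anything. $ScriptRoots is an assumption.
param(
    [string[]]$ScriptRoots = @("$env:ProgramData\Scripts", "$env:ProgramFiles\ScheduledTasks")
)

# 1. Machine-wide execution policy. AllSigned means unsigned scripts will not
#    run; Unrestricted/Bypass/Undefined is the weak setting.
$policy = Get-ExecutionPolicy -List | Where-Object Scope -eq 'LocalMachine'
$weak   = @('Unrestricted', 'Bypass', 'Undefined')
[pscustomobject]@{
    Check  = 'LocalMachine execution policy'
    Value  = $policy.ExecutionPolicy
    Status = if ($policy.ExecutionPolicy -in $weak) { 'WEAK (expect AllSigned)' } else { 'OK' }
}

# 2. Script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational).
#    Without it, living-off-the-land PowerShell leaves little for detections to match.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl    = (Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
[pscustomobject]@{
    Check  = 'Script block logging'
    Value  = if ($null -eq $sbl) { 'not configured' } else { $sbl }
    Status = if ($sbl -eq 1) { 'OK' } else { 'WEAK (expect EnableScriptBlockLogging=1)' }
}

# 3. Scripts in the tooling folders that are unsigned or whose signature no
#    longer matches the file (a tampered or dropped script shows up here).
foreach ($root in $ScriptRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include *.ps1, *.psm1 -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Check  = 'Script signature'
                    Value  = $_.FullName
                    Status = "$($sig.Status)"   # NotSigned, HashMismatch, UnknownError ...
                }
            }
        }
}
```

The execution policy is a safety rail, not a security boundary, so treat a WEAK result on check 1 as a hygiene finding and rely on AppLocker or WDAC for actual enforcement; the HashMismatch rows from check 3 are the ones that deserve an incident ticket rather than a cleanup task.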
Australia Bans Social Media for Minors Under 16
Australia has officially banned social media access for anyone under 16, with fines up to $50 million AUD for companies that fail to enforce it.
Platforms including Facebook, X, TikTok, and Reddit face impossible compliance hurdles — how do you verify user age without over-collecting data?
The law has sparked backlash from privacy groups and digital rights advocates, calling it “performative politics over practical policy.”
As I said: “You can’t stop kids from getting online — you can only push them toward darker corners of the web.”
UK Sanctions Russian and Chinese Firms Over Cyber Operations
The UK government has sanctioned six Russian and Chinese entities for their roles in disinformation and cyber operations.
Russian targets include the Rybar Telegram channel and the Center for Geopolitical Expertise, linked to the GRU. Chinese firms ISUNA and Integrated Technology Group were sanctioned for cyber espionage and influence campaigns.
Organizations should review vendor lists for exposure to sanctioned entities and update compliance workflows — because secondary sanctions are where businesses get blindsided.
EU Cybersecurity Investment Report Shows Talent Gaps Widening
A new EU cybersecurity investment report shows cyber spending now averages 9% of IT budgets, yet talent shortages persist across the bloc.
Companies are leaning heavily on outsourced SOCs and managed services, as NIS2 compliance strains in-house resources. The report highlights a troubling reality — technology investments are outpacing workforce growth, leaving visibility gaps across supply chains.
Europe needs people, not just platforms. Until they fix that, breaches will continue to outpace budgets.
California Man Pleads Guilty in $263M Crypto Theft Case
A 22-year-old California man pled guilty to RICO conspiracy after laundering over $263 million in stolen cryptocurrency through social engineering schemes.
The group targeted wealthy crypto holders, socially engineered access to wallets, and even broke into victims’ homes to steal devices.
This case proves one thing: crypto crime isn’t just digital — it’s increasingly physical.
Action List
🧱 Patch Microsoft, SAP, Adobe, and Fortinet immediately.
☁️ Disable FortiCloud SSO if patching isn’t possible.
💻 Restrict Ivanti console access and rotate credentials.
🔍 Harden insider monitoring and DLP.
🌐 Verify vendor compliance with UK/EU sanctions.
🧑‍💻 Update detection rules for Storm-0249 and PowerShell misuse.
👨‍👩‍👧 Prepare for social media restrictions impacting user engagement and platform compliance.
James Azar’s CISO’s Take
Today’s episode was a snapshot of how cyber risk and geopolitics have officially merged. Patch cycles, insider threats, and sanctions aren’t separate domains anymore — they’re connected by the same thread: trust and control. From Microsoft’s zero-days to Coupang’s insider mess, the playbook hasn’t changed — the actors just keep rotating.
My biggest takeaway? Resilience isn’t patching faster — it’s understanding who and what you rely on. Whether it’s a vendor, an employee, or a government partner, your weakest link often holds the most access. As we close out 2025, it’s not about more alerts — it’s about sharper focus and faster recovery.
Stay sharp, stay caffeinated, and as always — stay cyber safe.