Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On December 11, 2025, Push Security published research detailing a newly observed browser-based phishing technique called ConsentFix. The name ConsentFix is derived from its similarity to the previously documented ClickFix technique using fake CAPTCHA pages. ConsentFix, enables threat actors to gain cloud account access without capturing passwords, multifactor authentication (MFA) codes, or other credentials by abusing legitimate OAuth authentication and consent flows.

The holiday season is traditionally a period of goodwill, gift giving, and time with loved ones, but if you are responsible for your enterprise’s cyber defenses it’s also a time when you should have a heightened awareness of cyber risk. Cybercriminals often treat this time of year as a prime opportunity to exploit the unprepared and unwary.

In December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter.

On December 9, 2025, Fortinet released an advisory detailing two critical authentication bypass vulnerabilities affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Designated CVE-2025-59718 and CVE-2025-59719, these vulnerabilities allow an unauthenticated threat actor to bypass FortiCloud SSO login authentication via a crafted SAML message if the feature is enabled on the device. Fortinet states that FortiCloud SSO login is disabled by default in factory settings.

On December 3, 2025, the React team released fixes for a maximum severity vulnerability in React Server Components (RSC). The vulnerability, tracked as CVE-2025-55182, stems from unsafe handling of serialized DOM elements, allowing for remote code execution in React 19 and other frameworks built on top of it, such as Next.js 15–16. The vulnerability was responsibly disclosed to React as part of a bug bounty program and is not known to be actively exploited in the wild at this time.

On November 24, 2025, researchers identified a renewed supply-chain attack linked to Shai-Hulud malware, revealing that numerous npm packages had been quietly trojanized following the initial wave of malicious activity in September. This second iteration involved compromised versions of popular packages uploaded between November 21, 2025, and November 23, 2025, with additional compromised packages continuing to surface at the time of writing.

Artificial intelligence (AI) has supercharged social engineering. Global management consulting firm McKinsey & Company reported a 1,200% global surge in phishing attacks since the rise of generative AI in the latter half of 2022. And it’s not just the number of attacks that’s climbing; it’s also the success rate. Arctic Wolf’s Human Risk Behavior Snapshot: 2nd Edition reveals that nearly two-thirds of IT and security leaders self-reported falling for a phishing attempt.

On November 19, 2025, Salesforce announced an investigation into unusual activity involving applications published by Gainsight, a company that provides customer success software integrated with Salesforce. In their advisory, Salesforce indicated that they had notified affected customers directly, and that an investigation is ongoing. Salesforce has not yet provided details about the full scope of the malicious activity.

On November 13, 2025, open source reporting began detailing active exploitation of a silently patched Fortinet FortiWeb vulnerability. The flaw is a path traversal issue in the FortiWeb web application firewall (WAF) that allows an unauthenticated threat actor to create new administrative users on exposed devices. The following day, November 14, Fortinet officially addressed the vulnerability in an advisory, tracking it as CVE‑2025‑64446.

Phishing has been a mainstay of cybercrime for decades – and for good reason. Threat actors continually evolve their phishing tactics, techniques, and procedures (TTPs), adapting the method with new tools and technologies to ensure it remains highly effective. IT leaders have become especially attractive targets: their privileged access amplifies the impact of a successful compromise.