#NSBCS.104 - Zero-Days Aren’t Rare Anymore – They’re the New Normal. And They’re Not Going Away.


In 2025, discovering a zero-day vulnerability every week is no longer headline news; it's a Tuesday.

Microsoft's Patch Tuesdays fixed more than 1,000 CVEs in 2024, dozens of them zero-days. Google's in-the-wild zero-day tracking counted 97 in a single year. Apple, Citrix, VMware, Fortinet, Ivanti, Palo Alto Networks: every major vendor is shipping products with critical flaws that are already being weaponised before the ink is dry on the release notes.

Here’s the uncomfortable truth Australian organisations must accept:

1. Zero-days have become industrialised
Nation-states (China, Russia, North Korea, Iran) run permanent offensive teams that discover, stockpile, and deploy zero-days at scale. Commercial exploit brokers now sell previously “elite” zero-days for $1–10 million each to ransomware groups and mercenary spyware firms. The days when only the NSA could afford a zero-day chain are over.

2. Patching no longer equals protection
The median time from public disclosure to active exploitation is now under 48 hours. For high-value Australian targets (critical infrastructure, finance, defence supply chain, government) the gap is often measured in minutes. By the time your WSUS server has approved the patch, the attacker has already been inside for weeks.

3. Supply-chain zero-days are the new favourite vector
MOVEit, SolarWinds, Kaseya, Log4j, ProxyLogon/ProxyShell, 3CX, Okta: the list grows monthly. One unpatched SaaS platform, appliance or managed service provider gives the attacker a skeleton key to hundreds of Australian organisations simultaneously.

4. The regulatory fallout is getting harsher
The OAIC and APRA are no longer satisfied with “it was a zero-day” as an explanation. Directors face personal liability questions when the response forensics don’t stand up because the zero-day evidence was lost in the rush to recover.

5. Australian attackers are buying Australian-specific zero-days
We are now seeing exploits customised for Australian software builds, time zones, and even specific government-mandated configurations. This isn't imported crime; it's targeted at us.

Zero-days are not going away. They are getting cheaper, faster, and more targeted.

The only effective counter-measure left is having a pre-retained, national-security-grade DFIR capability that specialises in signature-less hunting, memory forensics, kernel reconstruction, and sovereign evidence handling, ready before the exploit lands.

NSB Cyber has effectively responded to multiple in-the-wild zero-day campaigns targeting Australian organisations, incidents that began with no patch, no detection signature, and no public reporting. Don’t wait for the next unpatchable vulnerability to prove your current plan inadequate.


What we read this week

  • Chinese Hackers Exploit React2Shell RCE Flaw Hours After Disclosure - The React team disclosed CVE-2025-55182 (CVSS 10.0), dubbed React2Shell, on 3 December 2025: an unsafe deserialisation flaw in the React Server Components (RSC) "Flight" protocol that lets an unauthenticated attacker send a crafted request to a Server Function endpoint and execute arbitrary code on the server. Within hours, Amazon Web Services' threat intelligence team observed the Chinese-linked groups Earth Lamia and Jackpot Panda scanning for and exploiting vulnerable Next.js and other RSC-based applications for initial access and data exfiltration, alongside N-day flaws such as CVE-2025-1338 in NUUO cameras. The bug lives in the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages at versions 19.0.0 through 19.2.0 and is fixed in 19.0.1, 19.1.2 and 19.2.1, with corresponding Next.js 15.x and 16.x patch releases; no widespread compromises have been confirmed yet. Developers are urged to upgrade immediately, audit lockfiles for every copy of the affected packages (including transitive ones), and put runtime protections in front of RSC endpoints to counter this shrinking disclosure-to-exploitation window.
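A lockfile audit is the first check a practitioner wants after an advisory like this, because a fixed top-level React does not guarantee that a nested or transitive copy is fixed too. The script below is an added example, not code from the original newsletter, from React or from NSB Cyber. It walks a package-lock.json (lockfileVersion 2 or 3), finds every installed copy of the three affected packages and classifies each version. The affected and fixed version numbers are those published in React's advisory for CVE-2025-55182; re-check them against the advisory before relying on the table, and note that Next.js vendors its own copy of these packages under next/dist/compiled, so the next package version must be checked against the Next.js advisory separately. The sample lockfile at the bottom is constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Packages that implement the RSC "Flight" deserialisation code affected by
# CVE-2025-55182 (per React's advisory; re-check before relying on this list).
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}

# First fixed patch release on each affected 19.x minor line (per React's advisory).
FIXED_BY_MINOR: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (19, 0): (19, 0, 1),
    (19, 1): (19, 1, 2),
    (19, 2): (19, 2, 1),
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\S+))?$")


def classify_version(version: str) -> str:
    """Return 'vulnerable', 'fixed', 'unaffected' or 'review' for an RSC package version."""
    m = _SEMVER.match(version)
    if not m:
        return "review"  # git URL, tag or range specifier: inspect by hand
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    prerelease = m.group(4)
    if major < 19:
        return "unaffected"  # the Flight deserialisation bug was introduced in the 19.x line
    if (major, minor) not in FIXED_BY_MINOR:
        return "review"  # a minor line the table does not know about: check the advisory
    if prerelease:
        return "review"  # canary/experimental builds need a per-build check
    return "fixed" if (major, minor, patch) >= FIXED_BY_MINOR[(major, minor)] else "vulnerable"


def package_name_from_path(path: str) -> str:
    """Lockfile v2/v3 keys look like 'node_modules/foo/node_modules/bar'; return 'bar'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict) -> List[Tuple[str, str, str]]:
    """Report every installed copy of an RSC package as (install path, version, status)."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the empty key is the root project itself
        if package_name_from_path(path) in RSC_PACKAGES:
            version = meta.get("version", "")
            findings.append((path, version, classify_version(version)))
    return findings


# Constructed sample lockfile (not a real project): a fixed top-level copy, a vulnerable
# copy nested under a hypothetical dependency, and a canary build that needs manual review.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.2"},
        "node_modules/some-rsc-framework": {"version": "2.3.4"},
        "node_modules/some-rsc-framework/node_modules/react-server-dom-turbopack": {
            "version": "19.2.0"
        },
        "node_modules/react-server-dom-parcel": {"version": "19.2.0-canary-0d2abd4e-20251120"},
    },
}

if __name__ == "__main__":
    # In practice: audit_lockfile(json.load(open("package-lock.json")))
    for path, version, status in audit_lockfile(SAMPLE_LOCK):
        print(f"{status:<11} {version:<40} {path}")
```

Anything reported as "vulnerable" or "review" is a blocker: a nested 19.2.0 is exploitable regardless of the version at the top of the tree, and a canary build has to be compared against the advisory's fixed canary tag rather than assumed safe.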

  • Microsoft's December Patch Tuesday Fixes 56 Flaws, Including Actively Exploited Zero-Day - Microsoft addressed 56 vulnerabilities in its 9 December 2025 Patch Tuesday release, including three zero-days, one of which is under active exploitation: CVE-2025-62221, a use-after-free in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that allows local privilege escalation to SYSTEM. The other zero-days are CVE-2025-64671, a command injection in GitHub Copilot for JetBrains, and publicly disclosed RCE flaws in Office apps. The update covers Windows, SharePoint, Exchange, and third-party tools, marking the second year with over 1,000 CVEs patched. CISA added CVE-2025-62221 to its Known Exploited Vulnerabilities catalog, requiring federal remediation by 30 December. Organisations should prioritise patching, monitor for anomalous activity involving the Cloud Files filter driver, and automate updates to mitigate ransomware and APT risks.

  • CISA Adds WinRAR Path Traversal Flaw to Known Exploited Vulnerabilities Catalog - The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-6218 (CVSS 7.8), a path traversal vulnerability in WinRAR that enables arbitrary code execution via crafted archives, to its Known Exploited Vulnerabilities catalog on 9 December 2025 due to active exploitation. Attackers are using the flaw to deliver malware through seemingly benign archive files, bypassing detection in corporate environments. The addition landed on the same day as Microsoft's December Patch Tuesday and highlights ongoing risks in widely deployed desktop tools. Federal agencies must remediate by year-end, while users should update to the latest WinRAR version, scan archives rigorously, and deploy endpoint controls to prevent code execution and lateral movement.

  • FTC Takes Action Against Illuminate Education Over Massive Student Data Breach - The Federal Trade Commission announced enforcement action on 1 December 2025 against Illuminate Education following a breach exposing personal data of over 10 million students, including names, grades, and contact details. The incident, stemming from inadequate security practices, violated children's privacy laws and highlighted vulnerabilities in edtech platforms. Illuminate faces penalties and mandated reforms, including enhanced encryption and access controls. This case underscores the growing scrutiny on educational data handlers, with experts recommending regular audits, consent mechanisms, and zero-trust architectures to protect sensitive student information amid rising cyber threats to schools.

  • Petco Data Breach Exposes Customers' SSNs, Driver's Licences, and Financial Details - Pet products retailer Petco confirmed on 8 December 2025 a cybersecurity incident via a third-party vendor compromise, affecting an unspecified number of customers by exposing Social Security numbers, driver's licences, and financial information used for in-store identity verification. No payment card data was impacted, but the breach prompted notifications and free credit monitoring offers. Detected in late November, it highlights supply chain weaknesses in retail. Petco engaged authorities and experts for response. Customers should monitor accounts for identity theft, while businesses are advised to audit vendors, minimise data sharing, and enforce encryption to avert similar exposures.

