The week of December 18-25, 2025 saw sustained active exploitation of critical network appliance vulnerabilities including Cisco CVE-2025-20393 (CVSS 10.0) and Fortinet SSO bypass flaws. No major data breaches with confirmed incident dates strictly within this 7-day period were identified from prioritized sources. Emerging threats included Cellik Android RAT with Play Store integration capabilities and elevated darkweb ransomware claims (64 tracked on Dec 18 alone). Chinese APTs continued targeting email security gateways while ransomware operators exploited holiday staffing reductions.
>>Outpace Attackers With AI-Based Automated Penetration Testing
NEW HACKING TECHNIQUES
Cellik Android RAT: Play Store Trojanization
Discovery Date: December 18, 2025
Overview
Cellik enables attackers to browse Google Play Store directly from C2 panels, select legitimate apps, and auto-generate trojanized APKs wrapping malware payloads for phishing distribution.
Technical Explanation
- Real-time screen streaming with remote touch simulation
- One-click APK builder scans entire Play Store catalog
- Overlay attacks deploy fake banking/Gmail login screens
- Claims Google Play Protect evasion via trusted app signatures
- Subscription model with cloud-based control panels
Impact/Risk
Bypasses app vetting by leveraging legitimate app trust. Targets BYOD environments for credential theft via overlays.
CISO Takeaway
Deploy MDM policies that block sideloaded APKs. Monitor for anomalous camera/microphone usage and mobile data exfiltration.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management
>>FireCompass Free Trial
CRITICAL CVEs & ACTIVE EXPLOITATION
CVE-2025-20393: Cisco AsyncOS RCE (CVSS 10.0)
Active Exploitation: Confirmed December 18-22, 2025
Overview
Chinese APT UAT-9686 exploited Cisco Secure Email Gateway appliances with Spam Quarantine enabled for unauthenticated root RCE.
Technical Explanation
Attack Flow:
- Malformed input to POST /quarantine/… reaches a system() call (command injection)
- AquaShell backdoor: HTTP POST /cmd → custom Base64+XOR decode → root shell
- ReverseSSH tunnel to attacker C2
- Chisel tunnels mask lateral movement
- AquaPurge clears logs
Impact/Risk:
Compromised gateways enable email interception, credential harvesting, trusted perimeter pivoting.
CISO Takeaway:
Audit SEG/SEWM Spam Quarantine exposure. No patch is available; disable the feature or rebuild affected appliances.
CVE-2025-59718: Fortinet FortiGate SSO Bypass (CVSS 9.8)
Active Exploitation: December 18-20, 2025
Overview
SAML response spoofing bypasses FortiCloud SSO on FortiGate/FortiProxy appliances.
Technical Explanation
POST /remote/saml/login
SAMLResponse=<forged_signature><admin_assertion/></SAMLResponse>
The appliance accepts a SAMLResponse carrying an invalid signature and grants an admin session. Attackers then exported configurations, exposing firewall rules and VPN credentials.
Impact/Risk
Perimeter compromise enables rule modification and internal pivoting.
CISO Takeaway
Patch immediately or disable FortiCloud SSO. Segment management interfaces.
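The accept-invalid-signature failure described above, as an added example that is not code from FireCompass or Fortinet: a verifier that only checks that a Signature element is present, beside one that recomputes the signature over the assertion, compares it in constant time and pins the issuer. It assumes an HMAC over the serialized Assertion in place of XML-DSig, and constructed key and issuer values.

```python
# Added example (not FireCompass's or Fortinet's code): a SAMLResponse verifier
# that trusts any response carrying a <Signature> element, beside one that checks it.
# ASSUMPTION: an HMAC-SHA256 over the serialized <Assertion> stands in for the
# XML-DSig RSA signature a real IdP would produce; the check logic is the point.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"constructed-idp-signing-key"    # constructed; stands in for the IdP cert
EXPECTED_ISSUER = "https://idp.example.com"  # constructed IdP entity id

def build_response(subject, key, issuer=EXPECTED_ISSUER):
    """Build a base64 SAMLResponse whose <Signature> is an HMAC over the Assertion."""
    root = ET.Element("Response")
    ET.SubElement(root, "Issuer").text = issuer
    assertion = ET.SubElement(root, "Assertion")
    ET.SubElement(assertion, "Subject").text = subject
    sig = hmac.new(key, ET.tostring(assertion), hashlib.sha256).hexdigest()
    ET.SubElement(root, "Signature").text = sig
    return base64.b64encode(ET.tostring(root)).decode()

def vulnerable_login(saml_response):
    """Weak pattern: a Signature element exists, so the assertion is trusted as-is."""
    root = ET.fromstring(base64.b64decode(saml_response))
    if root.find("Signature") is None:
        return None
    return root.find("Assertion/Subject").text      # subject granted a session

def hardened_login(saml_response, key=IDP_KEY):
    """Correct pattern: recompute the signature over the assertion, compare it in
    constant time, and require the expected issuer before granting any session."""
    root = ET.fromstring(base64.b64decode(saml_response))
    sig = root.find("Signature")
    assertion = root.find("Assertion")
    issuer = root.find("Issuer")
    if sig is None or assertion is None or issuer is None:
        return None
    if issuer.text != EXPECTED_ISSUER:
        return None                                   # response not from our IdP
    expected = hmac.new(key, ET.tostring(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), (sig.text or "").encode()):
        return None                                   # forged or tampered: no session
    return assertion.find("Subject").text
```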
CVE-2025-40602: SonicWall SMA1000 Chain (CVSS 10.0 chained)
Exploitation Reports: December 17-22, 2025
Overview
CVE-2025-40602 chained with CVE-2025-23006 yields unauthenticated RCE on 950+ exposed SMA1000 appliances.
Attack Chain
- Deserialization (CVE-2025-23006) → shell
- AMC privilege escalation (CVE-2025-40602) → root
- VPN server control
Impact/Risk
Remote access gateway compromise provides internal network entry.
CISO Takeaway
Patch both vulnerabilities. Restrict SMA1000 management to VPN-only access.
DARKWEB INTELLIGENCE
Ransomware Ecosystem (Dec 18-25 Activity)
- 64 new claims on Dec 18 (Sinobi alone: 10 claims)
- Qilin (20.86%), Akira (13.9%) and LockBit 5 (12.3%) dominated
- Government (12 victims) and Education (9 victims) were the primary targets
ShinyHunters Activity
December 23, 2025: Launched “Trinity of Chaos” site claiming Cisco/Google data.
Cellik RAT Marketing
Active forum promotion of Play Store trojanization tooling with live device control demos.
No Confirmed Breaches (Dec 18-25 Incident Dates)
Condé Nast (Nov breach), Ubisoft (Dec 26 detection) excluded per strict incident date criteria.
FIRECOMPASS CALL-TO-ACTION
Real-Time Vulnerability Monitoring: CVSS 9.0+ discovery across cloud/perimeter
Supply Chain Validation: Third-party software integrity checks
Darkweb Surveillance: Leak site/forum monitoring
Ransomware Simulation: Test vs. Qilin/Akira TTPs
Mobile Threat Hunting: BYOD Cellik detection
Request your no-obligation security assessment today to identify vulnerabilities exploited by these exact threat actors.
