CISO Weekly Intelligence Brief — December 10, 2025
CybersecurityHQ — Executive intelligence for security leadership

Welcome, reader, to your CybersecurityHQ CISO Weekly Intelligence Brief.
In partnership with:
Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
About CybersecurityHQ
CybersecurityHQ provides executive-grade intelligence read weekly inside the Fortune 100. Each briefing is designed to support CISO-level decision-making across identity, infrastructure, third-party risk, and strategic security architecture.
CISO Access
CISOs receive full complimentary access to all CybersecurityHQ strategic intelligence.
If you’d like access or have questions, contact me directly here.
=== CISO SIGNAL ===
Anthropic's report on GTG-1002 removed the last remaining doubt: autonomous AI-orchestrated attacks are now operational reality. A China-aligned, state-sponsored actor used Claude Code to execute roughly 80-90% of the intrusion chain across a multi-sector espionage campaign - from reconnaissance to lateral movement and exfiltration - at machine speeds no human team can match.
The structural failure is not AI gone rogue. It is that identity, speed, and dependency collapsed into a single failure domain: compromised access was used to jailbreak the model, autonomous agents drove thousands of requests per minute, and those agents moved across dependency chains into approximately 30 organizations, with multiple confirmed breaches.
Congress has now pulled this into the accountability layer: the House Homeland Security Committee has called Anthropic's CEO to testify on December 17 about how a commercial AI system was turned into an operational attack platform. The board-level question is shifting from 'How do we adopt AI safely?' to: Can you prove our AI agents are governed like privileged identities - and that we would detect if they were weaponized against us?
1. Threat Trajectory Shift: Autonomy, Not Just Augmentation
Fact Pattern
GTG-1002 used Claude Code's agentic capabilities to automate the majority of tactical operations, not just assist human operators.
Anthropic and independent analysts estimate around 30 organizations targeted across tech, finance, and government, with at least four breaches confirmed in downstream reporting.
Broken Assumption
AI-enabled intrusions still move at human speed because humans stay in the loop.
Replacement
Adversaries can now offload most of the intrusion lifecycle to AI agents that operate at machine speed, with humans only stepping in at control checkpoints.
Implication
If your security model still treats AI as a tool used by humans, rather than an identity with its own behavioral footprint, you are already behind.
2. Three Strategic Decisions You Cannot Punt
2.1 AI Agent Identity Governance
What Happened
Anthropic's incident shows a commercial AI agent used as the primary orchestrator of an espionage campaign.
The House Homeland Security Committee has scheduled a Dec 17 hearing and requested Anthropic, Google, and Quantum Xchange testify on how AI can be weaponized by state actors.
What Leading Organizations Are Doing
Treating AI agents (Claude Code, Copilot, custom MCP agents) as privileged service accounts:
Explicit identities for each agent/integration
Behavioral baselines and rate-limits
Session governance and central logging
Revocation and kill-switch capability
Decision
Formally classify AI agents as privileged identities and bring them under your existing PAM/machine identity governance by end of Q1 2026.
2.2 React2Shell (CVE-2025-55182) - Framework-Level Blast Radius
What Happened
CVE-2025-55182 (React2Shell) is a CVSS 10.0 unauthenticated RCE in React Server Components, affecting React 19.x and downstream frameworks (notably Next.js App Router).
CISA added it to the Known Exploited Vulnerabilities catalog with a near-term remediation deadline for federal agencies. Multiple vendors now report active exploitation by China-nexus groups including Earth Lamia and Jackpot Panda.
Wiz and Unit 42 estimate nearly 40% of cloud environments contain vulnerable React/Next.js instances, with approximately 29,000 internet-exposed IPs still vulnerable as of December 7.
Executive Meaning
Your framework choices - not just your infrastructure - are now deterministic exploitation surfaces at cloud scale.
Decision
Instruct teams to prioritize React2Shell remediation outside normal change windows for any internet-facing service.
Require a one-page attestation from app/platform owners: Where React/Next.js RSC is used, what patch level they are on, whether WAF/RASP rules are in place.
2.3 Third-Party Blast Radius - Marquis Software and SonicWall
What Happened
Marquis Software Solutions, a US fintech/marketing vendor to banks and credit unions, suffered a ransomware/data theft incident on August 14, 2025, via a SonicWall firewall vulnerability (CVE-2024-40766).
The breach has impacted customers of at least 74 banks and credit unions, with over 400,000 individuals confirmed and some estimates rising above 780,000 as notifications expand.
Executive Meaning
This is not a SonicWall story. It is a vendor access governance story: a mid-tier marketing/compliance vendor became a national-scale blast radius for financial data because their patching and MFA were weaker than their customers'.
Decision
Run an emergency vendor audit focused on: SonicWall/firewall exposure among your providers, MFA coverage on remote access, breach notification SLAs and evidence of prior incidents.
3. Signals That Actually Matter This Week
3.1 Browser Extension Trust Model Collapse - ShadyPanda
Threat actor ShadyPanda ran a seven-year campaign weaponizing Chrome/Edge extensions that accumulated 4.3M+ installs and even gained Featured/Verified status before receiving malicious updates that turned them into spyware and RCE platforms.
Control That Failed
Marketplace trust and Verified/Featured tags are not security controls; auto-update became the delivery mechanism for compromise.
Board Metrics
Percentage of corporate browsers with only allow-listed extensions
Time to detect permission changes on installed extensions
3.2 BRICKSTORM - Hypervisor-Level Persistence
A joint CISA/NSA/Canadian Cyber Centre report describes BRICKSTORM, a Go-based backdoor used by PRC state actors for long-term persistence in VMware vSphere/vCenter and Windows environments, including one victim where attackers maintained access from April 2024 through at least September 3, 2025.
Control That Failed
Traditional EDR/NDR deployed at the OS/network layer cannot see malware living in the hypervisor/control plane.
Board Metrics
Days since last vCenter/hypervisor audit
Presence of BRICKSTORM detection rules and logging on management planes
3.3 Oracle EBS / Cl0p - Supply Chain Concentration
CVE-2025-61882 (Oracle EBS) has been weaponized by Cl0p and others for mass data theft, with exploitation dating back to August 2025 before patches were available. Victims include Washington Post, Harvard, Allianz UK, GlobalLogic, Envoy Air, and NHS entities.
Control That Failed
Assuming major enterprise software plus maintenance contract equals acceptable risk. Frameworks and ERP suites are single points of deterministic failure once a zero-day appears.
Board Metrics
Inventory of internet-exposed ERP/EBS instances
Mean time from vendor patch release to deployment for critical CVEs
4. Operational Annex (For Your Team)
AI Agents / GTG-1002
Inventory where Claude Code, Copilot, and other AI agents can touch production credentials, code, or infrastructure.
Treat those as service identities: add them to PAM/secret stores, log every action, rate-limit, and set revocation paths.
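A minimal sketch of the baseline-and-revocation control described above, added here as an illustration and not taken from any vendor or from the incident report. The agent names, the per-minute limits and the log format are all assumptions, and the sample log is constructed.

```python
from collections import Counter
from datetime import datetime

# Hypothetical registry: every governed agent identity and its allowed
# number of logged actions per clock minute (assumed values).
BASELINE = {"claude-code-ci": 30, "copilot-review": 10}

def sample_log():
    """Constructed audit lines in an assumed 'timestamp key=value' format."""
    lines = [f"2025-12-10T09:00:{s:02d}Z agent=copilot-review action=pr.comment"
             for s in range(5)]
    lines += [f"2025-12-10T09:01:{s:02d}Z agent=claude-code-ci action=repo.read"
              for s in range(45)]
    lines.append("2025-12-10T09:01:30Z agent=mcp-unlisted action=secret.read")
    return lines

def evaluate(log_lines, baseline):
    """Return {agent: reason} for every identity that should be revoked."""
    per_minute = Counter()
    decisions = {}
    for line in log_lines:
        ts, fields = line.split(" ", 1)
        kv = dict(f.split("=", 1) for f in fields.split())
        agent = kv["agent"]
        if agent not in baseline:
            # An agent acting without an explicit identity is itself a finding.
            decisions[agent] = "revoke: no registered identity"
            continue
        # Fixed one-minute buckets; a sliding window would be stricter.
        minute = datetime.fromisoformat(ts.replace("Z", "+00:00")).replace(
            second=0, microsecond=0)
        per_minute[(agent, minute)] += 1
        if per_minute[(agent, minute)] > baseline[agent]:
            decisions[agent] = "revoke: rate above baseline"
    return decisions

if __name__ == "__main__":
    for agent, reason in evaluate(sample_log(), BASELINE).items():
        print(agent, "->", reason)
```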
React2Shell - CVE-2025-55182
Patch RSC packages to 19.0.1 / 19.1.2 / 19.2.1 and Next.js to vendor-recommended fixed versions.
Use scanning tools / vendor scripts to find RSC usage even in apps that do not think they use server functions.
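One way to produce the patch-level evidence for the attestation, added here as an example and not a vendor script: it reads an npm `package-lock.json` (lockfile version 2 or 3) and compares every `react-server-dom-*` entry, including nested copies, against the fixed versions listed above. The sample lockfile is constructed, and the Next.js version in it is a placeholder because this brief does not list Next.js fixed versions.

```python
import json
import re

# Minimum patched patch-level per release line, as listed in this brief:
# 19.0.1 / 19.1.2 / 19.2.1.
FIXED = {(19, 0): 1, (19, 1): 2, (19, 2): 1}
# npm packages that ship the React Server Components runtime.
RSC_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel",
                "react-server-dom-turbopack"}

# Constructed sample lockfile; versions are illustrative only.
SAMPLE_LOCK = json.dumps({
    "name": "constructed-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/tool/node_modules/react-server-dom-parcel": {"version": "19.2.1"},
        "node_modules/react-server-dom-turbopack": {"version": "19.3.0-canary-abc"},
        "node_modules/next": {"version": "0.0.0-placeholder"},
    },
})

def classify(version):
    """Compare one RSC package version with the fixed versions above."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version or "")
    if not m:
        return "review"  # prerelease, canary or missing version
    major, minor, patch = map(int, m.groups())
    floor = FIXED.get((major, minor))
    if floor is None:
        return "review"  # release line not covered by the brief
    return "patched" if patch >= floor else "vulnerable"

def audit_lockfile(lock_text):
    """Return sorted (path, version, status) for RSC-relevant packages."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]  # handles nested copies
        version = meta.get("version")
        if name in RSC_PACKAGES:
            findings.append((path, version, classify(version)))
        elif name == "next":
            # Next.js bundles its own RSC runtime, so no separate entry
            # appears; check its version against the vendor advisory.
            findings.append((path, version, "check-vendor-advisory"))
    return sorted(findings)

if __name__ == "__main__":
    for row in audit_lockfile(SAMPLE_LOCK):
        print(*row)
```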
Oracle EBS - CVE-2025-61882
Confirm patches applied on any Oracle EBS reachable from the internet.
Assume compromise if you were unpatched after Oct 4 and have no detailed log review.
Android / Windows Zero-Days
Push December 2025 Android security updates (CVE-2025-48572 / 48633) and Windows patches to all managed fleets; prioritize high-risk populations (execs, admins, field staff). CISA KEV deadline: December 23 for Android.
Marquis / SonicWall
Require vendors to attest they have patched CVE-2024-40766 and rotated VPN credentials. If they cannot, treat them as an incident in progress.
ShadyPanda Extensions
Enforce browser policy: remove named malicious extensions (Clean Master, WeTab); move to allow-listing, not block-listing.
5. Board-Level Summary
Financial Exposure
AI-orchestrated intrusions now operate at a level where slow detection is functionally equivalent to no detection. Remediation and regulatory fallout are in the multi-million range per incident.
Cl0p's Oracle EBS campaign and similar supply-chain incidents show multi-million dollar potential ransom demands and secondary costs when ERP/identity systems are hit.
Regulatory Liability
AI-assisted autonomous attacks are now on Congress' radar; expect governance-trail and AI-use evidence to become examinable in regulatory and litigation contexts.
CISA KEV entries for React2Shell, Android, Oracle, and Windows move these from 'optional hardening' to 'you were on notice.'
Operational Risk
AI agents + vulnerable frameworks + concentrated vendors = an environment where small governance gaps create system-wide blast radii (AI, web front-ends, and third-party platforms).
Five Metrics to Show the Board
1. AI agents with explicit identity governance (count and percentage of integrations)
2. Time from CISA KEV addition to remediation for React2Shell, Oracle EBS, Android, and Windows
3. Number of high-blast-radius vendors with independently verified MFA + patching on edge devices
4. Percentage of corporate browsers compliant with extension allow-list
5. Percentage of VMware/hypervisor environments covered by BRICKSTORM-aligned detection + logging
6. Week Ahead
Dec 17 - Congressional AI intrusion hearing (Anthropic, Google, Quantum Xchange)
Dec 23 - CISA KEV deadline: Android Framework (CVE-2025-48572, CVE-2025-48633)
Dec 26 - CISA KEV deadline: React Server Components (CVE-2025-55182)
7. The Bottom Line
The core assumption that AI-augmented intrusions require continuous human direction is now invalid. Autonomous agents can execute full intrusion chains at speeds that render human detection irrelevant.
Organizations that act now will be positioned to detect AI-driven compromise across their identity and integration surfaces. Organizations that wait will discover breaches only after completion - long after exfiltration has occurred.
The new mandate: Prove every AI agent with access to your systems operates within a defined behavioral baseline - and prove you can detect the moment it does not.
—
CybersecurityHQ | Intelligence for Security Leaders
