Daily Signal Note: Infrastructure Management | Privileged Control Plane Exposure
CybersecurityHQ | CISO Cyber Briefing Note

Welcome reader, here’s today’s Cyber Briefing Note.
Brought to you by:
Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
CybersecurityHQ provides analyst-grade cyber intelligence used by CISOs and security leaders inside the Fortune 100. Each briefing identifies structural security failures and decision breakdowns across identity, machine trust, third-party access, and enterprise attack surfaces. This work exists to inform executive judgment, not to react to headlines.
—
Subscriber access includes weekly CISO briefings, deep-dive intelligence reports, premium research, and supporting tools. Corporate plans available.
Signal 1: SonicWall SMA Zero-Day Chain (CVE-2025-40602)
Google GTIG discovered active exploitation chaining CVE-2025-40602 with CVE-2025-23006 for unauthenticated root RCE on the SonicWall SMA 100 series. SMA 100 reached EOL on October 31, 2025. An emergency hotfix was issued despite the EOL status. CISA added the vulnerability to the KEV catalog on December 17 with a December 24 deadline.
Signal 2: HPE OneView Maximum Severity RCE (CVE-2025-37164)
HPE disclosed a CVSS 10.0 unauthenticated RCE affecting all OneView versions prior to 11.00. No workarounds exist. A hotfix is available and must be reapplied after certain upgrades. CISA added the vulnerability to the KEV catalog December 16.
Signal 3: Iranian APT Infy Resurfaces with Telegram C2 (Tonnerre v50)
Infy/Prince of Persia resumed operations in August-December 2025 after being dormant since 2022. Targets include Iran, Europe, Iraq, Turkey, India, and Canada. Foudre v34 and Tonnerre v50 were deployed with a new DGA. The Telegram API replaces FTP for C2. RSA signature verification prevents takedown.
Signal 4: UEFI Pre-Boot DMA Protection Failure (CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, CVE-2025-14304)
Riot Games researchers disclosed that motherboards from ASRock, ASUS, GIGABYTE, and MSI incorrectly report DMA protection as active while failing to initialize the IOMMU during early boot. Physical attackers can access or modify memory before the OS loads. CERT/CC confirmed the issue. Vendors released firmware updates.
Author
Daniel Michan is the founder of CybersecurityHQ, a CISO-grade intelligence platform read weekly across the Fortune 100. He analyzes identity-centric risk, machine identity failures, SaaS integration breakdowns, and emerging AI-speed threats, producing executive briefings and deep-dive research used by enterprise security leaders for decision support.