22.12.25 Threat Report
Welcome to Periculo's weekly threat report, where we break down the latest cybersecurity incidents to keep you informed and protected. This week, we saw a major cyberattack on an NHS supplier affecting 17 million patients, the UK Foreign Office finally confirming a breach, and critical vulnerabilities affecting widely used network hardware and software. Read on for the details and our recommendations to stay safe.
NHS Supplier DXS International Hit by Cyberattack
This is a significant concern because it demonstrates that even trusted suppliers underpinning frontline care can be targeted by cybercriminals. When a company of this type is compromised, the potential impact extends across thousands of GP practices and millions of patients, increasing the risk to both operational continuity and confidential information. It underlines the need for robust, proactive cybersecurity across the entire healthcare supply chain, not just within direct care providers, given the highly sensitive nature of the data involved.
Recommendations
- Review your suppliers: Make sure any company that has access to your systems or data has strong security measures in place.
- Have a plan: Know what to do if one of your suppliers is hacked. This includes how to protect your data and keep your services running.
- Stay updated: Keep all your software and systems up to date with the latest security patches.
UK Foreign Office Confirms Cyberattack
The UK government has confirmed that hostile actors gained unauthorised access to Foreign, Commonwealth & Development Office (FCDO) systems. The intrusion has been attributed to a China‑linked threat group known as Storm 1849, which is assessed to have exploited a vulnerability in Cisco networking equipment as the initial access vector. Reporting indicates the attackers may have accessed highly sensitive information, including data from thousands of visa applications.
A successful compromise of a central government department represents a serious national security incident. The information potentially exposed can be leveraged for espionage, coercion, and long‑term targeting of individuals and organisations, directly undermining UK interests at home and abroad. It also reinforces a critical point for defence and wider public sector organisations: even highly secured government environments remain attractive targets, and advanced adversaries will actively seek to exploit unpatched infrastructure and supply chain weaknesses wherever they exist.
Recommendations
This incident highlights the importance of keeping all systems, especially those used by the government, secure. Key recommendations include:
- Patching vulnerabilities: It's crucial to update software and hardware as soon as security weaknesses are found.
- Monitoring for threats: Organisations need to be constantly on the lookout for signs of a cyberattack.
- Strong access controls: Limiting who can access sensitive information can help to reduce the damage if a breach does happen.
Critical Vulnerability in WatchGuard Firebox
A serious security vulnerability has been identified in WatchGuard Firebox appliances, widely used to protect organisational networks, including within health and defence supply chains. Tracked as CVE‑2025‑14733, this flaw allows an unauthenticated attacker on the internet to gain remote control of the device without needing valid credentials. The NHS has issued an alert confirming that this vulnerability is already being actively exploited.
Because Firebox devices often sit at the perimeter of critical networks, this issue presents a high‑impact risk. Once an attacker controls the firewall, they can bypass security controls, pivot further into the internal network, and potentially access or exfiltrate sensitive data. This significantly increases the likelihood of data theft, ransomware deployment, and broader operational disruption across any environment that relies on the affected device for protection.
Recommendations
- Apply the patch: WatchGuard has released an update to fix this vulnerability. You should install it as soon as possible.
- Check for signs of compromise: Look for any unusual activity on your network that could indicate that you've already been attacked.
- Review your security: Use this as an opportunity to review your overall security posture and make sure you're protected against other threats.
For more information on how to protect your organisation from these and other threats, contact Periculo about our Threat Intelligence services.