CCTR.51.DEC.25

Monday morning cyber coffee read CCTR.51.DEC.25
Heartbroken by what happened in Bondi yesterday. Thinking of those who lost their lives and their families. May their memories be a blessing.
China is executing a state-driven strategy to achieve global leadership in science and technology, using international research collaboration and foreign talent recruitment as core enablers. While many Chinese organisations participate in this effort, PLA-affiliated research institutes present the most acute risk to UK national security.
The Strider report assesses that since 2020 more than 100 UK organisations have co-authored over 8,000 STEM publications with PLA-linked institutes, highlighting how funding arrangements, joint institutes and personnel exchanges can function as channels for influence and technology transfer rather than purely benign academic collaboration.
Apply enhanced due diligence, early research classification, and monitoring of co-authorship, funding sources and personnel exchanges.
Classify research outputs early (not at publication) and enforce controls around datasets, lab access, compute environments, code repositories, and export-controlled know-how.
I am keen to see whether comparable statistics exist for the Australian research and innovation ecosystem.
A critical authentication bypass vulnerability (CVE-2025-13607) affects multiple CCTV camera models from D-Link, Sparsh Securitech and Securus CCTV. The flaw allows unauthenticated attackers to gain access to camera systems, enabling unauthorised surveillance.
D-Link has released a patch, while the other vendors have not publicly coordinated a response.
Patch and limit exposure of CCTV systems. They do not need to be on the Internet.
https://www.cisa.gov/news-events/ics-advisories/icsa-25-343-03
Two additional vulnerabilities have been identified in React Server Components. These issues do not enable remote code execution and the existing React2Shell patch remains effective at preventing RCE.
Track upstream React security advisories and review Server Components usage for potential exposure.
Don’t forget to patch React.