UK cyber bill, Firebox exploit, Synnovis update

Today brings a major UK policy move, fresh exploitation against a popular firewall platform, a coordinated takedown of criminal infrastructure, and an NHS supplier issuing new notifications. Below we translate what changed into clear operational steps for UK security teams and suppliers.

UK introduces Cyber Security and Resilience Bill to harden essential services and suppliers

The government has introduced the Cyber Security and Resilience Bill to Parliament. The bill aims to lift resilience across essential services such as healthcare, water, energy, and transport, and to regulate medium and large suppliers that provide IT management, help desk, and cyber services to those sectors. Provisions include faster incident reporting to regulators and the NCSC within 24 hours, turnover based penalties for serious failings, and new powers to designate critical suppliers that must meet minimum security requirements. Data centres are brought into scope and suppliers that could affect essential services will need robust plans for detection, response, and customer notification. The OBR warns that a critical infrastructure cyberattack could add more than £30 billion to borrowing, which frames the urgency. For public bodies and their supply chains, the direction is clear. Expect tighter oversight of third parties, stronger recovery expectations, and a focus on rapid, high quality reporting when incidents occur.
Why it matters: UK organisations that sell into essential services will face higher assurance demands. Preparing now protects revenues and reduces future remediation costs.
Source: GOV.UK

WatchGuard Firebox flaw is under active exploitation and added to CISA KEV

CISA has warned that a critical WatchGuard Firebox vulnerability is being exploited. CVE-2025-9242 is an out-of-bounds write affecting Fireware OS 11.x, 12.x, and 2025.1 that allows unauthenticated remote code execution. The flaw has been added to the Known Exploited Vulnerabilities catalogue and US federal agencies have a short deadline to remediate. WatchGuard issued patches earlier in the autumn and subsequently confirmed exploitation in the wild. Internet scanning shows tens of thousands of exposed devices worldwide, many in Europe, which raises the chance of opportunistic compromise. For UK SMEs and managed service providers that commonly deploy these appliances, treat this as a priority. Patch to a fixed Fireware release, remove or restrict public management interfaces, and review rules that allow management ports from untrusted networks. If you cannot patch immediately, apply the vendor's interim mitigations, add monitoring for anomalous management activity, and consider a configuration export and rebuild so that a device exposed during the exploitation window is returned to a known clean state rather than simply patched in place.
Why it matters: Edge devices are prime entry points for ransomware groups. Quick patching and hardening prevents hands on keyboard attacks that move rapidly from perimeter to domain.
Source: BleepingComputer

Operation Endgame disables over one thousand servers tied to Rhadamanthys, VenomRAT, and Elysium

Law enforcement in multiple countries has taken down more than one thousand servers supporting three malware families used for data theft and remote control. This phase of Operation Endgame included searches across several European jurisdictions, domain seizures, and the arrest of a key suspect connected to VenomRAT. Authorities report that the dismantled infrastructure was linked to millions of stolen credentials and a large number of victim systems. For UK defenders, this is both good news and a prompt. Takedowns reduce criminal capacity in the short term, yet they also lead to copycat re-tooling and to stolen credentials being traded elsewhere. Use the window to rotate credentials, check exposure against reputable breach datasets, and audit controls for infostealer-derived session hijacking, where a stolen cookie or refresh token lets an attacker bypass the password and MFA entirely. Ensure your SOC is alerting on abnormal authentications from untrusted infrastructure and on refresh token abuse, especially for cloud admin roles. If your brand or customers use services that might have been abused by these strains, communicate practical steps for password changes and phishing awareness.
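The two monitoring controls called for above (anomalous admin activity from untrusted networks in the Firebox item, and refresh-token abuse after an infostealer takedown in this one) can both be expressed as simple rules over authentication logs. The following is an added example written for this page, not Secarma's code or any vendor's detection content. The log records, field names (user, role, ip, ua, token_id, event, ts), role names and trusted address ranges are all constructed assumptions; map them onto your own identity provider's or firewall's audit schema. It flags interactive admin logins from outside an allowlist of trusted egress ranges, and any session or refresh token presented from a second (IP, user-agent) fingerprint, rating the alert higher when the two uses overlap in time, which is the signature of a stolen token being replayed while the victim's session is still live.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed trusted ranges (assumption: replace with your office, VPN and jump-host egress).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
# Assumed role names for high-value accounts; not any product's real role identifiers.
ADMIN_ROLES = {"GlobalAdmin", "FirewallAdmin"}
# Two fingerprints using one token this close together are treated as concurrent use.
CONCURRENT_WINDOW = timedelta(minutes=30)

# Constructed sample records in a generic JSON-lines shape; every field name is an assumption.
SAMPLE_LOGS = """
{"ts": "2025-11-13T09:00:00Z", "event": "login", "user": "alice", "role": "GlobalAdmin", "ip": "203.0.113.10", "ua": "Chrome/130", "token_id": "T1"}
{"ts": "2025-11-13T09:05:00Z", "event": "token_refresh", "user": "alice", "role": "GlobalAdmin", "ip": "203.0.113.10", "ua": "Chrome/130", "token_id": "T1"}
{"ts": "2025-11-13T09:12:00Z", "event": "token_refresh", "user": "alice", "role": "GlobalAdmin", "ip": "185.220.101.5", "ua": "python-requests/2.32", "token_id": "T1"}
{"ts": "2025-11-13T10:00:00Z", "event": "login", "user": "bob", "role": "Analyst", "ip": "45.33.32.156", "ua": "Firefox/132", "token_id": "T2"}
{"ts": "2025-11-13T10:30:00Z", "event": "login", "user": "carol", "role": "FirewallAdmin", "ip": "45.33.32.156", "ua": "Firefox/132", "token_id": "T3"}
{"ts": "2025-11-13T10:40:00Z", "event": "token_refresh", "user": "bob", "role": "Analyst", "ip": "45.33.32.156", "ua": "Firefox/132", "token_id": "T2"}
{"ts": "2025-11-13T13:00:00Z", "event": "token_refresh", "user": "dave", "role": "GlobalAdmin", "ip": "203.0.113.20", "ua": "Edge/130", "token_id": "T4"}
{"ts": "2025-11-13T15:00:00Z", "event": "token_refresh", "user": "dave", "role": "GlobalAdmin", "ip": "91.198.174.192", "ua": "Edge/130", "token_id": "T4"}
"""


def parse_events(raw):
    """Parse JSON lines into dicts with 'ts' as an aware datetime, oldest first."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def is_trusted(ip):
    """True when the source address falls inside one of the allowlisted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def untrusted_admin_logins(events):
    """Interactive logins to high-value roles from outside the trusted ranges."""
    return [
        (e["user"], e["ip"], e["ts"].isoformat())
        for e in events
        if e["event"] == "login" and e["role"] in ADMIN_ROLES and not is_trusted(e["ip"])
    ]


def token_reuse(events):
    """A token presented from a second (ip, user-agent) fingerprint.

    Severity is 'high' when the conflicting uses fall within CONCURRENT_WINDOW
    (the legitimate session and a stolen copy are live at the same time) and
    'medium' otherwise (later replay of a stolen token, or a genuine device change
    that should still be confirmed with the user).
    """
    last_seen = defaultdict(dict)  # token_id -> {(ip, ua): last timestamp}
    alerts = []
    for e in events:
        fp = (e["ip"], e["ua"])
        seen = last_seen[e["token_id"]]
        other_uses = [ts for other_fp, ts in seen.items() if other_fp != fp]
        if other_uses:
            gap = e["ts"] - max(other_uses)
            severity = "high" if gap <= CONCURRENT_WINDOW else "medium"
            alerts.append({"user": e["user"], "token_id": e["token_id"],
                           "ip": e["ip"], "ua": e["ua"], "severity": severity})
        seen[fp] = e["ts"]
    return alerts


def analyse(raw=SAMPLE_LOGS):
    """Run both rules over a block of JSON-lines audit records."""
    events = parse_events(raw)
    return {
        "untrusted_admin_logins": untrusted_admin_logins(events),
        "token_reuse": token_reuse(events),
    }


if __name__ == "__main__":
    for rule, hits in analyse().items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

On the constructed sample, the first rule fires only for carol (an admin login from an untrusted address; bob's login from the same address is ignored because the role is not high value), and the second fires for alice's token T1 with severity high (a scripted client on a different network reusing the token seven minutes after the real browser did) and for dave's T4 with severity medium (a two-hour gap, so worth a check rather than an immediate revoke). Note that alice's hostile reuse is a token refresh, not a login, so the first rule alone would have missed it; that is why the refresh-token rule is needed alongside the login rule. In production, the response to a high-severity hit is to revoke the token family and force re-authentication, not merely to alert.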
Why it matters: Infrastructure disruptions give defenders time. Converting that time into credential hygiene and session hardening cuts the risk of follow on intrusions.
Source: BleepingComputer

Synnovis begins targeted notifications after 2024 NHS ransomware attack

Synnovis has started notifying affected organisations following its 2024 ransomware incident that disrupted London hospital services. After a detailed review of unstructured data taken during the attack, the provider says compromised information includes names, dates of birth, NHS numbers, and in some instances laboratory data. Synnovis will notify partner organisations rather than patients directly, with a timetable that runs through November. Partners are expected to decide on patient communications and any further mitigations. The update underscores how long tail activities continue well beyond service restoration. Healthcare operators and suppliers should expect extended discovery phases, legal steps to limit publication, and iterative notifications as analysis matures. For UK organisations handling health data, now is a sensible moment to confirm incident communications pathways, align data controllers and processors on who notifies whom, and rehearse scenarios where a third party holds patient impacting information.
Why it matters: UK health supply chains remain a key target. Clear roles, tested recovery, and ready to send messaging reduce harm and regulatory exposure when the worst happens.
Source: SecurityWeek

Today’s Key Actions

  1. Patch WatchGuard Firebox devices and lock down management interfaces.
  2. Map critical suppliers against the bill’s likely scope and collect evidence of testing and recovery.
  3. Rotate high value credentials and refresh tokens while Operation Endgame pressure remains on adversaries.
  4. Rehearse 24 hour and 72 hour reporting workflows for incidents affecting essential services.
  5. For healthcare data handlers, align patient notification plans with partners and validate legal approval routes.

Secarma Insight

Regulation, exploitation, and enforcement are moving in parallel. Treat this as a chance to raise baselines while threat actors regroup. Focus on edge device hygiene, identity hardening, and supplier assurance that proves recovery as well as prevention. If you need a rapid review against the bill’s likely requirements, we can help you prioritise controls that also reduce real risk.

Get in touch with us to prioritise your next steps and strengthen your security posture.