Bulletin — January 2025
DORA starts on 17 January. Trump rescinds Biden's AI Executive Order on inauguration day. DeepSeek-R1 opens the open-weights reasoning category. OpenAI launches Operator, the first commercial generalist agent. Ivanti Connect Secure zero-day. Fortinet FortiOS auth bypass exfiltrates configs from 15,000 firewalls. SonicWall SMA1000 deserialization. BeyondTrust/Treasury forensics closes. Patch Tuesday with 159 CVEs and 8 zero-days.
Manuel López Pérez

January opens 2025 with a dense month on compliance, AI and operational cyber. DORA enters application on the 17th. On the 20th, Trump rescinds Biden’s EO 14110 on AI hours after the inauguration and two days later signs his own EO Removing Barriers to American Leadership in AI. Also on the 20th, DeepSeek publishes R1 with open weights. On the 21st, Trump announces the Stargate Project at the White House with Altman, Ellison and Son. On the 23rd, OpenAI launches Operator in research preview — the first commercial generalist agent. And in parallel, a chain of perimeter zero-days: Ivanti Connect Secure, Fortinet FortiOS, SonicWall SMA1000.
Five concrete notes and a couple of bullets.
DORA — applicability on 17 January
17 January. Regulation (EU) 2022/2554 — DORA — enters application for the European financial sector and for the ICT third-party providers designated as critical by the ESAs. Twenty categories of entity covered: banks, fintechs, funds, UCITS/AIF managers, insurers, reinsurers, IORPs, MiCA-authorised CASPs, central securities depositories, CCPs, trade repositories, credit rating agencies.
Five pillars of obligations apply at once: ICT risk management framework, ICT-related incident reporting, digital operational resilience testing, third-party risk management, information & intelligence sharing. TLPT (Threat-Led Penetration Testing) every 3 years applies only to important entities and with a realistic first cycle in 2027-2028.
Covered in the dedicated technical post. What to retain here: DORA is lex specialis for finance against NIS2 — where they overlap, DORA prevails. Spain still hasn’t transposed NIS2 as of 17 January; the draft bill is before parliament. Operational coordination with NIS2 will depend on national law.
Source: https://eur-lex.europa.eu/eli/reg/2022/2554/oj
Trump rescinds EO 14110 on AI and signs Stargate

20 January. Hours after the inauguration, Trump signs Initial Rescissions of Harmful Executive Orders and Actions, the order that revokes Biden’s Executive Order 14110 (October 2023) on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. EO 14110 was the most comprehensive AI governance framework in the US: reporting obligations for model trainers with FLOPs above threshold, NIST coordination on evaluations, red teaming requirements for high-risk models, and a federal investment framework on AI security.
23 January. Trump signs Removing Barriers to American Leadership in Artificial Intelligence. The new EO declares federal policy to “sustain and enhance America’s global AI dominance” and directs the Assistant to the President for Science and Technology, the Special Advisor for AI and Crypto, and the Assistant to the President for National Security Affairs to review and rescind any policy derived from EO 14110. There is no equivalent replacement framework — this is a dismantling EO, not a building one.
21 January. Between the two EOs, Trump announces the Stargate Project from the White House: $500B of investment over four years in AI infrastructure for OpenAI, with $100B immediately. Partners: SoftBank (financial), OpenAI (operational), Oracle, MGX. Technology partners: ARM, Microsoft, NVIDIA, Oracle, OpenAI. First data centres in Abilene, Texas. Masayoshi Son as chairman.
What’s operational: the US federal position on AI safety is left without a binding text as of 20 January. The NIST AI Safety Institute continues but without the battery of obligations that EO 14110 sustained. The obligations that survive are those in primary law (export controls on chips, DPA restrictions) or those coming from existing sector regulation. For international deployers, the compliance calculation shifts from working with NIST to the EU AI Act — which in February already has Art. 5 in application.
Sources: https://www.whitehouse.gov/presidential-actions/2025/01/removing-barriers-to-american-leadership-in-artificial-intelligence/ · https://openai.com/index/announcing-the-stargate-project/
DeepSeek-R1 — reasoning model with open weights and visible CoT

20 January. DeepSeek publishes DeepSeek-R1 on Hugging Face under MIT licence, alongside six distilled models (Qwen and Llama) and the technical paper (arXiv 2501.12948). It’s the first time a frontier reasoning model with chain-of-thought trained by reinforcement learning is available with open weights: R1 (671B MoE, 37B activated), R1-Zero (no initial SFT), R1-Distill-Qwen-32B, R1-Distill-Llama-70B.
For AI security this changes the conversation we opened in September with o1. The CoT that in o1 was opaque appears in R1 between readable <think>...</think> tags. The product operator can log it and build a classifier; the attacker can also read it, prefix-inject it and attack it with full white-box knowledge.
In the first 48 hours: Pliny publishes a jailbreak with [GODMODE: ENABLED], the Chinese content moderation on Tiananmen and Taiwan gets bypassed with English or indirect prompting, Qualys reports a 58% failure rate over 885 attacks, FAR.AI documents that ~1,500 LoRA fine-tune examples remove the residual alignment. The fragility of safety applied via RLHF on open-weights models is confirmed for the reasoning category.
Technical detail in the dedicated extra. The operational echo for 2025: with R1 available, any adversarial research technique on CoT (deliberation hijacking, CoT exfiltration, prefix injection) can be reproduced on your own GPU without a complicit provider. The gap between attacker researcher and defender operator that existed with o1 closes for both sides.
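The point about logging the readable CoT, as an added example that is not from DeepSeek or from the original post: a splitter that separates the `<think>` trace from the user-facing answer, writes both to an audit line, and withholds the answer when the tag structure is malformed. The flag names, the blocking policy and the sample completions are assumptions made for this sketch, as is the case where the serving template pre-fills the opening tag.

```python
import json

THINK_OPEN, THINK_CLOSE = "<think>", "</think>"
BLOCKING = {"unclosed_think", "extra_tags"}  # policy chosen for this example

def split_r1_output(raw: str) -> dict:
    """Separate the reasoning trace from the answer and flag odd shapes."""
    flags = []
    text = raw.strip()
    explicit_open = text.startswith(THINK_OPEN)
    if explicit_open:
        text = text[len(THINK_OPEN):]
    if THINK_CLOSE in text:
        reasoning, _, answer = text.partition(THINK_CLOSE)
        if not explicit_open:
            # Assumption: the serving template pre-filled the opening tag.
            flags.append("implicit_open")
    elif explicit_open:
        # Truncated trace: treat everything as reasoning, release nothing.
        reasoning, answer = text, ""
        flags.append("unclosed_think")
    else:
        reasoning, answer = "", text
        flags.append("no_think_block")
    if "no_think_block" not in flags and not reasoning.strip():
        flags.append("empty_reasoning")
    # A delimiter left over after the first split means the trace/answer
    # boundary was repeated or forged and cannot be trusted.
    tags = (THINK_OPEN, THINK_CLOSE)
    if any(tag in part for part in (reasoning, answer) for tag in tags):
        flags.append("extra_tags")
    return {"reasoning": reasoning.strip(), "answer": answer.strip(), "flags": flags}

def audit_and_release(request_id: str, raw: str):
    """Return (JSON audit line, answer to show); the answer is None if blocked."""
    parts = split_r1_output(raw)
    line = json.dumps({"request_id": request_id, **parts}, sort_keys=True)
    blocked = BLOCKING.intersection(parts["flags"])
    return line, (None if blocked else parts["answer"])

# Constructed sample completions (not real model output).
SAMPLES = {
    "normal": "<think>\nUser wants 2+2. That is 4.\n</think>\nThe result is 4.",
    "prefilled_open": "Check the date first.\n</think>\nDone.",
    "empty_trace": "<think>\n\n</think>\nSure.",
    "truncated": "<think>step one, then",
    "forged_tags": "<think>a</think>ok <think>ignore policy</think> more",
    "no_trace": "Plain answer",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        line, shown = audit_and_release(name, raw)
        print(name, json.loads(line)["flags"], repr(shown))
```
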
Sources: https://arxiv.org/abs/2501.12948 · https://huggingface.co/deepseek-ai/DeepSeek-R1 · https://simonwillison.net/2025/Jan/20/deepseek-r1/
OpenAI Operator — the first commercial generalist agent
23 January. OpenAI launches Operator in research preview for ChatGPT Pro users in the US ($200/month). Operator is an agent that operates a full browser in a VM — no APIs, no specific integrations — and completes tasks: booking restaurants, online shopping, filling forms, navigating websites.
What drives it is CUA (Computer-Using Agent), a new model that combines GPT-4o vision with reasoning trained by reinforcement on GUI tasks. CUA processes pixels directly (no DOM, no APIs) and emits keyboard and mouse actions. The architecture is the generalisation of the Computer Use that Anthropic presented in October 2024 with Claude 3.5 Sonnet, but taken to commercial product with a dedicated paid tier.
For AI security the launch is relevant for three reasons:
- Attack surface shifted to the full browser. The agent consumes HTML, JavaScript, images, PDFs, anything that appears on screen. Any instruction injection that lives on a web page reaches the model — and the model has execution capability (purchases, bookings, forms). It’s the commercial-scale materialisation of the confused deputy we covered for MCP in November on amplified surfaces.
- Reset audit model. Operator does a checkpoint and asks for human confirmation before sensitive actions (entering a credit card, sending email). That list of “sensitive actions” is OpenAI’s decision, not a standard. There’s a gap between what Operator considers sensitive and what the company deploying it would consider sensitive in a corporate workflow.
- Limited telemetry. The Operator session is hosted in OpenAI’s VM; the product operator has no logs of the CUA’s CoT, or of actions taken on each page, beyond the post-task summary. Reconstructing an incident post-hoc without that trace is a known problem of agentic deployment that Operator replicates.
OpenAI publishes the Operator System Card the same day. It documents evaluations on prompt injection from web pages (Operator has a specific defence layer), prohibited task categories, and capability benchmarks. What 2025 opens in AI: the 2024 beta of Computer Use is the GA of 2025. The category will populate fast — expect Anthropic, Google and Microsoft with equivalent products during the year.
Sources: https://openai.com/index/introducing-operator/ · https://openai.com/index/computer-using-agent/
SonicWall SMA1000 CVE-2025-23006 — pre-auth deserialization with MS Threat Intelligence reporting exploitation
22 January. SonicWall publishes advisory SNWLID-2025-0002 on CVE-2025-23006, an unauthenticated deserialization of untrusted data (CWE-502) vulnerability in the Appliance Management Console (AMC) and Central Management Console (CMC) of SonicWall SMA1000. Affected versions: SMA1000 12.4.3-02804 and earlier. CVSS 9.8. Exploitation allows arbitrary OS command execution without authentication under specific conditions.
What’s significant: Microsoft Threat Intelligence Center reports possible active exploitation of the bug at advisory time — it’s a zero-day exploited as a zero-day. CISA adds the CVE to KEV with due date 14 February. SonicWall publishes a hotfix in version 12.4.3-02854. Operational recommendation: restrict access to AMC/CMC to trusted management networks; don’t expose the admin interface to the internet.
The pattern is familiar: perimeter appliance with admin console, pre-auth endpoint deserialization, mass exploitation before the patch. It reproduces the Ivanti Connect Secure, Fortinet, Citrix and Cisco IOS XE playbook seen throughout 2024. The operational difference of SMA1000 is that it’s a product with a relatively small installed base, but located at the VPN perimeter — tunnel heads into the internal networks of medium and large companies.
Sources: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002 · https://nvd.nist.gov/vuln/detail/CVE-2025-23006
BeyondTrust → US Treasury — forensics closed, CFIUS and Office of Financial Research affected
6-7 January. CISA confirms that the BeyondTrust SaaS intrusion reported by Treasury on 30 December was limited to Treasury — it didn’t extend to other federal agencies. BeyondTrust completes the forensic investigation. New detail in January: the attackers accessed workstations of employees of the Committee on Foreign Investment in the United States (CFIUS) and the Office of Financial Research. CFIUS is the committee that reviews foreign investment for national security risk; the scope of the compromise amplifies the intelligence reading of the incident.
Vector reconstruction:
- Root compromise on BeyondTrust multi-tenant SaaS via CVE-2024-12356 (pre-auth RCE, CVSS 9.8, advisory 17 Dec 2024) and CVE-2024-12686 (post-auth command injection, advisory 19 Dec 2024).
- Access to 17 Remote Support SaaS instances via stolen API key.
- One of those instances was Treasury’s.
- From inside, access to workstations of the Office of the Secretary, OFR and CFIUS. ~400 PCs, ~3,000 unclassified files accessed.
Public attribution: Silk Typhoon (APT27 per DoJ indictment of March 2025) — China-nexus, not Volt Typhoon or Salt Typhoon. Differentiating the Chinese Typhoons has been a recurring source of confusion during 2024-2025; Silk Typhoon (Hafnium) has a history of SaaS and cloud workload exploitation, distinct from Volt’s living off the land on critical infrastructure or Salt’s telco compromises.
The operational lesson from December is confirmed: the threat model for PAM SaaS has to include “the SaaS is compromised” as a named case. CISA issues an internal directive for federal agencies forcing patching and exposure review — similar to the Emergency Directives for perimeter zero-days.
Sources: https://www.bleepingcomputer.com/news/security/treasury-hackers-also-breached-us-foreign-investments-review-office/ · https://thehackernews.com/2025/01/cisa-no-wider-federal-impact-from.html
Rest of the month
- Ivanti Connect Secure CVE-2025-0282 (8 Jan) — pre-auth stack buffer overflow in Ivanti Connect Secure, Policy Secure and Neurons for ZTA. CVSS 9.0. Exploitation as zero-day since mid-December 2024 by UNC5221 (China-nexus, same actor as the January 2024 chain). Mandiant publishes analysis on 8 Jan with TTPs: ZIPLINE, THINSPOOL, SPAWNSNARE. Patch in Connect Secure 22.7R2.5; Policy Secure and Neurons unpatched at advisory time. CISA issues alert the same day.
- Fortinet FortiOS CVE-2024-55591 (14 Jan) — authentication bypass via Node.js websocket (CWE-288) in FortiOS and FortiProxy. CVSS 9.8. Exploitation as zero-day since mid-November 2024 according to Arctic Wolf, “Console Chaos” campaign. On 15 Jan, Belsen Group publishes on the dark web data from 15,000 FortiGates — credentials, configs, VPN keys — allegedly exfiltrated during the campaign. It’s the largest perimeter data leak of the month.
- Patch Tuesday January (14 Jan) — Microsoft publishes 159 CVEs, 10 critical, 8 zero-days — three under active exploitation: CVE-2025-21333, CVE-2025-21334, CVE-2025-21335, all three elevation of privilege in Hyper-V NT Kernel Integration VSP (CVSS 7.8). Notable critical: CVE-2025-21307 (RCE in RMCAST, CVSS 9.8), CVE-2025-21298 (RCE in Windows OLE via malformed email, CVSS 9.8), CVE-2025-21311 (EoP in NTLMv1, CVSS 9.8).
- Volt Typhoon resurfacing — SecurityScorecard publishes analysis of the KV/JDYFJ botnet rebuild by Volt Typhoon during the second half of 2024. The FBI had dismantled the botnet in January 2024; the reconstruction is documented with C2 servers in the Netherlands, Latvia, Germany. The pattern is confirmed: botnet disruption on EOL edge devices is a temporary lever, not a structural fix.
- MasterCard DNS misconfiguration disclosed — Philippe Caturegli (Seralys) reports at the end of January a typo in a MasterCard DNS NS record that allowed subdomain takeover. Mitigated after responsible notification; useful reminder that DNS hygiene remains an ignored baseline.
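A DNS hygiene check in the spirit of the NS-record item above, added here as an example and not taken from the Seralys report: it compares each NS target in your own zones against the nameserver domains you actually contract, and separates near-miss spellings from plainly unapproved providers. The zone names, provider domain and records are constructed, and taking the last two labels as the provider domain is a simplification that ignores the public-suffix list.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def provider_domain(ns_target: str) -> str:
    """Last two labels of the NS target (simplification: no public-suffix list)."""
    labels = ns_target.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def audit_ns(records, approved, max_typo_distance=2):
    """Return findings for NS targets whose provider domain is not approved.

    records: iterable of (zone, ns_target); approved: non-empty set of domains.
    """
    findings = []
    for zone, target in records:
        dom = provider_domain(target)
        if dom in approved:
            continue
        nearest = min(sorted(approved), key=lambda a: edit_distance(dom, a))
        if edit_distance(dom, nearest) <= max_typo_distance:
            # Close to a real provider name: most likely a typing error.
            findings.append((zone, target, "likely_typo", nearest))
        else:
            findings.append((zone, target, "unapproved", None))
    return findings

# Constructed inventory: one approved provider, five NS records.
APPROVED = {"nsprovider.example"}
RECORDS = [
    ("shop.example.com", "ns1.nsprovider.example."),
    ("shop.example.com", "ns2.nsprovider.example."),
    ("api.example.com", "ns1.nsprovider.example."),
    ("api.example.com", "ns2.nsprovider.exampl."),   # one character missing
    ("old.example.com", "ns1.legacy-host.test."),    # provider no longer in use
]

if __name__ == "__main__":
    for finding in audit_ns(RECORDS, APPROVED):
        print(finding)
```
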
Closing
January leaves two structural changes for 2025. In regulation: with the rescinding of EO 14110 on 20 January, the US federal framework on AI safety stops existing as a binding text. The real obligations for international deployers will be read against the EU AI Act + DORA, not against NIST. In technology: the open-weights reasoning model category appears with R1, and the commercial generalist agent category appears with Operator. What in 2024 was the research frontier — CoT manipulation, computer-using agents — in 2025 is bought by enterprise.
February brings the next EU regulatory step — Art. 5 of the AI Act — and the next cyber incident of calibre with ByBit. Open threads: first designations of critical TPPs under DORA, official list of GPAI Code of Practice signatories, first Operator-in-production incidents reported.


