Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-26 14:53:35 | bleepingcomputer | VULNERABILITIES | MongoDB Urges Immediate Patch for Critical Memory-Read Vulnerability | MongoDB has issued an urgent advisory for IT administrators to patch a critical memory-read vulnerability, CVE-2025-14847, which can be exploited by unauthenticated attackers remotely. The vulnerability affects multiple versions of MongoDB and MongoDB Server, potentially allowing attackers to execute arbitrary code and control targeted devices. The flaw is due to improper handling of length parameter inconsistency in the zlib implementation, posing a risk of data exposure through uninitialized heap memory. Administrators are advised to upgrade to fixed versions, including MongoDB 8.2.3 and 8.0.17, or disable zlib compression to mitigate risks if immediate upgrading is not feasible. MongoDB's advisory stresses the low complexity of potential attacks, which do not require user interaction, emphasizing the urgency of the patch. The U.S. CISA has previously cataloged related vulnerabilities, reinforcing the need for federal agencies to secure systems against such exploits. MongoDB, used by over 62,500 customers globally, including Fortune 500 companies, emphasizes the critical nature of addressing this vulnerability to protect sensitive data. | Details |
| 2025-12-26 09:50:03 | bleepingcomputer | DATA BREACH | Trust Wallet Chrome Extension Breach Results in $6 Million Loss | Trust Wallet's Chrome extension version 2.68.0 was compromised, leading to over $6 million in cryptocurrency losses for users. The breach involved suspicious code in a JavaScript file that exfiltrated sensitive wallet data to an external server. A phishing campaign compounded the incident, with attackers creating a fake website to harvest users' wallet recovery seed phrases. Trust Wallet released version 2.69.0 to address the issue and advised users to update immediately to secure their wallets. The compromised domain, metrics-trustwallet[.]com, was newly registered, raising concerns about its legitimacy and connection to the attack. Trust Wallet has not confirmed compensation plans for affected users but is providing guidance on securing compromised wallets. Users are urged to move funds to new wallets and treat exposed recovery phrases as compromised to prevent further losses. | Details |
| 2025-12-26 09:30:18 | thehackernews | VULNERABILITIES | Critical LangChain Core Flaw Threatens Sensitive Data Security | A critical vulnerability in LangChain Core, identified as CVE-2025-68664, allows attackers to exploit serialization injection, posing risks to sensitive data and LLM responses. The flaw, with a CVSS score of 9.3, affects the core Python package used for building LLM-powered applications, potentially leading to unauthorized data access and code execution. Security researcher Yarden Porat discovered the issue, codenamed LangGrinch, which involves improper handling of 'lc' keys in serialization functions, enabling arbitrary object instantiation. The vulnerability allows secret extraction from environment variables and arbitrary code execution through Jinja2 templates, impacting business operations reliant on LangChain. LangChain has released a patch, introducing restrictive defaults and disabling automatic secret loading, urging users to update to secure versions immediately. A similar flaw in LangChain.js, CVE-2025-68665, also threatens data security, emphasizing the need for prompt updates across affected npm packages. Organizations must recognize the risks at the intersection of AI and traditional security, as LLM outputs remain untrusted inputs vulnerable to exploitation. | Details |
| 2025-12-25 14:09:29 | thehackernews | VULNERABILITIES | Critical Zero-Day Flaws Found in Key Cloud Infrastructure Components | A hacking competition led by Wiz and zeroday.cloud uncovered 11 critical zero-day vulnerabilities in open-source components used in essential cloud infrastructure. The vulnerabilities affect container runtimes, AI infrastructure, and databases, including Redis, PostgreSQL, and MariaDB, with the most severe flaw found in Linux. One critical vulnerability allows for a container escape, enabling attackers to break out of isolated cloud services and access the underlying infrastructure. This flaw challenges the core promise of cloud computing, which ensures customer isolation on shared hardware. The findings stress the importance of not relying solely on containers as security barriers in multi-tenant environments. The discovery of these vulnerabilities highlights the ongoing need for rigorous security assessments and proactive patch management in cloud environments. | Details |
| 2025-12-25 12:47:08 | thehackernews | DATA BREACH | LastPass Breach Fuels Ongoing Cryptocurrency Thefts Linked to Russian Actors | TRM Labs reports that the 2022 LastPass data breach has led to ongoing cryptocurrency thefts, exploiting weak master passwords to decrypt stolen vaults. The breach exposed encrypted password vaults containing sensitive information, including cryptocurrency keys, impacting users who failed to enhance their password security. Russian cybercriminals are implicated, with funds traced to Russian exchanges, highlighting the breach's international dimension and complexity. Over $35 million in digital assets have been siphoned, with $28 million laundered via Wasabi Wallet and linked to Russian exchanges like Cryptex and Audia6. Cryptex was previously sanctioned by the U.S. Treasury for handling illicit funds, underscoring the ongoing risks associated with these platforms. TRM Labs successfully demixed transactions despite CoinJoin obfuscation, revealing operational patterns and infrastructure reuse by cybercriminals. This incident illustrates the long-term implications of data breaches and the necessity for robust password management and security measures. The case underscores the importance of demixing techniques and ecosystem-level analysis for effective attribution and enforcement in global cybercrime. | Details |
| 2025-12-25 08:24:22 | thehackernews | VULNERABILITIES | Fortinet Warns of Ongoing Exploitation of FortiOS SSL VPN Vulnerability | Fortinet reports active exploitation of a five-year-old vulnerability in FortiOS SSL VPN, identified as CVE-2020-12812, which allows bypassing two-factor authentication under specific configurations. The flaw involves improper authentication, enabling successful login without 2FA if username case sensitivity differs between local and LDAP settings. The U.S. government previously recognized this vulnerability as part of attacks on perimeter devices in 2021, indicating its significant risk profile. Fortinet advises updating to FortiOS versions 6.0.10, 6.2.4, or 6.4.1 to remediate the issue, or disabling username case sensitivity to prevent authentication bypass. Organizations are urged to remove unnecessary secondary LDAP groups to eliminate potential attack vectors and ensure robust authentication policies. Fortinet recommends that affected entities reset credentials and contact support if unauthorized admin or VPN access is detected, ensuring system integrity. The advisory lacks detailed insights into the nature or success of current exploitation attempts, emphasizing the need for proactive security measures. | Details |
| 2025-12-25 08:11:03 | thehackernews | VULNERABILITIES | CISA Warns of Exploited Vulnerability in Digiever NVR Devices | CISA has added a critical Digiever NVR vulnerability, CVE-2023-52163, to its Known Exploited Vulnerabilities catalog due to active exploitation by threat actors. The vulnerability, with a CVSS score of 8.8, allows remote code execution through post-authentication command injection, affecting the DS-2105 Pro model. Reports from Akamai and Fortinet indicate the flaw is being used to deploy botnets such as Mirai and ShadowV2, posing significant security risks. The vulnerability remains unpatched as the affected devices have reached end-of-life status, complicating remediation efforts for users. Users are advised to avoid internet exposure of the device and change default credentials to mitigate risks in the absence of a patch. CISA recommends Federal Civilian Executive Branch agencies apply mitigations or discontinue use by January 12, 2025, to protect against ongoing threats. The situation highlights the critical need for proactive vulnerability management, especially for devices nearing or at end-of-life. | Details |
| 2025-12-24 18:25:21 | theregister | VULNERABILITIES | Eurostar Chatbot Flaws Expose Security Gaps in AI Systems | Pen Test Partners identified four security vulnerabilities in Eurostar's AI chatbot, including HTML injection and prompt manipulation, posing potential risks for data leaks and phishing attacks. The disclosure process faced challenges, with Eurostar initially unresponsive and later accusing researchers of "blackmail" despite their adherence to the vulnerability disclosure program. Eurostar's transition to a new vulnerability disclosure platform led to communication lapses, raising concerns about lost security reports and delayed issue resolution. The chatbot's design flaw allowed manipulation of chat history, bypassing guardrails that verified only the latest message, enabling unauthorized data extraction. Vulnerabilities included potential HTML injection and cross-site scripting (XSS) risks, which could facilitate malicious code execution or phishing within trusted responses. Eurostar has reportedly patched some issues, but it remains unclear if all identified vulnerabilities have been addressed, leaving potential security gaps. This incident underscores the importance of robust security measures in consumer-facing AI systems to prevent exploitation and protect user data. | Details |
| 2025-12-24 17:48:50 | bleepingcomputer | MALWARE | Typosquatted Domain Distributes Cosmali Loader Malware via PowerShell | A typosquatted domain mimicking Microsoft Activation Scripts (MAS) was used to spread Cosmali Loader malware, affecting users who mistyped the legitimate domain during Windows activation. Users reported receiving pop-up alerts about the Cosmali Loader infection, which were linked to a malicious PowerShell script distributed through the fraudulent domain. The Cosmali Loader malware delivered cryptomining utilities and the XWorm remote access trojan, posing significant security risks to infected systems. A security researcher accessed the malware's control panel and likely issued warnings to compromised users, highlighting the vulnerability of the malware's infrastructure. MAS, an open-source project for Windows activation, is seen by Microsoft as a piracy tool, which complicates the security landscape for its users. Users are advised to double-check command inputs, avoid executing unfamiliar remote code, and use sandbox environments to mitigate risks from typosquatted domains. The incident underscores the persistent threat of malware delivery through unofficial Windows activators, emphasizing the need for user vigilance and caution. | Details |
| 2025-12-24 16:27:59 | thehackernews | MALWARE | New MacSync Malware Variant Bypasses Apple Gatekeeper with Signed App | Cybersecurity experts have identified a new MacSync information stealer variant, using a digitally signed Swift app to bypass Apple's Gatekeeper on macOS devices. The malware is distributed via a disk image named "zk-call-messenger-installer-3.9.2-lts.dmg," hosted on a suspicious website, allowing it to evade standard security checks. By utilizing a notarized application, the malware can execute without triggering Apple's built-in defenses, though users are prompted to bypass safeguards manually. Apple has revoked the code signing certificate associated with this malware, aiming to curb its spread and mitigate potential damage. Technical adjustments in the malware include changes in the curl command and the use of dynamically populated variables, enhancing evasion and reliability. The malware's payload, a rebranded version of Mac.c, includes remote command and control features, expanding its threat beyond simple data theft. This incident reflects a growing trend of attackers leveraging signed and notarized executables to disguise malware as legitimate applications, posing increased risks to macOS users. | Details |
| 2025-12-24 15:16:13 | theregister | CYBERCRIME | U.S. Dismantles $14.6M Cybercrime Platform Exploiting Banking Credentials | The U.S. Justice Department has shut down web3adspanels.org, a platform that facilitated the theft of banking credentials through SEO poisoning campaigns. Criminals used the platform to create fake banking websites, tricking users into entering passwords that were stored for unauthorized access and fraudulent transfers. At least 19 victims, including two companies, were identified, with $28 million in attempted illegal transfers and $14.6 million in actual losses tied to this scheme. Law enforcement has received over 5,100 complaints related to similar account takeover tactics this year, with losses exceeding $262 million. The FBI's Internet Crime Complaint Center noted a rise in cyber-enabled fraud, which accounted for 83% of the $16.6 billion in e-crime losses in 2024. Social engineering tactics, including obtaining MFA codes, were employed to bypass security measures, allowing cybercriminals to transfer funds and purchase cryptocurrencies. The Justice Department's announcement did not detail the methods used to circumvent security controls, highlighting ongoing vulnerabilities in user authentication processes. | Details |
| 2025-12-24 14:22:32 | bleepingcomputer | VULNERABILITIES | MongoDB Urges Immediate Patch for Critical Remote Code Execution Flaw | MongoDB has issued an urgent advisory to patch a critical vulnerability, CVE-2025-14847, which allows remote code execution on affected servers. The flaw arises from improper handling of length parameter inconsistency, enabling unauthenticated attackers to execute arbitrary code. Several MongoDB versions are impacted, with a recommended upgrade to versions such as 8.2.3 and 8.0.17 to mitigate risks. The vulnerability can be exploited through low-complexity attacks without user interaction, posing a significant threat to global users. Administrators are advised to disable zlib compression if immediate upgrades are not feasible, to prevent exploitation. MongoDB's advisory follows CISA's previous inclusion of a similar RCE flaw in its catalog, emphasizing the need for proactive security measures. MongoDB's DBMS is used by over 62,500 customers, including numerous Fortune 500 companies, underscoring the importance of swift action. | Details |
| 2025-12-24 13:19:55 | bleepingcomputer | CYBERCRIME | FBI Seizes Domain Hosting Stolen Bank Credentials from U.S. Victims | The FBI has taken control of the 'web3adspanels.org' domain, used by cybercriminals to store stolen bank login credentials from U.S. victims. Cybercriminals targeted American citizens through phishing campaigns using fraudulent ads on Google and Bing, leading to fake banking portals. The operation resulted in confirmed financial losses of $14.6 million, with attempted losses estimated at $28 million. At least 19 victims, including two companies in Georgia, were identified as having compromised accounts due to this scheme. The domain hosted a server with thousands of stolen login credentials and was active until November, according to the FBI. The seizure was executed with the assistance of Estonian law enforcement and other international partners, though no arrests have been made yet. Since January, over 5,100 bank account takeover complaints have been reported, with losses exceeding $262 million. Users are advised to bookmark official banking sites or use ad blockers to avoid fraudulent search results. | Details |
| 2025-12-24 13:09:37 | thehackernews | CYBERCRIME | AI Deepfake Ads Fuel Surge in Nomani Investment Scam | The Nomani investment scam has grown by 62%, expanding from Facebook to platforms like YouTube, as reported by cybersecurity firm ESET. Over 64,000 unique URLs linked to the scam were blocked this year, with significant activity in Czechia, Japan, Slovakia, Spain, and Poland. The scam uses AI-generated video testimonials and malvertising to lure victims into investing in non-existent products, promising false returns. Victims are further targeted with Europol- and INTERPOL-themed scams, promising recovery of lost funds but resulting in additional financial losses. ESET notes improvements in the scam's AI-generated videos, making them more realistic and harder to detect, with enhanced resolution and A/V synchronization. Tactics include short ad durations to evade detection and using social media ad tools for information harvesting instead of external phishing forms. Despite a decline in detections in H2 2025, law enforcement pressure is likely forcing scammers to adapt their strategies. A Reuters investigation revealed that 19% of Meta's ad sales in China involved scams and illegal content, prompting a review of the company's advertising practices. | Details |
| 2025-12-24 11:38:59 | thehackernews | DATA BREACH | SMBs Face Rising Cyber Threats: Lessons from 2025 Breaches | Recent analysis reveals a shift in cybercriminal focus towards small and medium-sized businesses (SMBs), driven by increased security investments by larger firms. In 2025, four out of five SMBs experienced data breaches, highlighting their growing vulnerability due to limited cybersecurity resources. Cybercriminals have adapted their tactics, increasing attack volumes on SMBs to compensate for smaller individual paydays. Key breaches from 2025 demonstrate common patterns and security failings among SMBs, emphasizing the need for improved defenses. Effective protection strategies for 2026 include implementing two-factor authentication and adopting stringent access control measures. Businesses are advised to enforce strong password policies and use password managers to mitigate risks associated with credential theft. Secure storage of sensitive data in centralized, protected repositories is recommended to prevent unauthorized access and data leaks. | Details |