The final week of 2025 saw a fragmented cybersecurity landscape, with numerous small-scale incidents collectively shaping the threat environment. This period was characterized by trusted tools behaving unexpectedly, the resurgence of older vulnerabilities, and the rapid exploitation of newly discovered flaws. A recurring theme was the persistent challenge of attackers outpacing remediation efforts. Access points intended for legitimate work, updates, or support were frequently abused, and the repercussions of these breaches often extended far beyond the initial incident, surfacing months or even years later. This recap synthesizes the key cyber news from the past week, highlighting events that defined the threat landscape in late 2025.
The headline item was active exploitation of a critical MongoDB flaw, CVE-2025-14847 (MongoBleed, CVSS 8.7), which lets an unauthenticated attacker read sensitive data out of a MongoDB server's memory over the network. Censys counted more than 87,000 exposed instances worldwide, concentrated in the U.S., China, Germany, India, and France, and Wiz found that 42% of cloud environments contained at least one vulnerable instance. The fix is to upgrade to a patched release on the branch in use; the speed with which the bug was weaponized is a reminder of how short the window between disclosure and exploitation has become.
MongoDB Vulnerability Actively Exploited, Prompting Urgent Updates
The newly disclosed MongoDB vulnerability, tracked as CVE-2025-14847 and dubbed MongoBleed, has become a primary target for attackers. The flaw, rated 8.7 on the CVSS scale, lets an unauthenticated attacker remotely read and leak sensitive information held in MongoDB server memory. Censys identified more than 87,000 exposed, potentially vulnerable instances worldwide, with the United States, China, Germany, India, and France hosting the largest share.
Wiz's analysis found that 42% of all cloud environments contain at least one MongoDB instance susceptible to the flaw, counting both internet-exposed and internal-only deployments. Because no credentials are required, an internal instance is exposed to anything that can reach its port, so being off the internet does not by itself make it safe. Users have been urged to update promptly to versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30, whichever corresponds to the release branch in use. The exact nature of the attacks remains under investigation, but active exploitation means an immediate risk for any organization running an affected version, and patching should not wait.
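As an added example (not from the recap and not MongoDB's own tooling), the following Python script maps an inventory of server version strings onto the fixed releases listed above. It parses version strings as returned by `db.version()` or the `buildInfo` command, compares per release branch, treats a pre-release build of the fix version as still vulnerable, and reports branches the advisory does not cover as "unknown" rather than silently passing them. The hostnames and versions in the inventory are constructed.

```python
"""Check MongoDB server versions against the fixed releases for CVE-2025-14847.

Constructed example, not MongoDB's tooling. Fixed versions are those named in
the recap; anything on a branch not listed (an end-of-life 4.2 series, or a
branch newer than 8.2) is reported as 'unknown' so a human looks at it."""

from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# Minimum patched release per major.minor branch, from the advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}


def parse_version(raw: str) -> Tuple[Version, bool]:
    """Parse a buildInfo-style version string such as '8.0.17' or '8.2.3-rc0'.

    Returns the numeric triple and whether a pre-release suffix was present."""
    core, _, suffix = raw.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version string: {raw!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch), bool(suffix)


def assess(raw: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one server version."""
    version, prerelease = parse_version(raw)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"
    if version > fixed:
        return "fixed"
    if version == fixed and not prerelease:
        return "fixed"
    # Older than the fix, or a pre-release build of the fix version itself.
    return "vulnerable"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host in a (host, version) inventory to its assessment."""
    return {host: assess(version) for host, version in inventory}


# Constructed inventory, as collected with db.version() or the buildInfo command.
SAMPLE_INVENTORY = [
    ("mongo-prod-1", "8.0.12"),
    ("mongo-prod-2", "8.0.17"),
    ("mongo-analytics", "7.0.28"),
    ("mongo-legacy", "4.2.25"),
    ("mongo-staging", "8.2.3-rc0"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

The "unknown" bucket is deliberate: an inventory check that only knows how to say "fixed" or "vulnerable" will quietly wave through an end-of-life branch that never received a patch, which is exactly the host most likely to still be listening.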
Key Cyber Incidents and Trends in Late 2025
The past week featured several other notable cybersecurity events. Trust Wallet experienced a significant security incident involving its Google Chrome extension, resulting in an estimated $7 million loss. The company urged users to update to version 2.69, stating that mobile-only users and other browser extensions were unaffected. The attacker is believed to have compromised a Chrome Web Store API key to publish a malicious version of the extension.
Meanwhile, the China-linked advanced persistent threat (APT) group Evasive Panda was implicated in a sophisticated cyber espionage campaign. This operation involved DNS poisoning to distribute its MgBot backdoor, targeting entities in Türkiye, China, and India between November 2022 and November 2024. Kaspersky reported that the group utilized adversary-in-the-middle (AitM) attacks to deliver trojanized updates for popular software, ultimately deploying the MgBot implant. The exact method of DNS poisoning remains unclear, with suspicions pointing to compromised ISPs or local network devices.
The repercussions of the 2022 LastPass breach continued to surface, with threat actors exploiting weak master passwords to steal approximately $35 million in cryptocurrency assets as of September 2025. TRM Labs identified links to the Russian cybercriminal ecosystem through the use of cryptocurrency exchanges and mixers commonly associated with that group.
Fortinet warned of renewed exploitation of CVE-2020-12812, a five-year-old improper-authentication flaw in FortiOS SSL VPN. Under specific configurations, a user who changed the case of their username at login could authenticate without being prompted for the second factor, so a valid password alone was enough to get past multi-factor authentication. Fortinet advised affected customers to contact support and to reset credentials where there is evidence that authentication was compromised.
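The bug class behind that advisory is an inconsistency between two lookups of the same identity: the password check treats usernames case-insensitively, while the second-factor lookup matches the exact string. The following Python is an added, constructed model of that pattern and its fix, not FortiOS code; the directory, token table, and login records are all made up. It also includes the retrospective check a defender would want after such an advisory: find accounts that logged in successfully under more than one spelling of the same username.

```python
"""Toy model of the bug class behind CVE-2020-12812 (constructed example,
not FortiOS code): the password check treats usernames case-insensitively,
but the MFA-enrolment lookup is an exact-match dictionary, so 'Alice' and
'alice' are the same account for the password step and different accounts
for the second-factor step."""

from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed directory: usernames stored lower-case; passwords in the clear
# only because this is a toy.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}
# Constructed MFA enrolment table, keyed by the exact username string.
MFA_TOKENS: Dict[str, str] = {"alice": "123456"}


def password_ok(username: str, password: str) -> bool:
    """Case-insensitive credential check, as a directory bind often is."""
    return USERS.get(username.lower()) == password


def login_vulnerable(username: str, password: str, otp: Optional[str] = None) -> str:
    """Vulnerable flow: the second-factor lookup uses the raw username."""
    if not password_ok(username, password):
        return "denied"
    expected = MFA_TOKENS.get(username)  # exact-case lookup: 'Alice' finds nothing
    if expected is None:
        return "granted"                  # no enrolment found, so 2FA is skipped
    return "granted" if otp == expected else "denied"


def login_fixed(username: str, password: str, otp: Optional[str] = None) -> str:
    """Hardened flow: normalise once, use the canonical name for every lookup,
    and fail closed when no enrolment exists for an MFA-required login."""
    canonical = username.lower()
    if not password_ok(canonical, password):
        return "denied"
    expected = MFA_TOKENS.get(canonical)
    if expected is None or otp != expected:
        return "denied"
    return "granted"


def case_variant_logins(events: Iterable[Tuple[str, str]]) -> List[str]:
    """Retrospective check over (username, result) login records: return the
    canonical names that succeeded under more than one spelling."""
    spellings: Dict[str, Set[str]] = defaultdict(set)
    for username, result in events:
        if result == "granted":
            spellings[username.lower()].add(username)
    return sorted(name for name, seen in spellings.items() if len(seen) > 1)


# Constructed login records, as one might parse out of a VPN event log.
SAMPLE_EVENTS = [
    ("alice", "granted"),
    ("Alice", "granted"),
    ("bob", "granted"),
    ("BOB", "denied"),
]

if __name__ == "__main__":
    print(login_vulnerable("Alice", "correct horse battery staple"))  # bypass
    print(login_fixed("Alice", "correct horse battery staple"))       # denied
    print(case_variant_logins(SAMPLE_EVENTS))
```

Two design points carry over to real systems: canonicalise the identifier once at the boundary and pass only the canonical form to every downstream policy lookup, and treat "no MFA enrolment found" as a denial for a login that is supposed to require MFA, rather than as permission to skip the step.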
A deceptive npm package, lotusbail, posing as a working WhatsApp API, was found to steal messages and link attacker-controlled devices to victims' WhatsApp accounts. The package, downloaded more than 56,000 times before removal, let the threat actor intercept messages, send new ones, and read contact lists. Crucially, uninstalling the package does not revoke the attacker's linked device; affected users must also remove any unrecognized entry themselves from WhatsApp's Linked Devices list.
Trending Vulnerabilities to Watch
This week also brought several other CVEs that warrant prompt attention. Attackers routinely weaponize newly disclosed flaws within hours, and a single unpatched vulnerability can be the entry point for a widespread breach.
The flaws to track are CVE-2025-14847 (MongoDB), CVE-2025-68664 (LangChain Core), CVE-2023-52163 (Digiever DS-2105 Pro), CVE-2025-68613 (n8n), CVE-2025-13836 (Python http.client), CVE-2025-26794 (Exim), CVE-2025-68615 (Net-SNMP), CVE-2025-44016 (TeamViewer DEX Client), and CVE-2025-13008 (M-Files Server). Organizations should confirm whether each affected product is in their estate and prioritize remediation accordingly.
Global Cyber Landscape: Arrests, Espionage, and Emerging Threats
In India, a former Coinbase customer service agent was arrested as part of an ongoing investigation into hackers bribing representatives to access customer data. Coinbase CEO Brian Armstrong confirmed the arrest, emphasizing the company’s zero-tolerance policy for misconduct and commitment to working with law enforcement. The incident, which affected over 69,000 individuals, involved contractors bribed to steal sensitive customer information.
The threat actor known as Cloud Atlas has been observed targeting Russia and Belarus with sophisticated phishing campaigns. These attacks utilize malicious Microsoft Word documents to download trojanized components, leading to the deployment of various backdoors, including VBShower, PowerShower, and CloudAtlas. The telecommunications, construction, and government sectors have been primary targets.
A new MSIL loader named BlackHawk has emerged, featuring AI-generated obfuscation. ESET reports that this loader is actively used in campaigns distributing Agent Tesla and Phantom malware, particularly targeting small and medium-sized businesses in Romania.
A notable surge in Cobalt Strike servers was detected between early and mid-December 2025, primarily hosted on the networks of AS138415 (YANCY) and AS133199 (SonderCloud LTD). Censys observed rapid increases and decreases in these servers, suggesting temporary infrastructure deployment by threat actors.
Intrinsec identified a threat actor named “Fly” as the probable administrator of Russian Market, an underground forum for selling stolen credentials. The investigation linked “Fly” to the marketplace’s promotion and initial domain registrations.
A new scam campaign is targeting the Middle East and North Africa (MENA) region with fake job offers, aiming to collect personal data and illicitly obtain funds. These scams often impersonate reputable organizations and move conversations to private messaging platforms for financial fraud.
The Windows text editor EmEditor was hit by a supply-chain incident: Emurasoft reported that a malicious installer was temporarily served via a compromised download link on its website, delivering an infostealer that harvests extensive system and application data. Anyone who ran an installer obtained during that window should treat credentials stored on the affected machine as exposed and rotate them.
Docker has made its Hardened Images available for free, aiming to enhance software supply chain security. These minimal, production-ready images are managed by Docker and are compatible with widely used open-source foundations like Alpine and Debian, facilitating easier adoption for developers.
Details have emerged about a critical, now-patched flaw in Livewire (CVE-2025-54068), a full-stack framework for Laravel. Under specific circumstances, particularly when the application's APP_KEY has been compromised, the bug could allow an unauthenticated attacker to achieve remote command execution.
New malware dubbed ChimeraWire has been identified, capable of artificially boosting website search engine rankings by performing hidden internet searches and mimicking user clicks on infected Windows devices. This malware typically acts as a second-stage payload for other downloaders.
Further information has surfaced regarding the LANDFALL Android spyware campaign, which exploited a zero-day flaw in Samsung Galaxy devices (CVE-2025-21042). The campaign targeted individuals in the Middle East, leveraging specially crafted image files likely delivered via WhatsApp.
Belarusian authorities are reportedly employing a new spyware, ResidentBat, on the phones of local journalists following confiscation during interrogations. The spyware is capable of collecting extensive device data and can self-remove.
Two former cybersecurity professionals, Ryan Clifford Goldberg and Kevin Tyler Martin, have pleaded guilty to taking part in BlackCat ransomware attacks between May and November 2023 while employed by cybersecurity firms. According to prosecutors, they used their positions to facilitate the attacks.
A congressional report claims that China is exploiting U.S.-funded research, particularly in nuclear technology, to advance its military and technological capabilities. The report highlights research collaborations between U.S. entities and Chinese organizations involved in the country’s defense industrial base.
A Moscow court sentenced a Russian scientist, Artyom Khoroshilov, to 21 years in prison for treason, accused of colluding with the Ukrainian IT Army to conduct DDoS attacks and plotting sabotage against Russian infrastructure.
Malicious actors are increasingly utilizing DIG AI, a dark LLM accessible via the Tor browser, for generating phishing emails and instructions for illegal activities. Resecurity noted a notable increase in its use for harmful purposes.
The Chinese government asserted that the U.S. improperly seized cryptocurrency assets belonging to the Chinese firm LuBian. The U.S. Justice Department had previously seized $15 billion worth of Bitcoin, which China claims originated from a 2020 hack of LuBian.
This weekly recap provides a consolidated view of the significant cybersecurity events that transpired in the closing days of 2025. By focusing on these key developments and recurring patterns, organizations can better assess the evolving threat landscape and prepare for emerging risks anticipated in 2026.