Security Highlights Of The Day [14/01/26]

Threat Brief: MongoDB Vulnerability (CVE-2025-14847)
On Dec. 19, 2025, MongoDB publicly disclosed MongoBleed, a security vulnerability (CVE-2025-14847) that allows unauthenticated attackers to leak sensitive heap memory by exploiting a trust issue in how MongoDB Server handles zlib-compressed network messages. This flaw occurs prior to authentication, meaning an attacker only needs network access to the database’s default port to trigger it.
Source: Palo Alto Networks Unit 42

Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution
Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances. The operating system (OS) command injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system. “An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,” the company said in a Tuesday bulletin.
Source: The Hacker News

Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow
Node.js has released updates to fix what it described as a critical security issue impacting “virtually every production Node.js app” that, if successfully exploited, could trigger a denial-of-service (DoS) condition. “Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability,” Node.js’s Matteo Collina and Joyee Cheung said in a Tuesday bulletin.
Source: The Hacker News

Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed
Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important. For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.
Source: Hackread

“Untrustworthy Fund”: Targeted UAC-0190 Cyberattacks Against SOU Using PLUGGYAPE
From October to December 2025, the national team for responding to cyber incidents, cyberattacks, and cyber threats (CERT-UA), in cooperation with the Cyber Incident Response Team of the Armed Forces of Ukraine (military unit A0334), took measures to investigate a number of targeted cyberattacks against representatives of the Defense Forces of Ukraine, carried out under the guise of charitable foundation activities using the PLUGGYAPE software tool. Based on certain characteristics, the activity is associated, with a medium level of confidence, with the activities of the group known as Void Blizzard (Laundry Bear), which is tracked under the identifier UAC-0190. To carry out the attack, the target is encouraged via instant messengers to visit a website that imitates the webpage of a supposedly charitable foundation, from which they are prompted to download “documents” (executable files, usually located in a password-protected archive).
Source: CERT-UA
