On December 19, 2025, MongoDB disclosed and patched a flaw that allows an unauthenticated attacker to read uninitialized heap memory due to mismatched length fields in Zlib compressed protocol headers (CVE-2025-14847, CVSS 8.7). One week later, on December 26, a researcher from Elastic Security published proof-of-concept (PoC) exploit code for this vulnerability, dubbed "MongoBleed," and by December 29 the flaw was added to the Cybersecurity and Infrastructure Security Agency's catalog of Known Exploited Vulnerabilities (CISA KEV). Rapid7, which confirmed the effectiveness of the PoC code, urges users of self-managed MongoDB instances to remediate immediately instead of waiting for normal patch cycles, and to rotate all database and application credentials. The researchers note that "the severity is underscored by the fact that [CVE-2025-14847] allows attackers to bypass authentication entirely to extract sensitive information directly from server memory. [...] This memory often contains high-value secrets such as cleartext credentials, authentication tokens, and sensitive customer data from other concurrent sessions." Users must upgrade to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30. Vulnerable EOL versions will not receive official patches; in this case, or if immediate patching is not feasible, users can mitigate the vulnerable memory allocation path by disabling the Zlib network compressor in the server configuration. Federal Civilian Executive Branch agencies must patch by January 19.
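As an added example written for this page (not MongoDB's, Rapid7's or any vendor's code), the Python triage helper below applies the two remediation facts in the item above: it compares a reported server version against the fixed releases listed (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30), treating any other branch as unfixed, and it reads the `net.compression.compressors` setting from a mongod.conf to tell whether the zlib compressor, the allocation path the workaround disables, is still enabled. The key name is MongoDB's documented configuration option; the sample configuration strings are constructed.

```python
"""Triage helper for CVE-2025-14847 (added example; not MongoDB's or Rapid7's code).

For each self-managed mongod it answers two questions:
  1. Is the reported version at or above the fixed release for its branch?
  2. If not, is the zlib network compressor (the vulnerable allocation path)
     still enabled in mongod.conf?
Fixed releases are the ones named in the advisory summary; any other branch is
treated as unfixed, since EOL branches receive no official patch.
"""
import re

# (major, minor) branch -> first fixed release, from the advisory summary.
FIXED_RELEASES = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}


def parse_version(text):
    """Turn '8.2.3' or 'v8.2.3-rc0' into (8, 2, 3)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised MongoDB version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version):
    """True only if the branch has a fix and this build is at or past it."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return False  # EOL or otherwise unlisted branch: no official fix exists
    return (major, minor, patch) >= fixed


def zlib_compressor_enabled(config_text):
    """Inspect net.compression.compressors in a mongod.conf (YAML) text.

    Accepts 'disabled', a comma list ('snappy,zstd') or a flow list
    ('[snappy, zlib]'). MongoDB's default when the key is absent includes zlib,
    so a missing key is reported as enabled (the conservative reading).
    """
    m = re.search(r"^\s*compressors:\s*(.+?)\s*$", config_text, re.MULTILINE)
    if not m:
        return True
    value = m.group(1).split("#", 1)[0].strip()  # drop an inline comment
    value = value.strip("[]").strip("'\"")
    if value.casefold() == "disabled":
        return False
    names = [v.strip().strip("'\"").casefold() for v in value.split(",")]
    return "zlib" in names


def assess(version, config_text):
    """Combine both checks into the action a defender should take."""
    patched = is_patched(version)
    zlib_on = zlib_compressor_enabled(config_text)
    if patched:
        action = "none"
    elif zlib_on:
        action = "upgrade now or disable zlib"
    else:
        action = "upgrade (zlib already disabled)"
    return {"version": version, "patched": patched,
            "zlib_enabled": zlib_on, "action": action}


if __name__ == "__main__":
    # Constructed sample: an unpatched 7.0 build with a compressor list including zlib.
    sample_conf = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zstd,zlib\n"
    print(assess("7.0.27", sample_conf))
```

Feed `assess()` the output of `db.version()` (or the `mongod --version` banner) and the server's config file; a result other than `"none"` belongs on the remediation list, and the compressor check is only a stopgap for builds that cannot be upgraded.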

Given that there is verified PoC code for this exploit, step one is to ensure you're on one of the patched versions of MongoDB. Step two is to make sure you're on 8.2.3 or higher. While there is a workaround of disabling Zlib compression, it may take more time to run down the impact of making that change than to simply apply the update.

This vulnerability became public just before Christmas, so it may not have gotten a lot of attention. It is easily exploited and can be used to leak secrets, which may be used in follow-up attacks.

Add this to your list of "Things to never expose to the internet." The first thing an attacker (or pentester) will do is look for exposed, odd services like this, and strike! Hopefully you can whittle your exposed attack surface down to public websites and VPN portals. Less is more!

This MongoDB issue is alarming. There are still plenty of these databases that are not behind a VPN and are just sitting on the open internet, with authentication sometimes being enabled. This type of issue would allow a large botnet to form, or worse. If you are running MongoDB, you should have patched it by now. If you're exposing it to the internet, consider putting it behind a VPN. There are some nice mesh solutions available today, so there is very little reason to have it exposed like this.
https://jira.mongodb.org/browse/SERVER-115508
Rapid7
Dark Reading
Heise
The Register
The Hacker News
CyberScoop
On Monday, December 29, 2025, Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty to "one count of conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion," following their October indictment by the US Department of Justice for conducting ransomware attacks against five US companies in 2023. Goldberg was formerly an incident response manager for Cygnia Cybersecurity Services, and both Martin and an unnamed third co-conspirator were former ransomware threat negotiators at DigitalMint; all three were employed at the time of the attacks, which the trio carried out as affiliates of the ALPHV BlackCat ransomware scheme, extorting organizations for cryptocurrency in exchange for a decryption key and a promise not to publish stolen data. Only one company paid the ransom, totalling approximately US$1,274,781.2 at the time, 20% of which was then paid to ALPHV BlackCat administrators. Martin and Goldberg are scheduled to be sentenced on March 12, 2026, and face a maximum penalty of 20 years in prison.

One of the concerns here is that the training gained as incident responders/defenders was used to enable and support criminal activities. The reality is, this is where background checks and agreements to ethical behavior meet human tendencies. These need to be repeated, not one-and-done, along with appropriate monitoring and reporting to keep the bar as high as possible.

A good reminder of the old proverb “The shoemaker’s children often go barefoot.” Insider security both before and during employment is business-critical for companies providing security services. Background checks are critical, as are higher levels of internal activity monitoring. RFPs for security services should always include information on internal security practices.

As unfriendly terminations increase in response to increased productivity, the threat can also be expected to increase. If you have not already implemented strong authentication and structured your network, time is running out.

Quis custodiet ipsos custodes?
DOJ
Dark Reading
SecurityWeek
The Register
Fortinet says that a vulnerability first disclosed more than five years ago is still being actively exploited. CVE-2020-12812 is an improper authentication vulnerability in SSL VPN in certain configurations of FortiGate SSL VPN that allows attackers to bypass multi-factor authentication (MFA). In a December 24, 2025 blog post, Fortinet writes that "In specific configurations, due to differences in behavior of LDAP Directories, FortiGates can allow LDAP users with two-factor authentication (2FA) configured to bypass 2FA and instead authenticate against LDAP directly. This particular authentication behavior is caused by FortiGate treating usernames as case-sensitive by default, when the LDAP Directory does not. To trigger this issue, an organization must have the following configuration present: Local user entries on the FortiGate with 2FA, referencing back to LDAP: The same users need to be members of a group on the LDAP server. Example: user jsmith is a member of 'Domain Users', 'Helpdesk'. [And] at least one LDAP group the two-factor users are a member of needs to be configured on FortiGate e.g. 'Domain Users', 'Helpdesk', and the group needs to be used in an authentication policy which could include for example administrative users, SSL or IPSEC VPN." When the vulnerability was first disclosed in July 2020, Fortinet issued updated versions of FortiOS to address the issue. The Shadowserver Foundation has recently observed more than 10,000 instances of unpatched Fortinet firewalls.
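The configuration-dependent mismatch Fortinet describes can be illustrated with a small Python model. This is an added example written for this page, not FortiOS code, and every user, group, password and one-time code in it is constructed. The flawed variant matches the typed username against the local 2FA entries case-sensitively and otherwise falls through to the LDAP group policy; the corrected variant binds to the directory first and uses the name the directory returns to decide whether 2FA applies, which is the general fix for this class of canonicalization bug.

```python
"""Toy model of the CVE-2020-12812 bug class (added example; not FortiOS code).

A gateway keeps local user entries with 2FA that point back to LDAP, and also
admits whole LDAP groups in an authentication policy. The local lookup is
case-sensitive while the directory is not. All users, groups, passwords and
OTP values below are constructed for this example.
"""

# Constructed directory: case-insensitive usernames, as in Active Directory.
LDAP_PASSWORDS = {"jsmith": "correct-horse", "anna": "battery-staple"}
LDAP_GROUPS = {"Domain Users": {"jsmith", "anna"}, "Helpdesk": {"jsmith"}}

# Constructed gateway config: local 2FA entries referencing LDAP, plus a
# policy that admits members of an LDAP group.
LOCAL_2FA_USERS = {"jsmith": "123456"}  # username -> expected OTP (toy)
POLICY_GROUPS = {"Domain Users"}


def ldap_bind(username, password):
    """Directory-style bind: the username comparison is case-insensitive.

    Returns the directory's own spelling of the name on success, else None.
    """
    canonical = next((u for u in LDAP_PASSWORDS
                      if u.casefold() == username.casefold()), None)
    if canonical is None or LDAP_PASSWORDS[canonical] != password:
        return None
    return canonical


def member_of_policy_group(canonical):
    return any(canonical in LDAP_GROUPS.get(g, set()) for g in POLICY_GROUPS)


def authenticate_flawed(username, password, otp=None):
    """Local 2FA entry matched by exact case; any other spelling falls
    through to the group policy, which needs only the LDAP password."""
    if username in LOCAL_2FA_USERS:  # case-sensitive dictionary lookup
        return (ldap_bind(username, password) is not None
                and otp == LOCAL_2FA_USERS[username])
    canonical = ldap_bind(username, password)
    return canonical is not None and member_of_policy_group(canonical)


def authenticate_fixed(username, password, otp=None):
    """Bind first, then decide 2FA using the directory's canonical name, so
    the typed spelling no longer selects the authentication path."""
    canonical = ldap_bind(username, password)
    if canonical is None:
        return False
    local = next((u for u in LOCAL_2FA_USERS
                  if u.casefold() == canonical.casefold()), None)
    if local is not None:
        return otp == LOCAL_2FA_USERS[local]  # 2FA is mandatory for this user
    return member_of_policy_group(canonical)


if __name__ == "__main__":
    # Same credentials, different spelling of the name: only the flawed path differs.
    print("flawed, mixed case, no OTP:", authenticate_flawed("JSmith", "correct-horse"))
    print("fixed, mixed case, no OTP: ", authenticate_fixed("JSmith", "correct-horse"))
```

The design point is that the decision "does 2FA apply to this account" must be keyed on an identity the directory asserts (the returned account name or DN), not on the string the client typed; string-equality checks against a case-insensitive backend are a recurring source of policy bypasses well beyond this one product.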

The issue was addressed in a 2020 update which has still not been applied in all cases. Make sure your Fortinet devices are fully updated. Don't get caught up in why something is or isn't updated; it's more important to get it updated first, and then as phase two, go back and fix whatever allowed it to not be kept up to date.

This is a strange one. Given all the RCE and other issues between 2020 and today, the fact that this particular bug is being sought is odd. There are so many reasons for a firewall not to be running this code train, and I am pretty sure this one bug is not the most pressing concern; it would probably be the ones that have RCE.
Fortinet
X
BleepingComputer
The Hacker News
BleepingComputer
SC Media
NIST
An investigation conducted by South Korea's Ministry of Science and ICT (MSIT) found that South Korean telecommunications and digital services provider KT mismanaged the security of femtocell mobile base stations, allowing criminals to snoop on customer communications and conduct micropayment fraud. KT deployed thousands of femtocells, all with the same network authentication certificate. According to analysis from Yongdae Kim (Professor at KAIST, IEEE Fellow, KAIST ICT Endowed Chair), KT had deliberately disabled end-to-end encryption on some femtocell models. The devices had no root passwords and stored keys in plaintext, and because SSH was enabled, the devices were remotely accessible. Once criminals were able to retrieve the certificate, they could use it to clone femtocells and snoop on devices that connected to them. The MSIT investigation revealed that 368 KT customers fell victim to micropayment fraud, resulting in losses of US$169,000. Yongdae Kim observes that the amount lost to micropayment fraud "is absurdly small for this infrastructure sophistication, [leading to the] rational inference [that] large-scale data collection was primary. Someone's greed exposed it. Without micropayment fraud, undetectable." The South Korean government has called for KT to waive early termination fees for customers; the company has agreed.

Using the same certificate for authentication is the same as a default password. In addition to a shared certificate, with a ten-year lifespan, these devices had internet facing SSH, an empty root password, and keys stored in plaintext. That was enough to allow fake devices to be created and operated as legitimate devices. Make sure you don't use shared certificates for authentication, and verify that you block internet facing management ports and services, such as SSH. When setting up private cell services, ensure that you're both isolating their connections and allowing only necessary communication to these devices.

I haven’t seen a femtocell in the US for quite a while. Interesting that this one company had been selling them and that the units all shared the same certificate. Maybe using a VPN over Cellular is a good idea… just saying…

In the US, Femtocells have largely been replaced by voice from the handset over Wi-Fi to the Internet. Essentially the function of the femtocell has moved into the handset. My femtocell simply stopped working with little or no notice. I seem to recall that I had to change a setting on my iPhone to enable the service, but it was so simple a change and so long ago that, at my advanced age, I cannot remember.
The Register
Korea Times
YNA
"Everything you thought you knew about the security of the internal network behind your Internet router probably is now dangerously out of date," writes Brian Krebs about the expanding Kimwolf botnet, in an article he characterizes as an "urgent Internet-wide security advisory." Kimwolf appears to have compromised over 2 million devices worldwide, enabling ad fraud, account takeovers, mass content scraping, DNS hijacking, and distributed denial-of-service (DDoS) attacks, among other malicious activity. A significant vector for Kimwolf's spread is unsecure IoT devices, especially third-party Android TV boxes and internet-connected digital picture frames, infected before purchase or requiring the installation of apps containing malware. Kimwolf secretly turns a device into a node for a monetized residential proxy service, which Krebs emphasizes may occur as easily as a guest's infected device connecting to a home Wi-Fi network. The botnet appears to be spreading into several major proxy services including IPIDEA, a residential proxy network based in China, believed to be the largest in the world. The malware circumvents typical proxy network restrictions against requests for RFC-1918 private network addresses, tunneling upstream to infect proxy endpoint devices ostensibly protected by firewalls and routers. Synthient Founder Kevin Brundage has been analyzing and tracking Kimwolf, and responsibly notified affected proxy providers in mid-December 2025. Both IPIDEA and Oxylabs, another major proxy provider, appear to have "successfully patched the vulnerabilities [Brundage] identified." While determining compromise may be difficult for many users, Synthient's website will check whether a visitor's IP address is in the database of known compromised devices, and Brundage has compiled a list of the most commonly infected Android TV boxes, which should be removed immediately. 
Users are urged to cultivate skepticism of devices offering media for free, and to "stick to known brands" for networked devices.
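The restriction Kimwolf works around, a forwarding proxy refusing to dial RFC 1918 and other internal destinations, is worth seeing as code. The Python egress filter below is an added example for this page, not code from Synthient, Krebs on Security or any proxy provider; the blocked ranges are the well-known reserved ones and the sample requests are constructed. It also shows the check a practitioner would add: evaluate every resolved address after name resolution rather than the hostname, and unwrap IPv4-mapped IPv6 so `::ffff:10.0.0.1` is judged as `10.0.0.1`.

```python
"""Egress filter for a forwarding/residential proxy exit (added example).

Refuses requests whose destination falls in private, loopback, link-local or
other internal ranges. Not code from any proxy provider; sample inputs are
constructed.
"""
import ipaddress

# Destination ranges a proxy exit should never dial on a client's behalf.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("127.0.0.0/8"),       # loopback
    ipaddress.ip_network("169.254.0.0/16"),    # IPv4 link-local
    ipaddress.ip_network("100.64.0.0/10"),     # RFC 6598 shared address space
    ipaddress.ip_network("0.0.0.0/8"),         # "this" network
    ipaddress.ip_network("::1/128"),           # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),          # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
]


def normalise(addr):
    """Parse an address string; unwrap IPv4-mapped IPv6 so the IPv4 rules apply."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_internal_destination(addr):
    """True if the address lies in any blocked range."""
    ip = normalise(addr)
    # Membership tests across address families are False, so one list serves both.
    return any(ip in net for net in BLOCKED_NETWORKS)


def allow_connect(resolved_ips):
    """Decide a CONNECT/forward request *after* name resolution.

    Pass every address the hostname resolved to: if any one is internal the
    request is refused, which also catches a name that mixes public and
    private answers. A name that did not resolve is refused as well.
    """
    if not resolved_ips:
        return False
    return not any(is_internal_destination(ip) for ip in resolved_ips)


if __name__ == "__main__":
    # Constructed resolution results for two hypothetical requests.
    print(allow_connect(["93.184.216.34"]))              # public only -> allowed
    print(allow_connect(["93.184.216.34", "10.0.0.1"]))  # mixed -> refused
```

In a real proxy the filter belongs at the point where the exit node opens the outbound socket, after its own resolver has answered, and the same check should run again on any redirect target; filtering the hostname string before resolution is exactly the gap a mixed or rebinding DNS answer slips through.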

Use the Synthient device security check site below to see if your network is on the compromised list. Then check their Kimwolf product devices list against your network devices. If you find anything on that list, remove it from your network immediately. Make sure you connect visitors to your guest wireless, not your primary networks. This is also a good plan for IoT devices, if they can work with the reduced inter-device connectivity.

Residential proxies are a good way for the attackers to get around location policies. Some companies sell these services, but if you are doing something less than above board, you’re going to go through one of these illegal proxies to evade being asked for identification. If you are purchasing a device that is “stealing” services like an Android TV with illegal media, you're more than likely part of this residential proxy operation. Just going on forums and seeing people complain about this is rather fascinating.

The existence and extent of botnets demonstrates that poorly managed LANs are part of your attack surface. Small office and home networks that do not implement basic security hygiene, and there are obviously many, increase the risk profile for all Internet users. Structure your networks and terminate encryption on or close to the application.
Krebs on Security
Synthient
Synthient
SecurityWeek
The Hacker News
Sedgwick Government Solutions, a subsidiary of claims administration company Sedgwick, has confirmed that they are "dealing with a cybersecurity incident." Sedgwick Government Solutions provides claims and risk management services to multiple US government entities, including the Department of Homeland Security (DHS), Immigration and Customs Enforcement, Customs and Border Protection, Citizenship and Immigration Services, the Department of Labor, the Cybersecurity and Infrastructure Security Agency (CISA), the Smithsonian Institution, the Port Authority of New York and New Jersey, and municipal agencies in all 50 states. The incident affected an "isolated file transfer system," according to a Sedgwick Government Solutions spokesperson, who also clarified that "Sedgwick Government Solutions is segmented from the rest of our business, and no wider Sedgwick systems or data were affected."

File transfer services remain targets due to their importance in integrating disparate systems. This is a good time to review your file transfer systems and make sure that you're not only running secure updated versions, but also following the security best practices, to include retiring and disabling unencrypted protocols and single-factor authentication.

The purported loss of 3.4 gigabytes of data… The good news is that it doesn’t appear to affect the ability of Sedgwick Government Solutions to “continue serving its clients.”

File transfer is inherently risky. Several products intended to compensate for this risk have been shown to have vulnerabilities induced by both design and implementation. Caveat emptor.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently added two more vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog: a missing authorization vulnerability in Digiever DS-2105 Pro network video recorders (CVE-2023-52163), and an improper handling of length parameter inconsistency issue in MongoDB Server (CVE-2025-14847). Both are being actively exploited. The Digiever vulnerability allows command injection leading to post-authentication remote code execution. The NIST entry for the CVE notes that the "vulnerability only affects products that are no longer supported by the maintainer." The vulnerability was added to the KEV on December 22, 2025, and has a mitigation deadline of January 12, 2026 for US Federal Civilian Executive Branch (FCEB) agencies. The MongoDB Server vulnerability is detailed in its own story in this issue of NewsBites; the CVE was added to KEV on December 29, 2025, and has a mitigation deadline of January 19, 2026 for FCEBs.

CVE-2025-14847, DigiEver command injection flaw, has a CVSS 3 score of 8.8, and attempted exploits may go back as far as November 2024, using a variant of the Mirai botnet. This means you need to grab the IoCs Akamai published for your threat hunters, as well as update to a supported version of DigiEver.

In today's software market, patching is both necessary and essential, but may still be done in an ad hoc or simply responsive manner. Put it on your 2026 objectives to ensure that this function is planned, managed, and resourced so as to be both effective and efficient.
New Zealand's health minister has ordered a governmental review of a cybersecurity incident affecting the Manage My Health healthcare portal. Manage My Health acknowledged the incident on January 1, 2026, and writes that they "are working with independent cyber security specialists, the Privacy Commissioner, the New Zealand Police and Health New Zealand to coordinate [their] response." The organization estimates that roughly 126,000 individuals, between six and seven percent of their 1.8 million registered patients, are affected by the incident. Manage My Health detected the incident on December 30, 2025, and acknowledged it publicly on January 1, 2026.

Those 1.8 million patients represent about one-third of the population of New Zealand. They are advising patients to change their passwords and implement authentication apps for MFA. In today's climate, if your systems support MFA, it needs to be required, not optional. Set this before an incident or review; there are no longer good reasons to not require MFA across the board.

Let’s hope the government requires the private healthcare service provider to answer key questions that can benefit the entirety of the healthcare sector. Understanding the attacker Tactics, Techniques, and Procedures (TTPs) is key in the context of having defensive measures in place.
The Register
Infosecurity Magazine
Gov Infosecurity
NZ Herald
Manage My Health
Manage My Health
YouTube
Massachusetts-based Covenant Health now says that a May 2025 breach of its network compromised sensitive information of 478,188 individuals. The exposed data include names, addresses, birth dates, medical record and Social Security numbers, health insurance information, and medical diagnoses. The breach disrupted operations at Covenant's hospitals: wait times increased, and availability of lab services was limited. Covenant Health has begun notifying affected individuals by mail. Intruders had access to Covenant systems between May 18 and 26, 2025; the organization concluded its investigation on December 10, 2025. Covenant initially disclosed the breach to the Maine Attorney General's office in July 2025, at which time it indicated that the total number of affected individuals was 7,864. That number has been revised to 478,188. Covenant operates several hospitals and other healthcare facilities in New England and parts of Pennsylvania.

Breach impact going from a small user count to a large (effectively "everyone") number is becoming more common, to the point where it's best to assume if a breach affects an organization of which you're a customer, you're impacted. I am no longer comfortable waiting on notifications from my providers, so I suggest operating from an assumption of assumed compromise and taking proactive steps to monitor and protect your credit and identity.

Five months of investigation and the result is a 6,000 percent increase in affected PHI records. But then, everyone in the Industry (Cyber and Healthcare) likely expected the number to increase; it's the dance that business does with regulators.
HIPAA Journal
The Record
BleepingComputer
SecurityWeek
Maine AG
Maine AG
The HIPAA Journal's current analysis of healthcare breach data gathered by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) indicates that while 2025 included a number of significant care sector breaches, the number of large breaches and total number of individuals affected have decreased relative to prior years. The HHS OCR portal shows 15 reported large breaches in 2025, including Aflac (22,650,000), Conduent Business Services LLC (10,515,849), Yale New Haven Health System (5,556,702), Episource, LLC (5,418,866), and Blue Shield of California (4,700,000). Of the 15 large incidents, seven were breaches of business associates. The HIPAA Journal notes that the listings for both the Conduent breach and the Aflac breach on the HHS OCR portal do not reflect these figures. However, the Oregon Department of Justice Consumer Protection website indicates that the Conduent breach affects 10.5 million individuals. The Aflac breach was initially reported to HHS OCR in August 2025 with a "placeholder figure of 500." In late December, Aflac confirmed that the number of affected individuals is approximately 22.65 million. In addition, the HIPAA Journal writes, "There is a delay between data breaches being reported to OCR and being added to the OCR breach portal. While the delay between OCR being notified and the breach being added to the data breach portal is usually up to two weeks, data breach additions came to a grinding halt due to the 43-day government shutdown, and based on the low totals for October and November, it appears that the backlog has yet to be cleared, so the figures are likely to increase over the coming weeks."

While the shutdown impacted the updating of the OCR breach portal, I am cautiously optimistic that the numbers are heading in the right direction. Continued diligence and cyber hygiene in the healthcare sector is needed to continue this trend. As we emerge from the holidays and look past flu season, now is the time to start initiatives to bring this one home.

If you work in healthcare and still need numbers to scare management, dig in. This does not go into how the attacks compromised the systems, but ransomware (usually the code word for reusable password compromise) and untested web server updates were quoted in some of the larger ones.

Not sure what we *actually* learn from the HIPAA Journal analysis. The analysis doesn’t describe how the attacker was successful, when the attack started, and what the plan is to fix and prevent a recurrence. It simply documents the YoY increase/decrease in cyber incidents without really knowing if the Industry sector got better.
HIPAA Journal
HIPAA Journal
Aflac
Oregon Department of Justice
The Record
ZDNet
Gov Infosecurity
SANS Internet Storm Center StormCast Tuesday, January 6, 2026
IPKVM Risks; Tailsnitch; Net-SNMP Vuln
https://isc.sans.edu/podcastdetail/9754
Risks of OOB Access via IP KVM Devices
Recently, cheap IP KVMs have become popular. But their deployment needs to be secured.
https://isc.sans.edu/diary/Risks+of+OOB+Access+via+IP+KVM+Devices/32598
Tailsnitch
Tailsnitch is a tool to review your Tailscale configuration for vulnerabilities
https://github.com/Adversis/tailsnitch
Net-SNMP snmptrapd vulnerability
A new vulnerability in snmptrapd may lead to remote code execution
https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq
SANS Internet Storm Center StormCast Monday, January 5, 2026
MongoBleed/React2Shell Recap; Crypto Scams; DNS Stats; Old Fortinet Vulns
https://isc.sans.edu/podcastdetail/9752
Cryptocurrency Scam Emails and Web Pages As We Enter 2026
Scam emails are directing victims to confidence scams attempting to steal cryptocurrencies.
https://isc.sans.edu/diary/Cryptocurrency+Scam+Emails+and+Web+Pages+As+We+Enter+2026/32594
Debugging DNS response times with tshark
tshark is a powerful tool to debug DNS timing issues.
https://isc.sans.edu/diary/Debugging+DNS+response+times+with+tshark/32592/
Old Fortinet Devices Have Not Been Updated
Over 10,000 Fortinet devices are still vulnerable to a five-year-old vulnerability
SANS Internet Storm Center StormCast Sunday, December 28, 2025
MongoDB Unauthenticated Memory Leak CVE-2025-14847
https://isc.sans.edu/podcastdetail/9750
MongoDB Unauthenticated Attacker Sensitive Memory Leak CVE-2025-14847
Over the Christmas holiday, MongoDB patched a sensitive memory leak vulnerability that is now actively being exploited
https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977
https://github.com/mongodb/mongo/commit/505b660a14698bd2b5233bd94da3917b585c5728
https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/