Critical Zero-Days and Actively Exploited Flaws Plague Cisco, Apple, HPE, and MongoDB

University of Sydney Discloses Data Breach After Hacker Accesses IT Code Library

The University of Sydney has announced a significant data breach affecting approximately 27,500 individuals after an unauthorized party gained access to an internal IT code library. The compromised repository contained historical data files with personal information of current and former staff, affiliates, students, and alumni, primarily from 2010-2019. Exposed data includes names, dates of birth, phone numbers, and home addresses. The university has secured the environment and is in the process of notifying all affected individuals while an investigation is ongoing.

PIIEducationCode RepositoryInsider ThreatMisconfiguration

Data Breach

Cyberattack

Policy and Compliance

Nefilim Ransomware Operator Pleads Guilty in U.S. Court

Ukrainian Operator of Nefilim Ransomware, Artem Stryzhak, Pleads Guilty to Conspiracy Charges

Artem Aleksandrovych Stryzhak, a Ukrainian national, has pleaded guilty in a U.S. federal court for his role in the Nefilim ransomware conspiracy. Stryzhak, 35, was a key operator for the ransomware group that targeted high-revenue companies in the U.S. and Europe between 2018 and 2021, causing millions in damages. The group was known for its double-extortion tactics, stealing data before encryption and threatening to leak it on their 'Corporate Leaks' site. Stryzhak faces up to 10 years in prison, while his co-conspirator, Volodymyr Tymoshchuk, remains at large with an $11 million bounty offered by the U.S. Department of State.

Double ExtortionBig Game HuntingCybercrimeDOJExtradition

Ransomware

Threat Actor

Regulatory

URGENT: Cisco Warns of Active Zero-Day Attacks on Email Security Appliances

CRITICAL

Cisco Warns of Actively Exploited Zero-Day Vulnerability in Secure Email Gateway and Web Manager

Cisco has issued an urgent security advisory for an actively exploited zero-day vulnerability in its AsyncOS software, affecting Cisco Secure Email Gateway (formerly IronPort) and Secure Email and Web Manager appliances. Threat actors are leveraging the unpatched flaw to deploy persistent backdoors and tunneling tools, granting them long-term, stealthy access to enterprise email infrastructure. A patch is not yet available, and Cisco is strongly urging administrators to apply interim mitigations, restrict management access, and monitor logs for signs of compromise.

Zero-Day0dayEmail SecurityIronPortBackdoor +1 more

URGENT: Cisco Warns of Active Zero-Day Attacks on Email Security Appliances

Vulnerability

Cyberattack

Threat Intelligence

Warning: "GhostPairing" Attack Hijacks WhatsApp Accounts with Malicious QR Codes

"GhostPairing" Social Engineering Campaign Hijacks WhatsApp Accounts via Device Linking Feature

A new social engineering campaign dubbed "GhostPairing" is exploiting WhatsApp's multi-device linking feature to hijack user accounts. India's CERT-In has issued a high-severity warning about the attack, which tricks victims into scanning a malicious QR code or entering a pairing code from a fraudulent website. This action links the attacker's device to the victim's account, granting them full access to messages, contacts, and media without needing a password or SIM swap. The attack bypasses traditional authentication, relying purely on deceiving the user into performing the linking action themselves.

Social EngineeringWhatsAppAccount TakeoverQR CodeCERT-In

Warning: "GhostPairing" Attack Hijacks WhatsApp Accounts with Malicious QR Codes

Phishing

Mobile Security

Cyberattack

MongoDB 'MongoBleed' Flaw Allows Unauthenticated Data Leaks, Actively Exploited

MongoDB Discloses "MongoBleed" (CVE-2025-14847), a High-Severity Unauthenticated Memory Leak Vulnerability

MongoDB has disclosed a high-severity vulnerability, CVE-2025-14847, nicknamed "MongoBleed." The flaw is an unauthenticated memory leak in the database server's zlib compression functionality. A remote, unauthenticated attacker can send a malformed message to a vulnerable server, causing it to leak contents of its memory. This exposed data can include sensitive information like plaintext passwords, API keys, and session tokens from other user sessions. The vulnerability affects multiple versions of MongoDB, and with a PoC exploit public and active exploitation confirmed, administrators are urged to upgrade immediately or disable zlib compression as a workaround.

Database SecurityMemory LeakUnauthenticatedActive ExploitationPoC +1 more

MongoDB 'MongoBleed' Flaw Allows Unauthenticated Data Leaks, Actively Exploited

Vulnerability

Data Breach

Cloud Security

.NET "SOAPwn" Flaw Allows Authentication Bypass and RCE in Enterprise Apps

CRITICAL

Critical "SOAPwn" Vulnerability in .NET Enables Authentication Bypass and Remote Code Execution

A critical vulnerability nicknamed "SOAPwn" has been discovered in .NET applications utilizing SOAP-based web services. The flaw, reported on December 19, 2025, allows an unauthenticated attacker to send a specially crafted SOAP request to bypass security checks and achieve remote code execution. This poses a severe risk to many enterprise applications that rely on the legacy SOAP protocol for critical business functions. Microsoft has issued guidance and released patches, urging organizations to update their applications immediately and monitor for suspicious SOAP traffic.