Daily Digest

MongoBleed Exploit Unleashed, React2Shell Deadline Passes Amid Active Attacks, and Ransomware Strikes European Critical Infrastructure

MongoBleed Exploit Unleashed, React2Shell Deadline Passes Amid Active Attacks, and Ransomware Strikes European Critical Infrastructure

December 27, 2025
5 articles (5 new)
15 min read

Summary

In the period of December 26-27, 2025, the cybersecurity landscape was dominated by the release of a public exploit for the critical 'MongoBleed' vulnerability (CVE-2025-14847), triggering widespread scanning and placing tens of thousands of MongoDB databases at immediate risk. Concurrently, the CISA deadline passed for patching the 'React2Shell' flaw (CVE-2025-55182), which is already under active exploitation by state-sponsored actors. The holiday period saw targeted ransomware attacks, with the 'Gentlemen' group hitting a major Romanian energy producer and LockBit 5.0 claiming a breach of a Greek luxury hotel brand. Other significant events include the discovery of a critical RCE in the n8n automation platform, a supply chain attack on Trust Wallet leading to a $7 million theft, and a sophisticated DNS poisoning campaign by the China-linked 'Evasive Panda' APT.

Filter by Category

New Articles (5)

Critical RCE Flaw in n8n Puts 103,000+ Workflow Automation Servers at Risk

CRITICAL

Critical RCE Vulnerability (CVE-2025-68613) in n8n Platform Allows Full Server Compromise

A critical remote code execution (RCE) vulnerability, CVE-2025-68613, with a CVSS score of 9.9, has been disclosed in the n8n workflow automation platform. The flaw affects over 103,000 publicly exposed instances. It allows an authenticated attacker with low-level privileges (the ability to create or edit workflows) to execute arbitrary commands on the underlying server by exploiting an expression injection weakness. This can lead to a full server compromise, data exfiltration, and lateral movement into connected systems. Users are urged to upgrade to patched versions (1.120.4, 1.121.1, or 1.122.0) immediately.

December 27, 2025
4 min read
n8nRCEVulnerabilityWorkflow AutomationExpression Injection +1 more
Critical RCE Flaw in n8n Puts 103,000+ Workflow Automation Servers at Risk
Vulnerability
Cloud Security
Patch Management

LockBit 5.0 Ransomware Claims Attack on Greek Luxury Hotel Group EM Resorts

HIGH

LockBit 5.0 Adds Greek Hospitality Brand EM Resorts to its Leak Site

On December 26, 2025, the prolific LockBit 5.0 ransomware group claimed responsibility for a cyberattack against EM Resorts, a luxury hotel operator based in Crete, Greece. The group posted a notice on its dark web leak site, threatening to publish exfiltrated data unless a company representative makes contact. This incident follows LockBit's typical double-extortion model, where they both encrypt victim data and steal it for leverage. The full scope of the breach and the type of data stolen have not yet been disclosed, but the attack highlights the ongoing threat ransomware poses to the hospitality industry.

December 27, 2025
4 min read
LockBitRansomwareDouble ExtortionHospitalityGreece +1 more
LockBit 5.0 Ransomware Claims Attack on Greek Luxury Hotel Group EM Resorts
Ransomware
Data Breach
Cyberattack

Typo in Windows Activation Script Leads to Cosmali Loader Malware Infection

MEDIUM

Typosquatted Domain Impersonating Microsoft Activation Scripts (MAS) Delivers Cosmali Loader and XWorm RAT

A typosquatting campaign discovered on December 26, 2025, is targeting users of the popular Microsoft Activation Scripts (MAS) tool. Attackers registered the domain `get.activate[.]win`, a common misspelling of the legitimate domain. Users who mistype the command are redirected to the malicious site, which infects their systems with the Cosmali Loader malware. This loader, in turn, deploys additional payloads, including cryptominers and the XWorm Remote Access Trojan (RAT), giving attackers full control over the victim's machine. In a strange twist, some victims received a pop-up warning them of the infection, believed to be from a third party who hacked the malware's C2 panel.

December 27, 2025
4 min read
Cosmali LoaderXWorm RATTyposquattingMalwarePowerShell +1 more
Typo in Windows Activation Script Leads to Cosmali Loader Malware Infection
Malware
Phishing
Threat Actor

Malicious Trust Wallet Chrome Extension Pushed via Leaked API Key, $7M Stolen

HIGH

Trust Wallet Confirms Supply Chain Breach Led to $7 Million Cryptocurrency Theft via Malicious Chrome Extension

Trust Wallet confirmed on December 26, 2025, that a malicious version of its Chrome browser extension (v2.68) was published, leading to the theft of approximately $7 million in cryptocurrency from 2,596 wallet addresses. The attackers bypassed internal security checks by using a leaked Chrome Web Store API key to publish the compromised version directly. The malicious code was hidden within the application's analytics logic, using the PostHog library to exfiltrate user data to an attacker-controlled server. Over $4 million of the stolen funds have already been laundered through centralized exchanges. Trust Wallet has suspended the malicious domain and is processing reimbursements for affected users.

December 27, 2025
5 min read
Trust WalletSupply Chain AttackCryptocurrencyChrome ExtensionMalware +1 more
Malicious Trust Wallet Chrome Extension Pushed via Leaked API Key, $7M Stolen
Supply Chain Attack
Malware
Data Breach

Debian Patches High-Severity SQL Injection Flaw in PgBouncer

HIGH

Debian Issues Security Update for High-Severity SQL Injection Vulnerability (CVE-2025-12819) in PgBouncer

On December 27, 2025, the Debian project released a security update for a high-severity SQL injection vulnerability, CVE-2025-12819, in PgBouncer, a widely used connection pooler for PostgreSQL. The flaw, which has a CVSS score of 8.1, allows an unauthenticated remote attacker to execute arbitrary SQL commands. The vulnerability can be triggered by injecting a malicious 'search_path' parameter during the authentication process. The issue has been fixed in PgBouncer version 1.25.1 and backported to Debian 11 'bullseye' in version 1.15.0-1+deb11u2. Administrators are urged to upgrade their packages to mitigate the risk.

December 27, 2025
4 min read
DebianPgBouncerPostgreSQLSQL InjectionVulnerability +1 more
Debian Patches High-Severity SQL Injection Flaw in PgBouncer
Vulnerability
Patch Management
Cloud Security

📢 Share This Publication

Help others stay informed about cybersecurity threats