Weekly Exploit Roundup
Generated 2025-12-30T08:00:14.466748+00:00 (UTC)
- CISA Flags Actively Exploited Digiever NVR Vulnerability Allowing Remote Code Execution
Source: The Hacker News | Published: 2025-12-25T08:07:00+00:00 | Score: 22.032
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code […]
- MongoDB Vulnerability CVE-2025-14847 Under Active Exploitation Worldwide
Source: The Hacker News | Published: 2025-12-29T09:46:00+00:00 | Score: 18.938
A recently disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world.
The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7), which allows an unauthenticated attacker to remotely leak sensitive data from the MongoDB server memory. It has been codenamed MongoBleed.
"A flaw […]
- Exploited MongoBleed flaw leaks MongoDB secrets, 87K servers exposed
Source: BleepingComputer | Published: 2025-12-28T20:38:15+00:00 | Score: 17.947
A severe vulnerability affecting multiple MongoDB versions, dubbed MongoBleed (CVE-2025-14847), is being actively exploited in the wild, with over 80,000 potentially vulnerable servers exposed on the public web. […]
- Fortinet Warns of New Attacks Exploiting Old Vulnerability
Source: SecurityWeek | Published: 2025-12-29T12:52:49+00:00 | Score: 14.431
Tracked as CVE-2020-12812, the exploited FortiOS flaw allows threat actors to bypass two-factor authentication.
- Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks
Source: BleepingComputer | Published: 2025-12-29T11:16:03+00:00 | Score: 12.883
Fortinet has warned customers that threat actors are still actively exploiting a critical FortiOS vulnerability that allows them to bypass two-factor authentication (2FA) when targeting vulnerable FortiGate firewalls. […]
- Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability
Source: The Hacker News | Published: 2025-12-25T08:22:00+00:00 | Score: 12.039
Fortinet on Wednesday said it observed "recent abuse" of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations.
The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication if the […]
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection
Source: The Hacker News | Published: 2025-12-26T09:27:00+00:00 | Score: 11.286
A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection.
LangChain Core (i.e., langchain-core) is a core Python package that's part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building […]
- Fresh MongoDB Vulnerability Exploited in Attacks
Source: SecurityWeek | Published: 2025-12-29T09:54:15+00:00 | Score: 10.842
Dubbed MongoBleed, the high-severity flaw allows unauthenticated, remote attackers to leak sensitive information from MongoDB servers.
- New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory
Source: The Hacker News | Published: 2025-12-27T07:52:00+00:00 | Score: 10.453
A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory.
The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the […]
- Traditional Security Frameworks Leave Organizations Exposed to AI-Specific Attack Vectors
Source: The Hacker News | Published: 2025-12-29T06:34:00+00:00 | Score: 9.343
In December 2024, the popular Ultralytics AI library was compromised, installing malicious code that hijacked system resources for cryptocurrency mining. In August 2025, malicious Nx packages leaked 2,349 GitHub, cloud, and AI credentials. Throughout 2024, ChatGPT vulnerabilities allowed unauthorized extraction of user data from AI memory.
The result: 23.77 million secrets were leaked through AI […]
End of report.
