This past week in cybersecurity wasn’t defined by one massive breach or headline-grabbing attack. Instead, it revealed something more troubling: a steady wave of smaller failures happening all at once. Trusted tools broke down. Old vulnerabilities resurfaced. And attackers moved faster than many organizations could respond.
What stood out most was how easily everyday systems were misused. Access designed for convenience was repeatedly turned into an entry point for abuse. In several cases, the real damage didn’t appear immediately—it unfolded weeks or even months later.
Below is a clear breakdown of the most important security events shaping the current threat landscape and what security teams should be paying attention to now.
🚨 Threat of the Week: MongoDB Vulnerability Actively Exploited
A newly disclosed vulnerability in MongoDB, tracked as CVE-2025-14847, is already being exploited in the wild. The flaw allows unauthenticated attackers to extract sensitive data directly from server memory. Security researchers have identified more than 87,000 potentially exposed MongoDB instances worldwide, with the highest concentration in the U.S., China, Germany, India, and France.

The vulnerability affects multiple MongoDB versions and has been assigned a CVSS score of 8.7, making it a high-risk issue. Cloud security firm Wiz reports that over 40% of cloud environments currently run at least one vulnerable MongoDB instance.
Administrators are strongly advised to update immediately to the patched releases:
- 8.2.3
- 8.0.17
- 7.0.28
- 6.0.27
- 5.0.32
- 4.4.30
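A small triage helper for checking collected server versions against the patched releases listed above. This is an added example, not code from the original post or from MongoDB; it assumes you have already gathered each host's version string (for instance from `db.version()` or the `version` field of `buildInfo`), and the host names and versions in the sample inventory are constructed.

```python
"""Classify MongoDB server versions against the patched releases in the advisory."""

# Patched releases named in the advisory, keyed by (major, minor) branch.
PATCHED = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}


def parse_version(text: str) -> tuple:
    """Turn '7.0.28' or '7.0.28-rc1' into (major, minor, patch, final).

    The trailing flag is 1 for a final release and 0 for a pre-release build,
    so that an rc of the fixed version still sorts *below* the fixed release.
    """
    core, _, suffix = text.strip().partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if suffix else 1)


def triage(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unlisted-branch' for one server."""
    v = parse_version(version)
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        # Branch not in the advisory's fix list (e.g. an end-of-life line):
        # flag it for manual review instead of silently treating it as safe.
        return "unlisted-branch"
    return "patched" if v >= fixed + (1,) else "vulnerable"


def triage_fleet(inventory: dict) -> dict:
    """Map host -> status for an inventory of {host: version_string}."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, for demonstration only.
    sample = {
        "db-prod-01": "8.0.17",       # exactly the patched release
        "db-prod-02": "8.0.16",       # one patch level short
        "db-legacy": "4.2.24",        # branch not covered by the advisory
        "db-analytics": "7.0.28-rc1", # pre-release of the fixed version
    }
    for host, status in triage_fleet(sample).items():
        print(f"{host:14} {status}")
```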
🔔 Top Security Stories This Week
Trust Wallet Chrome Extension Compromised
A malicious update to the Trust Wallet Chrome extension led to roughly $7 million in losses. Attackers uploaded a tainted version of the extension using a compromised API key. The malicious version silently drained user wallets. Trust Wallet confirmed affected users will be reimbursed and urged everyone to upgrade immediately.
China-Linked Group Uses DNS Poisoning to Spread Malware
A threat actor known as Evasive Panda launched a sophisticated campaign abusing DNS poisoning to distribute the MgBot backdoor. Victims were tricked into downloading infected versions of popular software like QQ, iQIYI, and IObit tools. The malware enabled deep system surveillance and long-term persistence across systems in China, Turkey, and India.

Stolen LastPass Vaults Continue to Be Exploited
New findings show that data stolen during the 2022 LastPass breach is still being abused. Attackers cracked weak master passwords and drained cryptocurrency wallets as recently as late 2025. Investigators link at least $35 million in losses to the breach, with funds traced to wallets connected to Russian cybercrime groups.
Fortinet Warns of Renewed Exploitation of Old VPN Flaw
Fortinet confirmed active exploitation of a five-year-old vulnerability (CVE-2020-12812) in FortiOS SSL VPNs. The bug allows attackers to bypass multi-factor authentication by altering the letter case of a username during login. Organizations are urged to review logs and reset credentials immediately.
Fake WhatsApp API Package Spies on Users
A malicious npm package posing as a WhatsApp API library was discovered stealing messages, contacts, and media files. Even worse, uninstalling the package does not remove attacker access unless the user manually disconnects linked devices from WhatsApp settings.

⚠️ Trending Vulnerabilities to Watch
Security teams should prioritize patching the following high-risk CVEs:
- CVE-2025-14847 – MongoDB
- CVE-2025-68664 – LangChain
- CVE-2023-52163 – Digiever NVR
- CVE-2025-68613 – n8n
- CVE-2025-13836 – Python http.client
- CVE-2025-26794 – Exim
- CVE-2025-68615 – Net-SNMP
- CVE-2025-44016 – TeamViewer DEX
- CVE-2025-13008 – M-Files Server
🌍 Cyber Developments Around the World
- Former Coinbase contractor arrested in India after allegedly selling customer data to cybercriminals.
- Cloud Atlas espionage group continues targeting telecom and government networks using multi-stage malware loaders.
- BlackHawk malware spreads via heavily obfuscated loaders, targeting small businesses.
- Spike in Cobalt Strike infrastructure observed across newly registered hosting networks.
- Russian cybercriminal marketplace operator identified as the administrator of a major credential-trading forum.
- Fake job scams surge across the Middle East and North Africa, luring victims through WhatsApp and Telegram.
- EmEditor compromise allowed attackers to distribute malware through a tampered installer.
- Docker releases hardened images for free, improving supply chain security.
- Critical Livewire vulnerability allowed remote code execution in Laravel apps.
- New Android spyware used in targeted surveillance operations against journalists.
- Former incident responders plead guilty to participating in ransomware attacks.
- U.S. lawmakers accuse China of exploiting federally funded research programs.
🧠 Final Takeaway
The common thread this week is simple: attackers are no longer relying on zero-days alone. They are exploiting trust — in software updates, developer tools, cloud services, and even security vendors themselves.
Security teams must assume compromise is possible, audit continuously, and treat every tool and integration as a potential attack surface. The cost of delay is no longer theoretical.
Stay alert. Patch early. Verify everything.

