
Threatwire Report Highlights Critical Vulnerabilities and Security Incidents
The Threatwire report of December 29, 2025 highlights several vulnerabilities and security incidents. A critical flaw, CVE-2025-14847 (named MongoBleed), affects MongoDB with a CVSS score of 8.7. It abuses zlib compression handling to let an unauthenticated attacker read heap memory, exposing sensitive data (PII, tokens, secrets). More than 87,000 servers are reportedly vulnerable. The fix changes how zlib.cpp returns the size of the decompressed data to prevent memory leakage.
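A simplified model of the bug class described above for CVE-2025-14847, added here as an illustration and not taken from MongoDB's zlib.cpp: a decoder that reports the sender-declared length instead of the length actually decompressed, next to the corrected form. The buffer reuse, function names, `strict` option and sample data are constructed assumptions.

```python
import zlib

# Constructed stand-in for heap memory left over from an earlier request.
STALE = b"session_token=CONSTRUCTED-SECRET;" * 4


def _scratch(size: int) -> bytearray:
    """Model an uninitialised allocation: the buffer still holds old bytes."""
    return bytearray(STALE[:size].ljust(size, b"\0"))


def _inflate_into(buf: bytearray, compressed: bytes) -> int:
    """Decompress into buf and return the number of bytes actually written."""
    out = zlib.decompress(compressed)
    if len(out) > len(buf):
        raise ValueError("decompressed data larger than declared size")
    buf[: len(out)] = out
    return len(out)


def decode_vulnerable(compressed: bytes, declared_size: int) -> bytes:
    """Before: the reported length is the size the sender declared."""
    buf = _scratch(declared_size)
    _inflate_into(buf, compressed)
    return bytes(buf[:declared_size])  # stale bytes past the real data leak


def decode_fixed(compressed: bytes, declared_size: int, strict: bool = False) -> bytes:
    """After: the reported length is what the decompressor really produced.

    strict=True also rejects a mismatching header (extra hardening assumed
    for this example, not something the page attributes to the fix).
    """
    buf = _scratch(declared_size)
    written = _inflate_into(buf, compressed)
    if strict and written != declared_size:
        raise ValueError("declared size does not match decompressed size")
    return bytes(buf[:written])


if __name__ == "__main__":
    body = b'{"ping":1}'                    # constructed 10-byte message
    wire = zlib.compress(body)
    print(decode_vulnerable(wire, 64))      # body followed by stale bytes
    print(decode_fixed(wire, 64))           # body only
```

A mismatch between the declared and actual decompressed size is also a useful signal to log when reviewing traffic to exposed servers.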
Ubisoft suffered an attack on Rainbow Six Siege on December 27, 2025, involving three distinct groups: one banned players and distributed 339 trillion in-game credits, another exploited MongoBleed to access internal Git repositories and historical source code, and a third extorted Ubisoft via the same flaw. There is no official confirmation from Ubisoft.
Spotify confirmed the download of 300 TB of data by Anna’s Archive, carried out through third-party user accounts and stream ripping techniques, without compromising its internal systems.
Other vulnerabilities include DMA flaws in motherboards (UEFI), a serialization injection in langchain-core (CVSS 9.3), and arbitrary code execution in n8n (CVSS 9.9).