Pro-Russia hybrid warfare against Ukraine supporters: France's La Poste Service Affected
In the final week of December 2025, the cybersecurity landscape witnessed a surge in critical vulnerabilities affecting widely used development frameworks and enterprise security appliances. From the "LangGrinch" injection flaw in the LangChain ecosystem to active exploitation of legacy FortiOS bugs, organizations must remain vigilant as threat actors capitalize on misconfigurations and unpatched systems.
1. Critical Vulnerabilities Exposed
1.1 LangChain Core Serialization Injection (CVE-2025-68664)
On December 23, 2025, a critical flaw codenamed LangGrinch was disclosed in the LangChain Core Python package. With a CVSS score of 9.3, the vulnerability resides in the dumps() and dumpd() serialization functions.
Enterprises using AI orchestration must upgrade urgently to prevent prompt injection risks in metadata or response fields.
Reference: https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm
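One interim defensive check for the serialization-injection class of issue described above, as an added example that is not LangChain's own code or patch. It assumes only that LangChain's serialized-object format is a dict carrying an "lc" key (alongside "type" and "id"), which is the shape its loader treats as an object rather than as data; the sample metadata is constructed.

```python
"""Interim guard against LangChain-style serialization markers in untrusted data.

Added example for this advisory, not code from LangChain. Assumption: a serialized
LangChain object is a dict with an "lc" key, so any such dict arriving in metadata
or model-response fields is treated as a potential injection. Run it before the
data is handed to dumpd()/dumps() or persisted.
"""
from typing import Any

LC_MARKER = "lc"


class SerializationInjectionError(ValueError):
    """Raised when untrusted data carries a serialized-object marker."""


def find_lc_markers(value: Any, path: str = "$") -> list[str]:
    """Return JSONPath-like locations of every dict that looks like a
    serialized LangChain object, searching nested dicts and lists."""
    hits: list[str] = []
    if isinstance(value, dict):
        if LC_MARKER in value:
            hits.append(path)
        for key, child in value.items():
            hits.extend(find_lc_markers(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            hits.extend(find_lc_markers(child, f"{path}[{idx}]"))
    return hits


def require_plain_data(value: Any) -> Any:
    """Reject untrusted data that could be reinterpreted as an object graph."""
    hits = find_lc_markers(value)
    if hits:
        raise SerializationInjectionError(
            f"serialized-object marker(s) found at: {', '.join(hits)}")
    return value


def scrub_lc_markers(value: Any) -> Any:
    """Alternative to rejection: rename the marker key so the payload stays
    inert if it is later round-tripped through dumpd() and a loader."""
    if isinstance(value, dict):
        return {("_" + k if k == LC_MARKER else k): scrub_lc_markers(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub_lc_markers(v) for v in value]
    return value


# Constructed sample: benign-looking metadata with an injected marker buried in a list.
UNTRUSTED_METADATA = {
    "source": "web-scrape",
    "tags": ["news", {"lc": 1, "type": "constructor", "id": ["placeholder"], "kwargs": {}}],
}
```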
1.2 MongoDB Server Memory Disclosure (CVE-2025-14847)
MongoDB Server's Zlib compression issue, CVE-2025-14847 (CVSS 8.7), allows unauthenticated remote memory disclosure via malformed headers, exposing heap data before authentication across versions 8.2.0-8.2.3 down to the legacy 3.6 line. Fixed releases such as 8.2.3 address the length inconsistencies; disabling Zlib or switching to Snappy/Zstd is the interim mitigation.
Reference: https://jira.mongodb.org/browse/SERVER-115508
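A helper for the interim mitigation above (drop Zlib, keep Snappy/Zstd) on both sides of the connection, as an added example that is not MongoDB's own tooling. It assumes the documented comma-separated `net.compression.compressors` setting in mongod.conf and the client connection-string option `compressors=`; the sample config and URI are constructed.

```python
"""Interim mitigation helper for CVE-2025-14847: remove Zlib from MongoDB
compression settings, leaving Snappy/Zstd, until a fixed release is deployed.

Added example, not MongoDB's own tooling. Assumes two documented knobs: the
server's comma-separated `net.compression.compressors` value in mongod.conf and
the client connection-string option `compressors=`. Sample inputs are constructed.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

UNSAFE = {"zlib"}
# Matches the documented string form, e.g. "    compressors: zlib,snappy,zstd".
_COMPRESSORS_LINE = re.compile(r"^(?P<indent>[ \t]*compressors:[ \t]*)(?P<list>\S.*)$", re.M)


def _drop_unsafe(csv: str) -> list[str]:
    return [c.strip() for c in csv.split(",") if c.strip() and c.strip() not in UNSAFE]


def harden_mongod_conf(text: str) -> tuple[str, bool]:
    """Rewrite the compressors line of a mongod.conf; returns (new_text, changed).
    If zlib was the only compressor, compression is disabled outright."""
    changed = False

    def repl(m: re.Match) -> str:
        nonlocal changed
        original = m.group("list")
        changed = changed or any(c.strip() in UNSAFE for c in original.split(","))
        kept = _drop_unsafe(original)
        return m.group("indent") + (",".join(kept) if kept else "disabled")

    return _COMPRESSORS_LINE.sub(repl, text), changed


def harden_uri(uri: str) -> str:
    """Strip zlib from a connection string's compressors= option, keeping other options."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "compressors" in query:
        kept = _drop_unsafe(",".join(query["compressors"]))
        if kept:
            query["compressors"] = [",".join(kept)]
        else:
            del query["compressors"]  # no safe compressor left: fall back to none
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True, safe=",")))


# Constructed samples carrying the weak setting.
SAMPLE_CONF = "net:\n  port: 27017\n  compression:\n    compressors: zlib,snappy,zstd\n"
SAMPLE_URI = "mongodb://db1:27017,db2:27017/app?compressors=zlib,snappy&tls=true"

if __name__ == "__main__":
    print(harden_mongod_conf(SAMPLE_CONF)[0])
    print(harden_uri(SAMPLE_URI))
```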
1.3 n8n Workflow Automation Arbitrary Code Execution (CVE-2025-68613)
The popular workflow automation tool n8n was found to have a critical vulnerability that allows for Arbitrary Code Execution (ACE). This flaw enables an attacker to run malicious code within the context of the automation environment, potentially compromising entire business workflows.
Self-hosted n8n users in enterprise environments should audit access and upgrade to avert full server compromise.
Reference: https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
2. Major Attack Campaigns
2.1 Media Organization Subscriber Data Breach
A cyberattack exposed the records of approximately 2.3 million email addresses, nearly 286,000 names, more than 102,000 home addresses, and over 32,000 phone numbers. This breach highlights the ongoing risk to media organizations and the value of subscriber data for secondary phishing attacks.
The exposed data overlaps with infostealer logs, fueling phishing and account takeovers; no passwords were leaked, but the PII risk cascades to interconnected services.
2.2 French Postal Service Targeted
A pro-Russian DDoS campaign by NoName057(16) successfully disrupted the operations of the French Postal Service, demonstrating the continued use of low-complexity, high-impact availability attacks for geopolitical motives. The assault on France's La Poste, which disrupted parcel tracking and payments during the holiday peak, was claimed by the group as hybrid warfare against supporters of Ukraine.
Recovery lagged for days, straining more than 200,000 staff; the campaign is linked to the group's earlier operations against NATO-aligned targets.
Reference: https://www.lapostegroupe.com/en/news/cyberattack-on-22-december
3. Key Security News Highlights
3.1 Trust Wallet Supply-Chain Attack
A sophisticated supply-chain attack targeted the Trust Wallet Chrome Extension v2.68.0, leading to the theft of more than $7 million in cryptocurrency via malicious JavaScript delivered in an update, as confirmed by ZachXBT and PeckShield. This incident underscores the extreme risks associated with browser-based wallet extensions and the critical need to verify the integrity of software updates.
Users should upgrade to v2.69 and rotate any exposed seed phrases.
Reference: https://x.com/TrustWallet/status/2004475085168795941
3.2 Google Begins Rolling Out Ability to Change @gmail.com Email Addresses
On December 25, 2025, Google introduced a major quality-of-life update allowing users to change their primary @gmail.com address without losing account data. This new feature keeps all services like Drive, Photos, and YouTube intact by converting the old address into an alias, ensuring that emails sent to either address reach the same inbox. To prevent abuse, Google has implemented a 12-month cooldown period between changes, though users can revert to their original address if necessary. While the update offers significant flexibility for digital identities, users are cautioned that they may need to re-authenticate third-party apps and "Sign in with Google" sessions. The rollout is gradual, and users can check their eligibility under the "Personal Information" section of their Google Account settings.
Reference: https://support.google.com/accounts/answer/19870?dark=0&sjid=13129471057818824497-NA&hl=hi
3.3 Active Exploitation of Fortinet 2FA Bypass
Fortinet has issued a stark warning regarding the active abuse of a known behavior in FortiOS SSL VPN (FG-IR-19-283).
4. Strategic Recommendations for Organizations
To mitigate the risks identified in this week's advisory, security teams should prioritize the following actions: