Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On January 7, 2026, fixes were released for a maximum severity vulnerability (CVE-2026-21858) impacting n8n, a workflow automation application primarily used with artificial intelligence. Labeled “Ni8mare” by the researchers who discovered it, the vulnerability allows unauthenticated remote threat actors to take over locally deployed instances via publicly accessible webhook and form endpoints.

Arctic Wolf entered 2025 with momentum and a clear focus: advancing security operations in ways that deliver measurable outcomes for organizations facing an increasingly complex threat environment. As the year comes to a close, we’re building on that momentum — strengthening our platform, expanding globally, and laying the foundation for what comes next in 2026.

On December 19, 2025, MongoDB issued an advisory for CVE-2025-14847, known as “MongoBleed,” a high-severity vulnerability in the server’s zlib-based network compression functionality. This vulnerability affects how the database handles compressed network communications and can cause it to accidentally leak sensitive information from its memory when abused by unauthenticated threat actors. The problem occurs when MongoDB receives a specially crafted message.

On December 17, 2025, Cisco published an advisory detailing a new threat campaign identified on December 10, affecting the Cisco AsyncOS software used on Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The campaign is exploiting an unpatched zero-day vulnerability, which only affects deployments with the Spam Quarantine feature enabled. It allows threat actors to execute arbitrary commands with root privileges on affected devices. This feature is not enabled by default.

On December 18, 2025, WatchGuard released fixes for CVE-2025-14733, a critical out-of-bounds write vulnerability in the Internet Key Exchange daemon (iked) process used to establish VPN tunnels in Fireware OS, which powers Firebox firewall appliances. Exploitation of this vulnerability allows a remote, unauthenticated threat actor to execute arbitrary code. WatchGuard has confirmed in-the-wild exploitation in their advisory.

On December 17, 2025, SonicWall released fixes for an actively exploited medium-severity zero-day vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC), tracked as CVE-2025-40602. The vulnerability allows local threat actors to escalate privileges due to insufficient authorization in the SMA1000 AMC and does not affect SSL VPN functionality on SonicWall firewalls.

On December 11, 2025, Push Security published research detailing a newly observed browser-based phishing technique called ConsentFix. The name ConsentFix is derived from its similarity to the previously documented ClickFix technique using fake CAPTCHA pages. ConsentFix, enables threat actors to gain cloud account access without capturing passwords, multifactor authentication (MFA) codes, or other credentials by abusing legitimate OAuth authentication and consent flows.

The holiday season is traditionally a period of goodwill, gift giving, and time with loved ones, but if you are responsible for your enterprise’s cyber defenses it’s also a time when you should have a heightened awareness of cyber risk. Cybercriminals often treat this time of year as a prime opportunity to exploit the unprepared and unwary.

In December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter.