Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On December 12, 2025, the MongoDB Security Engineering team disclosed a high-severity vulnerability in MongoDB that allows unauthenticated memory disclosure. The issue is tracked as CVE-2025-14847 and has a CVSS score of 8.7 and was quickly nicknamed MongoBleed in the security community due to the way it exposes server memory.

Zero-day vulnerabilities often attract attention and concern because of their unpredictability. They are, by definition, weaknesses that are unknown to software vendors and therefore have no official fix at the point of discovery. When discovered and exploited by malicious actors, they allow attackers to bypass controls before organisations even realise there is a problem.

Cyber risk is often discussed in technical language, often in a way which is difficult to decipher the real business impact. CVSS scores, vulnerabilities, attack paths and threat actors all have their place but for many decision‑makers, this language doesn’t translate into real-world business outcomes. Small business leaders and non-technical executives need to understand what cyber risk means for revenue, reputation and operational continuity.

In December 2025, a critical remote code execution vulnerability was disclosed in DeepChat, an open-source desktop AI agent platform built using Electron. The issue, tracked as CVE-2025-67744, affects all DeepChat versions prior to 0.5.3 and carries a CVSS score of 9.6. The vulnerability arises from the interaction between two separate weaknesses. The first allows attacker-controlled JavaScript execution through unsafe rendering of Mermaid diagrams.

During our research into Microsoft 365 security, we discovered a flaw in Outlook on the web (OWA) that exposed information about users and their mailboxes. By manipulating certain request headers against the “/owa/service.svc” endpoint, an attacker could not only confirm whether a user account existed, but also determine if that account had a mailbox associated with it.

Incident response (IR) plans are a cornerstone of organisational resilience. Many businesses maintain policies, run tabletop exercises, and document procedures, but high-impact incidents still expose gaps in real-world response. Red team exercises provide a practical, objective-driven way to test incident response readiness.

On 29 November 2025, researcher Lachlan Davidson reported a critical React vulnerability that allows unauthenticated remote code execution via specially crafted React Server Function payloads. This vulnerability was disclosed as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) and is rated CVSS 10.0. A public proof concept has also been released so patching is of utmost importance.

Cyber security is a critical business enabler. Proactive cyber security measures, such as penetration testing, threat monitoring, and staff training, reduce the likelihood of breaches and operational disruption. However, demonstrating the return on investment (ROI) of these initiatives can be difficult to quantify.

ISO 27001 provides a comprehensive framework to ensure organisations understand and manage their information security risks, and validates that appropriate controls are in place to mitigate those risks. Penetration testing plays a critical role in this process by validating security measures and exposing vulnerabilities before they become incidents.

Penetration testing and auditing are both methods of gaining assurance, but they operate from different angles. A pentest evaluates how well security controls stand up to real-world attack scenarios, while an audit examines whether those controls are designed, implemented, and maintained according to policy or recognised standards.