The last 24 hours have seen a critical escalation in attacks targeting Australian infrastructure, with a particular focus on database integrity and network perimeter devices. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) and AusCERT have issued urgent alerts regarding active exploitation of MongoDB and WatchGuard vulnerabilities.
Here is your daily deep dive into the threat landscape affecting Australian organisations.
Top Story: "MongoBleed" (CVE-2025-14847) Active Exploitation
The most significant threat observed in the last 24 hours is the rapid weaponisation of CVE-2025-14847, dubbed "MongoBleed". This critical vulnerability affects MongoDB servers and is caused by improper handling of a length-parameter inconsistency in the zlib compression logic.
- The Threat: Unauthenticated attackers can repeatedly probe the server to leak uninitialized heap memory. This "bleeding" of data can expose sensitive credentials, session keys, and internal state data without requiring a login.
- Australian Impact: Security telemetry indicates over 87,000 instances globally are exposed, with a significant cluster in the Australian SaaS and FinTech sectors.
- Immediate Action: Assess all cloud-hosted and on-premises MongoDB instances. If immediate patching is not feasible, disable zlib compression to mitigate the leak vector.
Network Security: WatchGuard Firebox Under Siege
Threat actors are actively scanning for and exploiting CVE-2025-14733 in WatchGuard Firebox devices. This critical vulnerability allows for authentication bypass, granting attackers administrative access to the network perimeter.
- Sector Risk: This is particularly dangerous for Retail and IoT deployments where Firebox devices are often used as edge gateways.
- Observed Behaviour: Attackers are using this access to deploy webshells and establish persistence within corporate networks, often moving laterally to target internal file servers.
Sector-Specific Briefing
Healthcare & FinTech
The "MongoBleed" vulnerability poses a catastrophic risk to Healthcare and FinTech organisations. With patient records and financial transaction logs often stored in NoSQL databases like MongoDB, the potential for silent data exfiltration is high. We strongly advise detailed log analysis to detect anomalous memory read operations.
Government & Education
The ASD has renewed warnings regarding the React2Shell (CVE-2025-55182) vulnerability. Despite patches being available, over 500 Australian organisations, including several in the Education/EdTech sector, remain vulnerable. State-sponsored actors, notably linked to China, have been observed automating the exploitation of this flaw to compromise web servers.
eCommerce & SaaS
API Security Warning: A new wave of automated attacks targeting "Shadow APIs" (undocumented API endpoints) has been detected. Attackers are leveraging AI-driven fuzzing tools to identify weak authentication points in eCommerce platforms. Ensure all API endpoints are catalogued and behind a WAF (Web Application Firewall).
Emerging Threat: AI System Poisoning
As Australian enterprises rush to deploy internal Large Language Models (LLMs), we are seeing early indicators of Prompt Injection attacks targeting customer service AI agents. In the last 24 hours, reports have surfaced of attackers manipulating AI chatbots in the Banking sector to bypass identity verification workflows.
Vulnerability Watchlist (Last 24 Hours)
- MongoDB: CVE-2025-14847 (Critical - Memory Leak)
- WatchGuard: CVE-2025-14733 (Critical - Auth Bypass)
- React2Shell: CVE-2025-55182 (High - RCE, actively targeted)
- Mozilla Firefox/Thunderbird: Multiple vulnerabilities patched in yesterday's AusCERT bulletin (ESB-2026.0059). Immediate updates required for corporate endpoints.
Recommendations
- Patch Immediately: Prioritise MongoDB and WatchGuard appliances.
- Hunt for Indicators: Check logs for abnormal zlib compression errors (MongoDB) and unexpected administrative logins (WatchGuard).
- Review AI Logic: If you are running customer-facing AI, test for prompt injection vulnerabilities that could disclose backend logic.
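One way to carry out the MongoDB log hunt recommended above, as an added example that is not part of this briefing: a small Python script that scans MongoDB structured (JSON) log lines and reports remote hosts that trigger repeated zlib/decompression errors, which is the "repeated probing" pattern described for MongoBleed. The sample log lines, the error wording and the addresses are constructed for illustration and are not real MongoDB telemetry.

```python
import json
from collections import Counter

# Constructed sample log lines in the MongoDB 4.4+ JSON log shape (log ids omitted).
# The decompression error wording and the remote addresses are assumed, not real data.
SAMPLE_LOG = [
    '{"t":{"$date":"2026-01-14T09:00:01.000+10:00"},"s":"I","c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51001","connectionId":12}}',
    '{"t":{"$date":"2026-01-14T09:00:01.100+10:00"},"s":"I","c":"NETWORK","ctx":"conn12","msg":"client metadata","attr":{"remote":"10.0.0.5:51001","doc":{"compression":["zlib"]}}}',
    '{"t":{"$date":"2026-01-14T09:00:02.000+10:00"},"s":"E","c":"NETWORK","ctx":"conn12","msg":"Error decompressing message","attr":{"remote":"10.0.0.5:51001","error":"zlib: invalid block length"}}',
    '{"t":{"$date":"2026-01-14T09:00:02.200+10:00"},"s":"E","c":"NETWORK","ctx":"conn12","msg":"Error decompressing message","attr":{"remote":"10.0.0.5:51001","error":"zlib: invalid block length"}}',
    '{"t":{"$date":"2026-01-14T09:00:02.400+10:00"},"s":"E","c":"NETWORK","ctx":"conn12","msg":"Error decompressing message","attr":{"remote":"10.0.0.5:51001","error":"zlib: invalid block length"}}',
    '{"t":{"$date":"2026-01-14T09:00:02.600+10:00"},"s":"E","c":"NETWORK","ctx":"conn12","msg":"Error decompressing message","attr":{"remote":"10.0.0.5:51001","error":"zlib: invalid block length"}}',
    '{"t":{"$date":"2026-01-14T09:05:00.000+10:00"},"s":"E","c":"NETWORK","ctx":"conn19","msg":"Error decompressing message","attr":{"remote":"10.0.0.9:40022","error":"zlib: stream truncated"}}',
    'Tue Jan 14 09:06:00 legacy text-format line that is not JSON',
]


def parse_line(line):
    """Return the parsed JSON log entry, or None for non-JSON (legacy format) lines."""
    try:
        entry = json.loads(line)
    except ValueError:
        return None
    return entry if isinstance(entry, dict) else None


def is_compression_error(entry):
    """True for warning/error/fatal entries whose message or attributes mention zlib or compression.
    Informational lines (e.g. a client advertising zlib in its metadata) are deliberately ignored."""
    if entry.get("s") not in ("W", "E", "F"):
        return False
    text = (entry.get("msg", "") + " " + json.dumps(entry.get("attr", {}))).lower()
    return "zlib" in text or "compress" in text


def remote_host(entry):
    """Extract the client host from attr.remote ("host:port"), dropping the port."""
    remote = entry.get("attr", {}).get("remote", "")
    return remote.rsplit(":", 1)[0] if ":" in remote else remote


def hunt_compression_errors(lines, threshold=3):
    """Count compression errors per remote host and return the hosts at or above threshold.
    A single error is ordinary noise; a burst from one host is the repeated-probe signal."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_compression_error(entry):
            counts[remote_host(entry) or "unknown"] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in hunt_compression_errors(SAMPLE_LOG).items():
        print(f"{host}: {n} compression errors (review for MongoBleed probing)")
```

Point the script at a real mongod log by replacing SAMPLE_LOG with the file's lines, and tune the threshold to your baseline of legitimate compression errors.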
Contact us for a quote for penetration testing service or adversary simulation.