CydentiCydenti

Cloud Security Awareness Weekly — Week (December 28, 2025 - January 3, 2026)

Cloud Security Awareness Weekly — Week (December 28, 2025 - January 3, 2026)

Reading time: ~4 min Focus: What happened, what it means for defenders, and what to do next (official sources).

Quick nav: 60 seconds | Top stories | Advisories | Spotlight | IOCs | Detection

This week in 60 seconds

•MongoDB: "MongoBleed" (CVE-2025-14847) under active exploitation, added to CISA KEV — Official: https://mongodb.com/company/blog/news/mongodb-server-security-update-december-2025

•Oracle Health: Legacy Cerner servers breached, ~80 hospitals impacted — Official: https://www.hipaajournal.com/oracle-health-data-breach/

•PowerSchool: 62M students, 9.5M teachers' data stolen; school boards now extorted — Official: https://www.powerschool.com/security/sis-incident/

•Fortinet: 5-year-old 2FA bypass (CVE-2020-12812 ) actively exploited again — Official: https://www.fortiguard.com/psirt/FG-IR-19-283Top stories

MongoDB "MongoBleed" — MongoDB — Status: Confirmed — Dec 29, 2025

•What happened: Memory disclosure vulnerability (CVE-2025-14847 ) in MongoDB Server's zlib handling is actively exploited. CISA added to KEV.

•Who/what is affected: MongoDB Server (Community/Enterprise). Atlas already patched.

•Why it matters: Unauthenticated attackers can read heap memory, exposing credentials and keys.

•What to do now: Update to latest patched MongoDB Server versions. Atlas users: no action required.

•Evidence to collect: MongoDB server logs; network traffic for unusual patterns.

•Official link: https://mongodb.com/company/blog/news/mongodb-server-security-update-december-2025

Oracle Health Breach — Oracle — Status: Confirmed — Dec 30, 2025

•What happened: Hacker used stolen credentials to access legacy Cerner servers not yet migrated to Oracle Cloud.

•Who/what is affected: ~80 hospitals, millions of patients. Threat actor "Andrew" extorting customers.

•Why it matters: Exposed SSNs, medical records, diagnoses. CISA issued alert.

•What to do now: Reset passwords; review configs for embedded credentials; monitor auth logs; implement phishing-resistant MFA.

•Evidence to collect: Server/auth logs for unauthorized access.

•Official link: https://www.hipaajournal.com/oracle-health-data-breach/

PowerSchool Breach — PowerSchool — Status: Confirmed — Jan 2, 2026

•What happened: Attacker breached PowerSource portal via stolen credentials, exfiltrated data from PowerSIS databases.

•Who/what is affected: 62.4M students, 9.5M teachers across 6,505 districts. School boards now receiving ransom demands.

•Why it matters: One of largest education sector breaches. SSNs exposed for ~25% of victims.

•What to do now: PowerSchool offering 2 years free identity protection. Monitor for official communications.

•Official link: https://www.powerschool.com/security/sis-incident/

Exploitation & advisories

Fortinet 2FA Bypass (CVE-2020-12812 ) — Fortinet — Dec 24, 2025

•What changed: Fresh warning about renewed attacks on 5-year-old vulnerability.

•Who is affected: FortiGate SSL VPN with 2FA/LDAP. 10,000+ firewalls exposed.

•Exploit status: Active by ransomware groups and APTs.

•What to check: FortiOS version (patched in 6.0.10, 6.2.4, 6.4.1+)

•What to do now: Update FortiOS; disable username-sensitivity; reset credentials if compromised.

•Official link: https://www.fortiguard.com/psirt/FG-IR-19-283

Adobe ColdFusion Campaign — Adobe — Jan 2, 2026

•What changed: Massive holiday exploitation campaign targeting dozen ColdFusion CVEs.

•Who is affected: ColdFusion servers globally; US, Spain, India most targeted.

•Exploit status: Active, likely initial access broker operation.

•What to do now: Patch all 2023-2024 ColdFusion vulnerabilities; implement WAF rules for JNDI injection.

•Official link: https://viz.greynoise.io/tags

Google Cloud Phishing — Google Cloud — Jan 2, 2026

•What changed: Attackers abused Application Integration to send phishing from legitimate Google domain.

•Who is affected: ~3,200 orgs, primarily manufacturing.

•Exploit status: Confirmed; Google blocked the campaign.

•What to do now: Review OAuth consents in Azure AD; train users on verification.

•Secondary analysis: https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html

Platform spotlight

Platform

Score

MongoDB. ████████░░ 8/10

Oracle. ███░░░░░░░ 3/10

Fortinet █████░░░░░ 5/10

Google Cloud. ███████░░░ 7/10

Spotlight: MongoDB — Proactive discovery, rapid Atlas patching, transparent communication.

IOC & hunting corner

•Fortinet: Hunt for auth logs with username case variations (jsmith vs JSmith )

•ColdFusion: Hunt for outbound connections to interactsh domains

•Google Phishing: Hunt for emails from noreply-application-integration@google.com with links to storage.cloud.google.com

Detection idea of the week

•Detection: Google Cloud Application Integration phishing abuse

•Goal: Identify suspicious emails from noreply-application-integration@google.com

•Telemetry: Email logs, DNS logs, web proxy logs

•Logic: Correlate emails from this sender with DNS requests to suspicious domains; alert on emails containing file-hosting links sent to many recipients

•Thresholds: Any email leading to known malicious domain

•Triage notes: Investigate link destinations and landing page content

•Response: Block sender if necessary; educate users