🎉 Happy Sunday and a Happy New Year!
As we wrap up 2025, I want to thank you for sticking around for Mandos Brief and reflect on this year.
In August, I embarked on a solopreneur journey focusing on two things that I always wanted to work on:
1) Advisory - using my expertise to help organizations improve their security, resilience, and enable business growth
2) Building a product - building CybersecTools into the number 1 destination for security teams to discover cybersecurity products
The journey is never smooth and is full of ups and downs, but the truth is that I love every moment I spend on these two items, learning a lot about sales, marketing, accounting (yes, even that), coding, AI agents, and, of course, catching up with the cybersecurity industry through this Brief.
There is one additional product I am working on currently to truly bring clarity to this crazy, overloaded market of cybersecurity products. This time, helping cybersecurity companies win customers and crush competition through data-based decisions they can't get anywhere else. Coming in Q1 2026, if you work for a cybersecurity company and are interested, let me know.
Wishing you and your loved ones a wonderful holiday season and all the best for 2026! 🥂
And back to the newsletter... Here is what you can expect in this brief:
- Cisco email security appliances are under active attack by UAT-9686 threat actors, with complete rebuilds being the only way to remove persistent backdoors from compromised systems
- NIST published its AI Cybersecurity Framework Profile for public comment, giving us the first structured approach to balance AI adoption with emerging security risks
- Nearly all CISOs now see hybrid infrastructure as their best bet for resilience, with 97% agreeing it beats putting all eggs in one cloud or on-premises basket
- The UAT-9686 threat actor is actively exploiting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances whose Spam Quarantine feature is exposed to the internet, gaining command execution with root privileges.
- Compromised appliances show evidence of a persistence mechanism planted by the attackers to maintain ongoing access; Cisco recommends a complete appliance rebuild as the only viable way to eradicate it.
- The attack specifically targets appliances with the Spam Quarantine feature both enabled and exposed to the internet. The flaw is tracked as CVE-2025-20393, rated Critical, and affects all releases of Cisco AsyncOS Software.
- CVE-2025-14847 is a high-severity memory-read vulnerability affecting multiple MongoDB versions that allows an unauthenticated remote attacker to exploit the server's zlib implementation without any user interaction.
- The flaw stems from improper handling of a length-parameter inconsistency in zlib-compressed protocol headers, allowing an attacker to read uninitialized heap memory and harvest sensitive information from the targeted server.
- MongoDB strongly recommends upgrading immediately to a patched version (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30) or, as a temporary workaround until patches can be applied, disabling zlib compression on MongoDB servers.
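A quick triage helper for this advisory, added here as an example (it is not MongoDB's own tooling). It encodes only the fixed versions listed above and the zlib workaround, and assumes the documented default compressor list of `snappy,zstd,zlib` when `net.compression.compressors` is not set; the version strings fed to it are constructed for the demo.

```python
"""Triage helper for CVE-2025-14847 (MongoDB zlib memory read).

Added example, not MongoDB tooling. Encodes the fixed versions named in the
advisory summary and the workaround of disabling zlib compression.
"""
import re

# Fixed versions from the advisory, keyed by release branch (major, minor).
FIXED = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}


def parse_version(text):
    """Return (major, minor, patch) from strings such as '7.0.27' or 'v7.0.27-rc1'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if the server version carries the fix, False if it is an older build on a
    listed branch, None for branches the advisory does not name."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def zlib_enabled(compressors):
    """compressors: the net.compression.compressors value (comma-separated) or None.

    Assumption: an unset value means the documented default 'snappy,zstd,zlib',
    so zlib counts as enabled.
    """
    if compressors is None:
        return True
    names = [c.strip().lower() for c in compressors.split(",") if c.strip()]
    return "zlib" in names


def assess(version, compressors=None):
    """Combine version and compressor settings into a single verdict string."""
    patched = is_patched(version)
    if patched is True:
        return "patched"
    if not zlib_enabled(compressors):
        return "unpatched, zlib disabled (workaround in place)"
    if patched is False:
        return "vulnerable: upgrade or disable zlib"
    return "unknown branch: check vendor advisory"


if __name__ == "__main__":
    # Constructed sample inputs: (db.version() output, configured compressors).
    for ver, comp in [("7.0.27", None), ("7.0.28", None), ("4.4.29", "snappy,zstd")]:
        print(f"{ver:>8} compressors={comp!s:<12} -> {assess(ver, comp)}")
```

Feed it the output of `db.version()` and the `net.compression.compressors` value from `mongod.conf` (or `getCmdLineOpts`); a server on an unlisted branch deliberately comes back as unknown rather than as safe.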
- Fortinet has observed recent exploitation of CVE-2020-12812 (FG-IR-19-283) in FortiGate devices, where attackers bypass two-factor authentication by exploiting differences in case-sensitive username handling between FortiGate and LDAP directories.
- The vulnerability lets an attacker authenticate with an alternate-case variant of a username (e.g., "Jsmith" instead of "jsmith"): FortiGate fails to match the local user, falls back to LDAP group authentication, and never prompts for the second factor.
- Organizations can mitigate the issue by upgrading to FortiOS 6.0.10, 6.2.4, or 6.4.1, by setting "username-case-sensitivity disable" on all local accounts, or by removing unnecessary secondary LDAP group configurations that enable the fallback.
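To make the failure mode concrete, here is a small simulation of the bypass described above. It is an added example, not Fortinet code, and the accounts, passwords, and LDAP directory are constructed for the demo. The `case_sensitive` flag models the local-user matching behaviour (and its "username-case-sensitivity disable" workaround), and `ldap_group_fallback` models the secondary LDAP group that the advisory suggests removing when it is unnecessary.

```python
"""Simulation of the CVE-2020-12812 username-case 2FA bypass.

Added example, not Fortinet code. Models the advisory's description: a local
account with a second factor is matched case-sensitively, so a username in a
different case misses the local match and falls through to a secondary LDAP
group that never asks for the token. All data below is constructed.
"""

# Constructed local user database: this account requires a second factor.
LOCAL_USERS = {"jsmith": {"password": "Winter2020!", "two_factor": True}}

# Constructed LDAP directory. Assumption for the demo: LDAP matches
# usernames case-insensitively, as the advisory summary describes.
LDAP_DIRECTORY = {"jsmith": "Winter2020!"}


def ldap_bind(username, password):
    """Case-insensitive bind against the constructed directory."""
    return LDAP_DIRECTORY.get(username.lower()) == password


def find_local(username, case_sensitive):
    """Exact match reproduces the vulnerable behaviour; case-folded match
    models 'username-case-sensitivity disable'."""
    if case_sensitive:
        return LOCAL_USERS.get(username)
    for name, record in LOCAL_USERS.items():
        if name.lower() == username.lower():
            return record
    return None


def authenticate(username, password, token_ok,
                 case_sensitive=True, ldap_group_fallback=True):
    """Return (granted, path) for a login attempt.

    token_ok: whether a valid second factor was presented.
    """
    local = find_local(username, case_sensitive)
    if local is not None:
        if local["password"] != password:
            return (False, "local: bad password")
        if local["two_factor"] and not token_ok:
            return (False, "local: token required")
        return (True, "local+2fa")
    # No local match: fall through to the secondary LDAP group, which has no 2FA.
    if ldap_group_fallback and ldap_bind(username, password):
        return (True, "ldap group (no 2fa)")
    return (False, "denied")


if __name__ == "__main__":
    attempts = [
        ("jsmith", dict()),                             # correct case, no token
        ("Jsmith", dict()),                             # case variant: bypass
        ("Jsmith", dict(case_sensitive=False)),         # workaround 1
        ("Jsmith", dict(ldap_group_fallback=False)),    # workaround 2
    ]
    for user, opts in attempts:
        print(f"{user:<7} {opts!s:<35} -> {authenticate(user, 'Winter2020!', False, **opts)}")
```

Only the second attempt succeeds: the correct-case login is stopped at the token prompt, while the case variant is granted through the LDAP group without a second factor. Either mitigation closes it, and the vendor upgrade remains the actual fix.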