U.S. Government cuts, Majorana 1 Chip, CVEs for Mongoose and OpenSSH

Notable news for the week of February 17th through February 24th. Your editor this week is Chris from the F5 Security Incident Response Team. For this edition, we discuss U.S. government cuts to cyber security and consumer protections, Microsoft's advancement in the field of quantum computing, and new flaws found in the Mongoose library used with MongoDB and in OpenSSH.

Cuts to Cyber and Consumer Protections 

With the new administration in the US, there has been a large number of job cuts throughout the federal government, including at least 130 employees fired from the Cybersecurity and Infrastructure Security Agency (CISA). These cuts are reported to include staff dedicated to election security, countering misinformation, and foreign influence operations. Along with the cuts, the Department of Government Efficiency (DOGE) arrived at CISA and was given access to the agency's email and files. DOGE has been gaining access to many sensitive federal agencies that hold large amounts of personal and financial information on Americans, including the Social Security Administration (SSA), the Department of Homeland Security, the Office of Personnel Management (OPM), and the Treasury Department, and has also been seeking access to the systems of the Internal Revenue Service (IRS). From a security standpoint this is extremely alarming, because it appears to bypass many of the safeguards and access controls that normally govern who can reach such data, a concern voiced by many security experts. Another aspect that does not inspire confidence: the doge.gov website's administrators had left its database wide open, allowing outsiders to publish messages mocking the site's insecurity.

On the consumer protection side, the Consumer Financial Protection Bureau (CFPB) was ordered to stop most of its work. The CFPB was created in 2011 to protect consumers from financial institutions that violate consumer protection laws. The newly appointed acting CFPB director, Russell Vought, has publicly favored abolishing the agency, which is alarming because it would remove protections that currently exist.

https://krebsonsecurity.com/2025/02/trump-2-0-brings-cuts-to-cyber-consumer-protections/

Microsoft's Majorana 1 Chip 

Microsoft has announced what it describes as the world's first quantum processor built on topological qubits, named Majorana 1, and designed with a path to a million qubits on a single chip. Conventional qubits are highly sensitive to noise in the environment, which can cause them to lose their quantum state and introduce errors; this is known as decoherence. Countering it requires many additional physical qubits for error correction, so a single usable (logical) qubit consumes a great deal of hardware. Topological qubits encode information in the topology of the physical system, which in theory makes each qubit inherently more fault tolerant, so far fewer are needed to build a working quantum computer. This is a significant achievement, but it brings security concerns with it, chiefly the prospect of quantum decryption of today's public-key cryptography. Microsoft's claim is that the technology brings a fault-tolerant prototype within years rather than decades, and many believe this will be within 5 to 10 years.

https://www.securityweek.com/what-microsofts-majorana-1-chip-means-for-quantum-decryption/ 

Critical MongoDB Library Flaws 

Two critical vulnerabilities were found in Mongoose, a third-party library widely used with MongoDB, which can lead to stolen data or remote code execution. Mongoose is an Object Data Modeling (ODM) library that Node.js applications use to integrate with MongoDB. Researchers at OPSWAT revealed two critical security flaws that threaten the integrity of data stored in MongoDB and expose it to theft, manipulation, or destruction.

The first is CVE-2024-53900, with a CVSS score of 9.1. It is a search (NoSQL) injection bug rather than an SQL injection: Mongoose mishandled the $where operator in the match option of populate(), so a specially crafted query could bypass MongoDB's server-side JavaScript restrictions, potentially leading to remote code execution (RCE). It was reported in November 2024 and patched in version 8.8.3.

The second is CVE-2025-23061, with a CVSS score of 9.0. It was found by the same researcher and is a bypass of the first patch: a nested $where filter in the populate() match option still allowed the injection, and with it RCE. It was addressed in version 8.9.5.
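As an added example (not Mongoose's own code or its patch), the following Node.js snippet shows the application-side defence against this class of bug: never let a user-controlled object carry query operators. It goes a little beyond the two CVEs by refusing every `$`-prefixed key at any depth (`$where`, which runs server-side JavaScript, is the one at issue here) and every dotted key, and by building populate() match objects from an allow-list of fields. The helper names and the input objects are constructed for the example. Separately, setting `security.javascriptEnabled: false` in mongod's configuration disables server-side JavaScript and with it `$where`; that is defence in depth, not a substitute for upgrading to 8.9.5.

```javascript
'use strict';
// Added example: defensive handling of user-controlled filter objects before they
// reach a Mongoose/MongoDB query. Hypothetical helpers, not Mongoose's own fix.

// Walk a parsed request object and refuse any key MongoDB would treat as an
// operator. `$where` is the dangerous one in this section (it runs server-side
// JavaScript), but every `$`-prefixed key lets the caller change query
// semantics, so all of them are rejected, at any depth. Keys containing "."
// are refused too, since they address nested fields the caller should not pick.
function rejectOperatorKeys(value, path = '') {
  if (Array.isArray(value)) {
    value.forEach((item, i) => rejectOperatorKeys(item, `${path}[${i}]`));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key.startsWith('$') || key.includes('.')) {
        throw new Error(`unsafe key "${key}" at ${path || '<root>'}`);
      }
      rejectOperatorKeys(value[key], path ? `${path}.${key}` : key);
    }
  }
  return value; // primitives and clean objects pass through unchanged
}

function isSafeFilter(input) {
  try {
    rejectOperatorKeys(input);
    return true;
  } catch (err) {
    return false;
  }
}

// Safer still: build the match object yourself from an allow-list of fields,
// accepting only primitive values, so the caller can never supply a nested
// object at all. hasOwnProperty avoids picking up prototype properties.
function buildMatch(userInput, allowedFields) {
  const match = {};
  for (const field of allowedFields) {
    if (!Object.prototype.hasOwnProperty.call(userInput, field)) continue;
    const v = userInput[field];
    if (!['string', 'number', 'boolean'].includes(typeof v)) {
      throw new Error(`field "${field}" must be a primitive value`);
    }
    match[field] = v;
  }
  return match;
}

// Constructed inputs standing in for a parsed request body or query string.
const benignInput = { author: 'alice', status: 'published' };
const hostileInput = { author: 'alice', $where: 'this.author !== null' };

// Where this sits in an application: validate first, then hand the result to
//   Post.find(rejectOperatorKeys(filter))
//       .populate({ path: 'comments', match: buildMatch(req.query, ['author', 'status']) })
console.log(isSafeFilter(benignInput));                       // true
console.log(isSafeFilter(hostileInput));                      // false
console.log(buildMatch(hostileInput, ['author', 'status']));  // { author: 'alice' }
```

The allow-list form is the one to prefer for populate() matches: it makes the operator question moot, because the shape of the match object is decided by the application, not by whoever sent the request.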

https://www.theregister.com/2025/02/20/mongoose_flaws_mongodb/ 

New OpenSSH Flaws  

Two new security vulnerabilities have been found in the OpenSSH suite which, under specific conditions, could allow an active Machine-in-the-Middle (MitM) attack or a Denial-of-Service (DoS) attack.

The first is CVE-2025-26465, with a CVSS score of 6.8. The OpenSSH client in versions 6.8p1 through 9.9p1 (inclusive) contains a logic error that makes it vulnerable to a MitM attack if the VerifyHostKeyDNS option is enabled (set to yes or ask).

The second is CVE-2025-26466, with a CVSS score of 5.9. Both the OpenSSH client and server in versions 9.5p1 through 9.9p1 (inclusive) are vulnerable to a pre-authentication DoS attack that drives up memory and CPU consumption.

Successful exploitation of the first flaw could let a malicious actor hijack SSH sessions and possibly gain access to sensitive data. VerifyHostKeyDNS is disabled by default in OpenSSH, but check before assuming you are unaffected: FreeBSD shipped with it enabled by default from September 2013 until March 2023, and `ssh -G host` shows the value actually in effect for a given destination.

Exploitation of the second flaw affects availability only: an unauthenticated peer can make the target consume memory and CPU before authentication completes. On servers, the LoginGraceTime, MaxStartups and PerSourcePenalties settings (the last available from OpenSSH 9.8) limit how much an attacker can consume.

Both of these CVEs have been addressed in OpenSSH version 9.9p2, which was released on February 18th, 2025.
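As an added example (not from the OpenSSH project or the cited article), the following POSIX shell helpers check a client against the two conditions above: whether its version falls in the affected ranges, and whether VerifyHostKeyDNS is actually in effect, read from the output of `ssh -G`, which prints the resolved configuration for a destination without connecting. The version strings and configuration text used in the block are constructed; the last lines run the same checks against a real ssh binary when one is present.

```shell
#!/bin/sh
# Added example: audit an OpenSSH client for CVE-2025-26465 / CVE-2025-26466.
# Constructed helper functions, not OpenSSH project code.

# Print an OpenSSH portable version ("OpenSSH_9.9p1, OpenSSL ...") as a single
# integer (9.9p1 -> 90901) so ranges can be compared; print nothing if the
# string does not contain a recognisable portable version.
ssh_version_num() {
  v=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
  [ -n "$v" ] || return 0
  set -- $v
  echo $(( $1 * 10000 + $2 * 100 + $3 ))
}

# Return 0 if the version lies in [low, high]; 1 if outside; 2 if unparseable.
ssh_version_in_range() {
  n=$(ssh_version_num "$1")
  [ -n "$n" ] || return 2
  [ "$n" -ge "$2" ] && [ "$n" -le "$3" ]
}

# Affected ranges from the advisories: 6.8p1..9.9p1 (MitM), 9.5p1..9.9p1 (DoS).
ssh_version_affected_mitm() { ssh_version_in_range "$1" 60801 90901; }
ssh_version_affected_dos()  { ssh_version_in_range "$1" 90501 90901; }

# Return 0 if the effective client configuration (text from `ssh -G host`)
# has VerifyHostKeyDNS set to yes or ask; the MitM bug is reachable only then.
# `ssh -G` prints lower-cased keywords, one "keyword value" per line.
verifyhostkeydns_enabled() {
  printf '%s\n' "$1" |
    awk '$1 == "verifyhostkeydns" && ($2 == "yes" || $2 == "ask") { on = 1 } END { exit on ? 0 : 1 }'
}

# Produce a verdict for a version string and an `ssh -G` dump.
assess_client() {
  version="$1"; config="$2"
  rc=0; ssh_version_affected_mitm "$version" || rc=$?
  case $rc in
    2) echo "could not parse version: $version" ;;
    1) echo "not affected by CVE-2025-26465: $version" ;;
    0) if verifyhostkeydns_enabled "$config"; then
         echo "AT RISK (CVE-2025-26465): $version with VerifyHostKeyDNS on; upgrade to 9.9p2 or set VerifyHostKeyDNS no"
       else
         echo "affected version $version but VerifyHostKeyDNS is off; upgrade to 9.9p2"
       fi ;;
  esac
  if ssh_version_affected_dos "$version"; then
    echo "also affected by CVE-2025-26466 (pre-auth DoS); upgrade to 9.9p2"
  fi
}

# Live usage: run the same checks against the installed client, if any.
# `ssh -V` writes to stderr; `ssh -G` resolves the config without connecting.
if command -v ssh >/dev/null 2>&1; then
  assess_client "$(ssh -V 2>&1)" "$(ssh -G localhost 2>/dev/null || true)"
fi
```

Run it once per destination that matters (`ssh -G bastion.example.com`, not just localhost), because Host and Match blocks in ssh_config can turn VerifyHostKeyDNS on for some hosts only. OpenBSD's native client reports its version without the "p" suffix and is reported as unparseable by this script; it is a portable-release check.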

https://thehackernews.com/2025/02/new-openssh-flaws-enable-man-in-middle.html  

Updated Mar 04, 2025
Version 2.0