Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
German cops add Black Basta boss to EU most-wanted list
Date: 2026-01-16 | Source: The Register
German authorities have added Oleg Evgenievich Nefedov, the alleged leader of the Black Basta ransomware group, to the EU Most Wanted list. Active since 2022, Black Basta has attacked around 700 organizations globally, generating over $100 million in extortion payments. Nefedov is accused of managing attacks, recruiting affiliates, and negotiating ransoms. He is believed to be in Russia; authorities are seeking information on his whereabouts and guarantee anonymity to informants.
German cops add Black Basta boss to EU most-wanted list
2026-01-16 | Recorded Future: Police raid homes of alleged Black Basta hackers, hunt suspected Russian ringleader
Ukrainian and German authorities have identified two Ukrainians linked to the Black Basta ransomware group and placed its alleged Russian leader, Oleg Nefedov, on an international wanted list. Active since early 2022, Black Basta has extorted hundreds of companies, including ABB and Ascension, causing significant financial damage. The suspects specialized in breaching systems and deploying ransomware. Digital devices and cryptocurrency were seized during police raids in Ukraine. Nefedov is suspected of orchestrating the group's operations and may be in Russia.
2026-01-17 | The Hacker News: Black Basta Ransomware Leader Added to EU Most Wanted and INTERPOL Red Notice
Ukrainian and German authorities have identified two Ukrainians linked to the Black Basta ransomware group, with leader Oleg Nefedov added to the EU's Most Wanted and INTERPOL's Red Notice lists. Nefedov, a Russian national, is accused of orchestrating cyberattacks and extorting money through ransomware. Black Basta, active since April 2022, has targeted over 500 companies and earned hundreds of millions in cryptocurrency. Following leaks of internal communications, the group has reportedly gone silent since February 2025.
2026-01-17 | Security Affairs: Ukraine–Germany operation targets Black Basta, Russian leader wanted
Ukrainian and German police conducted operations against the Black Basta ransomware group, identifying two Ukrainian suspects and issuing an international wanted notice for the group's alleged Russian leader, Oleg Nefedov. Black Basta, active since April 2022, has impacted over 500 organizations globally, causing damages exceeding $20 million in Germany alone. The group is linked to over 329 victims and has accumulated at least $107 million in Bitcoin ransoms. Investigations are ongoing, with evidence seized during the raids.
Cisco finally fixes max-severity bug under active attack for weeks
Date: 2026-01-15 | Source: The Register
Cisco has fixed a critical vulnerability, CVE-2025-20393, in AsyncOS on Secure Email Gateway and Secure Email and Web Manager appliances; it had been actively exploited since December 10. The flaw allows attackers to execute commands with root privileges. Cisco Talos attributed the attacks to a China-linked group tracked as UAT-9686. The updates also remove the persistence mechanisms the attackers installed. Customers are urged to upgrade to the fixed software version listed in Cisco's advisory.
Cisco finally fixes max-severity bug under active attack for weeks
2026-01-16 | The Hacker News: Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways
Cisco released security updates for a critical remote command execution vulnerability (CVE-2025-20393, CVSS 10.0) in Cisco AsyncOS Software for Secure Email Gateway, exploited by the China-linked APT UAT-9686. The flaw arises from insufficient validation of HTTP requests in the Spam Quarantine feature. Successful exploitation allows root command execution. Cisco advises customers to update to fixed versions and to apply hardening measures, including firewall protection and strong authentication.
2026-01-16 | Cyber Security News: Cisco 0-Day RCE Secure Email Gateway Vulnerability Exploited in the Wild
Cisco confirmed active exploitation of a critical zero-day RCE vulnerability (CVE-2025-20393) in its Secure Email Gateway, allowing unauthenticated attackers to execute commands via crafted HTTP requests. The flaw, stemming from improper input validation, has a CVSS score of 10.0. Exploitation targets appliances with Spam Quarantine enabled. Cisco released patches and recommends immediate upgrades. The U.S. CISA added the CVE to its Known Exploited Vulnerabilities catalog, mandating mitigation by December 24, 2025.
2026-01-16 | Security Affairs: China-linked APT UAT-9686 abused now patched maximum severity AsyncOS bug
China-linked APT UAT-9686 exploited a critical AsyncOS flaw (CVE-2025-20393, CVSS 10.0) in Cisco Secure Email products to execute commands as root. Cisco observed attacks on internet-exposed appliances with Spam Quarantine enabled, a feature that is disabled by default. The vulnerability stems from improper validation of HTTP requests. Attackers deployed a persistence mechanism, AquaShell, along with tools for reverse tunneling and log deletion. Cisco confirmed the flaw has been patched and said that only misconfigured systems (Spam Quarantine enabled and exposed to the internet) were compromised.
2026-01-16 | Help Net Security: Cisco fixes AsyncOS vulnerability exploited in zero-day attacks (CVE-2025-20393)
Cisco has released security updates for its Secure Email Gateway and Secure Email and Web Manager devices to address CVE-2025-20393, a vulnerability exploited by suspected Chinese attackers since late November 2025. The flaw lets unauthenticated attackers execute arbitrary commands because of insufficient validation of HTTP requests. Affected appliances had the Spam Quarantine feature enabled. Customers are urged to upgrade to the fixed AsyncOS versions and to remove the identified persistence mechanisms.
2026-01-16 | TechRadar: Cisco has finally patched a maximum-level security issue which was allegedly being targeted by Chinese hackers
Cisco has patched a critical remote code execution vulnerability (CVE-2025-20393) in its Secure Email appliances, which was reportedly exploited by Chinese state-sponsored hackers for weeks. The flaw, disclosed in December 2025, allowed attackers to execute arbitrary commands with root privileges. The patch removes persistence mechanisms used by the attackers. Cisco urges affected customers to upgrade to the fixed software release, though the extent of the compromise remains unclear.
2026-01-16 | CSO Online: Cisco finally patches seven-week-old zero-day flaw in Secure Email Gateway products
Cisco has patched a critical zero-day vulnerability, CVE-2025-20393, in the AsyncOS software of its Secure Email Gateway products. The flaw, disclosed in December 2025, gives attackers root access to the appliance when the Spam Quarantine feature is enabled and exposed to the internet. It carries a CVSS score of 10, the maximum. Organizations using these products are urged to apply the patch promptly.
CodeBuild Flaw Put AWS Console Supply Chain At Risk
Date: 2026-01-15 | Source: Infosecurity Magazine
A critical misconfiguration in AWS CodeBuild, dubbed CodeBreach by Wiz Research, allowed unauthenticated attackers to potentially seize control of core AWS GitHub repositories, including the AWS SDK for JavaScript. The flaw stemmed from an unanchored regex filter, enabling bypass of security restrictions. Wiz demonstrated a takeover of the aws/aws-sdk-js-v3 repository. AWS responded within 48 hours, implementing mitigations and stating no customer impact was found. Recommendations include blocking untrusted pull requests and anchoring regex patterns.
CodeBuild Flaw Put AWS Console Supply Chain At Risk
2026-01-15 | Wiz: CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild
Wiz Research identified a critical vulnerability, CodeBreach, in AWS CodeBuild that allowed attackers to hijack key AWS GitHub repositories, including the AWS JavaScript SDK. The flaw was due to unanchored regex patterns in build triggers, enabling unauthorized access to privileged credentials. AWS promptly remediated the issue and implemented new security measures, including a Pull Request Comment Approval build gate. Organizations are advised to secure their CodeBuild projects by limiting permissions and preventing untrusted builds.
2026-01-15 | The Register: A simple CodeBuild flaw put every AWS environment at risk – and pwned 'the central nervous system of the cloud'
A critical misconfiguration in AWS's CodeBuild service, identified by Wiz researchers, allowed potential takeover of AWS's GitHub repositories, posing a risk to all AWS environments. The flaw stemmed from unanchored regex in webhook filters, enabling unauthorized access. AWS fixed the issue within 48 hours of disclosure, asserting no customer impact. The vulnerability highlights a broader CI/CD security challenge across cloud services, with implications for supply chain attacks and potential exploitation by malicious actors.
2026-01-15 | Cybersecurity Dive: Critical flaw in AWS Console risked compromise of build environment
A critical vulnerability in the CI pipeline behind the AWS Console, named CodeBreach, could have allowed attackers to take over core AWS GitHub repositories, particularly the AWS JavaScript SDK, which Wiz says is present in roughly two-thirds of cloud environments. Disclosed to AWS in August 2025, the flaw stemmed from an unanchored regex filter in AWS CodeBuild CI pipelines. AWS implemented hardening measures, including a Pull Request Comment Approval build gate. No evidence of exploitation was found, but users are advised to create unique access tokens for their CodeBuild projects.
2026-01-15 | The Hacker News: AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks
A critical misconfiguration in AWS CodeBuild, dubbed CodeBreach, exposed AWS's GitHub repositories, including the AWS JavaScript SDK, to potential takeover. The flaw allowed unauthenticated attackers to breach CI pipelines and leak privileged credentials. AWS fixed the issue in September 2025 after responsible disclosure. Recommendations include ensuring regex patterns in webhook filters are anchored, limiting Personal Access Token permissions, and using unprivileged accounts for CI/CD integration. No evidence of exploitation was found.
2026-01-15 | CSO Online: Possible software supply chain attack through AWS CodeBuild service blunted
A misconfiguration in AWS CodeBuild could have enabled unauthorized access to numerous AWS GitHub repositories and applications, according to researchers at Wiz. The vulnerability arose from the CI pipeline's handling of build triggers: two missing characters (the ^ and $ anchors) in a regex-based webhook filter let an attacker get an untrusted pull request into the privileged build environment and expose its credentials. The filter is meant to restrict which GitHub accounts can trigger builds.
2026-01-16 | Cyber Security News: New AWS Console Supply Chain Attack Allows Hijack of AWS GitHub Repositories
A critical misconfiguration in AWS CodeBuild would have allowed unauthenticated attackers to take control of key AWS GitHub repositories, including the AWS JavaScript SDK. The vulnerability stemmed from unanchored regex patterns in webhook filters, which could be satisfied by any GitHub account whose numeric ID contains an allowed ID as a substring. Wiz demonstrated that a malicious pull request could trigger a privileged build and extract a GitHub Personal Access Token (PAT) with admin privileges. AWS fixed the issue within 48 hours and said no customer data was impacted. Recommendations include anchoring regexes and using fine-grained PATs.
2026-01-16 | TechRadar: Critical AWS supply chain vulnerability could have let hackers take over key GitHub repositories
A critical misconfiguration in AWS CodeBuild, named “CodeBreach,” allowed unauthorized privileged builds, risking exposure of GitHub tokens and potential supply chain attacks. Discovered by Wiz, the flaw was reported in late August 2025 and fixed within 48 hours. AWS implemented safeguards, audited public build environments, and found no evidence of exploitation. Users are advised to review CI/CD configurations, anchor regex filters, and limit token privileges to enhance security.
2026-01-16 | Hack Read: How 2 Missing Characters Nearly Compromised AWS
A vulnerability named CodeBreach was discovered in AWS CodeBuild, linked to two missing characters in a security filter, risking the AWS JavaScript SDK and potentially allowing hackers to access privileged credentials and take over the software repository. Wiz Research alerted Amazon on August 25, 2025, and AWS fixed the issue within 48 hours. Users are advised to enable a Pull Request Comment Approval gate to enhance security. The incident highlights the rising risks from small oversights in code.
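As an added illustration of the "two missing characters" described in the items above (example code written for this page, not Wiz's or AWS's), the following models a CodeBuild webhook filter group and shows why an unanchored account-ID pattern lets any GitHub account whose numeric ID merely contains an allowed ID trigger a build, why the obvious fix of prefixing ^ and appending $ to an alternation is not enough, and how to audit and rewrite such patterns. That the affected filter type was ACTOR_ACCOUNT_ID and that matching behaves like a regex search are assumptions made for this example; the filter group and the account IDs are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample of a CodeBuild project's webhook filter groups, in the shape
# the CodeBuild API uses (Webhook.filterGroups: a list of filter lists, each filter
# a dict with "type" and "pattern"). The account IDs are made up for this example.
SAMPLE_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        # Intended to allow only two maintainer accounts, but the pattern is unanchored.
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "1234567|7654321"},
    ],
]


def actor_allowed(pattern: str, actor_id: str) -> bool:
    """Model the filter as a regex search (assumption for this example): this is the
    behaviour an unanchored pattern gets, so any actor ID that merely *contains*
    an allowed ID passes the filter."""
    return re.search(pattern, actor_id) is not None


def anchor_pattern(pattern: str) -> str:
    """Anchor a pattern to the whole actor ID. The group is essential: '^A|B$'
    anchors only the first and the last alternative, so 'B' still matches at the
    end of any longer ID."""
    return f"^(?:{pattern})$"


def is_fully_anchored(pattern: str) -> bool:
    """Heuristic: starts with ^, ends with $, and any top-level alternation is
    wrapped in a group so both anchors apply to every alternative."""
    if not (pattern.startswith("^") and pattern.endswith("$")):
        return False
    body = pattern[1:-1]
    if "|" not in body:
        return True
    return body.startswith("(") and body.endswith(")")


def find_unanchored_actor_filters(filter_groups) -> List[Tuple[int, str]]:
    """Audit: (group index, pattern) for every ACTOR_ACCOUNT_ID filter that could
    match a superstring of the allowed IDs."""
    findings = []
    for gi, group in enumerate(filter_groups):
        for f in group:
            if f.get("type") == "ACTOR_ACCOUNT_ID" and not is_fully_anchored(f["pattern"]):
                findings.append((gi, f["pattern"]))
    return findings


def harden_filter_groups(filter_groups):
    """Return a copy of the filter groups with every unanchored ACTOR_ACCOUNT_ID
    pattern anchored; the input is left untouched."""
    hardened = []
    for group in filter_groups:
        new_group = []
        for f in group:
            f = dict(f)
            if f.get("type") == "ACTOR_ACCOUNT_ID" and not is_fully_anchored(f["pattern"]):
                f["pattern"] = anchor_pattern(f["pattern"])
            new_group.append(f)
        hardened.append(new_group)
    return hardened


if __name__ == "__main__":
    allow = SAMPLE_FILTER_GROUPS[0][1]["pattern"]
    print("attacker 12345678 passes unanchored filter:", actor_allowed(allow, "12345678"))
    print("attacker 997654321 passes naive ^A|B$ filter:",
          actor_allowed("^1234567|7654321$", "997654321"))
    print("attacker 12345678 passes anchored filter:",
          actor_allowed(anchor_pattern(allow), "12345678"))
    print("audit findings:", find_unanchored_actor_filters(SAMPLE_FILTER_GROUPS))
    print("hardened:", harden_filter_groups(SAMPLE_FILTER_GROUPS))
```

To audit real projects, feed `find_unanchored_actor_filters` the `webhook.filterGroups` list from the output of `aws codebuild batch-get-projects`. Anchoring alone only fixes who may trigger a build; the page's other recommendations (unprivileged builds for untrusted pull requests, the Pull Request Comment Approval gate, fine-grained tokens) limit what a build can do if the trigger filter is ever bypassed again.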
Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation
Date: 2026-01-15 | Source: Google Cloud
Mandiant has released a dataset of Net-NTLMv1 rainbow tables to press organizations to migrate away from this insecure protocol. Although its weaknesses have been known for over two decades, it remains in use. With the tables, a security professional can recover the NT hash behind a captured Net-NTLMv1 response in under 12 hours on affordable hardware. Mandiant provides access to the dataset and outlines remediation steps for disabling Net-NTLMv1, highlighting the credential-theft and privilege-escalation risks that come with keeping it enabled.
Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation
2026-01-16 | Ars Technica: Mandiant releases rainbow table that cracks weak admin password in 12 hours
Mandiant has released rainbow tables that can recover the credentials behind Net-NTLMv1 authentication responses, administrative accounts included, in under 12 hours on consumer hardware costing less than $600. The dataset, hosted on Google Cloud, targets Net-NTLMv1 as used in network authentication. Despite its known weaknesses, NTLMv1 remains in use on sensitive networks because of legacy application dependencies and migration costs. Mandiant's aim is to give security professionals a practical way to demonstrate the protocol's insecurity.
2026-01-18 | Cyber Security News: Mandiant Releases Rainbow Tables Enabling NTLMv1 Admin Password Hacking
Mandiant has released a dataset of Net-NTLMv1 rainbow tables, highlighting the security risks of this deprecated protocol. The release allows credential recovery in under 12 hours using consumer-grade hardware, making it a practical attack vector. Organizations are urged to migrate away from Net-NTLMv1, as it can be exploited through known plaintext attacks. Immediate mitigation includes disabling Net-NTLMv1 and configuring systems to use NTLMv2 only. Continuous monitoring is essential to prevent post-compromise downgrades.
2026-01-18 | The Register: Mandiant releases quick credential cracker, to hasten the death of a bad protocol
Mandiant has released rainbow tables that crack credentials protected by Microsoft's Net-NTLMv1 authentication protocol in under 12 hours, underscoring its exposure to credential theft. The dataset lets security professionals demonstrate the weakness on consumer hardware, and Mandiant urges organizations to disable Net-NTLMv1 immediately. In other news, a US Navy sailor was sentenced to 16 years for selling secrets to China, a hacker pleaded guilty to accessing the US Supreme Court's filing system, and Interpol apprehended 34 members of the Nigerian crime syndicate Black Axe.
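The remediation advice in the Mandiant coverage above comes down to two things: configure LmCompatibilityLevel so that clients never send, and servers never accept, Net-NTLMv1, and keep watching logon events for any NTLMv1 use that survives the migration or reappears after a compromise. The script below is an added example written for this page, not Mandiant's code or tooling: it interprets LmCompatibilityLevel values according to Microsoft's documented meanings and flags LM and NTLM V1 logons in the text of Windows Security event 4624 messages. The three event messages are constructed samples; only the field labels follow what the real event emits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# LmCompatibilityLevel (HKLM\SYSTEM\CurrentControlSet\Control\Lsa; policy name
# "Network security: LAN Manager authentication level"), Microsoft's documented meanings.
LM_COMPATIBILITY_LEVEL = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM; use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only; refuse LM",
    5: "Send NTLMv2 response only; refuse LM & NTLM",
}


def client_sends_ntlmv1(level: int) -> bool:
    """Levels 0-2 still answer a challenge with an LM/NTLMv1 response."""
    return level <= 2


def server_accepts_ntlmv1(level: int) -> bool:
    """Only level 5 refuses NTLMv1 from clients; 3 and 4 stop sending it but still accept it,
    which is why a domain controller left at 3 remains a target for captured responses."""
    return level <= 4


@dataclass
class NtlmLogon:
    account: str
    workstation: str
    source_ip: str
    logon_type: str
    package: str      # "LM", "NTLM V1" or "NTLM V2", from "Package Name (NTLM only)"
    key_length: str

    def is_weak(self) -> bool:
        return self.package.upper() in ("LM", "NTLM V1")


def _last_field(message: str, name: str) -> str:
    # Fields such as "Account Name" appear under both Subject and New Logon;
    # the last occurrence describes the logon that actually happened.
    hits = re.findall(rf"^\s*{re.escape(name)}:\s*(.*?)\s*$", message, re.MULTILINE)
    return hits[-1] if hits else ""


def parse_4624(message: str) -> Optional[NtlmLogon]:
    """Return an NtlmLogon for NTLM authentications; None for Kerberos and others."""
    if _last_field(message, "Authentication Package") != "NTLM":
        return None
    return NtlmLogon(
        account=_last_field(message, "Account Name"),
        workstation=_last_field(message, "Workstation Name"),
        source_ip=_last_field(message, "Source Network Address"),
        logon_type=_last_field(message, "Logon Type"),
        package=_last_field(message, "Package Name (NTLM only)"),
        key_length=_last_field(message, "Key Length"),
    )


def find_weak_ntlm_logons(messages: List[str]) -> List[NtlmLogon]:
    """Logons that used LM or NTLMv1: each is a crackable challenge/response on the wire."""
    return [l for l in (parse_4624(m) for m in messages) if l and l.is_weak()]


# Constructed sample event 4624 messages (abbreviated to the relevant fields).
SAMPLE_4624_MESSAGES = [
    "An account was successfully logged on.\n"
    "Subject:\n\tAccount Name:\t\t-\n"
    "Logon Type:\t\t3\n"
    "New Logon:\n\tAccount Name:\t\tjsmith\n\tAccount Domain:\t\tCORP\n"
    "Network Information:\n\tWorkstation Name:\tWS042\n\tSource Network Address:\t10.0.0.42\n"
    "Detailed Authentication Information:\n\tLogon Process:\t\tKerberos\n"
    "\tAuthentication Package:\tKerberos\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n",
    "An account was successfully logged on.\n"
    "Subject:\n\tAccount Name:\t\t-\n"
    "Logon Type:\t\t3\n"
    "New Logon:\n\tAccount Name:\t\tsvc_web\n\tAccount Domain:\t\tCORP\n"
    "Network Information:\n\tWorkstation Name:\tWEB01\n\tSource Network Address:\t10.0.0.5\n"
    "Detailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp\n"
    "\tAuthentication Package:\tNTLM\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n",
    "An account was successfully logged on.\n"
    "Subject:\n\tAccount Name:\t\t-\n"
    "Logon Type:\t\t3\n"
    "New Logon:\n\tAccount Name:\t\tsvc_backup\n\tAccount Domain:\t\tCORP\n"
    "Network Information:\n\tWorkstation Name:\tNAS-LEGACY\n\tSource Network Address:\t10.0.0.77\n"
    "Detailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp\n"
    "\tAuthentication Package:\tNTLM\n\tPackage Name (NTLM only):\tNTLM V1\n\tKey Length:\t\t128\n",
]

if __name__ == "__main__":
    for lvl, meaning in LM_COMPATIBILITY_LEVEL.items():
        print(lvl, meaning, "| sends v1:", client_sends_ntlmv1(lvl),
              "| accepts v1:", server_accepts_ntlmv1(lvl))
    for logon in find_weak_ntlm_logons(SAMPLE_4624_MESSAGES):
        print("WEAK:", logon)
```

Run the parser over 4624 events exported from domain controllers before changing the level to 5: every account and source host it flags is a client that will break (or, after the change, a device that is silently failing) and, until then, is handing out crackable responses. Re-run it on a schedule afterwards so that a later downgrade of the setting shows up as new NTLM V1 logons rather than going unnoticed.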
Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking
Date: 2026-01-15 | Source: Wired
Researchers from KU Leuven have identified vulnerabilities in 17 audio devices using Google's Fast Pair protocol, from brands including Sony, Jabra, and JBL. The technique, dubbed WhisperPair, lets an attacker within Bluetooth range hijack a device, disrupt its audio stream, or activate its microphone for eavesdropping. Google has acknowledged the issue and is coordinating security updates with vendors, but many consumers may never update their devices, leaving them exposed for an extended period.
Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking
2026-01-16 | TechRadar: Your headphones may be tracking you – how a Google Fast Pair exploit lets hackers spy in seconds
A vulnerability in Google's Fast Pair feature, dubbed WhisperPair, allows attackers to exploit 17 major headphone and speaker models, potentially enabling them to access microphones, speakers, and track locations. This flaw affects devices from brands like Google, JBL, and Sony. Attackers need only be within Bluetooth range and know the device's model ID. Users are urged to download manufacturer apps for patches, as disabling Fast Pair is not an option. Recommendations include cryptographic enforcement for device pairing.
2026-01-16 | Malwarebytes Labs: WhisperPair exposes Bluetooth earbuds and headphones to tracking and eavesdropping
Researchers from KU Leuven identified vulnerabilities in Bluetooth audio accessories using Google Fast Pair, affecting brands such as Sony, Jabra, and JBL. The flaw lets attackers hijack devices without user interaction, potentially enabling eavesdropping and location tracking via Google's Find Hub. The vulnerability, tracked as CVE-2025-36911, is rated critical and requires firmware updates from manufacturers to fix. Users should keep their accessories updated to safeguard against these risks.
2026-01-17 | The Register: Fast Pair, loose security: Bluetooth accessories open to silent hijack
A vulnerability in Google's Fast Pair system, named "WhisperPair," allows attackers to silently hijack Bluetooth accessories like earbuds and headphones. Researchers from KU Leuven found that many devices do not enforce pairing mode correctly, enabling unauthorized connections. Once paired, attackers can access audio controls and potentially register devices to their accounts. Google is working on firmware updates, but many cheaper devices may not receive patches. The issue highlights flaws in security implementations by manufacturers.
UAT-8837 targets critical infrastructure sectors in North America
Date: 2026-01-15 | Source: Cisco Talos
UAT-8837, a China-nexus APT actor, has targeted high-value critical infrastructure organizations in North America since 2025. It exploits vulnerabilities, including the CVE-2025-53690 zero-day in Sitecore, to gain access, then deploys tools such as Earthworm, SharpHound, and DWAgent for tunneling, remote access, reconnaissance, and credential harvesting. Its tactics include weakening RDP security, creating backdoor accounts, and exfiltrating sensitive data, raising concerns about potential supply chain compromises.
UAT-8837 targets critical infrastructure sectors in North America
2026-01-15 | Cisco Talos: Predicting 2026
Cisco Talos is monitoring UAT-8837, a China-nexus APT that has targeted critical infrastructure in North America since 2025. The group exploits vulnerabilities and stolen credentials and uses open-source tools to steal data and maintain access; its techniques have evaded traditional defenses. Recommendations include keeping systems patched, monitoring for the specific tools involved, and tightening credential and privilege management. The same newsletter notes that BreachForums was breached, exposing 324K users, that Target's source code was reportedly stolen, and that Predator spyware learns from failed attacks.
2026-01-15 | Recorded Future: Chinese hackers targeting ‘high value’ North American critical infrastructure, Cisco says
Chinese hackers, tracked by Cisco Talos as UAT-8837, breached multiple North American critical infrastructure organizations over the past year using compromised credentials and exploitable servers. The group exploited vulnerabilities, notably CVE-2025-53690 in Sitecore products, and used tools such as Earthworm to tunnel to internal endpoints. Concerns escalated after the Salt Typhoon group compromised an email platform used by Congressional staffers. U.S. officials warn of ongoing threats from Chinese government-backed hackers targeting critical infrastructure.
2026-01-16 | The Hacker News: China-Linked APT Exploited Sitecore Zero-Day in Critical Infrastructure Intrusions
A China-linked advanced persistent threat (APT) actor, UAT-8837, has been targeting North American critical infrastructure, exploiting a zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS 9.0) for initial access. The group uses open-source tools to harvest sensitive information and disable security features like RestrictedAdmin for RDP. Recent activities include exfiltrating DLL-based libraries, raising supply chain compromise concerns. Western governments have issued alerts regarding threats to operational technology environments.
2026-01-17 | Security Affairs: China-linked APT UAT-8837 targets North American critical infrastructure
A China-linked advanced persistent threat group, UAT-8837, has been targeting North American critical infrastructure since at least 2025, using exploits and stolen credentials. The group employs tools including Earthworm, DWAgent, and Certipy to maintain access and conduct attacks. Notably, it exploited CVE-2025-53690, a zero-day vulnerability in Sitecore products. Cisco Talos has published Snort rules and IOCs to help detect and mitigate this threat.
Critical WordPress Plugin Vulnerability Exploited in the Wild to Gain Instant Admin Access
Date: 2026-01-15 | Source: Cyber Security News
A critical unauthenticated privilege escalation vulnerability (CVE-2026-23550) in the Modular DS WordPress plugin affects over 40,000 sites, allowing attackers to gain admin access. Exploitation began on January 13, 2026. Versions up to 2.5.1 are vulnerable; version 2.5.2 addresses the issue. Attackers can create backdoor admins without validation. Users are urged to update immediately, enable auto-updates, and monitor logs for suspicious activity. The flaw highlights risks of exposed internal routing and the need for request validation.
Critical WordPress Plugin Vulnerability Exploited in the Wild to Gain Instant Admin Access
2026-01-15 | The Hacker News: Critical WordPress Modular DS Plugin Flaw Actively Exploited to Gain Admin Access
A critical vulnerability in the WordPress Modular DS plugin, tracked as CVE-2026-23550 (CVSS score: 10.0), allows unauthenticated privilege escalation in all versions up to 2.5.1. Exploitation can lead to admin access and potential site compromise. The flaw, rooted in the plugin's routing mechanism, was first detected on January 13, 2026. Users are urged to update to version 2.5.2 to mitigate risks. The vulnerability underscores the dangers of implicit trust in internal request paths exposed to the public internet.
2026-01-16 | Security Affairs: Actively exploited critical flaw in Modular DS WordPress plugin enables admin takeover
A critical vulnerability in the Modular DS WordPress plugin (CVE-2026-23550) allows unauthenticated privilege escalation, enabling admin takeover. Exploited since January 13, 2026, the flaw affects versions 2.5.1 and earlier, allowing attackers to bypass authentication and access sensitive routes. The issue was resolved in version 2.5.2. Users are urged to update immediately to mitigate risks. The vulnerability underscores the dangers of implicit trust in internal request paths exposed to the internet.
2026-01-16 | TechRadar: Hackers exploit WordPress plugin security flaw exposing 40,000 websites to complete takeover risk - here's how to stay safe
A critical vulnerability (CVE-2026-23550) in the Modular DS WordPress plugin, affecting over 40,000 websites, allows attackers to bypass authentication and gain admin access. Scored 10/10, it has been exploited since January 13, 2026. Users are urged to upgrade to version 2.5.2, released shortly after the vendor was notified. Recommended actions include reviewing indicators of compromise, regenerating WordPress salts and OAuth credentials, and scanning for malicious files.
2026-01-16 | CSO Online: Modular DS bug hands hackers instant WordPress admin access
Security researchers have identified active exploitation of a critical privilege escalation vulnerability in the Modular DS plugin, tracked as CVE-2026-23550, with a CVSS score of 10.0. This flaw allows unauthenticated attackers to gain full admin access to vulnerable WordPress sites. Affected versions are 2.5.1 and earlier. The issue arises from unprotected API routes, enabling access escalation without credentials. The vulnerability was disclosed by Patchstack.
Palo Alto Networks Firewall Vulnerability Allows Attacker to Trigger DoS Attacks
Date: 2026-01-15 | Source: Cyber Security News
Palo Alto Networks has patched a high-severity denial-of-service vulnerability in PAN-OS, tracked as CVE-2026-0227 (CVSS 7.7), that affects multiple PAN-OS versions but not Cloud NGFW. The flaw lets unauthenticated attackers disrupt GlobalProtect gateways. No active exploitation has been reported, but proof-of-concept code exists. Administrators are urged to upgrade to the fixed versions, as no workarounds are available. Affected release lines include PAN-OS 12.1, 11.2, 11.1, 10.2, and 10.1.
Palo Alto Networks Firewall Vulnerability Allows Attacker to Trigger DoS Attacks
2026-01-15 | The Hacker News: Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login
Palo Alto Networks has issued security updates for a high-severity DoS vulnerability (CVE-2026-0227, CVSS 7.7) affecting GlobalProtect Gateway and Portal in PAN-OS software. An unauthenticated attacker can trigger the flaw, causing firewalls to enter maintenance mode. Affected versions include PAN-OS 12.1, 11.2, 11.1, 10.2, and 10.1, as well as Prisma Access 11.2 and 10.2. No workarounds exist, and while there's no evidence of exploitation, devices should be updated due to increased scanning activity.
2026-01-15 | Security Affairs: Palo Alto Networks addressed a GlobalProtect flaw, PoC exists
Palo Alto Networks addressed a high-severity vulnerability, CVE-2026-0227 (CVSS 7.7), affecting GlobalProtect Gateway and Portal, allowing unauthenticated attackers to cause a denial of service (DoS) to the firewall. Exploiting this flaw can force the device into maintenance mode, disrupting network traffic. The vulnerability impacts only PAN-OS or Prisma Access setups with GlobalProtect enabled and does not affect Cloud NGFW. No known active exploits have been reported.
2026-01-15 | TechRadar: Palo Alto patches a worrying security issue which could crash your firewall without even logging in
Palo Alto Networks patched CVE-2026-0227, a high-severity DoS vulnerability (7.7/10) in GlobalProtect Gateway and Portal, allowing unauthenticated attackers to force firewalls into maintenance mode. Affected versions include PAN-OS 12.1 < 12.1.3-h3, 11.2 < 11.2.4-h15, and others. The Cloud NGFW is unaffected. No workarounds exist; applying the patch is essential. Currently, there are no reported instances of exploitation.
2026-01-16 | CSO Online: Palo Alto Networks patches firewalls after discovery of a new denial-of-service flaw
Palo Alto Networks has released patches for its PAN-OS firewall platform due to a high-severity denial-of-service vulnerability, CVE-2026-0227, rated 7.7 CVSS. This flaw affects customers using PAN-OS NGFW or Prisma Access with GlobalProtect enabled. If unpatched, an unauthenticated attacker could exploit this vulnerability, causing the firewall to enter maintenance mode after repeated attempts. Users are advised to apply the patches to mitigate this risk.
New One-Click Microsoft Copilot Vulnerability Grants Attackers Undetected Access to Sensitive Data
Date: 2026-01-14 | Source: Cyber Security News
A vulnerability in Microsoft Copilot Personal allowed attackers to exfiltrate sensitive data via a single-click phishing attack. By sending a malicious link with a ‘q’ parameter, attackers could hijack sessions and access personal details without further interaction. The attack utilized techniques like Parameter-to-Prompt injection and Chain-Request, evading detection. Microsoft patched the issue on January 13, 2026, after responsible disclosure on August 31, 2025. Users are advised to apply updates and scrutinize prompts.
New One-Click Microsoft Copilot Vulnerability Grants Attackers Undetected Access to Sensitive Data
2026-01-14 | Ars Technica: A single click mounted a covert, multistage attack against Copilot
Microsoft has addressed a vulnerability in its Copilot AI assistant that allowed a multistage attack, discovered by Varonis researchers, to exfiltrate sensitive user data with a single click on a malicious URL. The attack extracted information such as the user's name and location from Copilot chat history, bypassing endpoint security measures. The exploit executed immediately upon clicking the link, even if the user closed the chat tab. The attack utilized a crafted URL to embed personal details in web requests.
2026-01-15 | Malwarebytes Labs: “Reprompt” attack lets attackers steal data from Microsoft Copilot
Researchers identified a "Reprompt" attack that exploits Microsoft Copilot's handling of URL parameters, allowing attackers to hijack a user's session and execute malicious prompts without user input. This vulnerability was addressed in Microsoft's January Patch Tuesday update, with no known exploitation reported. Users are advised to install the update, utilize Microsoft 365 Copilot for enhanced security features, and avoid clicking unsolicited links. Awareness of AI assistants' privacy risks is crucial as they may inadvertently process untrusted inputs.
2026-01-15 | The Hacker News: Researchers Reveal Reprompt Attack Allowing Single-Click Data Exfiltration From Microsoft Copilot
Cybersecurity researchers have identified a new attack method called Reprompt, enabling single-click data exfiltration from Microsoft Copilot, bypassing security controls. The attack requires only one click on a legitimate link and allows continuous data extraction without further user interaction. Microsoft has addressed the issue, which does not affect Microsoft 365 Copilot users. Recommendations include limiting access to sensitive tools and implementing layered defenses to mitigate risks associated with AI systems.
2026-01-15 | TechRadar: Microsoft Copilot AI attack took just a single click to compromise users - here's what we know
Security researchers at Varonis discovered a new prompt-injection attack method, named "Reprompt," that compromises Microsoft Copilot with a single click via malicious URL parameters. This attack allows cybercriminals to trick Generative AI tools into leaking sensitive data. Microsoft has since patched the vulnerability, preventing such prompt injection attacks through URLs. The flaw was reported to Microsoft, which acted quickly to mitigate the risk.
2026-01-15 | Tomsguide: This Microsoft Copilot vulnerability only requires a single click, and your personal data could be stolen
A vulnerability in Microsoft Copilot, identified as the 'Reprompt' exploit, allows attackers to steal personal data with a single click via a phishing link. This multi-stage prompt injection can bypass security controls, enabling attackers to request sensitive information even when Copilot is closed. Microsoft has patched the flaw, reported in August 2025. Users are advised to be cautious with shared information and vigilant against phishing attempts, including not clicking unexpected links.
2026-01-16 | CSO Online: One click is all it takes: How ‘Reprompt’ turned Microsoft Copilot into data exfiltration tools
A new attack method called ‘Reprompt’ has been identified by Varonis Threat Labs, allowing attackers to bypass security controls after an initial prompt to an AI copilot. This three-step attack grants undetectable access to sensitive information, highlighting the risks of trusting AI assistants with confidential data. Security researcher Dolev Taler emphasizes that while AI assistants are helpful, their gullibility can be exploited, turning them into tools for data exfiltration.
Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace
Date: 2026-01-14 | Source: Cyberscoop
Microsoft, in collaboration with international law enforcement, has seized the infrastructure of the cybercrime marketplace RedVDS, which has facilitated over $40 million in fraud losses in the U.S. since March 2025. The operation led to the disruption of services used for phishing and business email compromise, impacting over 191,000 Microsoft email accounts. RedVDS provided disposable virtual computers for criminals, enabling scalable fraud. The site, operational since 2019, has been linked to multiple cybercrime groups.
Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace
2026-01-14 | Infosecurity Magazine: Criminal Subscription Service Behind AI-Powered Cyber-Attacks Taken Out By Microsoft
On January 14, Microsoft announced the disruption of RedVDS, a cybercriminal subscription service linked to over $40 million in fraud losses since March 2025. RedVDS provided tools for phishing and business email compromise (BEC) scams, utilizing AI to enhance attacks. Victims included H2-Pharma and Gatehouse Dock Condominium Association. Microsoft urged victims to report cybercrimes and recommended measures like multi-factor authentication and verifying payment requests to mitigate risks.
2026-01-14 | Recorded Future: Microsoft disrupts RedVDS cybercrime platform behind $40 million in scam losses
Microsoft has disrupted the RedVDS cybercrime platform, linked to over $40 million in fraud losses in the U.S. RedVDS provided disposable virtual computers for cybercriminals, enabling phishing and payment diversion scams. Microsoft, in collaboration with law enforcement, seized domains and servers associated with RedVDS. The platform facilitated attacks on over 191,000 Microsoft email accounts across 130,000 organizations, significantly impacting sectors like real estate and healthcare.
2026-01-15 | Help Net Security: Microsoft shuts down RedVDS cybercrime subscription service tied to millions in fraud losses
Microsoft has disrupted the RedVDS cybercrime subscription service linked to approximately $40 million in fraud losses since March 2025. This service provided criminals with disposable virtual computers for as low as $24 a month, facilitating high-volume phishing and fraud schemes. Over 191,000 organizations, particularly in real estate and healthcare, faced compromised accounts due to attackers inserting fraudulent payment instructions during email communications. The operation involved collaboration with international law enforcement.
2026-01-15 | CSO Online: Strike against cybercriminals in Germany
Cybercriminals in Germany executed a CEO fraud (business email compromise) scheme, gaining access to victims' systems through phishing emails to steal money and sensitive data by impersonating executives or partners. RedVDS allegedly provided an online subscription service for criminals to rent infrastructure, offering access to a virtual disposable computer for $24/month. In one month, over 2,600 RedVDS machines sent approximately one million phishing emails daily to Microsoft customers, affecting users across various platforms.
2026-01-15 | The Hacker News: Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud
Microsoft has taken legal action in the U.S. and U.K. against the cybercrime service RedVDS, which has allegedly caused $40 million in fraud losses since March 2025. RedVDS offered disposable virtual computers for as low as $24/month, enabling criminals to conduct phishing, BEC scams, and financial fraud. The service was taken offline, disrupting a network that compromised over 191,000 organizations globally. Microsoft identified various threat actors using RedVDS for sophisticated cyber attacks, leveraging tools like generative AI for deception.
2026-01-15 | TechRadar: Microsoft hits global virtual desktop cybercrime phishing platform - 'RedVDS' caused phishing chaos and resulted in millions of losses
Microsoft, Europol, and German police dismantled the RedVDS cybercrime platform, which facilitated phishing, BEC, and malware distribution, causing $40M in losses in 2025. RedVDS offered disposable Windows cloud servers for as low as $24/month, enabling scalable fraud. Affected organizations include H2-Pharma, which lost $7.3M, and the Gatehouse Dock Condominium Association, which lost nearly $500,000. Criminals used AI for phishing and sent over a million phishing emails monthly, compromising about 200,000 Microsoft customers.
2026-01-15 | The Register: Microsoft taps UK courts to dismantle cybercrime host RedVDS
Microsoft has initiated civil actions in the UK and US against RedVDS, a cybercrime-as-a-service platform facilitating phishing and fraud. The operation, in collaboration with Europol and German law enforcement, has led to the seizure of RedVDS's domains and infrastructure. RedVDS has reportedly caused $40 million in fraud losses in the US, affecting over 191,000 organizations globally. Victims include H2-Pharma and Gatehouse Dock Condominium Association. Microsoft aims to combat such services that enable widespread cybercrime.
2026-01-15 | Cyber Security News: Microsoft and Authorities Dismantle BEC Attack Chain Powered by RedVDS Fraud Engine
A joint operation by Microsoft and international law enforcement dismantled a business email compromise (BEC) attack chain using the RedVDS fraud engine. RedVDS provided disposable virtual machines for criminals to send phishing emails and stage payment diversion schemes, affecting over 191,000 organizations globally. The operation seized RedVDS domains and disrupted payment channels, highlighting the importance of targeting shared crime infrastructure to reduce BEC attacks.
2026-01-15 | DIGIT: Microsoft Disrupts Cyber-Crime-As-A-Service Network With UK Help
Microsoft's Digital Crimes Unit disrupted the RedVDS cyber-crime-as-a-service network, collaborating with UK and US authorities. RedVDS, which offered disposable virtual computers for £18/month, was linked to over 191,000 compromised organizations since September 2025, generating at least $40 million in profits. The service facilitated various cyber-crimes, particularly business email compromise, and utilized AI for targeting and phishing. Two domains were seized, aiding in identifying the perpetrators.
No 10 welcomes reports X is addressing Grok deepfakes
Date: 2026-01-14 | Source: BBC News
X is reportedly taking steps to comply with UK law regarding the sexualized deepfakes generated by its AI tool, Grok. Prime Minister Sir Keir Starmer stated that X could face stricter regulations if it fails to act. Ofcom has initiated an investigation, and the government plans to enforce a law criminalizing non-consensual deepfakes. Starmer condemned Grok's outputs as "disgusting" and emphasized the need for compliance, indicating potential legislative measures if necessary.
No 10 welcomes reports X is addressing Grok deepfakes
2026-01-14 | Recorded Future: California AG to probe Musk’s Grok for nonconsensual deepfakes
California's Attorney General Rob Bonta has launched an investigation into xAI's Grok AI tool for generating nonconsensual sexually explicit material, including deepfakes of minors. The probe follows similar investigations by Britain's Ofcom and the Paris Prosecutor’s Office. Indonesia and Malaysia announced plans to block access to Grok. Elon Musk stated he is unaware of any illegal images produced by Grok and emphasized the tool's compliance with laws.
2026-01-14 | Cyberscoop: California AG launches investigation into X’s sexualized deepfakes
California Attorney General Rob Bonta has launched an investigation into xAI, alleging its AI model Grok is used to create nonconsensual sexually explicit images of women and children. The probe focuses on Grok’s “spicy mode,” which generates explicit content. Bonta emphasized the need for immediate action to prevent further dissemination of such material. This announcement follows the Senate's passage of the DEFIANCE Act, allowing victims of nonconsensual deepfakes to pursue civil action.
2026-01-15 | The Guardian: Musk’s X to block Grok AI tool from creating sexualised images of real people
Elon Musk's xAI will block its Grok AI tool from creating sexualized images of real people following backlash over its misuse to generate explicit imagery. This decision comes amid investigations by California's attorney general and regulatory scrutiny in the UK, Malaysia, and Indonesia. Musk stated Grok is programmed to refuse illegal requests. X's changes will apply to all users, but it's unclear if the standalone Grok app will still allow such images. The UK is set to criminalize the creation of these images.
SpyCloud Launches Supply Chain Solution to Combat Rising Third-Party Identity Threats
Date: 2026-01-14 | Source: CSO Online
SpyCloud has launched its Supply Chain Threat Protection solution, enhancing identity threat defense across vendor ecosystems. This solution addresses the critical gap in real-time awareness of identity exposures affecting third-party partners. The 2025 Verizon Data Breach Investigations Report noted a rise in third-party breaches. Key features include timely recaptured identity data, an Identity Threat Index, and enhanced vendor management, enabling organizations to proactively mitigate risks associated with compromised suppliers.
SpyCloud Launches Supply Chain Solution to Combat Rising Third-Party Identity Threats
2026-01-14 | Hack Read: SpyCloud Launches Supply Chain Solution to Combat Rising Third-Party Identity Threats
SpyCloud launched its Supply Chain Threat Protection solution on January 14, 2026, enhancing identity threat protection for organizations and government agencies. This solution offers real-time monitoring of vendor identity exposures, moving beyond static risk assessments. It utilizes data from breaches and malware to identify active threats, addressing a critical gap in enterprise security. The service aims to improve vendor management and incident response, enabling proactive measures against identity threats in supply chains.
2026-01-14 | Help Net Security: SpyCloud launches Supply Chain Threat Protection to expose vendor identity risk
SpyCloud has launched Supply Chain Threat Protection, enhancing identity threat defense across vendor ecosystems. This solution provides real-time awareness of identity exposures affecting third-party partners, addressing a critical gap in enterprise security. It aggregates data from breaches and malware, enabling organizations to identify compromised suppliers and assess risks. Key features include an Identity Threat Index, compromised application identification, and integrated response capabilities, facilitating proactive vendor management and incident response.
2026-01-14 | Cyber Security News: SpyCloud Launches Supply Chain Solution to Combat Rising Third-Party Identity Threats
SpyCloud launched its Supply Chain Threat Protection solution on January 14, 2026, to enhance identity threat visibility for enterprises and government agencies. This solution shifts from static risk scoring to real-time monitoring of vendor identity exposures, leveraging data from breaches and malware. The 2025 Verizon report noted a rise in third-party breaches, emphasizing the need for proactive measures. Key features include an Identity Threat Index and compromised application identification, enabling better vendor management and response capabilities.
Critical FortiSIEM Vulnerability Enables Arbitrary Command Execution via Crafted TCP Packets
Date: 2026-01-14 | Source: Cyber Security News
Fortinet disclosed a critical OS command injection vulnerability (CVE-2025-64155) in FortiSIEM on January 13, 2026, allowing unauthenticated attackers to execute arbitrary code via TCP packets. With a CVSS score of 9.4, it affects multiple versions, excluding Collector nodes. Immediate upgrades are urged, with specific versions requiring patches. No active exploitation has been reported, but organizations are advised to audit logs for unusual traffic and implement least-privilege network segmentation.
Critical FortiSIEM Vulnerability Enables Arbitrary Commands Execution via Crafted TCP Packets
2026-01-14 | The Hacker News: Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution
Fortinet has addressed a critical OS command injection vulnerability in FortiSIEM (CVE-2025-64155, CVSS 9.4) allowing unauthenticated remote code execution. It affects Super and Worker nodes in versions 6.7.0-6.7.10, 7.0.0-7.0.4, 7.1.0-7.1.8, 7.2.0-7.2.6, 7.3.0-7.3.4, and 7.4.0. Users should upgrade to fixed releases. Additionally, a critical flaw in FortiFone (CVE-2025-47855, CVSS 9.3) allows unauthorized access to device configurations. Users are advised to update to the latest versions and limit access to port 7900.
2026-01-14 | Cyber Security News: Critical FortiSIEM Vulnerability (CVE-2025-64155) Enables Full RCE and Root Compromise
A critical vulnerability (CVE-2025-64155) in FortiSIEM allows unauthenticated remote code execution via crafted CLI requests, exposing systems to root compromise. Discovered by Horizon3.ai, the flaw enables arbitrary file writes and privilege escalation. Affected versions include 7.3.0-7.3.1, 7.2.0-7.2.5, 7.1.0-7.1.7, 7.0.0-7.0.3, and 6.7.0-6.7.9, with recommendations to upgrade to fixed releases. Fortinet advises immediate patching and monitoring for indicators of compromise.
2026-01-14 | Security Affairs: Fortinet fixed two critical flaws in FortiFone and FortiSIEM
Fortinet addressed two critical vulnerabilities in FortiFone and FortiSIEM. CVE-2025-64155 (CVSS 9.4) allows unauthenticated attackers to execute unauthorized commands via crafted TCP requests in FortiSIEM, affecting versions 7.4.0 and below. CVE-2025-47855 (CVSS 9.3) enables unauthorized access to device configurations in FortiFone through crafted HTTP/HTTPS requests, impacting versions 3.0.24 and 7.0.2. Patches and recommendations for limiting access to affected components were provided.
2026-01-15 | CSO Online: Researchers warn of long‑running FortiSIEM root exploit vector as new CVE emerges
A critical command injection vulnerability in Fortinet FortiSIEM, tracked as CVE-2025-64155, has been disclosed; researchers say the underlying exploit vector has exposed unauthenticated remote root access for nearly three years. The flaw affects the phMonitor service, which runs with elevated privileges. Public exploit code was released by Horizon3.ai, revealing that attackers can inject commands and execute arbitrary files as the root user. Fortinet was informed in August 2025, and fixes were released on Tuesday.
2026-01-15 | Help Net Security: PoC exploit for critical FortiSIEM vulnerability released (CVE-2025-64155)
A critical vulnerability (CVE-2025-64155) in Fortinet’s FortiSIEM allows unauthenticated remote code execution via crafted TCP requests targeting the phMonitor service. Discovered by Horizon3.ai, it has a publicly released PoC exploit. Fortinet advises upgrading to fixed versions (7.4.1+, 7.3.5+, 7.2.7+, 7.1.9+) or limiting access to port 7900 if upgrades are not possible. The vulnerability does not affect FortiSIEM Cloud or Collector nodes. Indicators of compromise include suspicious phMonitor log entries.
2026-01-15 | Cyber Security News: Fortinet FortiSIEM Vulnerability CVE-2025-64155 Actively Exploited in Attacks
Fortinet FortiSIEM vulnerability CVE-2025-64155 is actively exploited, allowing unauthenticated remote code execution via OS command injection. Attackers target storage configuration endpoints with crafted TCP requests to port 7900, enabling arbitrary file writes and privilege escalation to root. Affected versions include FortiSIEM 6.7 (6.7.0-6.7.10), 7.0 (7.0.0-7.0.4), 7.1 (7.1.0-7.1.8), 7.2 (7.2.0-7.2.6), and 7.3 (7.3.0-7.3.4). Organizations must upgrade immediately and block external access to TCP 7900.
2026-01-16 | Cybersecurity Dive: Critical flaw in Fortinet FortiSIEM targeted in exploitation threat
A critical vulnerability in Fortinet FortiSIEM, tracked as CVE-2025-64155, is being actively exploited, following a proof of concept release. The flaw allows unauthorized command execution due to improper neutralization of special elements. Fortinet issued an advisory after researchers from Horizon3.ai disclosed the issue. Previous related vulnerabilities include CVE-2023-34992 and CVE-2024-23108. Despite remediation efforts, Fortinet's measures have not fully addressed the vulnerabilities, which were noted in Black Basta's chat logs.
2026-01-18 | Help Net Security: Week in review: PoC for FortiSIEM flaw released, Rakuten Viber CISO/CTO on messaging risks
A proof-of-concept (PoC) exploit for a critical vulnerability (CVE-2025-64155) in Fortinet’s FortiSIEM has been released, allowing unauthenticated remote attackers to execute unauthorized commands on vulnerable systems via crafted TCP requests. Organizations are urged to patch their FortiSIEM deployments immediately to mitigate potential risks. Additionally, Instagram denied reports of a data breach affecting 17.5 million accounts, attributing password reset requests to other issues.
Microsoft Patch Tuesday January 2026 – 114 Vulnerabilities Fixed Including 3 Zero-days
Date: 2026-01-13 | Source: Cyber Security News
Microsoft's January 2026 Patch Tuesday addresses 114 vulnerabilities, including 22 remote code execution flaws and 57 elevation of privilege issues. Notable zero-days include CVE-2026-20805 (information disclosure) and CVE-2026-21265 (privilege escalation). Critical vulnerabilities include CVE-2026-20854 (Windows LSASS) and multiple Office-related issues. Recommendations include prioritizing updates for internet-facing systems and testing in staging environments to mitigate potential regressions.
Microsoft Patch Tuesday January 2026 – 114 Vulnerabilities Fixed Including 3 Zero-days
2026-01-13 | Cisco Talos: Microsoft Patch Tuesday for January 2026 — Snort rules and prominent vulnerabilities
Microsoft's January 2026 Patch Tuesday update addresses 112 vulnerabilities, including 8 critical ones. Notable vulnerabilities include CVE-2026-20805 (information disclosure), CVE-2026-20854 (RCE in LSASS), and CVE-2026-20922 (NTFS RCE). Several critical vulnerabilities involve remote code execution in Microsoft Office applications and Windows services. Talos has released new Snort rules to detect exploitation attempts, with specific rules provided for both Snort 2 and Snort 3.
2026-01-13 | Cyberscoop: Microsoft Patch Tuesday addresses 112 defects, including one actively exploited zero-day
Microsoft's January 2026 Patch Tuesday update addressed 112 vulnerabilities, including the zero-day CVE-2026-20805, an information disclosure flaw in Desktop Window Manager with a CVSS score of 5.5. This vulnerability can expose sensitive information and is now in the CISA's exploited vulnerabilities catalog. Other notable defects include CVE-2026-20947 and CVE-2026-20963 affecting SharePoint, and CVE-2026-20944 impacting Word. Eight vulnerabilities were flagged as likely to be exploited.
2026-01-14 | The Register: Windows info-disclosure 0-day bug gets a fix as CISA sounds alarm
A Windows vulnerability, CVE-2026-20805, allows authorized attackers to leak memory addresses from a remote ALPC port, potentially leading to arbitrary code execution. It has a medium severity rating (5.5 CVSS) and is now in CISA's Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by February 3. Microsoft also disclosed two other vulnerabilities: CVE-2026-21265 (6.4 CVSS) related to secure boot certificate expiration and CVE-2023-31096 (7.8 CVSS) in Agere Modem drivers.
2026-01-14 | Krebs on Security: Patch Tuesday, January 2026 Edition
Microsoft's January 2026 Patch Tuesday addressed 113 vulnerabilities, including eight rated "critical." Notably, CVE-2026-20805, a zero-day flaw in the Desktop Window Manager, is actively exploited. Other critical flaws include two Microsoft Office remote code execution vulnerabilities (CVE-2026-20952, CVE-2026-20953). Microsoft removed legacy modem drivers due to CVE-2023-31096. Additionally, CVE-2026-21265 affects Windows Secure Boot, with expiring certificates posing future risks. Mozilla also patched 34 vulnerabilities in Firefox.
2026-01-14 | CSO Online: January 2026 Microsoft Patch Tuesday: Actively exploited zero day needs attention
Microsoft's January 2026 Patch Tuesday revealed eight critical vulnerabilities, including an actively exploited zero-day. Most vulnerabilities affect Office products, with two SharePoint flaws scoring 8.8 on the CVSS scale. Nick Carroll from Nightwing emphasized the risk posed by SharePoint vulnerabilities, referencing previous exploitation by Chinese APTs using ToolShell against organizations. Immediate attention and patching are recommended to mitigate potential threats.
2026-01-14 | Cyber Security News: Microsoft Desktop Window Manager 0-Day Vulnerability Exploited in the wild
Microsoft patched a critical zero-day vulnerability in its Desktop Window Manager (DWM) on January 13, 2026, tracked as CVE-2026-20805. This flaw allows low-privilege local attackers to expose sensitive user-mode memory, potentially aiding privilege escalation. It has a CVSS score of 5.5 and affects older Windows versions in extended support. Administrators are urged to prioritize updates and restrict local low-privilege accounts. No public proof-of-concept exists yet.
2026-01-14 | Rapid7: Patch Tuesday - January 2026
Microsoft's January 2026 Patch Tuesday addresses 114 vulnerabilities, including CVE-2026-20805, an exploited-in-the-wild information disclosure vulnerability in Windows DWM, rated medium severity (CVSS 5.5). Additionally, CVE-2023-31096, an elevation of privilege vulnerability in legacy Agere modem drivers, has functional exploit code. A critical security feature bypass, CVE-2026-21265, affects Windows Secure Boot, with impending expiration of old root certificates. Visual Studio 2022 LTSC 17.10 and Dynamics CRM 2016 reach end of support.
2026-01-14 | Security Affairs: Microsoft Patch Tuesday security updates for January 2026 fixed actively exploited zero-day
Microsoft's January 2026 Patch Tuesday addressed 112 security flaws, including eight critical vulnerabilities across various products. Notably, CVE-2026-20805, a Windows flaw, is actively exploited, allowing attackers to leak memory information, potentially aiding further exploits. Other significant vulnerabilities include CVE-2023-31096 and CVE-2024-55414, both allowing elevated privileges via outdated modem drivers, and CVE-2026-21265, related to Secure Boot certificate expiration. Microsoft removed the vulnerable drivers in the update.
2026-01-14 | The Hacker News: Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited
Microsoft's January 2026 Patch Tuesday addressed 114 security flaws, including one actively exploited vulnerability (CVE-2026-20805) affecting Desktop Window Manager, rated CVSS 5.5. Eight flaws are Critical, and 106 are Important. Notable vulnerabilities include CVE-2026-21265 (Secure Boot bypass, CVSS 6.4) and CVE-2026-20876 (VBS Enclave privilege escalation, CVSS 6.7). CISA has added CVE-2026-20805 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by February 3, 2026.
2026-01-14 | Infosecurity Magazine: Microsoft Fixes Three Zero-Days on Busy Patch Tuesday
Microsoft's January 2026 Patch Tuesday addressed over 100 CVEs, including three zero-days. CVE-2026-20805 is an information disclosure vulnerability in the Desktop Window Manager, allowing local attackers to leak sensitive memory details. CVE-2026-21265 is a security feature bypass related to the expiration of Root of Trust certificates, requiring hardware audits and coordinated updates. CVE-2023-31096 is an elevation of privilege vulnerability in the Agere Modem driver, with patches removing affected drivers.
2026-01-14 | Security Affairs: U.S. CISA adds a flaw in Microsoft Windows to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft Windows vulnerability CVE-2026-20805 (CVSS Score 8.7) to its Known Exploited Vulnerabilities catalog. This flaw, part of January 2026's Patch Tuesday updates, allows attackers to leak memory information, potentially aiding further exploits. CISA mandates federal agencies to remediate by February 3, 2026, while private organizations are advised to review and address vulnerabilities in their infrastructure.
2026-01-14 | Cyber Security News: Microsoft Warns Secure Boot May Be Bypassed as Windows UEFI Certificates Expire
Microsoft has issued a warning regarding a critical vulnerability (CVE-2026-21265) affecting Windows Secure Boot due to expiring 2011 certificates. This flaw could allow attackers to disrupt boot integrity if not patched. Rated Important (CVSS 6.4), it requires local access and high privileges. Microsoft urges immediate deployment of replacement certificates before mid-2026 to prevent boot-time attacks. Patches are available for legacy Windows Server and extended-support editions, requiring customer action.
2026-01-14 | Recorded Future: Federal agencies ordered to patch Microsoft Desktop Window Manager bug
U.S. government agencies must patch a vulnerability in Microsoft’s Desktop Window Manager, tracked as CVE-2026-20805, due to confirmed exploitation by threat actors. CISA added it to its exploited bugs catalog. The vulnerability, part of 113 disclosed on the first Patch Tuesday of 2026, has a severity score of 5.5 and can lead to information leakage. Attackers need local access to exploit it, and the DWM process runs with elevated privileges, facilitating potential attacks. Agencies have until February 3 to patch.
2026-01-14 | Hack Read: Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed
Microsoft's January 2026 Patch Tuesday addressed 115 vulnerabilities, including eight Critical and 106 Important. Key fixes include three zero-day vulnerabilities: CVE-2026-20805 (Desktop Window Manager), CVE-2023-31096 (Agere Soft Modem Driver), and CVE-2026-21265 (Secure Boot). Critical Remote Code Execution flaws in Office and Windows were also patched. Experts emphasize the urgency of applying these updates, particularly for businesses, with the next update scheduled for February 10, 2026.
2026-01-14 | Tomsguide: Microsoft's first Patch Tuesday of 2026 fixes over 100 bugs and one active zero-day flaw — don't wait to update your PC
Microsoft's January 2026 Patch Tuesday addresses 114 vulnerabilities, including one active zero-day flaw (CVE-2026-20805) affecting the Desktop Window Manager, with a CVSS score of 5.5. This flaw allows unauthorized access to sensitive information. Other notable vulnerabilities include CVE-2026-21265, which could enable malware to run during boot, and CVE-2026-20876, granting hackers elevated privileges. Users are advised to install updates promptly and enhance their online security practices.
2026-01-15 | Times Now: Government Issues High-Risk Alert For Microsoft Users After Active Exploitation Detection: What Users Should Do
A high-risk alert has been issued for Microsoft users due to an active exploit of a vulnerability in the Windows Desktop Window Manager, identified as CVE-2026-20805. This flaw enables attackers with local access to extract sensitive information discreetly. The urgency of the situation is emphasized by the potential for unnoticed exploitation leading to significant damage. Users are advised to take immediate precautions to mitigate risks associated with this vulnerability.
2026-01-15 | Cyber Security News: Windows Remote Assistance Vulnerability Allows Attackers to Bypass Security Features
Critical security updates have been released for CVE-2026-20824, a vulnerability in Windows Remote Assistance that allows attackers to bypass the Mark of the Web defense. Disclosed on January 13, 2026, it affects Windows 10 through Windows Server 2025. The flaw requires local access and user interaction, posing confidentiality risks. Microsoft has issued patches for 29 Windows configurations. Patching is urgent, with updates classified as "Required" for security. Exploitation is currently deemed "Less Likely."
Kremlin-linked hackers pose as charities to spy on Ukraine’s military
Date: 2026-01-13 | Source: Recorded Future
Kremlin-linked hackers, identified as Void Blizzard, targeted Ukraine’s military from October to December 2025 using a new malware strain called PluggyApe. They posed as charitable organizations to lure victims via messaging apps like Signal and WhatsApp, prompting downloads of malicious files disguised as documents. The malware enables persistent remote access and has evolved to evade detection. This campaign highlights a shift towards tailored attacks using trusted communication channels rather than mass phishing.
Kremlin-linked hackers pose as charities to spy on Ukraine’s military
2026-01-14 | The Hacker News: PLUGGYAPE Malware Uses Signal and WhatsApp to Target Ukrainian Defense Forces
CERT-UA reported on PLUGGYAPE malware targeting Ukrainian defense forces from October to December 2025, attributed to the Russian group Void Blizzard. The malware is distributed via Signal and WhatsApp, disguised as charity links. PLUGGYAPE, written in Python, communicates with remote servers using WebSocket or MQTT, with command-and-control addresses stored in base64 on external services. Recent phishing campaigns also involved FILEMESS and GAMYBEAR malware targeting various Ukrainian entities.
2026-01-14 | Cyber Security News: Threat Actors Targeting Ukraine’s Defense Forces with Charity-Themed Malware Campaign
Threat actors targeted Ukraine’s Defense Forces with a malware campaign from October to December 2025, using charity-themed social engineering. The PLUGGYAPE backdoor, a Python-based malware, was distributed via fake charity websites, prompting downloads of disguised executable files. The threat group, UAC-0190 (Void Blizzard), utilized sophisticated techniques for persistence and communication, evolving to PLUGGYAPE.V2 with enhanced obfuscation. CERT-UA analysts identified the campaign, highlighting its impact on military personnel.
2026-01-14 | Security Affairs: CERT-UA reports PLUGGYAPE cyberattacks on defense forces
CERT-UA reported PLUGGYAPE malware attacks targeting Ukraine’s defense forces, attributed with medium confidence to the Russian group Void Blizzard. The attack utilizes social engineering via instant messaging, leading victims to download malicious files disguised as documents. The PLUGGYAPE backdoor, developed in Python, allows remote access and employs MQTT for communication. Recent variants include anti-analysis checks and obfuscation techniques. The report highlights the evolving cyberthreat landscape and the use of legitimate accounts for initial contact.
Global Magecart Campaign Targets Six Card Networks
Date: 2026-01-13 | Source: Infosecurity Magazine
A digital skimming campaign targeting six major payment networks, including American Express and Mastercard, has been active since 2022. Known as "Magecart," it injects malicious JavaScript into e-commerce sites, capturing payment details during checkout. The campaign was linked to a domain associated with PQ.Hosting. Silent Push recommends implementing content security policies, adhering to PCI DSS, updating software, enforcing strong access controls, and educating users on safe shopping practices to mitigate risks.
Global Magecart Campaign Targets Six Card Networks
2026-01-13 | Hack Read: Widespread Magecart Campaign Targets Users of All Major Credit Cards
A widespread Magecart campaign has been identified, targeting users of major credit cards since January 2022. Attackers use seemingly harmless domains to host malicious scripts that replace legitimate payment forms with fake ones, capturing sensitive information. The malware evades detection by deleting itself when a site administrator is logged in. Users are advised to watch for unusual requests to re-enter payment info, while store owners should control script permissions to mitigate risks.
2026-01-13 | The Hacker News: Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages
A long-running web skimming campaign, active since January 2022, targets major payment networks including American Express and Mastercard. Researchers from Silent Push found that the campaign uses obfuscated JavaScript to harvest credit card and personal information from e-commerce sites. The skimmer evades detection by checking for WordPress admin elements and manipulates payment forms to trick users. Stolen data is sent to "lasorie[.]com," and the skimmer erases its traces post-exfiltration.
2026-01-14 | Cyber Security News: New Magecart Attack Steals Customers Credit Cards from Website Checkout Pages
A renewed Magecart attack in 2026 targets e-commerce websites, stealing customer credit card information during checkout. This campaign, active since early 2022, uses JavaScript injection to embed malicious code into sites, activating on checkout pages. It captures sensitive data, including card details and personal information, and employs psychological tactics to mislead victims. The malware evades detection by disabling itself for site administrators, indicating a sophisticated and persistent threat to online retail security.
2026-01-14 | Malwarebytes Labs: Online shoppers at risk as Magecart skimming hits major payment networks
A Magecart campaign targeting major payment providers, including American Express, Diners Club, Discover, and Mastercard, has been active since early 2022. Attackers inject malicious JavaScript into checkout pages to steal payment data. The campaign exploits vulnerabilities in supply chains and third-party scripts. Recommendations for shoppers include using virtual cards, enabling transaction alerts, and employing strong passwords. Web skimmers can bypass traditional fraud controls, making vigilance essential for both customers and merchants.
New VoidLink Cloud-Native Malware Attacking Linux Systems with Self-deletion Capabilities
Date: 2026-01-13 | Source: Cyber Security News
A new cloud-focused malware, VoidLink, targets Linux systems with self-deletion capabilities and advanced evasion techniques. Written in Zig, it customizes behavior for major cloud environments like AWS and Azure. Identified by Check Point researchers in December 2025, it includes over 37 plugins for tasks like credential harvesting. VoidLink employs adaptive stealth, assessing security measures and adjusting tactics, and uses various rootkit types based on kernel versions. It triggers self-deletion upon detecting tampering.
2026-01-13 | The Hacker News: New Advanced Linux VoidLink Malware Targets Cloud and container Environments
Cybersecurity researchers from Check Point Research have identified a sophisticated Linux malware framework named VoidLink, designed for stealthy access to cloud environments. Discovered in December 2025, it features custom loaders, rootkits, and over 30 plugins, enabling adaptability and long-term operations. VoidLink targets major cloud platforms like AWS and Azure, focusing on software developers for data theft and supply chain attacks. Its advanced capabilities include anti-forensics, credential harvesting, and evasion strategies, showcasing high technical expertise from its developers.
2026-01-13 | Infosecurity Magazine: New Chinese-Made Malware Framework Targets Linux-Based Cloud Environments
A new malware framework named VoidLink, linked to Chinese-affiliated actors, targets Linux-based cloud environments. Discovered by Check Point Research in December 2025, it features over 30 plugins for persistence and operational security. VoidLink can detect various cloud infrastructures, including AWS and Azure, and includes capabilities for reconnaissance, lateral movement, and privilege escalation. Researchers emphasize the need for enhanced security measures in Linux and cloud environments due to this evolving threat.
2026-01-13 | Ars Technica: Never-before-seen Linux malware is “far more advanced than typical”
Researchers have identified a new Linux malware framework named VoidLink, which features over 30 customizable modules for advanced attack capabilities, including stealth, reconnaissance, privilege escalation, and lateral movement. It can target cloud services like AWS, GCP, Azure, Alibaba, and Tencent by examining metadata through vendor APIs. The framework indicates a shift towards targeting Linux systems and cloud infrastructures, suggesting a higher level of sophistication typically associated with professional threat actors.
2026-01-14 | TechRadar: Experts warn this new Chinese Linux malware could be preparing something seriously worrying
Check Point Research has identified a sophisticated Linux malware framework named VoidLink, designed for cloud environments. It features over 30 plugins, enabling stealthy, persistent control over compromised systems. VoidLink adapts to various cloud platforms (AWS, Azure, GCP) and targets DevOps engineers and cloud admins by harvesting credentials and metadata. Currently, there is no evidence of active exploitation, suggesting it may be under development for future use, potentially linked to Chinese state-sponsored espionage.
2026-01-14 | Hack Read: New China Linked VoidLink Linux Malware Targets Major Cloud Providers
In December 2025, Check Point Research identified VoidLink, a sophisticated Linux malware targeting major cloud providers like AWS, Google Cloud, and Microsoft Azure. Likely developed by a Chinese-affiliated group, it hunts for credentials and can hide within Docker and Kubernetes. VoidLink employs advanced stealth techniques, adapting its behavior based on security software detection. It features a modular design with 37 plugins and can self-delete if analyzed. Experts recommend enhancing cloud defenses against this emerging threat.
2026-01-14 | The Register: New Linux malware targets the cloud, steals creds, and then vanishes
A new Linux malware named VoidLink targets cloud infrastructure, featuring over 30 plugins for activities like credential theft and lateral movement. Discovered by Check Point Research in December, it is written in Zig and appears to originate from a Chinese-affiliated environment. VoidLink can delete itself if tampered with and includes advanced capabilities such as kernel-level rootkits and anti-forensics. Its focus on cloud services like AWS and Azure marks a shift in malware targeting, posing significant risks to high-value targets.
2026-01-15 | CSO Online: Sophisticated VoidLink malware framework targets Linux cloud servers
Researchers have identified a sophisticated malware framework named VoidLink, targeting Linux cloud servers. Developed by Chinese creators, it operates stealthily within Linux systems and containers, adapting its behavior based on the cloud environment, including Kubernetes and Docker. Check Point's analysis suggests that while the malware is still in development, it is advanced enough to be used soon for cyberespionage or supply-chain attacks, as it can harvest credentials from cloud environments and source code repositories.
Critical ServiceNow Vulnerability Enables Privilege Escalation Via Unauthenticated User Impersonation
Date: 2026-01-13 | Source: Cyber Security News
A critical vulnerability, CVE-2025-12420, in ServiceNow's AI Platform allows unauthenticated attackers to impersonate legitimate users, enabling unauthorized operations. Discovered by AppOmni and disclosed in October 2025, it has a CVSS score of 9.3. ServiceNow patched the flaw on October 30, 2025, affecting Assist AI Agents and Virtual Agent API. Organizations are urged to apply updates immediately to prevent potential exploitation, although no active attacks have been reported.
2026-01-13 | The Hacker News: ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation
ServiceNow patched a critical vulnerability (CVE-2025-12420) in its AI Platform, allowing unauthenticated user impersonation with a CVSS score of 9.3. The flaw was addressed on October 30, 2025, with updates for Now Assist AI Agents (5.1.18+, 5.2.19+) and Virtual Agent API (3.15.2+, 4.0.4+). Discovered by Aaron Costello of AppOmni, there is no evidence of exploitation, but users are urged to apply updates promptly to mitigate risks.
2026-01-13 | Cyberscoop: ServiceNow patches critical AI platform flaw that could allow user impersonation
ServiceNow patched a critical vulnerability (CVE-2025-12420) in its AI platform that allowed unauthenticated user impersonation, rated 9.3/10 in severity. Discovered by AppOmni in October 2025, fixes were deployed on Oct. 30, 2025. Affected components include Now Assist AI Agents and Virtual Agent API. Recommendations include upgrading to specific patched versions and implementing security measures like human supervision and agent segmentation to mitigate risks associated with AI configurations.
2026-01-14 | TechRadar: ServiceNow patches critical security flaw which could allow user impersonation
ServiceNow patched a critical vulnerability (CVE-2025-12420) in its AI Platform, allowing user impersonation with a severity score of 9.3/10. Discovered by AppOmni, the flaw could enable unauthenticated users to perform actions as legitimate users. The patch was deployed on October 30, 2025, for various app versions, including Now Assist AI Agents and Virtual Agent API. No exploitation has been reported yet, but unpatched systems remain at risk.
U.S. CISA adds a flaw in Gogs to its Known Exploited Vulnerabilities catalog
Date: 2026-01-12 | Source: Security Affairs
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Gogs path traversal vulnerability (CVE-2025-8110, CVSS 8.7) to its Known Exploited Vulnerabilities catalog. This flaw allows local code execution via improper symbolic link handling in the PutContents API. Discovered during a malware investigation, over 700 of 1,400 exposed Gogs instances were compromised. CISA mandates federal agencies to remediate by February 2, 2026, and recommends private organizations do the same.
2026-01-13 | The Hacker News: CISA Warns of Active Exploitation of Gogs Vulnerability Enabling Code Execution
CISA has warned of active exploitation of a high-severity vulnerability in Gogs, tracked as CVE-2025-8110 (CVSS score: 8.7), allowing code execution via path traversal in the PutContents API. Wiz reported 700 compromised instances among approximately 1,600 exposed servers. No patches are currently available, but code changes are underway. Users are advised to disable open-registration and limit access. Federal agencies must implement mitigations by February 2, 2026.
2026-01-13 | Cyber Security News: CISA Warns of Gogs Path Traversal Vulnerability Exploited in Attacks
CISA has issued a critical warning regarding a path traversal vulnerability in Gogs, tracked as CVE-2025-8110, which is actively exploited. This flaw allows attackers to escape restricted directories and execute arbitrary code due to improper symbolic link handling in the PutContents API. Organizations must address this by February 2, 2026, and are urged to apply patches immediately. If no mitigations are available, CISA recommends discontinuing the use of the vulnerable product.
2026-01-13 | The Register: Federal agencies told to fix or ditch Gogs as exploited zero-day lands on CISA hit list
CISA has mandated federal agencies to cease using Gogs or secure it immediately due to a high-severity vulnerability (CVE-2025-8110) that allows authenticated users to overwrite files and achieve remote code execution. Discovered by Wiz researchers, the flaw affects over 700 compromised Gogs instances. Agencies are advised to implement mitigations or discontinue use, as Gogs has not yet issued a fix. The vulnerability exploits a bypass in previous security measures related to symbolic links.
2026-01-13 | TechRadar: US government told to patch high-severity Gogs security issue or face attack
CISA has added Gogs CVE-2025-8110 to its Known Exploited Vulnerabilities catalog, highlighting a critical symlink bypass that allows unauthenticated Remote Code Execution via the PutContents API. Over 700 Gogs servers are compromised, with a severity score of 8.7/10. Federal agencies must patch by February 2, 2026, or cease using the software. The fix, available on GitHub, implements symlink-aware path validation to mitigate the vulnerability.
2026-01-13 | Infosecurity Magazine: CISA Flags Actively Exploited Gogs Vulnerability With No Patch
A high-severity vulnerability in Gogs, tracked as CVE-2025-8110, is actively exploited, allowing authenticated users to overwrite files outside a repository, potentially leading to remote code execution. CISA has added it to its Known Exploited Vulnerabilities catalog. Over 700 Gogs instances are compromised, with no patch currently available. Recommended mitigations include disabling open registration, restricting access, and monitoring unusual API usage. The flaw affects Gogs versions up to 0.13.3.
World Economic Forum: Cyber-fraud overtakes ransomware as business leaders' top cyber-security concern
Date: 2026-01-12 | Source: Infosecurity Magazine
Phishing and cyber fraud have surpassed ransomware as the primary cybersecurity concern for business leaders, according to the World Economic Forum's Global Cybersecurity Outlook for 2026, released on January 12. The report indicates that 77% of leaders have seen an increase in cyber-enabled fraud, with phishing being the most common threat. AI-related vulnerabilities are also rising, with 87% of respondents reporting them. The WEF emphasizes the need for coordinated action across sectors to combat these evolving threats.
2026-01-12 | Cybersecurity Dive: Executives worry most about cyber-enabled fraud, geopolitics and AI
Cyber-enabled fraud is now the primary concern for corporate executives, surpassing ransomware, according to a World Economic Forum report. In 2025, 73% of respondents reported being affected by cyber-enabled fraud. The report highlights shifting priorities in cybersecurity, with high-resilience organizations focusing on AI risks and low-resilience ones on fraud. Geopolitical risks also influence strategies, with 66% of CEOs adjusting their approaches. Confidence in national responses to major cyber incidents is low, particularly in Latin America.
2026-01-12 | The Register: Businesses in 2026: Maybe we should finally look into that AI security stuff
In 2026, 64% of business leaders assessed AI security risks before deployment, up from 37% the previous year, highlighting AI security's growing priority. The World Economic Forum found 94% believe AI will drive cybersecurity changes, with 87% noting increased vulnerabilities. Geopolitical factors shape cyber risk strategies, especially for larger organizations. Cyber-enabled fraud is the top concern for CEOs, while ransomware remains a primary fear for CISOs. The focus on cyber resilience is emphasized, with 64% meeting minimum standards.
2026-01-13 | Help Net Security: Enterprise security faces a three-front war: cybercrime, AI misuse, and supply chains
The World Economic Forum's Global Cybersecurity Outlook 2026 highlights the pressures on security teams from AI misuse, geopolitical instability, and cybercrime. AI is seen as both a tool for enhancing security and a source of new vulnerabilities, particularly in data exposure and social engineering. Cyber-enabled fraud, including phishing and identity theft, is a growing concern, with CEOs ranking it as a top risk. Organizations report improved resilience but face challenges from legacy systems and inequities in cyber capabilities across regions.
2026-01-13 | DIGIT: CEOs Bracing For An Explosion of Cyber-Fraud in 2026, Finds WEF
CEOs are increasingly concerned about cyber-enabled fraud, surpassing ransomware as the top threat, according to the World Economic Forum's Global Cybersecurity Outlook 2026. Nearly 73% of CEOs reported personal exposure to fraud, primarily through phishing (62%) and identity theft (32%). AI-related vulnerabilities are rising rapidly, with 87% noting an increase. Organizations are adapting, with 64% assessing AI security pre-deployment. Geopolitical factors are also reshaping risk strategies, particularly concerning supply chain vulnerabilities.
2026-01-13 | TechRadar: Businesses are finally taking action to crack down on AI security risks
Businesses are increasingly addressing AI security risks, with 64% assessing risks before deployment, up from 37% last year. The World Economic Forum's 2026 Global Cybersecurity Outlook indicates that 94% believe AI will drive cybersecurity changes. Key concerns include data leaks (34%) and AI vulnerabilities. While 77% use AI for cybersecurity, barriers include skill shortages (54%) and risk uncertainty (39%). Phishing remains the top threat, with emerging risks like deepfake scams noted.
2026-01-14 | DIGIT: Corporate AI Fears Hit New Peak in Global Risk Index
Cyber-attacks, particularly ransomware, remain the top risk for businesses, with 42% of firms citing it as their primary concern, according to the Allianz Risk Barometer. AI-related risks have surged to the second position, reflecting growing awareness of operational, legal, and reputational implications. Companies express a need for significant investment to address AI-driven threats. Additionally, reliance on a few cloud service providers raises concerns about business continuity and supply chain disruptions.
2026-01-14 | Cybersecurity Dive: AI surges among top business risk concerns, while cybersecurity holds firm
Cybersecurity remains the top risk concern for corporate leaders for the fifth consecutive year, according to Allianz Commercial's annual Risk Barometer. AI has surged to the second position from tenth, reflecting its potential for productivity improvements and new security challenges. The report, based on a survey of over 3,300 experts, indicates that companies face operational, legal, and reputational risks with AI adoption. In the U.S., AI risk ranks fourth, following cybersecurity, business interruption, and regulatory changes.
AuraInspector: Auditing Salesforce Aura for Data Exposure
Date: 2026-01-12 | Source: Google Cloud
Aura is a framework in Salesforce for creating modular components, underpinning the Lightning Experience. A significant security challenge is ensuring users access only authorized data. The Aura endpoint retrieves various backend information, often targeted due to complex sharing rules that can lead to misconfigurations. Salesforce administrators face difficulties in identifying these potential vulnerabilities, making the Aura endpoint a critical focus for security audits in Experience Cloud applications.
2026-01-13 | The Register: Mandiant open sources tool to prevent leaky Salesforce misconfigs
Mandiant has released AuraInspector, an open-source tool for Salesforce admins to detect misconfigurations that may expose sensitive data. Launched on Monday, it targets access control issues in Salesforce Aura, which can lead to unauthorized data access. The tool automates the identification of potential abuse techniques and offers remediation strategies. AuraInspector operates in a read-only mode, ensuring no modifications to Salesforce instances. Misconfigurations in Aura have been linked to significant data exposure risks.
2026-01-13 | Help Net Security: AuraInspector: Open-source tool to audit Salesforce Aura access control misconfigurations
Google's Mandiant has released AuraInspector, an open-source tool for auditing Salesforce Aura access control misconfigurations in Experience Cloud applications. It examines Aura endpoints to identify excessive data exposure risks, focusing on record list components and object permissions. The tool automates checks for potential misconfigurations, addressing challenges in auditing Salesforce's complex permission structures. AuraInspector is available for free on GitHub.
2026-01-14 | Cyber Security News: AuraAudit – Open-Source Tool for Salesforce Aura Framework Misconfiguration Analysis
Mandiant has released AuraInspector, an open-source tool for auditing access-control misconfigurations in Salesforce's Aura framework. It addresses critical security gaps in Salesforce Experience Cloud, where misconfigurations can expose sensitive data. AuraInspector automates detection of these issues, including self-registration endpoints and accessible records, using techniques like GraphQL to bypass record limits. Mandiant advises auditing permissions and following Salesforce security best practices. The tool is available on GitHub.
⚡ Weekly Recap: AI Automation Exploits, Telecom Espionage, Prompt Poaching & More
Date: 2026-01-12 | Source: The Hacker News
A maximum-severity vulnerability (CVE-2026-21858) in the n8n workflow automation platform allows unauthenticated remote code execution, risking full system compromise. The flaw affects versions prior to 1.121.0. The Kimwolf botnet has infected over 2 million Android devices by exploiting residential proxy networks. Chinese-speaking hackers are suspected of exploiting VMware flaws using a compromised SonicWall VPN. A phishing campaign using WeChat QR codes has surged, targeting users with job scams.
2026-01-12 | Cybersecurity Dive: Critical vulnerability found in n8n workflow automation platform
A critical vulnerability (CVE-2026-21858) in the n8n workflow automation platform could allow attackers to bypass automation, posing a severe risk with a score of 10. Researchers found over 105,000 vulnerable instances, now reduced to about 59,500. The flaw may expose sensitive credentials from services like Salesforce and AWS. Patches were released on Nov. 18, and users are advised to upgrade to version 1.121.0. No evidence of exploitation has been reported.
2026-01-13 | Cyber Security News: 100,000+ n8n Instances Exposed to Internet Vulnerable to RCE Attacks
A critical vulnerability (CVE-2026-21858) in the n8n workflow automation platform exposes over 100,000 instances to remote code execution (RCE) attacks, allowing unauthenticated attackers to execute arbitrary code and take over instances. The flaw, stemming from content-type confusion in webhook handling, affects versions 1.65.0 to 1.120.x. Organizations must upgrade to version 1.121.0 or later immediately and implement security measures like firewalls and monitoring to mitigate risks.
2026-01-13 | TechRadar: Thousands of n8n instances under threat from top security issue
Nearly 60,000 n8n instances are vulnerable to the Ni8mare CVE-2026-21858 flaw, allowing unauthenticated remote server takeover. This maximum-severity vulnerability affects versions 1.65.0 and below, with a fix available in version 1.121.0. Shadowserver reported 59,559 exposed instances as of January 11, 2026, primarily in the US, Europe, and Asia. The only defense is to upgrade, though admins can block attacks by restricting public endpoints. The flaw was discovered in November 2025.
Instagram Data Leak Exposes Sensitive Info of 17.5M Accounts [Updated]
Date: 2026-01-10 | Source: Cyber Security News
A security breach has exposed sensitive information from approximately 17.5 million Instagram accounts, including usernames, email addresses, phone numbers, and physical addresses. Discovered by Malwarebytes, the data is being traded on dark web marketplaces, increasing risks of identity theft and phishing. Users are advised to enable two-factor authentication, change passwords, and monitor for suspicious activities. Instagram and Meta have not yet commented on the breach or its origins.
2026-01-10 | Security Affairs: A massive breach exposed data of 17.5M Instagram users
A breach has exposed the personal data of approximately 17.5 million Instagram users, including usernames, physical addresses, phone numbers, and email addresses. Since January 10, 2026, a million users have received password reset emails, raising concerns of a cyberattack. The stolen data is being sold on cybercrime forums, with risks of stalking and identity theft. Users are advised to reset passwords via the app, enable two-factor authentication, and review third-party app permissions.
2026-01-11 | Cyber Security News: Instagram Confirms no System Breach and Fixed External Party Password Reset Issue
Instagram confirmed no system breach occurred despite recent password reset emails sent to users, which were triggered by an external party exploiting a now-fixed issue. The company reassured that user accounts remain secure and advised users to ignore the unsolicited emails. The incident coincided with reports of a dataset containing details of 17.5 million accounts being advertised on cybercrime forums, raising concerns about potential phishing attacks. Security experts recommend enabling two-factor authentication and using unique passwords.
2026-01-11 | Hack Read: Instagram’s “17 Million User Data Leak” Was Just Scraped Records from 2022
On January 9, 2026, Malwarebytes reported a data breach involving 17.5 million Instagram accounts, claiming hackers leaked usernames, emails, and phone numbers. However, Hackread.com confirmed the data was a repackaged scrape from 2022, originally leaked in June 2023. Instagram later clarified that no breach occurred, attributing unsolicited password reset emails to an external issue. Users are advised to remain vigilant against phishing attempts using the leaked data, despite its age.
2026-01-11 | TechCrunch: Instagram says there’s been ‘no breach’ despite password reset requests
Instagram has stated there has been no breach despite users receiving suspicious password reset requests. This follows a claim by Malwarebytes that 17.5 million accounts had their sensitive information stolen and is being sold on the dark web. Instagram clarified that it fixed an issue allowing an external party to request password resets and advised users to ignore the emails. No details about the external party or the specific issue were provided.
2026-01-11 | The Register: Meta admits to Instagram password reset mess, denies data leak
Meta fixed a flaw in Instagram that allowed third parties to generate password reset emails but denied any data breach occurred. Malwarebytes claimed 17.5 million accounts were compromised, but Instagram stated no personal information was stolen. Veeam patched four vulnerabilities, including a critical RCE flaw (CVE-2025-59470) that could be exploited by ransomware actors. Gulshan Management Services reported a data leak affecting 377,082 customers due to a phishing attack. Higham Lane School closed after a cyberattack disrupted operations.
2026-01-12 | TechRadar: Been asked to reset your Instagram password? Company denies data breach reports after users bombarded with request emails
Meta has denied reports of a data breach after Instagram users received unsolicited password reset emails. The company stated this was due to an error allowing third parties to trigger these emails, assuring that accounts remain secure. Malwarebytes reported that data from 17.5 million accounts may have been leaked, possibly from past API incidents in 2022 or 2024. Users are advised to verify information directly on Meta's sites and ignore suspicious emails to avoid phishing risks.
2026-01-12 | Help Net Security: There was no data breach, Instagram says
Malwarebytes reported a potential data breach affecting 17.5 million Instagram accounts, leading to numerous password reset requests. However, Meta denied any breach, stating an issue allowed external parties to request resets. A threat actor claimed to have leaked data from 2024 via a poorly secured API, containing public information like usernames and phone numbers, but no passwords. Users are advised to ignore unsolicited reset requests, enable two-factor authentication, and watch for phishing attempts.
2026-01-12 | Tomsguide: Instagram denies data breach of 17 million users after password reset email wave — here's what to do next
Instagram users received unexpected password reset emails affecting 17.5 million accounts, raising concerns of a data breach. Instagram clarified that no breach occurred, attributing the issue to an "external party" triggering the requests. Users are advised to avoid clicking links in these emails to prevent phishing attempts. Recommendations include changing passwords directly through the app and enabling two-factor authentication for enhanced security. The incident may relate to a previous API breach, but Instagram has not confirmed this connection.
2026-01-12 | BBC News: Instagram denies breach after many receive emails asking to reset password
Instagram has denied a data breach after users received password reset emails. The company stated it resolved an issue that allowed an external party to trigger legitimate reset requests, asserting user accounts remain secure. However, Malwarebytes claimed that cybercriminals stole sensitive information from 17.5 million accounts, linking the emails to a sale of private data on a hacker forum. Some researchers suggest the data may originate from publicly accessible information rather than a recent breach.
2026-01-12 | Security Affairs: Meta fixes Instagram password reset flaw, denies data breach
Meta addressed a vulnerability in Instagram's password reset process that allowed third parties to send reset emails. Despite user concerns about leaked data, Meta denied any breach. However, researchers found a database for sale containing sensitive information of nearly 18 million users, including physical addresses linked to Instagram IDs. Additionally, a dataset of over 17 million records, including emails and user data, was posted on a hacking forum, allegedly scraped via an Instagram API.
2026-01-12 | Malwarebytes Labs: Received an Instagram password reset email? Here’s what you need to know
Last week, many Instagram users received unsolicited password reset emails amid reports of a data dump containing information on 17 million users for sale on the Dark Web. The data includes usernames, full names, email addresses, and phone numbers, but no passwords. Instagram denied a connection between the two events, stating they fixed an issue allowing external password reset requests. Users are advised to enable 2FA, change passwords directly in the app, and monitor account activity for security.
BreachForums Hack: Hackers Expose All User Records from Popular Dark Web Forum
Date: 2026-01-10 | Source: Cyber Security News
On January 9, 2026, a hacker named “James” leaked the complete user database of BreachForums, exposing data for over 323,986 users, including hashed passwords, emails, and IP addresses. The breach, attributed to a web app vulnerability, highlights the risks even in Dark Web environments. The database reveals user origins from various countries, with the U.S. having the largest share. This incident raises concerns about doxxing and increased law enforcement scrutiny on cybercriminals.
2026-01-10 | Hack Read: Database of 323,986 BreachForums Users Leaked as Admin Disputes Scope
On January 9, 2026, a database of 323,986 users from BreachForums was leaked, revealing metadata, user display names, email addresses, Argon2i password hashes, and links to external accounts. The leak was attributed to an unsecured directory during a forum restoration in August 2025, not a server compromise. BreachForums claimed the incident was misrepresented. The leak could disrupt criminal networks and deter future recruitment, highlighting vulnerabilities even among cybercriminals.
2026-01-12 | Infosecurity Magazine: BreachForums Database Leak Turns the Tables on Threat Actors
A database leak from BreachForums has exposed the identities of cybercriminals using the dark web site. Released by shinyhunte[.]rs, the archive contains data of 323,986 users from a MySQL database, potentially due to a web application vulnerability. While some records are authentic, others may have been altered for operational security. The current BreachForums administrator dismissed claims about the leak and the identity of the leaker, asserting that the information is false.
2026-01-12 | The Register: Infamous BreachForums forum breached, spilling data on 325K users
BreachForums experienced a data breach in August 2025, exposing details of approximately 324,000 user accounts, including email addresses, usernames, and Argon2-hashed passwords. The data was posted online by a user named "James" and included records of individuals linked to cybercrime. The breach coincided with the shutdown of the previous BreachForums site. The current administrator acknowledged the incident, attributing it to improper handling during a restoration process. The leak poses risks for those named in the data.
2026-01-12 | TechRadar: Hacking hub BreachForums hit by data breach - 324,000 accounts exposed
BreachForums experienced a data breach exposing 323,988 user accounts, including usernames, registration dates, and IP addresses. The breach originated from an unsecured backup during a restoration process in August 2025. While most IPs were loopback addresses, over 70,000 were public, potentially identifying users. The ShinyHunters group denied involvement in the leak, which was confirmed by the forum's administrator, stating the data was downloaded only once from a temporary unsecured location.
2026-01-12 | CSO Online: Notorious BreachForums hacking site hit by ‘doomsday’ leak of 324,000 criminal users
BreachForums, a notorious hacking site, experienced a significant data breach with the exposure of a MySQL database containing 323,986 user records. This incident, revealed on January 9, involved data stolen in August, prior to the site's police takedown. The breach was made public when the database appeared on a domain unrelated to the extortion group Scattered Lapsus$ Hunters, which had threatened to release one billion records from Salesforce customers.
Europol Leads Global Crackdown on Black Axe Cybercrime Gang, 34 Arrested
Date: 2026-01-09 | Source: Infosecurity Magazine
Europol led a multinational operation resulting in the arrest of 34 members of the Black Axe cybercrime gang, with 28 arrests in Seville and others in Madrid, Málaga, and Barcelona. The operation froze €119,352 in bank accounts and seized €66,403 in cash. Black Axe is linked to various cybercrimes, including BEC attacks and phishing, causing nearly €6 million in damages in Spain. The group, originating from West Africa, recruits money mules for laundering activities.
Europol Leads Global Crackdown on Black Axe Cybercrime Gang, 34 Arrested
2026-01-10 | Cyber Security News: Europol-Backed Operation Leads to 34 Arrests in Black Axe Crime Network Bust
Europol, in collaboration with the Spanish National Police and Bavarian State Criminal Police, arrested 34 members of the Black Axe criminal organization across Spain, including 10 key Nigerian nationals. The operation disrupted fraud activities causing over €5.93 million in damages, freezing €119,352 in bank accounts and seizing €66,403 in cash. Black Axe engages in various crimes, including cyber-enabled fraud, and exploits vulnerable individuals for recruitment. The operation underscores the importance of international cooperation in combating organized crime.
2026-01-10 | The Hacker News: Europol Arrests 34 Black Axe Members in Spain Over €5.9M Fraud and Organized Crime
Europol announced the arrest of 34 members of the Black Axe criminal organization in Spain, linked to €5.93 million in fraud. The operation involved the Spanish National Police and Bavarian State Criminal Police. Arrests occurred in Seville, Madrid, Málaga, and Barcelona. Authorities froze €119,352 in bank accounts and seized €66,403 in cash. Black Axe, originating in Nigeria, is involved in various cyber-enabled crimes, including business email compromise and romance scams.
2026-01-11 | Hack Read: Europol Raids Disrupt Black Axe Cybercrime Ring in Spain
Europol, in collaboration with the Spanish National Police and Bavarian authorities, arrested 34 members of the Black Axe cybercrime ring across Spain, primarily in Seville. This group, known for online fraud including romance scams and phishing, targets vulnerable individuals as money mules. The operation revealed nearly €6 million in fraud losses in Spain, with authorities freezing over €119,352 in accounts and seizing €66,403 in cash. While significant, the arrests do not dismantle the entire organization, which operates globally.
2026-01-12 | Help Net Security: Cyber fraud network behind €5,93 million in losses dismantled in Spain
The Spanish National Police, in collaboration with the Bavarian State Criminal Police and Europol, dismantled the Black Axe cyber fraud network, leading to 34 arrests across Spain. This organization, originating from Nigeria, is linked to various criminal activities, including cyber-enabled fraud, resulting in losses exceeding €5.93 million. Authorities froze €119,352 in bank accounts and seized €66,403 in cash. Europol facilitated the operation by mapping the group's structure and supporting investigations.
2026-01-12 | TechRadar: Notorious Black Axe cybercrime gang disrupted in Europol raids
Spanish police arrested 34 suspected members of the Black Axe cybercrime gang during raids in Seville, Madrid, Malaga, and Barcelona. The group, linked to the Neo-Black Movement of Africa, is involved in cyber-fraud, drug trafficking, and other criminal activities, reportedly scamming billions of euros. The operation, supported by German law enforcement, seized nearly $140,000 from bank accounts and $77,000 in cash. Black Axe has around 30,000 members globally and recruits money mules in impoverished areas.
2026-01-12 | Security Affairs: Europol and Spanish Police arrest 34 in crackdown on Black Axe criminal network
Europol and Spanish Police arrested 34 members of the Black Axe criminal network in a joint operation on January 12, 2026, primarily in Seville, with additional arrests in Madrid, Málaga, and Barcelona. The group is linked to cyber fraud, causing over €5.93 million in losses. Authorities froze €119,352 in bank accounts and seized €66,403 in cash. Black Axe, originating in Nigeria, recruits vulnerable individuals as money mules and operates globally with an estimated 30,000 members.
2026-01-12 | Cyberscoop: Spanish police disrupt Black Axe, arrest alleged leaders in action spanning four cities
Spanish police arrested 34 alleged members of the Black Axe criminal organization across four cities, disrupting their operations linked to business email compromise and money laundering. The operation, supported by Europol, froze $139,000 in bank accounts and seized $77,000 in cash and vehicles. Black Axe, led by Nigerian nationals, is estimated to have generated over $6.9 million in fraud and is involved in various criminal activities, including drug trafficking and human trafficking. Four leaders remain in custody facing multiple charges.
FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing
Date: 2026-01-09 | Source: The Hacker News
The FBI issued a warning about North Korean hackers, specifically the Kimsuky group, using malicious QR codes in spear-phishing campaigns targeting U.S. entities. This tactic, termed "quishing," shifts victims from secure machines to less protected mobile devices, bypassing traditional defenses. Recent incidents include spoofed emails requesting sensitive information via QR codes. The FBI highlighted the risk of session token theft, enabling attackers to bypass multi-factor authentication and compromise cloud identities.
FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing
2026-01-09 | Infosecurity Magazine: FBI Warns of North Korean QR Phishing Campaigns
The FBI issued a warning about ongoing North Korean phishing campaigns using QR codes, targeting think tanks and government entities in 2025. Notable incidents include emails spoofing foreign advisors and embassy employees, leading victims to malicious QR codes. These attacks, termed "quishing," exploit mobile devices' vulnerabilities, enabling credential theft and bypassing MFA. The FBI advises organizations to implement multi-layered defenses against such threats, which are increasingly sophisticated and resilient.
2026-01-09 | Cyber Security News: FBI Warns of Kimsuky Actors Leverage Malicious QR Codes to Target U.S. Organizations
North Korean state-sponsored group Kimsuky is targeting U.S. organizations through spearphishing campaigns using malicious QR codes, referred to as "Quishing." The FBI warns that think tanks, NGOs, and government-linked entities are being lured by emails that invite scanning QR codes to access conferences or surveys. These codes redirect users to fake login portals for services like Microsoft 365, harvesting credentials and session tokens, leading to account takeovers and prolonged access to cloud resources.
2026-01-09 | The Register: QR codes a powerful new phishing weapon in hands of Pyongyang cyberspies
North Korean hackers, specifically the Kimsuky group, are using QR codes in phishing attacks, termed "quishing," to steal credentials. The FBI warns that these codes, embedded in spear phishing emails, redirect victims to fake Microsoft 365 or VPN login pages. This method targets think tanks and government organizations related to North Korea policy. The FBI advises against scanning unknown QR codes and emphasizes the need for security controls to inspect QR links before use.
2026-01-09 | Tomsguide: FBI issues urgent warning over 'quishing' scam — don't fall for this
The FBI warns that the North Korean hacking group Kimsuky is using "quishing" attacks, embedding malicious URLs in QR codes within emails to target US citizens. This scheme, active since May 2025, aims to trick victims into downloading malware or revealing sensitive information. The attacks primarily target individuals in think tanks and government. The FBI advises verifying QR code sources and avoiding unsolicited QR codes to mitigate risks associated with these phishing attempts.
2026-01-09 | TechRadar: North Korean hackers using malicious QR codes in spear phishing, FBI warns
North Korean hackers, identified as Kimsuky, are employing QR code phishing, or "quishing," to steal credentials from U.S. government institutions, think tanks, and academia. The FBI warns that these attacks bypass multi-factor authentication (MFA) by stealing session tokens through malicious QR codes scanned on unmanaged mobile devices. Recommendations for defense include employee training, QR reporting protocols, and mobile device management (MDM) to analyze QR-linked URLs.
2026-01-10 | Security Affairs: North Korea–linked APT Kimsuky behind quishing attacks, FBI warns
The FBI warns that North Korea-linked APT group Kimsuky is conducting quishing attacks targeting governments, think tanks, and academic institutions. These spear-phishing campaigns use malicious QR codes to redirect victims to credential-harvesting sites. Notable incidents occurred in May and June 2025, where attackers impersonated trusted figures to lure victims. Recommendations include staff training, securing mobile devices, and enforcing phishing-resistant MFA. Kimsuky has a history of cyberespionage, primarily targeting South Korea and other regions.
CISA sunsets 10 emergency directives thanks to evolution of exploited vulnerabilities catalog
Date: 2026-01-08 | Source: Recorded Future
CISA has retired ten emergency directives issued between 2019 and 2024, citing redundancy due to the Known Exploited Vulnerabilities (KEV) catalog. These directives, aimed at mitigating risks for federal agencies, included vulnerabilities such as Microsoft CVEs (CVE-2020-0601, CVE-2020-1350, CVE-2020-1472, CVE-2021-26855, CVE-2021-34527, CVE-2021-22893) and a VMware bug. The retirement reflects successful implementation and alignment with current risk postures. The directives are now marked as "closed" on CISA's website.
CISA sunsets 10 emergency directives thanks to evolution of exploited vulnerabilities catalog
2026-01-09 | The Hacker News: CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is retiring 10 emergency directives issued between 2019 and 2024, aimed at safeguarding Federal Civilian Executive Branch agencies. CISA confirmed that required actions have been implemented or enforced through Binding Operational Directive 22-01. CISA emphasizes its commitment to operational collaboration and advancing Secure by Design principles to enhance defenses against emerging threats and hostile nation-state actors.
2026-01-09 | Cyber Security News: CISA Retires Ten Emergency Directives Following Milestone Achievement
On January 8, 2026, CISA retired ten Emergency Directives issued between 2019 and 2024, marking a significant milestone in federal cybersecurity. The retired directives addressed vulnerabilities in Windows, Netlogon, VMware, SolarWinds, and Microsoft Exchange. CISA confirmed that necessary security measures were implemented or covered by existing regulations. This consolidation reflects CISA's commitment to enhancing federal cybersecurity while remaining prepared to issue new directives as threats evolve.
2026-01-09 | TechRadar: 10 emergency directives retired as CISA declares them redundant
CISA has retired ten Emergency Directives (EDs) issued between 2019 and 2024, stating they are no longer needed due to successful implementation or redundancy under Binding Operational Directive (BOD) 22-01. This directive mandates Federal Civilian Executive Branch agencies to address known exploited vulnerabilities (KEVs) within strict deadlines. The retired EDs include those addressing vulnerabilities in DNS, Windows, SolarWinds, Microsoft Exchange, and VMware, marking the largest simultaneous retirement of EDs.
2026-01-12 | Infosecurity Magazine: CISA Closes Ten Emergency Directives After Federal Cyber Reviews
The US Cybersecurity and Infrastructure Security Agency (CISA) has retired ten Emergency Directives issued from 2019 to 2024, concluding their objectives were met. This decision reflects a shift in cyber-risk management among federal agencies. The directives included those addressing DNS tampering, Windows vulnerabilities, SolarWinds, and Microsoft email system compromises. CISA now focuses on ongoing controls through Binding Operational Directive 22-01, which addresses known exploited vulnerabilities.