January 24, 2026

Hello all,

This week’s headliners have a threepeat from Cisco and Fortinet. For three weeks in a row, they’ve managed to top the list of actively exploited items needing fixes. Way to go? And there’s lots more from plenty of others. So, let’s get to it.

Headline NEWS:

• Cisco has issued fixes for an actively exploited zero-day vulnerability in their Unified Communications Manager products that can enable remote code execution (RCE). This affects at least six products in that family, along with Webex Calling. Cisco is urging customers to update to patched versions as soon as possible.
• Fortinet patched a FortiCloud auth bypass back in December 2025. Apparently, the patch was insufficient since threat actors have been exploiting Fortinet firewalls via this defect since at least January 15. The vendor advises customers to disable FortiCloud SSO and to restrict admin access to mitigate this defect. A forthcoming firmware update is coming that should plug this defect.
• Oracle Fusion Middleware has a critical defect in their Oracle HTTP Server and their WebLogic Server Proxy Plug-in that can enable a threat actor to compromise the server. The flaw enables complete bypass of security controls as long as the attacker can access the HTTP server. Admins are urged to apply patches immediately.
• TP-Link VIGI Surveillance Camera series has an authentication bypass defect that needs immediate attention. An attacker on the same network as the camera can reset the administrator password without any verification being required, giving an attacker full admin access. TP-Link urges immediate patching to fixed versions.
• Zoom and GitLab have released fixes for multiple vulnerabilities. Apparently Zoom makes a Multimedia Router, who knew? That defect is the most severe and should be prioritized since meeting participants could perform remote code execution attacks vis this flaw. Update the to latest patches to fix this vulnerability. GitLab has released patches to fix a Denial of Service and a two-factor authentication (2FA) bypass defect. If you use either of these vendor’s products, update soon.

In Ransomware, Malware, and Vulnerabilities News:

• Time to Exploit continues to go down. This week we have a link that shows that just two days after SmarterMail made their authorization bypass flaw public, exploitation began. Threat actors have excellent Open-Source Intelligence (OSINT) for collecting and prioritizing vulnerabilities, flaws, and defects that vendors uncover, or other threat actors share. The race to patch before the bad guys beat you to it is quite real. There’s an excellent article linked this week by VulnCheck that reports on the statistics about the State of Exploitation 2026. It is worth perusing.

In Other News Events of Note and Interest:

• Google is offering free SAT practice tests, which should bring a bit of joy to parents and students that are faced with the prospect of paying for tutoring. The practice engine is powered by Gemini, Google’s AI, and has been tuned and vetted by “education firms like The Princeton Review” to ensure that the practice tests are accurate and don’t hallucinate. One very useful feature is the “Explain answer” button, which will help students to learn the concepts being tested.

Musings

As you are likely aware, Microsoft 365 was down for most of North America, and some other parts of the world this past week for almost an entire day. For the impacted businesses and their support organizations, it was a very bad day indeed. This seems to be happening more and more often lately. I think I will start calling Redmond’s service Microsoft 364.5 and start taking off digits for the length of time that the service is unavailable for large swaths of their clients. If memory serves me correctly, I think that they probably would have ended up being known as Microsoft 360 last year.

Keep the shields up!

Viscount Jan Broucinek
Red Dot Security News

Headline NEWS

• Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex
• Cisco fixes Unified Communications RCE zero day exploited in attacks
• Fortinet admins report patched FortiGate firewalls getting hacked
• Fortinet confirms critical FortiCloud auth bypass not fully patched
• Critical Oracle WebLogic Server Proxy Vulnerability Lets Attackers Compromise the Server
• TP-Link Vulnerability Allows Authentication Bypass Via Password Recovery Feature
• Zoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Flaws 

Ransomware, Malware, and Vulnerabilities News

• Good News, Government News, and Interesting
• CISA confirms active exploitation of four enterprise software bugs
• INC ransomware opsec fail allowed data recovery for 12 US orgs
• Microsoft gave FBI a set of BitLocker encryption keys to unlock suspects’ laptops
• EU Launches GCVE to Track Vulnerabilities Without Relying on US
• Denmark Orders Public Officials to Turn Off Their Bluetooth Due to High Risk of Being Spied on by U.S. Intelligence
• CISA Releases BRICKSTORM Malware Report with New YARA Rules for VMware vSphere
• Jordanian pleads guilty to selling access to 50 corporate networks
• Microsoft disrupts cybercrime-as-a-service platform tied to $40M in fraud
• Ghana arrests Nigerians accused of running cyber-crime networks in Accra
• Broker who sold malware to the FBI set for sentencing
• North Korea-linked hackers pose as human rights activists, report says
• North Korea-Linked Hackers Target Developers via Malicious VS Code Projects
• Vulnerabilities and Exploits
• VulnCheck State of Exploitation 2026
• Cloudflare Zero-Day Vulnerability Enables Any Host Access Bypassing Protections
• Ancient telnet bug happily hands out root to attackers
• SmarterMail Auth Bypass Exploited in the Wild Two Days After Patch Release
• Google Chrome 144 Update Patches High-Severity V8 Vulnerability
• Chrome 144 fixes 3 high-risk security vulnerabilities. Update now!
• New Kerberos Relay Attack Uses DNS CNAME to Bypass Mitigations – PoC Released
• Go 1.25.6 and 1.24.12 Patch Critical Vulnerabilities Lead to DoS and Memory Exhaustion Risks
• Apache bRPC Vulnerability Enables Remote Command Injection
• Redmi Buds Vulnerability Allow Attackers Access Call Data and Trigger Firmware Crashes
• CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures
• ServiceNow BodySnatcher flaw highlights risks of rushed AI integrations
• Claude Cowork Exfiltrates Files
• Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution
• Microsoft & Anthropic MCP Servers At Risk of RCE, Cloud Takeovers
• Azure Private Endpoint Deployments Exposes Azure Resources to DoS Attack
• Output from vibe coding tools prone to critical security flaws, study finds
• Mandiant Releases Rainbow Tables Enabling NTLMv1 Admin Password Hacking
• Critical OpenSSH Vulnerability Exposes Moxa Ethernet Switches to Remote Code Execution
• Windows SMB Client Vulnerability Enables Attacker to Own Active Directory
• China-linked hackers exploited Sitecore zero-day for initial access
• Lucid’s Vulnerability Reporting Channel Left Inactive for Six Months
• Chainlit Vulnerabilities May Leak Sensitive Information
• CERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution
• Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026
• Hackers exploit 29 zero-days on second day of Pwn2Own Automotive
• GitLab warns of high-severity 2FA bypass, denial-of-service flaws
• Phishing, Malware, and similar
• How threat actors are using self-hosted GitHub Actions runners as backdoors
• Don’t click the LastPass ‘create backup’ link
• Gmail’s spam filter and automatic sorting are broken
• Okta SSO accounts targeted in vishing-based data theft attacks
• Phishing Campaign Zeroes in on LastPass Customers
• Pulsar RAT Using Memory-Only Execution & HVNC to Gain Invisible Remote Access
• New PixelCode Attack Smuggles Malware via Image Pixel Encoding
• New PDFSider Windows malware deployed on Fortune 100 firm’s network
• Threat Actors Weaponizing Visual Studio Code to Deploy a Multistage Malware
• Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading
• For the price of Netflix, crooks can rent AI crime ops
• VoidLink cloud malware shows clear signs of being AI-generated
• ACF plugin bug gives hackers admin on 50,000 WordPress sites
• FBI warns of North Korean QR code quishing attacks targeting users
• Attackers Abuse Discord to Deliver Clipboard Hijacker That Steals Wallet Addresses on Paste
• Mass Spam Attacks Leverage Zendesk Instances
• VoidLink Linux Malware Framework Built with AI Assistance Reaches 88,000 Lines of Code
• Python-based Malware SolyxImmortal Leverages Discord to Silently Harvest Sensitive Data
• New Android malware uses AI to click on hidden browser ads
• New Multi-Stage Windows Malware Disables Microsoft Defender Before Dropping Malicious Payloads
• Attackers are Using WSL2 as a Stealthy Hideout Inside Windows Systems
• New Magecart Attack Inject Malicious JavaScript to Skim Payment Data
• Phishing attacks abuse SharePoint, target energy orgs
• Konni hackers target blockchain engineers with AI-built malware
• Wiper malware targeted Poland energy grid, but failed to knock out electricity
• Proxyware Malware Disguised as Notepad++ Tool Leverages Windows Explorer Process to Hijack Systems
• Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access
• Breaches, Leaks, and Ransomware
• Ingram Micro says ransomware attack affected 42,000 people
• Ingram Micro admits ransomware raid exposed staff records
• Huge data breach reveals info on 750,000 investors
• AWS Ends SSE-C Encryption, and a Ransomware Vector
• Researchers Uncovered LockBit’s 5.0 Latest Affiliate Panel and Encryption Variants
• A Broadband Internet Provider Had a Data Breach Impacting Over 1 Million Customers
• Key Apple supplier suffers data breach that could expose confidential product files
• Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware
• Under Armour says it’s ‘aware’ of data breach claims after 72M customer records were posted online
• HIBP adds alleged Under Armour data breach impacting 72 million emails
• Minnesota Human services data breach impacts 300K
• ShinyHunters claim to be behind SSO-account data theft attacks
• Warwickshire school to reopen after cyberattack crippled IT
• 149 Million Usernames and Passwords Exposed by Unsecured Database
• New Osiris Ransomware Using Wide Range of Living off the Land and Dual-use Tools in Attacks 

Other News Events of Note and Interest

• Cool Tool: WinGet is Windows’ best-kept secret—here’s what it can do for you
• Cool Tool: WinToUSB 10.5
• TikTok forms US joint venture, names Adam Presser CEO
• ReactOS For “Open-Source Windows” Achieves Massive Networking Performance Boost
• What is headless Chrome, and why would anyone want a headless browser?
• WhatsApp Web to finally get voice and video call support for group chats
• Microsoft veteran explains the flawed yet cool old Windows trick to restart PCs much faster
• EU plans cybersecurity overhaul to block foreign high-risk suppliers
• Hacker who stole 120,000 bitcoins wants a second chance—and a security job
• Gmail is dropping this long-supported feature
• AI, LLM’s, and Skynet
• Our approach to advertising and expanding access to ChatGPT
• University of Manchester first university in the world to provide Microsoft 365 Copilot to all students and staff
• Google begins offering free SAT practice tests powered by Gemini
• Google says Gemini won’t have ads – yet, as ChatGPT prepares to add them
• New Study Shows GPT-5.2 Can Reliably Develop Zero-Day Exploits at Scale
• Apple is turning Siri into an AI bot that’s more like ChatGPT
• Introducing FastMCP 3.0
• Microsoft
• PowerShell architect retires after decades at the prompt
• Microsoft 365 outage drags on for nearly 10 hours
• Microsoft 365 and Outlook were down for many – here’s what went wrong
• Microsoft releases emergency OOB update to fix Outlook freezes
• Microsoft Entra ID to auto-enable passkey profiles and synced passkeys in March 2026
• Microsoft Intune changes to start biting unprepared admins
• Microsoft begins blocking work email access for unprepared Intune users
• Microsoft announces new security baseline for Office apps
• Microsoft Teams to add brand impersonation warnings to calls
• Winapp is Microsoft’s new command line utility for developers
• Microsoft issues security advisory for IT admins managing Windows Domain Controllers
• Microsoft confirms Windows 11 January 2026 Update issues, releases fix for at least two bugs
• Microsoft suspects some PCs might not boot after Windows 11 January 2026 Update
• Microsoft forced to issue emergency out of band updates for Windows 11 after latest security patches broke PC shutdowns and sign-ins
• Saving files is currently broken on Windows 11 and Windows 10
• Microsoft makes Outlook “completely unusable” as Windows 11 25H2/24H2 update breaks it
• Windows 11 Is Full of Hidden Tools. These Are the Weirdest Ones You’ve Never Used