Weekly Threat Landscape Digest – Week 4

1) Oracle Critical Patch Update – January 2026 (337 Vulnerabilities Patched)

Oracle has released its quarterly Critical Patch Update (CPU) for January 2026, addressing 337 new security vulnerabilities across 30+ Oracle product families including Oracle Database, Java SE, Fusion Middleware, MySQL, Communications, E-Business Suite, and Financial Services. Many of the vulnerabilities are remotely exploitable without authentication, increasing the risk of unauthorized access, data manipulation, and denial-of-service if patching is delayed.

Key Details

• Advisory: Oracle Critical Patch Update (CPU) – January 2026
• Total Fixes: 337 vulnerabilities patched
• Unique CVEs: 158
• Severity Breakdown:

  – Critical (CVSS 9.0–10.0): ~8%

  – High (CVSS 7.0–8.9): ~45.7%

  – Medium/Low: Remaining vulnerabilities

• Exploitation Risk: Many issues are remotely exploitable without authentication
• Affected Families: Database, Java SE, WebLogic, Oracle HTTP Server, MySQL, Communications, PeopleSoft, Primavera, Financial Services

Technical Summary

Oracle’s CPU includes security fixes across multiple product stacks where vulnerabilities could lead to remote code execution, server-side request forgery, unauthorized access, data exposure or manipulation, and denial-of-service. Several maximum severity CVSS 10.0 vulnerabilities were identified, especially impacting enterprise-facing middleware and application components.

Notable CVEs

• CVE-2026-21962 (CVSS 10.0)

  – Affected: Oracle HTTP Server and WebLogic Server Proxy Plug-in

  – Versions: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0

• CVE-2025-66516 (CVSS 10.0)

  – Affected: Commerce Guided Search, Communications Order and Service Management, Unified Assurance, PeopleSoft PeopleTools

• CVE-2025-49844 (CVSS 9.9)

  – Affected: Communications Operations Monitor (5.2)

• CVE-2021-43113 (CVSS 9.8)

  – Affected: Primavera Unifier (21.12.0–25.12.0)

• CVE-2025-6965 (CVSS 9.8)

  – Affected: MySQL Server (8.4.0–8.4.7, including Docker images), PeopleSoft PeopleTools (8.60–8.62)

• CVE-2024-52046 (CVSS 9.8)

  – Affected: Healthcare Health Sciences Information Manager (4.0.0)

• CVE-2026-21969 (CVSS 9.8)

  – Affected: Supply Chain Agile PLM for Process (6.2.4)

• CVE-2025-54874 (CVSS 9.8)

  – Affected: Supply Chain AutoVue Office (21.1.0 and related variants)

• CVE-2025-49796 (CVSS 9.1)

  – Affected: Multiple Oracle Financial Services modules and related Oracle HTTP Server components

• CVE-2026-21945 (SSRF)

  – Affected: Oracle Java SE and Oracle GraalVM (multiple supported versions)

  – Risk: Remotely exploitable without authentication

Impact

• Increased risk of remote exploitation against Oracle enterprise applications
• Potential remote code execution and SSRF-based internal access paths
• Unauthorized access to sensitive business systems and applications
• Data manipulation or service disruption (DoS)
• Higher risk for environments hosting exposed WebLogic, Oracle HTTP Server, Java SE, and PeopleSoft components

Recommendations

• Apply the January 2026 CPU patches promptly across all supported Oracle systems
• Prioritize patching for critical and high severity vulnerabilities first
• Focus on internet-facing middleware services and high business impact systems
• Restrict unnecessary exposure of Oracle services using firewall/WAF controls
• Monitor for scanning activity, abnormal middleware requests, and exploitation patterns
• Circulate advisory across subsidiaries and partners and share any findings internally

Reference

https://www.oracle.com/security-alerts/cpujan2026.html 

2) Security Updates – Atlassian (January 2026)

Atlassian has released January 2026 security updates addressing multiple critical and high-severity vulnerabilities affecting Bamboo, Bitbucket, Confluence, Crowd, Jira Software, and Jira Service Management for Data Center and Server deployments. Most issues originate from third-party dependencies and may lead to denial of service, XXE injection, SSRF, man-in-the-middle attacks, cross-site scripting, improper authorization, and remote code execution if systems are not updated.

Key Details

• Vendor: Atlassian
• Affected Products: Bamboo, Bitbucket, Confluence, Crowd, Jira Software, Jira Service Management
• Deployment Type: Data Center and Server
• Risk Types: DoS, XXE, SSRF, MITM, XSS, Improper Authorization, RCE
• Primary Root Cause: Vulnerable third-party dependencies

Technical Summary

The vulnerabilities addressed in this release are mainly introduced via bundled libraries and dependency components used by Atlassian products. Successful exploitation may allow attackers to disrupt services (DoS), read internal resources through XXE or SSRF, intercept traffic via MITM weaknesses, execute scripts through XSS, bypass authorization controls, or execute code remotely depending on the affected component and exposure level.

Vulnerability Details

Critical Severity

• CVE-2025-12383 – Race condition in jersey-client (Bamboo) – CVSS 9.4
• CVE-2025-66516 – XXE vulnerability in Confluence dependency – CVSS 10.0

High Severity

• CVE-2025-54988 – XXE in org.apache.tika:tika-core (Bamboo, Confluence, Crowd)
• CVE-2025-55163 – DoS in io.netty:netty-codec-http2 (Bamboo)
• CVE-2025-27152 – SSRF in axios (Bamboo)
• CVE-2025-52999 – DoS in jackson-core (Bitbucket)
• CVE-2024-38286 – DoS in Apache Tomcat (Bitbucket)
• CVE-2025-48989 – DoS in Apache Tomcat (Bitbucket)
• CVE-2025-55752 – Remote code execution in Apache Tomcat (Bitbucket)
• CVE-2025-41249 – Improper authorization in Spring Core (Bitbucket)
• CVE-2025-53689 – XXE in Apache Jackrabbit (Confluence)
• CVE-2025-49146 – MITM in PostgreSQL JDBC driver (Confluence)
• CVE-2026-21569 – XXE vulnerability (Crowd)
• CVE-2025-48976 – DoS in Commons FileUpload (Crowd)
• CVE-2025-64775 – DoS in Apache Struts (Crowd)
• CVE-2025-15284 – DoS in qs dependency (Jira, JSM)
• CVE-2025-52434 – DoS in tomcat-coyote (Jira, JSM)
• CVE-2024-21538 – DoS in cross-spawn (Jira, JSM)
• CVE-2021-3807 – DoS in ansi-regex (Jira, JSM)
• CVE-2025-9288 – Injection in sha.js (Jira, JSM)
• CVE-2025-9287 – Injection in cipher-base (Jira, JSM)
• CVE-2024-45801 – Cross-site scripting in dompurify (Jira, JSM)
• CVE-2022-25883 – DoS in semver (JSM)
• CVE-2024-45296 – DoS in path-to-regexp (JSM)
• CVE-2022-45693 – DoS in org.codehaus.jettison:jettison (JSM)

Fixed Versions

Bamboo Data Center and Server

• 12.0.2
• 10.2.13 to 10.2.14 (LTS)
• 9.6.21 to 9.6.22 (LTS)

Bitbucket Data Center and Server

• 10.1.1 to 10.1.4
• 9.4.15 to 9.4.16 (LTS)
• 8.19.26 to 8.19.27 (LTS)

Confluence Data Center and Server

• 10.2.2 (LTS)
• 9.2.13 (LTS)

Crowd Data Center and Server

• 7.1.3
• 6.3.4

Jira Data Center and Server

• 11.3.0 to 11.3.1 (LTS)
• 11.2.1
• 10.3.16 (LTS)
• 9.12.26 to 9.12.31 (LTS)

Jira Service Management Data Center and Server

• 11.3.0 to 11.3.1 (LTS)
• 11.2.1
• 10.3.16 (LTS)
• 5.12.29 to 5.12.31 (LTS)

Impact

• Denial-of-service leading to service disruption and degraded availability
• XXE exploitation potentially enabling data disclosure and internal file access
• SSRF enabling access to internal services and cloud metadata endpoints
• MITM attacks risking interception or manipulation of communications
• XSS enabling session hijacking or user redirection
• Authorization bypass or privilege misuse in impacted components
• Remote code execution risk in Tomcat-related issues if exposed

Recommendations

• Upgrade all affected Atlassian products to the fixed versions or latest available releases immediately
• Prioritize patching for internet-facing systems and externally accessible admin/application portals
• Restrict direct exposure of Data Center/Server portals using VPN, IP allowlisting, or reverse proxy controls
• Monitor application logs for unusual requests, scanning behavior, and exploitation attempts (XXE/SSRF patterns)
• Review dependency and plugin update procedures to ensure timely remediation of third-party issues
• Validate services after patching and ensure backup/rollback plan is available before applying updates

Reference

https://confluence.atlassian.com/security/security-bulletin-january-20-2026-1712324819.html 

3) Security Updates – NVIDIA (CUDA Toolkit and Merlin Transformers4Rec)

NVIDIA released security updates for high and medium severity vulnerabilities affecting CUDA Toolkit (Nsight components) and NVIDIA Merlin (Transformers4Rec). Exploitation may lead to code execution, privilege escalation, data tampering, denial of service, and information disclosure.

Key Details

• Products: NVIDIA CUDA Toolkit (Windows/Linux), NVIDIA Merlin Transformers4Rec (Linux)
• Severity: High / Medium
• Main Risks: Command Injection, Code Injection, Insecure DLL Search Path
• Fixed Versions:

  – CUDA Toolkit: 13.1 or later

  – Merlin Transformers4Rec: Branch including commit 27ddd49

Notable CVEs

• CVE-2025-33228 (CVSS 7.3) – Command injection in Nsight Systems (gfx_hotspot recipe)
• CVE-2025-33229 (CVSS 7.3) – Code execution via Nsight Monitor (Windows)
• CVE-2025-33230 (CVSS 7.3) – Command injection in Nsight Systems Linux .run installer
• CVE-2025-33231 (CVSS 6.7) – Insecure DLL search path in Nsight Systems (Windows)
• CVE-2025-33233 (CVSS 7.8) – Code injection in Merlin Transformers4Rec

Impact

• Arbitrary code execution and possible privilege escalation
• Service disruption (DoS) and data tampering risk
• Information disclosure depending on access level

Recommendations

• Upgrade CUDA Toolkit to 13.1+ on all systems
• Update Merlin Transformers4Rec to commit 27ddd49 branch
• Restrict access to developer tools and monitor for abnormal command execution

Reference

https://nvidia.custhelp.com/app/answers/detail/a_id/5755 

https://nvidia.custhelp.com/app/answers/detail/a_id/5761 

4) Critical Vulnerability in Advanced Custom Fields: Extended (WordPress Plugin) (CVE-2025-14533)

A critical unauthenticated privilege escalation vulnerability was identified in the Advanced Custom Fields: Extended plugin for WordPress. The flaw allows attackers to create administrator accounts under specific conditions, leading to full website compromise.

Key Details

• CVE: CVE-2025-14533
• Severity: Critical (CVSS v3.1: 9.8)
• Type: Unauthenticated Privilege Escalation (Admin Account Creation)
• Attack Requirement: No authentication required (role must be mapped to a custom field by admin)
• Affected Versions: All versions <= 0.9.2.1
• Fixed Version: 0.9.2.2 or later

Technical Summary

The vulnerability exists in the plugin’s insert_user form action due to improper role validation during user registration. If the role parameter is mapped to a custom field, an attacker can submit a crafted registration request and assign themselves the administrator role, resulting in unauthorized admin-level access.

Impact

• Full administrative access to WordPress site
• Ability to modify/delete content
• Install malicious plugins/themes
• Create persistent backdoors
• Full compromise of the WordPress installation

Recommendations

• Upgrade Advanced Custom Fields: Extended plugin to version 0.9.2.2 or later immediately
• Review user registration settings and remove any custom role mapping to public registration forms
• Audit WordPress admin users for unauthorized/newly created accounts
• Monitor for suspicious registration activity and new admin account creation events
• Ensure WAF rules and security plugins are enabled to block abnormal registration requests

Reference

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/acfextended/advanced-custom-fields-extended-0921-unauthenticated-privilege-escalation-viainsert-user-form-action \

5) RCE Vulnerability in Apache bRPC (CVE-2025-60021)

A remote command injection vulnerability was identified in Apache bRPC heap profiler built-in service (/pprof/heap). If the endpoint is exposed, an unauthenticated attacker can exploit improper input validation in the extra_options parameter to execute arbitrary commands on the host.

Key Details

• CVE: CVE-2025-60021
• Severity: Important
• Type: Remote Command Injection / RCE
• Attack Requirement: No authentication
• Attack Vector: /pprof/heap endpoint (extra_options parameter)
• Affected Versions: Apache bRPC 1.11.0 before 1.15.0
• Fixed Version: Apache bRPC 1.15.0 or later

Technical Summary

The /pprof/heap service accepts a user-controlled parameter (extra_options) and passes it directly as a command-line argument without sanitization. This allows attackers to inject malicious options and execute arbitrary OS commands remotely.

Impact

• Remote code execution on affected bRPC hosts
• Full system compromise depending on service privileges
• Potential data theft, service disruption, and persistence

Recommendations

• Upgrade Apache bRPC to version 1.15.0 or later immediately
• Restrict or disable access to profiling endpoints (/pprof/*) in production environments
• Block external exposure of the service using firewall/WAF controls and network segmentation
• Monitor for suspicious requests targeting /pprof/heap and unusual process execution

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-60021 

6) Critical Command Injection Vulnerability in Zoom Node Multimedia Routers (MMRs) (CVE-2026-22844)

Zoom disclosed a critical command injection vulnerability affecting Zoom Node Multimedia Routers (MMRs) used in hybrid and meeting connector deployments. A malicious meeting participant may execute arbitrary commands remotely over the network, which could lead to full system compromise.

Key Details

• CVE: CVE-2026-22844
• Severity: Critical (CVSS v3.1: 9.9)
• Type: Command Injection / RCE
• Affected Component: Zoom Node Multimedia Router (MMR)
• Attack Vector: Network
• Authentication Required: Low-privilege (meeting participant)
• User Interaction: None
• Affected Versions: MMR module versions earlier than 5.2.1716.0
• Fixed Version: 5.2.1716.0 or later

Affected Products

• Zoom Node Meetings Hybrid (ZMH) – MMR module < 5.2.1716.0
• Zoom Node Meeting Connector (MC) – MMR module < 5.2.1716.0

Impact

• Remote command execution on vulnerable MMR servers
• Full system compromise depending on service privileges
• Disruption of Zoom hybrid/connector meeting infrastructure
• Possible unauthorized access and persistence within the environment

Recommendations

• Upgrade Zoom Node MMR modules to version 5.2.1716.0 or later immediately
• Restrict access to Zoom Node infrastructure using network segmentation and allowlisting
• Monitor for abnormal activity originating from meeting participant traffic
• Validate MMR versions across all hybrid and connector deployments to ensure compliance

Reference

https://www.zoom.com/en/trust/security-bulletin/zsb-26001/ 

7) Security Updates – Google Chrome (CVE-2026-1220)

Google released a security update to fix a high-severity vulnerability in the Chrome browser affecting the V8 JavaScript engine. The issue is a race condition that could lead to unexpected behavior and potential security compromise when users visit malicious web content.

Key Details

• CVE: CVE-2026-1220
• Severity: High
• Component: V8 JavaScript Engine
• Type: Race Condition
• User Interaction: Required (user visits a malicious webpage)

Fixed Versions

• Windows/Mac: 144.0.7559.96 / 144.0.7559.97
• Linux: 144.0.7559.96
• Android: 144.0.7559.90
• iOS: 144.0.7559.95

Impact

• Possible browser compromise through crafted web content
• Potential unauthorized actions in the browser context
• Increased risk for high-privilege users (admins, SOC, finance)

Recommendations

• Update Google Chrome to the latest stable version on all endpoints immediately
• Prioritize patching for enterprise devices and high-risk users
• Ensure automatic browser updates are enabled across managed systems

Reference

https://chromereleases.googleblog.com/2026/01/stable-channel-update-fordesktop_20.html 

8) Actively Exploited RCE Vulnerability in Cisco Unified Communications Products (CVE-2026-20045)

Cisco issued an urgent advisory for CVE-2026-20045, an actively exploited remote code execution vulnerability impacting core Cisco Unified Communications platforms. Although the calculated CVSS is High, Cisco rated it as Critical due to the risk of unauthenticated attackers gaining root-level access, leading to full system compromise.

Key Details

• CVE: CVE-2026-20045
• Severity: Critical (Cisco SIR: Critical)
• Type: Remote Code Execution (RCE)
• Exploitation: Confirmed active exploitation in the wild
• Attack Requirement: No authentication
• Affected Component: Web-based management interface
• Root Cause: Improper validation/sanitization of user input in HTTP requests

Affected Products

• Cisco Unified Communications Manager (Unified CM / CallManager)
• Cisco Unified CM Session Management Edition (SME)
• Cisco Unified CM IM & Presence Service
• Cisco Unity Connection
• Cisco Webex Calling – Dedicated Instance

Impact

• Unauthenticated access to the underlying OS
• Privilege escalation to root
• Full device compromise and persistence
• Potential outcomes:

  – Service disruption (voice/messaging)

  – Unauthorized access to call data and credentials

  – Lateral movement into internal networks

  – Malware/ransomware deployment

Fixed Versions

Unified CM / IM&P / SME / Webex Calling Dedicated Instance

• 12.5: Migrate to a fixed release
• 14: 14SU5 or apply patches
• 15: 15SU4 (Mar 2026) or apply patches

Cisco Unity Connection

• 12.5: Migrate to a fixed release
• 14: 14SU5 or apply patches
• 15: 15SU4 (Mar 2026) or apply patches

Recommendations

• Apply Cisco security updates immediately (high priority)
• Prioritize externally reachable or exposed management interfaces
• Monitor for exploitation attempts and unusual admin/web interface activity
• Review device logs for suspicious HTTP requests, new processes, or privilege escalation behavior
• Restrict management interface access using allowlisting/VPN and network segmentation

Reference

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-savoice-rce-mORhqY4b 

9) Active Exploitation of Fortinet FortiGate via Unauthorized SSO Admin Access

Security researchers observed an active campaign targeting FortiGate devices using unauthorized FortiCloud SSO administrator logins. Attackers gain super_admin access, exfiltrate firewall configurations, create persistent admin accounts, and modify VPN access. This activity resembles prior Fortinet auth bypass campaigns (CVE-2025-59718 / CVE-2025-59719) and may not be fully mitigated by existing patches.

Key Details

• Target: Fortinet FortiGate Firewalls
• Technique: FortiCloud SSO admin login abuse (possible SAML/auth bypass)
• Exploitation: Active campaign observed since 15 Jan 2026
• Main Actions: Config exfiltration, persistence via new admins, VPN access changes
• Risk: Full perimeter compromise and long-term unauthorized access

Attack Flow (Observed)

1) SSO admin login (FortiCloud SSO, super_admin)

2) Download/exfiltrate full FortiGate configuration via GUI

3) Create new super_admin accounts for persistence

4) Grant VPN access to attacker-controlled accounts (follow-on access)

Indicators of Compromise (IOCs)

• Malicious accounts:

  – [email protected]

  – [email protected]

• Suspicious IPs:

  – 104.28.244.115

  – 104.28.212.114

  – 217.119.139.50

  – 37.1.209.19

• New admin accounts seen:

  – secadmin, itadmin, support, backup, remoteadmin, audit

Impact

• Firewall config theft (includes network mapping and credential material)
• Persistent administrative access through backdoor accounts
• VPN abuse and extended internal access
• Increased risk of lateral movement and full network compromise

Recommendations

• Monitor Fortinet advisories and apply patches/firmware updates immediately
• Hunt for IOC logins, config downloads, and admin account creation activity
• Reset all local + SSO-linked admin credentials if any IOC is found
• Audit and remove unauthorized admin/VPN-mapped accounts (system.admin)
• Restrict FortiGate management access to trusted internal IPs only
• Consider temporarily disabling FortiCloud SSO until full mitigation is confirmed

Reference

https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configurationchanges-fortinet-fortigate-devices-via-sso-accounts/ 

10) High-Severity Privilege Escalation Vulnerability in HPE Alletra and Nimble Storage OS (CVE-2026-23594)

A high-severity remote privilege elevation vulnerability was identified in HPE Alletra and HPE Nimble Storage Array OS. An authenticated low-privilege attacker could exploit the issue to gain elevated privileges and potentially achieve full administrative control of affected storage systems.

Key Details

• CVE: CVE-2026-23594
• Severity: High (CVSS v3.1: 8.8)
• Type: Remote Privilege Escalation
• Attack Requirement: Authenticated access (low-privilege user)
• Affected Products: HPE Alletra 6000/5000 and HPE Nimble Storage Arrays

Affected Versions

• HPE Alletra 6000: prior to 6.1.2.800, and 6.1.3 prior to 6.1.3.300
• HPE Alletra 5000: prior to 6.1.2.800, and 6.1.3 prior to 6.1.3.300
• HPE Nimble Hybrid Flash Arrays: prior to 6.1.2.800, and 6.1.3 prior to 6.1.3.300
• HPE Nimble All Flash Arrays: prior to 6.1.2.800, and 6.1.3 prior to 6.1.3.300

Fixed Versions

• Alletra OS 6.1.2.800
• Alletra OS 6.1.3.300

Impact

• Privilege escalation to administrative level
• Potential compromise of storage confidentiality, integrity, and availability
• Risk of unauthorized configuration changes and service disruption

Recommendations

• Upgrade to Alletra OS 6.1.2.800 or 6.1.3.300 immediately
• Restrict storage management access to trusted admin networks only
• Review user roles and remove unnecessary low-privilege access accounts
• Monitor storage admin activity for unusual privilege changes or configuration modifications

Reference

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04995en_us&docLocale=en_US 

11) Security Updates – ConnectWise PSA (CVE-2026-0695, CVE-2026-0696)

ConnectWise released PSA version 2026.1 to fix two vulnerabilities affecting earlier versions. The issues include a stored XSS flaw in Time Entry note handling and insecure session cookie settings that could expose sensitive session data. Successful exploitation may enable malicious script execution or increase the risk of session hijacking.

Key Details

• Product: ConnectWise PSA
• Fixed Version: 2026.1 or later (On-Premise)
• Affected Versions: All versions prior to 2026.1
• Main Risks: Stored XSS, Session Cookie Exposure

Vulnerabilities

• CVE-2026-0695 (CVSS 8.7 High)

  – Type: Stored Cross-Site Scripting (XSS)

  – Area: Time Entry note handling

  – Risk: Authenticated attacker injects script, executes when viewed by other users (web + desktop client)

• CVE-2026-0696 (CVSS 6.5 Medium)

  – Type: Sensitive Cookie Without HttpOnly

  – Risk: Session cookies accessible to client-side scripts, increasing session hijacking risk (especially with XSS)

Impact

• Malicious script execution in PSA web/desktop clients
• Unauthorized actions or data compromise via injected scripts
• Increased exposure of session data and hijacking risk

Recommendations

• Upgrade ConnectWise PSA to version 2026.1 or later immediately
• Review user activity for suspicious Time Entry notes and unusual account behavior
• Ensure secure cookie flags are enforced (HttpOnly, Secure) where applicable
• Apply least privilege and monitor admin/user actions in PSA

Reference

https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psasecurity-fix 

12) ChromeOS Security Update (LTS-138) (CVE-2026-0628)

Google released a Long-Term Support Channel (LTS-138) update for ChromeOS to fix multiple security vulnerabilities, including a high-severity issue in WebView tag policy enforcement (CVE-2026-0628). The flaw could allow a malicious or compromised web application to bypass administrative restrictions in managed ChromeOS environments.

Key Details

• High-Severity CVE: CVE-2026-0628
• Severity: High
• Type: Insufficient Policy Enforcement
• Component: ChromeOS WebView Tag
• Additional Fixes: 11 other vulnerabilities from 2025 CVEs
• Patched Version: LTS-138 (138.0.7204.301) Platform Version: 16295.86.0

Technical Summary

CVE-2026-0628 is caused by insufficient policy enforcement within the ChromeOS WebView tag. This may allow a malicious or compromised web app to bypass administrative controls and execute unauthorized content, impacting enterprise-managed ChromeOS devices.

Other CVEs Included

• CVE-2025-37797, CVE-2025-37890, CVE-2025-38177, CVE-2025-38000, CVE-2025-38001
• CVE-2025-38083, CVE-2025-38350, CVE-2025-38477, CVE-2025-38618, CVE-2025-38617, CVE-2025-38616

Impact

• Potential bypass of administrative restrictions in managed ChromeOS
• Unauthorized execution of content via WebView
• Increased security risk in enterprise ChromeOS deployments

Recommendations

• Upgrade all ChromeOS devices on the LTS channel to version 138.0.7204.301 immediately
• Ensure managed device policies are enforced and validated after patching
• Prioritize patching for enterprise and high-risk user endpoints

Reference

https://chromereleases.googleblog.com/2026/01/long-term-support-channel-updatefor_16.html?m=1 

13) Elevation of Privilege in Windows Admin Center Azure Extension (CVE-2026-20965)

Security researchers identified a high-severity vulnerability in the Azure AD Single Sign-On (SSO) implementation of Microsoft Windows Admin Center (Azure Extension). Due to improper verification of cryptographic signatures during token validation, a local administrator on a machine may bypass authentication/authorization controls and gain elevated access.

Key Details

• CVE: CVE-2026-20965
• Severity: High (CVSS v3.1: 7.5)
• Type: Elevation of Privilege
• CWE: CWE-347 (Improper Verification of Cryptographic Signature)
• Affected Component: Azure AD SSO authentication flow (Windows Admin Center Azure Extension)
• Attack Requirement: Local administrator access required
• Fixed Version: Windows Admin Center Azure Extension 0.70.00 or later

Impact

• Authentication/authorization bypass in Azure AD SSO flow
• Privilege escalation on impacted Windows Admin Center environments
• Increased risk of unauthorized administrative actions

Recommendations

• Upgrade Windows Admin Center Azure Extension to version 0.70.00 or later
• Enable automatic updates for Azure VM extensions where possible
• Restrict and monitor local administrator access on servers running Windows Admin Center
• Review WAC/Azure extension logs for suspicious authentication activity

Reference

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20965 

14) Multiple Vulnerabilities in Deno Runtime (CVE-2026-22863, CVE-2026-22864)

Two major vulnerabilities were identified in Deno runtime impacting its Node.js compatibility layer and Windows command execution controls. The issues may lead to cryptographic secret exposure and arbitrary code execution, affecting Deno’s secure-by-default design.

Key Details

• Product: Deno Runtime (JavaScript / TypeScript)
• Affected Versions: All versions prior to 2.6.0
• Fixed Version: Deno 2.6.0 or later

Vulnerabilities

• CVE-2026-22863 (CVSS 9.2 Critical)

  – Component: node:crypto compatibility layer

  – Issue: Improper cipher finalization

  – Impact: Cryptographic state leakage and possible exposure of server secrets

• CVE-2026-22864 (High)

  – Component: Deno.Command API (Windows)

  – Issue: Windows command execution safeguard bypass

  – Impact: Arbitrary code execution

Impact

• Exposure of sensitive cryptographic secrets in affected applications
• Arbitrary code execution on Windows systems running vulnerable Deno versions
• Increased risk for services using Deno Node.js compatibility features

Recommendations

• Upgrade Deno to version 2.6.0 or later immediately
• Prioritize patching for production servers and Windows environments
• Review applications using node:crypto compatibility layer and Deno.Command usage
• Monitor for abnormal command execution and suspicious process behavior

Reference

https://nvd.nist.gov/vuln/detail/CVE-2026-22863 

https://nvd.nist.gov/vuln/detail/CVE-2026-22864 

15) Reprompt Attack Enables Single-Click Data Theft from Microsoft Copilot

Security researchers disclosed a new AI security flaw called Reprompt that enables attackers to steal data from Microsoft Copilot using a single click on a trusted Microsoft Copilot link. The attack abuses Copilot’s prompt handling and does not require malware, credential theft, or browser exploitation, making it highly effective for phishing and social engineering scenarios.

Key Details

• Threat: Reprompt (Indirect Prompt Injection)
• Target: Microsoft Copilot
• Attack Method: Malicious Copilot URL using query parameters
• User Interaction: Single click only
• Main Risk: Silent data theft / unauthorized data access from Copilot context

Technical Summary

Attackers embed hidden instructions inside the q parameter of a legitimate Microsoft Copilot URL. When a user clicks the link, Copilot interprets the parameter as a real user prompt. The injected prompt is designed to bypass AI guardrails and trigger sensitive data requests. After the first click, Copilot may communicate with an attacker-controlled server, allowing additional commands and data extraction without further user interaction.

Impact

• Unauthorized access to sensitive Copilot session data
• Silent data exfiltration through AI-driven actions
• Increased phishing risk using trusted Microsoft URLs
• Potential compliance impact if sensitive records are exposed (e.g., ePHI/regulated data)

Recommendations

• Restrict Copilot access to sensitive enterprise data where not required
• Enforce strict access controls and least privilege for Copilot-connected resources
• Educate users on AI link-based phishing and indirect prompt injection risks
• Monitor AI-related activity, unusual data access patterns, and outbound connections
• Review Microsoft security updates and follow vendor guidance for Copilot hardening

Reference

https://www.paubox.com/blog/reprompt-attack-enables-single-click-data-theft-from-microsoft-copilot 

16) Gootloader Uses Malformed ZIP Archives to Evade Detection (Initial Access for Rhysida Ransomware)

A new analysis highlights how Gootloader delivers malware using deliberately malformed ZIP archives that bypass automated security scanning and sandbox tools. The archive often fails to open in many unarchiving tools, but still works on the default Windows unarchiver, allowing victims to extract and execute a malicious JScript file. This technique improves delivery success while reducing detection rates and supports initial access activity linked to ransomware campaigns such as Rhysida.

Key Details

• Malware: Gootloader
• Technique: Malformed ZIP delivery to evade detection and automated analysis
• Payload Type: Malicious JScript
• Threat Links: Ransomware ecosystem / Rhysida (via Vanilla Tempest collaboration)
• Notable Behavior: ZIP fails in many tools but opens normally in Windows Explorer

Technical Summary

The ZIP file is intentionally malformed and constructed using 500–1,000 concatenated ZIP archives with randomized values in non-critical fields. The End of Central Directory structure is truncated, which causes many parsers and tools to error out, preventing automated extraction and analysis. Windows’ built-in extraction still allows access, enabling execution of the embedded JScript. The JScript content is also designed to appear benign while hiding malicious logic, reducing detection in sandboxes and manual review.

Impact

• Malware execution through trusted Windows extraction behavior
• Increased success rate for initial access compromise
• Evasion of scanning tools and sandbox-based detection
• Potential follow-on ransomware deployment (e.g., Rhysida)

Detection / Hunting Ideas

• Detect malformed ZIP structure patterns (concatenated ZIPs, truncated EOCD)
• Hunt for execution chain:

  – Archive extraction → JScript execution → abnormal child processes

• Monitor for wscript.exe / cscript.exe spawning PowerShell, cmd, mshta, rundll32, or network connections

Recommendations

• Reassociate .js / .jse / .wsf execution to Notepad (prevent script execution by default)
• Block or restrict wscript.exe and cscript.exe where not required
• Monitor email/web downloads delivering ZIP files that fail in standard extractors
• Enable EDR detections for script-based execution and suspicious process trees
• Apply application allowlisting for scripting engines in high-risk environments

Reference

https://expel.com/blog/gootloaders-malformed-zip/ 

17) CodeBreach – AWS CodeBuild Misconfiguration Enabling Supply Chain Repository Takeover

A critical misconfiguration in AWS CodeBuild CI/CD integrations with GitHub could have allowed attackers to trigger privileged builds, steal GitHub credentials, and take over repositories. This created a major software supply chain risk, potentially impacting widely used components such as the AWS JavaScript SDK. AWS has remediated the issue and applied additional hardening, with no confirmed exploitation observed.

Key Details

• Name: CodeBreach
• Platform: AWS CodeBuild + GitHub CI/CD pipelines
• Type: Misconfiguration / Supply Chain Risk
• Impact: Repository takeover and malicious code injection
• Exploitation: No evidence reported after remediation (per vendor)

Technical Summary

The issue was caused by overly permissive webhook filter patterns and CI configurations. Missing regex anchors (^ and $) in actor ID filtering could allow attacker-controlled GitHub IDs to bypass intended restrictions and trigger builds. If a privileged build runs, attackers may extract GitHub tokens from the build environment and use them to push unauthorized code to the repository.

Attack Flow (High Level)

1) Bypass webhook filter using crafted actor IDs

2) Trigger privileged CodeBuild pipeline

3) Extract GitHub credentials/tokens from build environment

4) Push malicious commits or merge unauthorized changes

5) Downstream supply chain compromise via affected packages

Impact

• Full repository compromise using stolen CI credentials
• Malicious code injection into trusted libraries and SDKs
• Large-scale downstream supply chain exposure

Recommendations

• Anchor and validate webhook filters strictly (^…$)
• Use least-privilege GitHub tokens (fine-grained scopes / GitHub App tokens)
• Rotate credentials regularly and avoid long-lived secrets in CI
• Add approvals/gates for high-privilege build actions
• Monitor build triggers and alert on unusual pipeline execution
• Enforce branch protection and mandatory code review

Reference

https://www.indusface.com/blog/codebreach-aws-codebuild-supply-chain-risk/ 

18) Social Media Phishing Campaign Uses Open-Source Python Script and DLL Sideloading (Likely RAT Deployment)

ReliaQuest investigated a phishing campaign spreading through social media private messages (LinkedIn), delivering a malicious WinRAR self-extracting archive (SFX). The attack uses DLL sideloading with a legitimate PDF reader and a portable Python interpreter to execute an open-source shellcode runner, likely deploying a remote access trojan (RAT) for long-term access, lateral movement, and data theft.

Key Details

• Initial Access: Social media private messages (LinkedIn phishing)
• Delivery Method: WinRAR SFX archive
• Technique: DLL sideloading + portable Python execution
• Likely Outcome: RAT deployment with persistence and C2 activity
• Targeting: High-value corporate users (execs, IT/admin roles)

Attack Flow (Simplified)

1) Phishing link sent via social media DM

2) Victim runs WinRAR SFX → extracts legit PDF reader + malicious DLL + Python interpreter

3) PDF reader loads malicious DLL (DLL sideloading)

4) Persistence via registry Run key (Python code)

5) Python runs Base64 shellcode runner in-memory (exec()) → connects to C2 → likely RAT

Impact

• Stealthy compromise using trusted applications and open-source tools
• Persistent remote access and potential lateral movement
• Data exfiltration, privilege escalation, and long-term attacker control

Recommendations

• Provide social media phishing awareness training (treat DMs like email phishing)
• Restrict execution of downloaded files from social platforms on corporate devices
• Monitor for wscript/cscript, suspicious DLL loads, and unusual PDF reader child processes
• Limit/monitor portable Python interpreters and Base64 execution behavior
• Hunt for registry Run key persistence and suspicious outbound C2 traffic

Reference

https://reliaquest.com/blog/threat-spotlight-open-source-python-script-drives-social-media-phishing-campaign/ 

19) Threat Actors Abuse Visual Studio Code Repositories to Execute Malware (Contagious Interview Campaign)

Jamf Threat Labs reported an evolution of the “Contagious Interview” campaign (attributed to DPRK-linked actors), where attackers weaponize malicious GitHub/GitLab repositories to execute payloads through Visual Studio Code task configuration files (tasks.json). If a user opens and trusts the repository in VS Code, embedded commands can run automatically, leading to remote payload execution and backdoor deployment.

Key Details

• Campaign: Contagious Interview (DPRK-linked)
• Initial Vector: Malicious Git repositories shared as “technical assignment / interview”
• Technique: VS Code tasks.json abuse (execution on trust)
• Payload: Remote JavaScript executed via Node.js (macOS observed)
• Outcome: Backdoor implant with remote code execution + C2 beaconing

Attack Flow (Simplified)

1) Victim clones & opens malicious repo in VS Code

2) Victim clicks “Trust” repository author

3) VS Code processes tasks.json and executes embedded commands

4) Payload fetched remotely (curl) and piped into node (nohup bash -c …)

5) Backdoor beacons to C2 every ~5 seconds and executes attacker-supplied JavaScript

Notable IOCs

• Malicious repos:

  – https://github.com/CannonOps/backend/blob/dev/.vscode/tasks.json

  – https://github.com/CannonOps/frontend-website/blob/dev/.vscode/tasks.json

• Malicious hosting:

  – https://edgeauth.vercel.app/api/getMoralisData?token=Z4T9QH

  – https://moralmetrics.vercel.app/api/getMoralisData?token=Z4T9QH

• C2:

  – 87.236.177.9:3000

  – srv37746.hosted-by-eurohoster.org

• JavaScript payload SHA256:

  – 932a67816b10a34d05a2621836cdf7fbf0628bbfdf66ae605c5f23455de1e0bc

Impact

• Remote code execution via developer workflow abuse
• Persistent backdoor and frequent C2 communication
• Data theft, further payload delivery, and lateral movement potential
• High risk for developers and admin workstations

Recommendations

• Do not trust or open unknown repositories in VS Code without review
• Review .vscode/tasks.json, package.json scripts, and suspicious curl/node commands before execution
• Block or alert on “curl | node” and nohup background execution patterns
• Monitor outbound traffic to unusual Vercel URLs and suspicious IPs
• Enable EDR protections for developer endpoints and enforce least privilege

Reference

https://www.jamf.com/blog/threat-actors-expand-abuse-of-visual-studio-code/