Cisco Patches Catalyst SD WAN Zero Day Exploited by Highly Sophisticated Hackers
Cisco released emergency patches for a critical Catalyst SD WAN zero day vulnerability tracked as CVE-2026-20127 with a CVSS score of 10. The flaw can be remotely exploited to bypass authentication and gain administrative privileges on vulnerable devices. It affects the peering authentication mechanism of Catalyst SD WAN Controller and Catalyst SD WAN Manager, allowing unauthenticated remote attackers to send crafted requests.
Source: SecurityWeek

Microsoft Warns Developers of Fake Next.js Job Repositories Delivering In Memory Malware
A coordinated developer targeting campaign is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establishing persistent access. The activity aligns with broader job themed lures designed to blend into routine developer workflows and increase the likelihood of code execution.
Source: The Hacker News

New Dohdoor Malware Campaign Targets Education and Health Care
Cisco Talos identified an ongoing campaign delivering a previously undisclosed backdoor named Dohdoor. The malware uses DNS over HTTPS for command and control communications and can reflectively download and execute additional payloads. The campaign targeted organizations in the education and health care sectors in the United States through a multi stage attack chain.
Source: Cisco Talos

UnsolicitedBooker Targets Central Asian Telecoms with LuciDoor and MarsSnake Backdoors
The threat cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan. The campaign involves deployment of two backdoors named LuciDoor and MarsSnake. Researchers report the use of several unique tools of Chinese origin.
Source: The Hacker News

Malicious NuGet Package Targets Stripe
Researchers discovered a malicious NuGet package mimicking Stripe.net, a widely used package with more than 70 million downloads. The campaign follows earlier activity targeting cryptocurrency related developer ecosystems and highlights continued supply chain risks within package repositories.
Source: ReversingLabs

Telegram Channels Expose Rapid Weaponization of SmarterMail Flaws
Security researchers observed threat actors rapidly sharing proof-of-concept exploits and stolen administrator credentials related to CVE-2026-24423 and CVE-2026-23760 within underground Telegram channels and forums. The critical flaws enable remote code execution and authentication bypass on exposed SmarterMail servers, and weaponization occurred within days of public disclosure.
Source: BleepingComputer

AI in the Middle: Web-Based AI Services Used as C2 Proxies
Threat actors are increasingly leveraging legitimate AI service domains as command and control proxies, blending malicious traffic into normal enterprise activity. AI tools are also being used to generate phishing content, write scripts, analyze stolen data, and even develop full C2 frameworks, significantly reducing operational cost and time-to-scale for attackers.
Source: Check Point Research

Firebase Misconfiguration Exposed 300 Million AI App Messages
An exposed Firebase database leaked approximately 300 million messages belonging to more than 25 million users of the Chat & Ask AI application. As the app acts as a gateway to multiple major AI models, the configuration error had a broad privacy impact across its global user base.
Source: Hackread

CISA Warns of Critical Honeywell CCTV Authentication Bypass
CISA issued an alert regarding CVE-2026-1670, a critical vulnerability affecting multiple Honeywell CCTV products. The flaw allows unauthenticated attackers to change password recovery email addresses, enabling account takeover and unauthorized access to camera feeds. The vulnerability carries a CVSS score of 9.8.
Source: BleepingComputer

GrayCharlie Hijacks Law Firm Websites in Suspected Supply Chain Attack
The threat actor GrayCharlie compromised WordPress websites and injected malicious JavaScript that redirected visitors to NetSupport RAT payloads delivered through fake browser update pages. A cluster of compromised U.S. law firm websites suggests a potential supply chain compromise involving a shared IT provider.
Source: Recorded Future

UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day
Mandiant and Google Threat Intelligence Group identified active zero-day exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769 with a CVSS score of 10.0. The threat cluster UNC6201, assessed as PRC-linked, has exploited the flaw since at least mid-2024 to move laterally, maintain persistence, and deploy malware including SLAYSTYLE, BRICKSTORM, and a newly identified backdoor named GRIMBOLT.
Source: Google Cloud Blog

Spam Campaign Abuses Atlassian Jira Cloud to Target Government and Corporate Entities
Threat actors abused Atlassian Jira Cloud and its connected email system to conduct automated spam campaigns, bypassing traditional email security controls by leveraging the trusted domain reputation of Atlassian products. The campaign, active from late December 2025 through late January 2026, primarily targeted government and corporate entities and redirected victims to investment scams and online casino pages.
Source: Trend Micro

Vulnerabilities in Popular PDF Platforms Enabled Account Takeover and Data Exfiltration
Researchers uncovered more than a dozen vulnerabilities in PDF platforms developed by Foxit and Apryse that could have enabled account takeover, data exfiltration, and other attacks. The issues were responsibly disclosed, and both vendors have released patches addressing the reported flaws.
Source: SecurityWeek

Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware
Notepad++ released version 8.9.2 to address abuse of its software update mechanism by an advanced threat actor. The updated release introduces additional verification controls for signed installers downloaded from GitHub and signed XML responses from the update server, strengthening the integrity of the update process.
Source: The Hacker News

Flaws in Popular VSCode Extensions Expose Developers to Attacks
High and critical severity vulnerabilities affecting widely used Visual Studio Code extensions, collectively downloaded more than 128 million times, could be exploited to steal local files and execute remote code. Affected extensions include Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. Researchers report that prior disclosure attempts did not receive a response from maintainers.
Source: BleepingComputer

BeyondTrust Patches Critical RCE Vulnerability
BeyondTrust has released patches for a critical vulnerability in Remote Support (RS) and Privileged Remote Access (PRA) that could allow unauthenticated remote code execution. Tracked as CVE-2026-1731 (CVSS 9.9), the flaw can be exploited via specially crafted requests to execute OS commands as the site user. Successful exploitation requires no authentication or user interaction and may result in system compromise, unauthorized access, data exfiltration, and service disruption. The issue affects RS versions 25.3.1 and earlier and PRA versions 24.3.4 and earlier. Approximately 8,500 internet-exposed on-prem RS deployments are believed to be potentially affected.
Source: SecurityWeek

Fortinet Patches Critical SQL Injection Flaw Allowing Unauthenticated Code Execution
Fortinet has issued security updates addressing CVE-2026-21643 (CVSS 9.1), a critical SQL injection vulnerability in FortiClientEMS. The flaw allows unauthenticated attackers to execute arbitrary code or commands via specially crafted HTTP requests. Improper neutralization of special elements in SQL commands enables remote exploitation without authentication. Organizations using vulnerable FortiClientEMS versions are advised to apply patches immediately to prevent system compromise.
Source: The Hacker News

Warlock Ransomware Breaches SmarterTools via Unpatched SmarterMail Server
SmarterTools confirmed that the Warlock (Storm-2603) ransomware group breached its network by exploiting an unpatched SmarterMail instance. The compromised server had not been updated to the latest version and was reportedly set up outside standard patch management oversight. Although approximately 30 SmarterMail servers were deployed across the network, one unmaintained VM enabled initial access. SmarterTools stated that core business applications and customer account data were not affected.
Source: The Hacker News

Largest Multi-Agency Cyber Operation Targets APT UNC3886 in Singapore
Singapore authorities disclosed that Advanced Persistent Threat actor UNC3886 conducted a deliberate and targeted campaign against the country’s telecommunications sector. All four major telecom operators – M1, SIMBA Telecom, Singtel, and StarHub – were targeted. The campaign was identified in July 2025, with operational details withheld to preserve security. The coordinated response involved multiple agencies to contain and counter the threat posed to critical infrastructure.
Source: Cyber Security Agency of Singapore

New SSHStalker Linux Botnet Uses Legacy Exploits and IRC-Based Control
A newly identified Linux botnet dubbed SSHStalker relies on exploitation techniques dating back to 2009. The botnet uses IRC-based command and control, multiple Linux kernel exploits, cron-based persistence mechanisms, and watchdog relaunch models. It deploys scanners and additional malware across infected systems. While artifacts resemble Romanian-linked botnet campaigns such as Outlaw and Dota, researchers have not confirmed a direct link, suggesting a derivative or copycat operator may be responsible.
Source: SecurityWeek

UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a financially motivated threat actor active since at least 2019. This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH. The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim.
Source: Google Cloud

TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
Cybersecurity researchers have called attention to a massive campaign that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation. The activity, observed around December 25, 2025, and described as worm-driven, leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability. The campaign has been attributed to a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce). TeamPCP is known to be active since at least November 2025, with the first instance of Telegram activity dating back to July 30, 2025. The TeamPCP Telegram channel currently has over 700 members, where the group publishes stolen data from diverse victims across Canada, Serbia, South Korea, the U.A.E., and the U.S. Details of the threat actor were first documented by Beelzebub in December 2025 under the name Operation PCPcat.
Source: The Hacker News

Recent SolarWinds Flaws Potentially Exploited as Zero-Days
Attacks targeting internet-accessible SolarWinds Web Help Desk (WHD) instances for initial access may have exploited recently patched vulnerabilities as zero-days, Microsoft says. As part of a multi-stage intrusion in December 2025, hackers compromised the vulnerable WHD deployments to spawn PowerShell and download and execute additional payloads. However, Microsoft says it could not confirm whether the hackers exploited new or older SolarWinds vulnerabilities known to be exploited in the wild. The tech giant says the compromised product was vulnerable to CVE-2025-40551 and CVE-2025-40536, both patched in January 2026, but also to CVE-2025-26399, which was fixed in September 2025.
Source: SecurityWeek

Fortinet Admits FortiGate SSO Bug Still Exploitable despite December Patch
Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date. In a new advisory, Fortinet said it had identified a fresh attack path being used to abuse SAML-based SSO in FortiOS, even on systems that had already applied the vendor’s earlier fix. The disclosure follows reports earlier this week that FortiGate firewalls were quietly reconfigured via compromised SSO accounts, with attackers altering firewall settings, creating backdoor admin users, and exfiltrating configuration files.
Source: The Register

Germany Warns of Signal Account Hijacking Targeting Senior Figures
Germany’s domestic intelligence agency is warning of suspected state-sponsored threat actors targeting high-ranking individuals in phishing attacks via messaging apps like Signal. The attacks combine social engineering with legitimate features to steal data from politicians, military officers, diplomats, and investigative journalists in Germany and across Europe. The security advisory is based on intelligence collected by the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI). A defining characteristic of this attack campaign is that no malware is used, nor are technical vulnerabilities in the messaging services exploited, the two agencies said.
Source: BleepingComputer

Hunting OpenClaw Exposures: CVE-2026-25253 in Internet-Facing AI Agent Gateways
In reaction to the recent CVE-2026-25253, the research team analyzed how this vulnerability appears in real-world deployments and what could be identified at internet scale using Hunt[.]io. The analysis focused on internet-exposed browser automation frameworks affected by CVE-2026-25253, including OpenClaw and its forks Clawdbot and Moltbot, which expose web-based control interfaces that store API credentials for multiple AI services. When deployed without proper access controls, these interfaces are directly reachable from the public internet.
Source: Hunt.io

New Clickfix Variant ‘CrashFix’ Deploying Python Remote Access Trojan
In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign. This updated tactic deliberately crashes victims’ browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality. This variant represents a notable escalation in ClickFix tradecraft, combining user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques. The newly observed behavior has been designated CrashFix, reflecting a broader rise in browser-based social engineering combined with living-off-the-land binaries and Python-based payload delivery. Threat actors are increasingly abusing trusted user actions and native OS utilities to bypass traditional defences, making behaviour-based detection and user awareness critical.
Source: Microsoft Security Blog

Brew Hijack: Serving Malware Over Homebrew’s Core Tap
Most of the time, when software is installed, the download is assumed to be secure due to HTTPS and checksum verification. However, research revealed that within Homebrew’s core cask system, some packages are downloaded over plain HTTP without integrity verification. Twenty casks in the official tap were found vulnerable to trivial man-in-the-middle attacks, allowing attackers on the network path to replace legitimate payloads with malware.
Source: Koi.ai

React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic
Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly. GreyNoise telemetry shows that two IP addresses now account for 56% of observed exploitation attempts, down from more than a thousand unique sources. One source deploys cryptomining payloads, while the other opens reverse shells directly to the scanner IP, highlighting distinct post-exploitation behaviours.
Source: GreyNoise

Flickr Security Incident Tied to Third-Party Email System
Flickr has notified users of a security incident involving a third-party email service provider that exposed personal information. The company stated that a vulnerability in the provider’s system may have allowed unauthorized access to member data. Exposed information includes names, email addresses, usernames, account types, IP addresses, general location data, and Flickr activity details. Access to the affected system was shut down within hours of discovery.
Source: SecurityWeek

Critical Sandbox Escape Flaw Found In Popular vm2 NodeJS Library
A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system. The open-source vm2 library creates a secure context to allow users to execute untrusted JavaScript code that does not have access to the filesystem. vm2 has historically been seen in SaaS platforms that support user script execution, online code runners, chatbots, and open-source projects, being used in more than 200,000 projects on GitHub. The project was discontinued in 2023, though, due to repeated sandbox-escape vulnerabilities, and considered unsafe for running untrusted code.
Source: BleepingComputer

Fortinet Blocks Exploited FortiCloud SSO Zero Day Until Patch Is Ready
Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. The flaw allows attackers to abuse FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability.
Source: BleepingComputer

CISA Adds Five Known Exploited Vulnerabilities To Catalog
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The newly added flaws include vulnerabilities affecting the Linux kernel, Microsoft Office, GNU InetUtils, and SmarterTools SmarterMail, underscoring continued exploitation of long-known and recently disclosed weaknesses across widely deployed software.
Source: CISA

Investigation Into International “ATM Jackpotting” Scheme Results In Additional Indictments
A federal grand jury in the District of Nebraska returned an additional indictment charging 31 individuals for their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States, a crime commonly referred to as ATM jackpotting. Fifty-six others had already been charged. The case involves Venezuelan and Colombian nationals, including members of the Tren de Aragua group, and includes charges related to bank fraud, bank burglary, computer fraud, and damage to protected computers.
Source: U.S. Department of Justice

SoundCloud Data Breach Exposes Email Addresses Of Millions Of Users
In December 2025, SoundCloud disclosed unauthorized activity that allowed attackers to map publicly available profile information to email addresses for approximately 20% of its users. The exposed data included tens of millions of email addresses, usernames, and related profile metadata. Attackers later attempted extortion before publicly releasing the dataset the following month.
Source: BleepingComputer

Critical CERT-In Advisories – January 2026: SAP, Microsoft, and Atlassian Vulnerabilities
January 2026 was a wake-up month for enterprise security teams. In a single week, CERT-In released three high-severity advisories exposing critical flaws across SAP, Microsoft, and Atlassian, the very platforms that run finance systems, identity layers, developer pipelines, and collaboration tools inside most enterprises. These weren’t theoretical bugs. One Windows vulnerability was already being exploited in the wild. While others enabled remote code execution, privilege escalation, data theft, and full system takeover. If your organization runs SAP S/4HANA, Windows, Azure, Jira, Confluence, or Bitbucket, this wasn’t a patch cycle you could afford to ignore. This article breaks down what was affected, how attackers could abuse these flaws, and exactly what security teams must do to stay ahead before these vulnerabilities turn into breaches.
Source: Security Boulevard

Hackers Targeting Cisco Unified CM Zero-Day
Cisco on Wednesday announced patches for yet another zero-day vulnerability targeted by threat actors. The flaw, tracked as CVE-2026-20045 and classified as critical, affects several of Cisco’s unified communications products, including Cisco Unified Communications Manager (CM) and its Session Management Edition (SME), Unified CM IM & Presence Service, Unity Connection, and Webex Calling Dedicated Instance. According to Cisco, a remote, unauthenticated attacker can exploit CVE-2026-20045 to execute malicious commands on the underlying OS of the device.
Source: SecurityWeek

Fortinet Admits FortiGate SSO Bug Still Exploitable despite December Patch
Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date. In a new advisory, Fortinet said it had identified a fresh attack path being used to abuse SAML-based SSO in FortiOS, even on systems that had already applied the vendor’s earlier fix. The disclosure follows reports earlier this week that FortiGate firewalls were quietly reconfigured via compromised SSO accounts, with attackers altering firewall settings, creating backdoor admin users, and exfiltrating configuration files.
Source: The Register

Nova Ransomware Claims Breach of KPMG Netherlands
KPMG Netherlands has allegedly become the latest target of the Nova ransomware group, following claims that sensitive data was accessed and exfiltrated. The incident was reported by ransomware monitoring services on 23 January 2026, with attackers claiming the breach occurred on the same day. Nova has reportedly issued a ten-day deadline for contact and ransom negotiations, a tactic commonly used by ransomware groups to pressure large organisations. The group has established a reputation for targeting professional services firms and financial sector entities that manage high-value and confidential client information.
Source: Dig.watch

Access System Flaws Enabled Hackers to Unlock Doors at Major European Firms
Vulnerabilities discovered by researchers in Dormakaba physical access control systems could have allowed hackers to remotely open doors at major organizations. The security holes were discovered by experts at SEC Consult, a cybersecurity consulting firm under Atos-owned Eviden, in Dormakaba’s Exos central management software, a hardware access manager, and registration units that enable entry via a keypad, fingerprint reader, or chip card. Several types of vulnerabilities were identified, including hardcoded credentials and encryption keys, weak passwords, lack of authentication, insecure password generation, local privilege escalation, data exposure, path traversal, and command injection issues.
Source: SecurityWeek

Microsoft zakrpa aktivno iskorištavanu zero-day ranjivost u Officeu
Microsoft je objavio hitne izvanredne sigurnosne zakrpe za ispravljanje zero-day ranjivosti visoke ozbiljnosti u Microsoft Officeu koja se aktivno iskorištava u napadima. Ranjivost zaobilaženja sigurnosne značajke, praćena pod oznakom CVE-2026-21509, pogađa više verzija Officea, uključujući Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024 i Microsoft 365 Apps for Enterprise (cloud pretplatničku uslugu). Kako je navedeno u današnjem sigurnosnom upozorenju, zakrpe za Microsoft Office 2016 i 2019 još nisu dostupne te će biti objavljene čim to bude moguće.
Izvor: BleepingComputer

Gotovo 800.000 Telnet poslužitelja izloženo udaljenim napadima
Internet sigurnosna organizacija Shadowserver prati gotovo 800.000 IP adresa s Telnet otiscima uslijed aktivnih napada koji iskorištavaju kritičnu ranjivost zaobilaženja autentikacije u GNU InetUtils telnetd poslužitelju. Sigurnosni propust (CVE-2026-24061) pogađa GNU InetUtils verzije od 1.9.3 do 2.7, a zakrpan je u verziji 2.8 objavljenoj 20. siječnja. Ranjivost omogućuje udaljenim napadačima zaobilaženje autentikacije zloupotrebom načina na koji telnetd prosljeđuje korisnički kontrolirane varijable okruženja procesu prijave.
Izvor: BleepingComputer

Posebno upozorenje: zlonamjerni “supergrupni” SLSH cilja više od 100 organizacija putem interaktivnog phishinga
Trenutačno je aktivna masovna kampanja krađe identiteta koja cilja Okta Single Sign-On (SSO) i druge SSO platforme u više od 100 visokovrijednih organizacija. Silent Push identificirao je infrastrukturu koja odgovara SLSH-u, savezu skupina Scattered Spider, LAPSUS$ i ShinyHunters. Kampanja se oslanja na ručno vođene vishing napade i interaktivne phishing panele kako bi se zaobišle čak i snažno utvrđene MFA zaštite.
Izvor: Silent Push

Supply chain kompromitacija eScan antivirusa isporučila digitalno potpisani malware
Kritična supply chain kompromitacija koja pogađa eScan antivirus tvrtke MicroWorld Technologies identificirana je 20. siječnja 2026., nakon što su zlonamjerne nadogradnje distribuirane putem legitimne infrastrukture za ažuriranje proizvođača. Zlonamjerni paketi navodno su bili digitalno potpisani kompromitiranim eScan certifikatom, čime su zaobiđeni standardni mehanizmi povjerenja. Nakon instalacije, malware je uspostavio perzistenciju, omogućio udaljeni pristup i spriječio daljnja ažuriranja sustava.
Izvor: Infosecurity Magazine

Nova Fake CAPTCHA kampanja isporučuje Amatera Stealer
Blackpoint SOC identificirao je novu Fake CAPTCHA kampanju koja zloupotrebljava potpisanu Microsoft Application Virtualization (App-V) skriptu kao living-off-the-land binary (LOLBIN) za posredno izvršavanje koda putem legitimne Windows komponente. Napad pažljivo provjerava ponašanje korisnika i redoslijed izvršavanja, a u slučaju neispunjenih uvjeta proces se neprimjetno zaustavlja. Ovaj lanac isporuke pokazuje kako je sam tijek izvršavanja postao ključni dio suvremenog malware pristupa.
Izvor: Blackpoint Cyber

VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun
Check Point Research (CPR) believes a new era of AI-generated malware has begun. VoidLink stands as the first evidently documented case of this era, as a truly advanced malware framework authored almost entirely by artificial intelligence, likely under the direction of a single individual. Until now, solid evidence of AI-generated malware has primarily been linked to inexperienced threat actors, as in the case of FunkSec, or to malware that largely mirrored the functionality of existing open-source malware tools. VoidLink is the first evidence based case that shows how dangerous AI can become in the hands of more capable malware developers. Operational security (OPSEC) failures by the VoidLink developer exposed development artifacts. These materials provide clear evidence that the malware was produced predominantly through AI-driven development, reaching a first functional implant in under a week.
Source: Check Point Research

Dissecting and Exploiting CVE-2025-62507: Remote Code Execution in Redis
A recent stack buffer overflow vulnerability in Redis, assigned CVE-2025-62507, was fixed in version 8.3.2. The issue was published with a high severity rating and assigned a CVSS v3 score of 8.8. According to the official advisory, “a user can run the XACKDEL command with multiple IDs and trigger a stack buffer overflow, which may potentially lead to remote code execution”. Memory corruption vulnerabilities have become significantly harder to exploit due to the many security mitigations introduced over the years, but historically they easily led directly to remote code execution. Given that the vulnerability was rated as high severity but not classified as critical, the JFrog Security Research team decided to investigate the issue further and evaluate whether remote code execution is still easily achievable in 2026.
Source: JFrog

DNS OverDoS: Are Private Endpoints Too Private?
We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentional and inadvertent acts could result in limited access to Azure resources through the Azure Private Link mechanism. We uncovered this issue while investigating irregular behavior in Azure test environments. Our research indicates that over 5% of Azure storage accounts currently operate with configurations that are subject to this DoS issue. This issue has the potential to affect organizations in multiple ways. For example, denying service to storage accounts could cause Azure Functions within FunctionApps and subsequent updates to these apps to fail. In another scenario, the risk could lead to DoS to Key Vaults, resulting in a ripple effect on processes that depend on secrets within the vault.
Source: Palo Alto Networks Unit 42

Everest Ransomware Claims McDonalds India Breach Involving Customer Data
The notorious Everest ransomware group is claiming to have breached McDonald’s India, the Indian subsidiary of the American fast-food giant. The claim was published on the group’s official dark web leak site earlier today, January 20, 2026, stating that they exfiltrated a massive 861 GB of customer data and internal company documents. As reviewed by Hackread.com, the group also published internal screenshots to support the authenticity of its claims. A closer look at these screenshots reveals financial reports from 2023 to 2026, audit trails, cost tracking sheets, ERP migration files, pricing data, and other sensitive internal communications.
Source: Hackread

ChainLeak: Critical AI Framework Vulnerabilities Expose Data, Enable Cloud Takeover
Zafran Labs identified two critical vulnerabilities in Chainlit, a widely used open source AI framework. These vulnerabilities affect internet-facing AI systems that are actively deployed across multiple industries, including large enterprises. The flaws allow attackers to leak cloud environment API keys and steal sensitive files (CVE-2026-22218), as well as perform Server-Side Request Forgery (SSRF) against servers hosting AI applications (CVE-2026-22219). These vulnerabilities can be triggered with no user interaction. Zafran confirmed the vulnerabilities in real world, internet-facing applications operated by major enterprises.
Source: Zafran Labs