![\"\"](\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVi5U23T5vEL_B7kuk04RaGFSI7zFo33wLIli8_c9AxYxC3vY7UHsazm7yFaXzX8nYGa5Ffgrv4zChIoNUV2zSRusLa2cCZHs95p_JFTJGUr11v3BWAdckcv-BzKEBi6rnO2KrdvyQnW-IiAetHbJ73B2SXsVlQH-LyVo_fWw1J-avBbsUteP6FjWf1C5x/s790-rw-e365/reacap.jpg\")
This week illustrated how small oversights can quickly escalate. Tools designed to streamline processes and minimize friction turned into vulnerable entry points when basic security measures were overlooked. Attackers didn’t need sophisticated techniques; they capitalized on exposed vulnerabilities and infiltrated systems effortlessly.
The impact of these vulnerabilities was magnified by scale. A single misconfiguration had far-reaching consequences, affecting millions of users. Exploitable flaws were repeatedly leveraged. Phishing attacks became prevalent in everyday apps, while malware disguised itself within routine system activities. Despite targeting different victims, attackers followed the same playbook: blend in, act swiftly, and spread before detection.
Defenders are under increasing pressure as vulnerabilities are exploited almost immediately after discovery. Misinformation and swift counterclaims surface before facts are confirmed. Criminal organizations adapt rapidly with each cycle. The incidents that follow highlight where defenses faltered and underscore the significance of addressing these failures proactively.
⚡ Threat of the Week
Maximum Severity Security Flaw Disclosed in n8n — A critical vulnerability in the n8n workflow automation platform exposes systems to unauthenticated remote code execution, potentially leading to complete system compromise. Known as Ni8mare and tracked as CVE‑2026‑21858, the flaw impacts locally deployed instances running versions prior to 1.121.0. The issue arises from how n8n handles incoming data, providing a direct pathway for external, unauthenticated requests to compromise the automation environment. The disclosure of CVE‑2026‑21858 follows several other high-impact vulnerabilities disclosed in recent weeks, including CVE‑2026‑21877, CVE‑2025‑68613, and CVE‑2025‑68668. The vulnerability manifests in Form-based workflows where file-handling functions are executed without validating that the request was processed as \”multipart/form-data.\” This loophole allows an attacker to craft a specially designed request using a non-file content type and mimic the internal structure expected for uploaded files. Due to the lack of verification in the parsing logic, an attacker can access arbitrary file paths on the n8n host and potentially escalate to code execution. Field Effect warned that the impact extends to any organization using n8n to automate workflows that interact with sensitive systems. They stated, \”The worst-case scenario involves full system compromise and unauthorized access to connected services.\” However, Horizon3.ai noted that successful exploitation requires specific pre-requisites that are unlikely to be found in most real-world deployments: a publicly accessible n8n form component workflow without authentication and a method to retrieve local files from the n8n server. As of January 11, 2026, approximately 59,500 internet-exposed hosts remain vulnerable to CVE-2026-21858. Of these, over 27,000 IP addresses are located in the U.S., with more than 21,200 in Europe.
🔔 Top News
- Kimwolf Botnet Infects 2M Android Devices — The Kimwolf botnet, an Android variant of the Aisuru malware, has grown to more than two million hosts, most of them infected by exploiting vulnerabilities in residential proxy networks to target devices on internal networks. Kimwolf\’s rapid growth is largely fueled by its abuse of residential proxy networks to reach vulnerable Android devices. Specifically, the malware takes advantage of proxy providers that permit access to local network addresses and ports, allowing direct interaction with devices running on the same internal network as the proxy client. Starting on November 12, 2025, Synthient observed elevated activity scanning for unauthenticated ADB services exposed through proxy endpoints, targeting ports 5555, 5858, 12108, and 3222. The Android Debug Bridge (ADB) is a development and debugging interface that allows installing and removing apps, running shell commands, transferring files, and debugging Android devices. When exposed over a network, ADB can allow unauthorized remote connections to modify or take control of Android devices. When reachable, botnet payloads were delivered via netcat or telnet, piping shell scripts directly into the exposed device for local execution.
- China-Linked Hackers Likely Developed Exploit for Trio of VMware Flaws in 2024 — Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed more than a year before a set of three flaws it relied on were made public. The attack is believed to have exploited three VMware vulnerabilities that were disclosed as zero-days by Broadcom in March 2025: CVE-2025-22224 (CVSS score: 9.3), CVE-2025-22225 (CVSS score: 8.2), and CVE-2025-22226 (CVSS score: 7.1). Successful exploitation of the issue could permit a malicious actor with admin privileges to leak memory from the Virtual Machine Executable (VMX) process or execute code as the VMX process. The attackers disabled VMware\’s own drivers, loaded unsigned kernel modules, and phoned home in ways designed to go unnoticed. The toolkit supported a wide range of ESXi versions, spanning over 150 builds, which would have allowed the attackers to hit a broad range of environments. Huntress, which observed the activity in December 2025, said there is no evidence to suggest that the toolkit was advertised or sold on dark web forums, adding that it was deployed in a targeted manner.
- China-Linked UAT-7290 Targets Telecoms with Linux Malware — A long-running cyber-espionage campaign targeting high-value telecommunications infrastructure in South Asia has been attributed to a sophisticated threat actor tracked as UAT-7290. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid. The campaign highlights the sustained focus on telecommunications networks in South Asia and underscores the strategic value of these environments to advanced threat actors.
- Two Malicious Chrome Extensions Caught Prompt Poaching — Two new malicious extensions on the Chrome Web Store, Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI, and AI Sidebar with DeepSeek, ChatGPT, Claude, and more, were found to exfiltrate OpenAI ChatGPT and DeepSeek conversations alongside browsing data to servers under the attackers\’ control. The technique of browser extensions to stealthily capture AI conversations has been codenamed Prompt Poaching. The extensions, which were collectively installed 900,000 times, have since been removed by Google.
- PHALT#BLYX Targets Hospitality Sector in Europe — A new multi-stage malware campaign targeting hospitality organizations in Europe using social engineering techniques such as fake CAPTCHA prompts and simulated Blue Screen of Death (BSoD) errors to trick users into manually executing malicious code under the guise of reservation-cancellation lures. Dubbed PHALT#BLYX, the campaign represents an evolution from earlier, less evasive techniques. Previous versions relied on HTML Application files and mshta.exe. The latest iteration, detected in late December 2025, instead abuses MSBuild.exe, a trusted Microsoft utility, to compile and execute a malicious project file. This living-off-the-land (LotL) approach enables the malware to bypass many endpoint security controls and deliver a heavily obfuscated variant of DCRat. The activity is assessed to be the work of Russian-speaking threat actors. The attacks leverage a social engineering tactic called ClickFix, where users are tricked into manually executing seemingly harmless commands that actually install malware. It operates by deceiving users into taking an action to \”fix\” a non-existent issue by either automatically or manually copying and pasting a malicious command into their terminal or Run dialog.
️🔥 Trending CVEs
Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week\’s most serious security flaws. Check them, fix what matters first, and stay protected.
This week\’s list includes — CVE-2026-21858, CVE-2026-21877, CVE-2025-68668 (n8n), CVE-2025-69258, CVE-2025-69259, CVE-2025-69260 (Trend Micro Apex Central), CVE-2026-20029 (Cisco Identity Services Engine), CVE-2025-66209, CVE-2025-66210, CVE-2025-66211, CVE-2025-66212, CVE-2025-66213, CVE-2025-64419, CVE-2025-64420, CVE-2025-64424, CVE-2025-59156, CVE-2025-59157, CVE-2025-59158 (Coolify), CVE-2025-59470 (Veeam Backup & Replication), CVE-2026-0625 (D-Link DSL gateway routers), CVE-2025-65606 (TOTOLINK EX200), CVE-2026-21440 (@adonisjs/bodyparser), CVE-2025-68428 (jsPDF), CVE-2025-69194 (GNU Wget2), CVE-2025-43530 (Apple macOS Tahoe), CVE-2025-54957 (Google Android), CVE-2025-14026 (Forcepoint One DLP Client), CVE-2025-66398 (Signal K Server), CVE-2026-21483 (listmonk), CVE-2025-34468 (libcoap), CVE-2026-0628 (Google Chrome), CVE-2025-67859 (Linux TLP), CVE-2025-9222, CVE-2025-13761, CVE-2025-13772 (GitLab CE/EE), CVE-2025-12543 (Undertow HTTP server core), CVE-2025-14598 (BeeS Examination Tool), CVE-2026-21876 (OWASP Core Rule Set), CVE-2026-22688 (Tencent WeKnora), CVE-2025-61686 (@react-router/node, @remix-run/node, and @remix-run/deno), and CVE-2025-54322 (Xspeeder SXZOS).
📰 Around the Cyber World
- India Denies it Plans to Demand Smartphone Source Code — India’s Press Information Bureau (PIB) has refuted a report from Reuters that said the Indian government has proposed rules requiring smartphone makers to share source code with the government and make several software changes as part of a raft of security measures to tackle online fraud and data breaches. Some of the key requirements mentioned in the report included preventing apps from accessing cameras, microphones or location services in the background when phones are inactive, periodically displaying warnings prompting users to review all app permissions, storing security audit logs, including app installations and login attempts, for 12 months, periodically scanning for malware and identify potentially harmful applications, making all pre-installed apps bundled with the phone operating system, except those essential for basic phone functions, deletable, notifying a government organization before releasing any major updates or security patches, detecting if a device has been rooted or jailbroken, and blocking
