January 12th TJS Weekly Security Intelligence Briefing
Week of January 12th, 2026
Classification: TLP: Public
1. Executive Summary
The week of January 6-12, 2026 presented an elevated risk posture driven by actively exploited vulnerabilities affecting MongoDB, Chrome, VMware, React/Next.js, Veeam, and Gogs. The most urgent priorities are:
- MongoDB MongoBleed (CVE-2025-14847): Unauthenticated memory disclosure actively exploited since December 26, 2025, with ~87,000 vulnerable instances globally. CISA KEV deadline: January 19, 2026.
- React2Shell (CVE-2025-55182): CVSS 10.0 critical RCE in React Server Components/Next.js with widespread exploitation by Chinese APT groups and botnets. Approximately 90,300 vulnerable instances identified.
- Veeam Backup & Replication (CVE-2025-59470): CVSS 9.0 RCE affecting all version 13 builds. Given Veeam’s history as a ransomware target (Akira, Fog), immediate patching is critical.
- Gogs Zero-Day (CVE-2025-8110): Symlink path traversal RCE added to CISA KEV January 12, 2026. Over 700 confirmed compromised instances. No patch available; mitigations required.
Additional threats include VMware ESXi zero-days exploited by Chinese actors since February 2024, browser extension malware stealing AI conversations from 900,000+ users, and sophisticated phishing campaigns bypassing MFA. Microsoft Patch Tuesday occurs January 14, 2026.
Overall Risk Posture: ELEVATED
2. Critical Action Items
- MongoDB MongoBleed (CVE-2025-14847): Patch immediately to versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30. CISA KEV deadline: January 19, 2026. If patching is delayed, disable zlib compression by restricting the compressors mongod will negotiate:
  mongod --networkMessageCompressors snappy,zstd
- Sources: CISA KEV | BleepingComputer | Cybersecurity News
- React2Shell (CVE-2025-55182): Update React to ≥19.0.1/19.1.2/19.2.1 and Next.js to ≥15.3.2. CVSS 10.0 – Critical. Monitor for exploitation indicators.
- Sources: Wiz Research | Google Cloud Blog | Microsoft Security
- Veeam Backup & Replication (CVE-2025-59470): Update to version 13.0.1.1071. All version 13 builds prior are vulnerable.
- Sources: The Hacker News | BleepingComputer | SecurityWeek
- Gogs (CVE-2025-8110): No patch available. Disable open registration, restrict internet exposure, place behind VPN. CISA KEV deadline: February 2, 2026.
- Sources: CISA Alert | Wiz Research | SecurityWeek
- Chrome/Edge Browser Update (CVE-2026-0628): Update to version 143.0.7499.192 or later. Remove the malicious extensions with IDs fnmihdojmnkclgjpcoonokmkhjpjechg and inhcgfpbfdjbjogdfjbclgolkmhnooop.
- Source: CyberPress
- HPE OneView (CVE-2025-37164): CVSS 10.0 RCE. Apply patches for all versions prior to 11.00. CISA KEV deadline: January 28, 2026.
- Source: The Hacker News
3. Key Security Stories
Story 1: React2Shell (CVE-2025-55182) – Critical RCE Under Widespread Exploitation
A maximum-severity vulnerability (CVSS 10.0) in React Server Components dubbed “React2Shell” is under widespread active exploitation by multiple threat actors including Chinese APT groups and botnets.
Affected Components:
- React Server Components (react-server package)
- Next.js framework (tracked separately as CVE-2025-66478, now merged into CVE-2025-55182)
- Affected versions: React 19.0, 19.1.0, 19.1.1, 19.2.0
Exploitation Timeline:
- November 29, 2025: Responsible disclosure by Lachlan Davidson
- December 3, 2025: Public disclosure and patches released
- December 4, 2025: Public PoC exploit published
- December 5, 2025: Mass exploitation begins
- December 5-8, 2025: Surge in exploitation attempts (Trend Micro telemetry)
Threat Actors Observed (Google Threat Intelligence):
- UNC6600 (China-nexus): Deploying MINOCAT tunneler
- Earth Lamia / UNC5454 (China-nexus): AWS-reported activity
- Jackpot Panda (China-nexus): AWS-reported activity
- RondoDox botnet: Deploying cryptominers, Mirai variants
Attack Mechanism: The flaw is an insecure deserialization bug in the RSC "Flight" protocol, the wire format React uses to stream Server Component payloads between client and server. A single crafted HTTP request achieves unauthenticated RCE on a vulnerable server. Default Next.js applications created with create-next-app are vulnerable because the App Router uses Server Components out of the box.
Global Exposure: Shadowserver reports ~90,300 vulnerable instances (68,400 in US, 4,300 Germany, 2,800 France, 1,500 India).
Remediation:
```sh
# Update React to the patched release on your line (19.0.1, 19.1.2 or 19.2.1);
# RSC bindings such as react-server-dom-webpack share React's version and move with it
npm install react@19.2.1 react-dom@19.2.1
# Update Next.js
npm install next@15.3.2
# Check what actually resolved in the lockfile
npm ls react react-dom next
```
Patched Versions: React 19.0.1, 19.1.2, 19.2.1; Next.js 15.3.2+
Sources:
- Wiz Research
- Google Cloud Blog
- Microsoft Security Blog
- Darktrace Blog
- Trend Micro Research
- Rapid7 Blog
- Datadog Security Labs
Story 2: MongoDB MongoBleed Under Active Exploitation
A critical memory disclosure vulnerability (CVE-2025-14847, CVSS 8.7) in MongoDB Server is being actively exploited. The flaw allows unauthenticated attackers to extract sensitive heap memory including credentials, API keys, and PII.
Affected Versions: MongoDB 3.6 through 8.2.2 with zlib compression enabled (default)
Exploitation Status: Active exploitation confirmed since December 26, 2025 (PoC release). Added to CISA KEV December 29, 2025. Deadline: January 19, 2026.
Global Exposure: ~87,000 vulnerable instances (US: 20,000, China: 17,000, Germany: 8,000 – per Censys)
Attack Mechanism: Attackers send specially crafted zlib-compressed messages whose declared decompressed length does not match the payload. MongoDB allocates a buffer for the declared size and returns the part it never filled: uninitialized "dirty" heap memory containing remnants of previous operations, which is why credentials and document contents from other clients leak.
Patched Versions: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30
Mitigation if unable to patch:
```sh
# Disable zlib by listing only the other compressors
mongod --networkMessageCompressors snappy,zstd
```
Or in mongod.conf:
```yaml
net:
  compression:
    compressors: snappy,zstd
```
Story 3: Chinese-Linked Actors Exploited VMware ESXi Zero-Days for Nearly One Year
Security researchers at Huntress disclosed that Chinese-linked threat actors had been exploiting VMware ESXi zero-day vulnerabilities since February 2024, about a year before Broadcom's March 2025 disclosure and patches.
Vulnerabilities:
- CVE-2025-22224 (CVSS 9.3): TOCTOU race condition enabling VM escape
- CVE-2025-22225 (CVSS 8.2): Arbitrary write enabling VM escape
- CVE-2025-22226 (CVSS 7.1): Information disclosure
Attack Chain:
- Initial access via compromised SonicWall VPN credentials
- Domain Admin compromise
- Deployment of ESXi exploit toolkit (MAESTRO orchestrator)
- VM escape using zero-day chain
- VSOCKpuppet backdoor installation (VSOCK port 10000)
Toolkit Components:
- MAESTRO: Orchestration framework
- MyDriver.sys: Unsigned kernel driver
- VSOCKpuppet: 64-bit ELF backdoor (VSOCK port 10000)
- GetShell: Guest VM command execution plugin
Attribution: Simplified Chinese strings including “全版本逃逸–交付” (“All version escape – delivery”) and PDB paths dated February 2024.
Global Exposure: ~30,000 internet-exposed ESXi instances as of January 8, 2026.
Story 4: Veeam Backup & Replication Critical RCE (CVE-2025-59470)
Veeam released security updates on January 6, 2026 for four vulnerabilities, including a CVSS 9.0 RCE that allows privileged operators to execute code as the postgres user.
Vulnerabilities Patched:
- CVE-2025-59470 (CVSS 9.0): RCE via malicious interval/order parameter
- CVE-2025-55125 (CVSS 7.2): RCE as root via malicious backup config
- CVE-2025-59469 (CVSS 7.2): Arbitrary file write as root
- CVE-2025-59468 (CVSS 6.7): RCE via malicious password parameter
Affected Versions: All Veeam Backup & Replication 13.0.1.180 and earlier version 13 builds.
Impact: The postgres user has full administrative control over all databases, tables, and metadata. Compromise enables manipulation of backup metadata, job configurations, and credential theft.
Why This Matters: Veeam vulnerabilities are frequent ransomware targets. Previous VBR flaws (CVE-2024-40711) were exploited by Frag, Akira, and Fog ransomware.
Remediation: Update to version 13.0.1.1071.
Story 5: Gogs Zero-Day (CVE-2025-8110) Added to CISA KEV
On January 12, 2026, CISA added CVE-2025-8110 to the KEV catalog. This unpatched zero-day in Gogs self-hosted Git service has compromised over 700 instances.
Vulnerability: Symlink bypass of CVE-2024-55947 (path traversal in PutContents API). Allows authenticated users to overwrite arbitrary files and achieve RCE.
CVSS: 8.7 (High)
Affected Versions: Gogs ≤ 0.13.3
Exploitation Status: Active exploitation since July 2025. Over 1,400 exposed instances identified; 700+ showing signs of compromise (8-character random repository names created around July 10, 2025).
Attack Mechanism:
- Attacker creates a git repository
- Commits a symbolic link pointing at a sensitive target (e.g., .git/config)
- Uses the PutContents API to write through the symlink
- The server follows the link and overwrites the target file outside the repository
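The write-through-a-symlink pattern above is generic, so here is an added illustration (not Gogs code and not a Gogs fix) of the vulnerable shape beside a hardened one: the naive writer trusts the path and lets open() follow the link, while the hardened writer resolves the path, refuses anything that escapes the repository root or passes through a symlink, and opens with O_NOFOLLOW so the check cannot be raced. The temporary repository layout, file names and helper names are constructed for the example.

```python
"""Added illustration (not Gogs code): a file-write routine that follows
symlinks, beside a hardened version that refuses them. Paths, names and the
sample repository layout are constructed for this example."""
import os
import tempfile


def vulnerable_put_contents(repo_root: str, rel_path: str, data: bytes) -> str:
    """Naive write: trusts rel_path, and open() follows any symlink in the way."""
    target = os.path.join(repo_root, rel_path)
    with open(target, "wb") as fh:          # follows symlinks by default
        fh.write(data)
    return os.path.realpath(target)          # where the bytes actually landed


def hardened_put_contents(repo_root: str, rel_path: str, data: bytes) -> str:
    """Refuse writes that resolve outside repo_root, refuse any symlink on the
    path (final component included), and open with O_NOFOLLOW (POSIX)."""
    root = os.path.realpath(repo_root)
    target = os.path.join(root, rel_path)
    # 1. After full resolution the path must still sit inside the repository.
    if os.path.commonpath([root, os.path.realpath(target)]) != root:
        raise PermissionError(f"{rel_path!r} escapes the repository root")
    # 2. No component may be a symlink, even one that resolves inside the repo
    #    (e.g. a link to .git/config).
    partial = root
    for part in rel_path.split(os.sep):
        partial = os.path.join(partial, part)
        if os.path.islink(partial):
            raise PermissionError(f"{rel_path!r} traverses a symlink at {partial!r}")
    # 3. O_NOFOLLOW closes the window between the checks above and the open.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return os.path.realpath(target)


def demo() -> dict:
    """Constructed layout: a 'repo' holding a symlink named 'evil' that points
    at a file outside the repo. Run both writers against it."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "outside.txt")
    with open(outside, "wb") as fh:
        fh.write(b"original")
    repo = os.path.join(base, "repo")
    os.mkdir(repo)
    os.symlink(outside, os.path.join(repo, "evil"))

    landed = vulnerable_put_contents(repo, "evil", b"pwned")
    with open(outside, "rb") as fh:
        outside_after_vuln = fh.read()

    try:
        hardened_put_contents(repo, "evil", b"pwned")
        hardened_blocked = False
    except PermissionError:
        hardened_blocked = True

    # The hardened writer still accepts an honest in-repo path.
    hardened_put_contents(repo, "README.md", b"hello")
    with open(os.path.join(repo, "README.md"), "rb") as fh:
        honest = fh.read()

    return {
        "vuln_wrote_to": landed,
        "outside_path": os.path.realpath(outside),
        "outside_file_after_vuln": outside_after_vuln,
        "hardened_blocked": hardened_blocked,
        "honest_write": honest,
    }


if __name__ == "__main__":
    print(demo())
```

The realpath check alone is not enough: a link that points at `.git/config` resolves inside the root and passes it, which is why the per-component symlink check and O_NOFOLLOW are both there. Hooks and config under `.git` are the usual route from arbitrary file write to code execution in a Git server, so that case is the one to test against.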
Remediation (No Patch Available):
- Disable open registration immediately
- Place Gogs instances behind VPN
- Restrict internet exposure using allowlists
- Monitor for repositories with random 8-character names
- Audit PutContents API usage
CISA KEV Deadline: February 2, 2026
4. Additional Critical Vulnerabilities
n8n Workflow Automation (Multiple Critical CVEs)
Multiple critical vulnerabilities in n8n, a popular workflow automation platform with 100+ million Docker pulls:
| CVE | CVSS | Description |
|---|---|---|
| CVE-2026-21858 | 10.0 | “Ni8mare” – Unauthenticated RCE via Content-Type confusion |
| CVE-2026-21877 | 10.0 | Authenticated RCE affecting self-hosted and cloud |
| CVE-2025-68668 | 9.9 | “N8scape” – Python Code Node sandbox bypass |
| CVE-2025-68613 | 9.9 | Arbitrary code execution |
Remediation: Update n8n to 1.121.3 or later (fixes CVE-2026-21877) or 2.0.0 or later (fixes CVE-2025-68668); confirm the fixed releases for the remaining two CVEs against the n8n advisories before closing them out.
D-Link DSL Router RCE (CVE-2026-0625)
Active exploitation of legacy D-Link DSL gateway routers via command injection in dnscfg.cgi endpoint.
CVSS: 9.3
Status: Actively exploited since November 27, 2025 (Shadowserver)
Affected Models: DSL-2740R, DSL-2640B, DSL-2780B, DSL-526B (all end of life)
Remediation: Replace with actively supported devices. No patches are available.
Source: The Hacker News
AdonisJS Bodyparser Path Traversal (CVE-2026-21440)
Critical path traversal in @adonisjs/bodyparser npm package allowing arbitrary file writes.
CVSS: 9.2
Remediation: Update to the latest @adonisjs/bodyparser release.
Source: The Hacker News
5. CISA KEV & Critical CVE Table
| CVE | Product | CVSS | Status | Deadline | Description |
|---|---|---|---|---|---|
| CVE-2025-55182 | React Server Components | 10.0 | Actively Exploited | N/A | React2Shell unauthenticated RCE |
| CVE-2025-37164 | HPE OneView | 10.0 | Actively Exploited | Jan 28, 2026 | Unauthenticated RCE |
| CVE-2026-21858 | n8n | 10.0 | Patched | N/A | Ni8mare unauthenticated RCE |
| CVE-2026-21877 | n8n | 10.0 | Patched | N/A | Authenticated RCE |
| CVE-2025-59470 | Veeam Backup | 9.0 | Patched | N/A | RCE as postgres user |
| CVE-2025-22224 | VMware ESXi | 9.3 | Actively Exploited | Patch Available | VM escape TOCTOU |
| CVE-2025-14847 | MongoDB Server | 8.7 | Actively Exploited | Jan 19, 2026 | MongoBleed memory disclosure |
| CVE-2009-0556 | MS PowerPoint | 8.8 | Actively Exploited | Jan 28, 2026 | Code injection |
| CVE-2025-8110 | Gogs | 8.7 | Actively Exploited | Feb 2, 2026 | Symlink path traversal RCE |
| CVE-2025-4619 | Palo Alto PAN-OS | 8.7 | Patched | N/A | DoS via dataplane packet |
| CVE-2026-0628 | Chrome WebView | High | Patched Jan 6 | N/A | Script injection |
| CVE-2025-22225 | VMware ESXi | 8.2 | Actively Exploited | Patch Available | VM escape arbitrary write |
| CVE-2026-0625 | D-Link DSL Routers | 9.3 | Actively Exploited | N/A (EoL) | RCE via dnscfg.cgi |
2025 KEV Statistics: CISA added 245 vulnerabilities in 2025 (30% increase). Catalog total: 1,486. Microsoft products led with 39 additions.
6. Phishing & Social Engineering Alerts
FBI FLASH: North Korean Kimsuky QR Code Phishing
Alert ID: AC-000001-MW (January 8, 2026)
The FBI warns of North Korean state-sponsored Kimsuky actors using QR code phishing (“quishing”) targeting NGOs, think tanks, academia, and foreign policy experts.
Attack Characteristics:
- Phishing emails contain QR codes in attachments/embedded images
- QR codes move the victim off the managed corporate endpoint onto a personal mobile device the organization does not monitor
- This sidesteps enterprise email security, which inspects links and attachments but does not resolve the URL encoded in a QR image
- Session token theft enables MFA bypass
- Leads to account takeover and secondary spearphishing
Mitigation:
- Train users to verify QR code sources
- Implement MDM/endpoint security for mobile devices
- Deploy phishing-resistant MFA (FIDO2/WebAuthn)
- Monitor for credential entry following QR code scans
Source: FBI IC3
MFA Bypass Techniques Dominating 2026
Active PhaaS Platforms: Tycoon 2FA, NakedPages, Sneaky2FA, Flowerstorm, Salty2FA, Evilginx
Over 90% of credential attacks expected to use sophisticated phishing kits by end of 2026.
Sources: Push Security
7. Supply Chain & Browser Threats
Malicious Browser Extensions Stealing AI Conversations
Extensions Identified:
- "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" (ID: fnmihdojmnkclgjpcoonokmkhjpjechg, 600K users)
- "AI Sidebar with Deepseek, ChatGPT, Claude, and more" (ID: inhcgfpbfdjbjogdfjbclgolkmhnooop, 300K users)
C2 Domains: chatsaigpt[.]com, deepaichats[.]com, chataigpt[.]pro, chatgptsidebar[.]pro
Source: The Hacker News
RondoDox Botnet Exploiting React2Shell
The RondoDox botnet is actively exploiting CVE-2025-55182 to deploy cryptominers and malware across compromised Next.js servers.
Source: The Hacker News
8. Indicators of Compromise
React2Shell (CVE-2025-55182)
Network IOCs (Google/Darktrace):
172.245.5[.]61:38085
5.255.121[.]141
193.34.213[.]15
193.34.213[.]150 (Mirai-associated)
File/Directory Indicators:
- Hidden directories: $HOME/.systemd-utils
- Terminated processes: ntpclient
- Modified files: $HOME/.bashrc (malicious execution logic)
- Shell scripts: sex.sh (downloads XMRIG)
- Systemd services: system-update-service
Behavioral Indicators:
- wget/cURL commands from web server processes
- HTTP beaconing to rare external IPs
- Cobalt Strike beacon traffic
- MeshAgent RMM tool deployment
- Modified authorized_keys files
Detection (Elastic Security rule, as reproduced in the source):
```
network where http.request.method == "POST" and (
  http.response.status_code in (500, 303) and
  http.response.body.content like~ "*E{\"digest\"*" and
  http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a.*"""
)
```
The final regex is cut off in this reproduction; take the current rule text from the Elastic detection-rules repository before deploying it.
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1496 (Resource Hijacking)
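To show what the rule above actually keys on, here is an added example (not from the page and not Elastic's code) that applies its four clauses to a few constructed HTTP request/response records of the kind a proxy or WAF would emit: a POST, a 500 or 303 response, an RSC error frame (`E{"digest"`) in the response body, and a Flight reference in the request body. Because the rule's regex is truncated in the source, the request-body pattern here is an assumption that approximates it (`$<n>:<name>:<...>`); the records and IPs are constructed.

```python
"""Added example (not from the source page or Elastic): the logic of the
Elastic rule applied to constructed HTTP records. FLIGHT_REF_RE is an
assumption approximating the rule's truncated request-body regex."""
import re
from typing import Dict, List

FLIGHT_REF_RE = re.compile(r"\$[0-9]+:[A-Za-z_0-9]+:[A-Za-z_]")  # assumed pattern
DIGEST_MARK = 'E{"digest"'          # RSC error frame leaked in the response body
SUSPECT_STATUS = {500, 303}


def is_react2shell_attempt(rec: Dict) -> bool:
    """True when one record satisfies all four clauses of the rule."""
    if rec.get("method") != "POST":
        return False
    if rec.get("status") not in SUSPECT_STATUS:
        return False
    if DIGEST_MARK not in rec.get("response_body", ""):
        return False
    return FLIGHT_REF_RE.search(rec.get("request_body", "")) is not None


def triage(records: List[Dict]) -> List[str]:
    """Source IPs of matching records, first-seen order, deduplicated,
    ready to feed a block list or an incident ticket."""
    seen, hits = set(), []
    for rec in records:
        if is_react2shell_attempt(rec) and rec["src_ip"] not in seen:
            seen.add(rec["src_ip"])
            hits.append(rec["src_ip"])
    return hits


# Constructed records standing in for parsed proxy / WAF logs.
SAMPLE_RECORDS = [
    {   # malformed Flight payload answered with a 500 carrying the error frame
        "src_ip": "203.0.113.7", "method": "POST", "status": 500,
        "request_body": '0:{"a":"$7:chunk:resolve"}',
        "response_body": 'E{"digest":"NEXT_ERROR","message":"Boom"}',
    },
    {   # same request shape but a plain 200: not an error, rule does not fire
        "src_ip": "198.51.100.9", "method": "POST", "status": 200,
        "request_body": '0:{"a":"$7:chunk:resolve"}',
        "response_body": '0:["$@1",[]]',
    },
    {   # legitimate Server Action: a 303 redirect with no error digest
        "src_ip": "192.0.2.44", "method": "POST", "status": 303,
        "request_body": '["submit"]',
        "response_body": "",
    },
    {   # GET never matches, whatever the body says
        "src_ip": "203.0.113.8", "method": "GET", "status": 500,
        "request_body": "", "response_body": 'E{"digest":"x"}',
    },
]


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))   # ['203.0.113.7']
```

The status-code clause matters in practice: a successful exploit often returns a 500 because the injected payload breaks the normal Flight response, so a rule that only looked for the Flight reference would also fire on every legitimate Server Action call.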
MongoDB MongoBleed (CVE-2025-14847)
Network Indicators:
- 50,000-100,000 connections/min to port 27017
- Connections from untrusted source IPs
- High connection volume without application traffic
Log Indicators:
```
# Missing client metadata (event 51800 never follows the accepted connection)
Event ID 51800
# Connection / disconnection events with no metadata in between
Event IDs 22943, 22944
# BSON errors (spikes above roughly 1,000)
"Slow query" with "incorrect BSON length in element"
InvalidBSON errors
```
Detection Strategy: Aggregate by source IP. Flag IPs with high connection rates lacking client metadata.
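As an added example (not from the page or from MongoDB) of the strategy just described, the following correlates mongod's JSON log lines by connection: a connection that is accepted (event 22943) but never logs client metadata (event 51800) before it ends (22944) is counted against its source IP, as is every BSON-length or InvalidBSON error, and IPs that cross a threshold are returned. The log lines are constructed for the example; real mongod logs (4.4 and later) have the same one-JSON-object-per-line shape, and the `errMsg` attribute key on the slow-query line is an assumption.

```python
"""Added example (not from the page or MongoDB): correlate mongod JSON log
events per connection and flag source IPs that open connections without
ever sending client metadata, or that trigger BSON-length errors."""
import json
from collections import defaultdict
from typing import Dict, Iterable

ACCEPTED, ENDED, CLIENT_METADATA = 22943, 22944, 51800
BSON_ERROR_MARKERS = ("incorrect BSON length", "InvalidBSON")


def _conn_id(ev: dict):
    """Connection number: 22943/22944 carry attr.connectionId; other events
    only name their context 'connN', mongod's convention for connection N."""
    cid = ev.get("attr", {}).get("connectionId")
    if cid is None and str(ev.get("ctx", "")).startswith("conn"):
        cid = int(ev["ctx"][4:])
    return cid


def mongobleed_suspects(lines: Iterable[str], min_bad: int = 3) -> Dict[str, Dict[str, int]]:
    """Return {ip: {"no_metadata": n, "bson_errors": m}} for source IPs whose
    metadata-less connections or BSON errors reach min_bad."""
    pending = {}                       # connectionId -> ip, until metadata arrives
    stats = defaultdict(lambda: {"no_metadata": 0, "bson_errors": 0})
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ev = json.loads(raw)
        attr = ev.get("attr", {})
        ip = attr.get("remote", "?").rsplit(":", 1)[0]
        cid = _conn_id(ev)
        if ev.get("id") == ACCEPTED:
            pending[cid] = ip
        elif ev.get("id") == CLIENT_METADATA:
            pending.pop(cid, None)     # a real driver identifies itself
        elif ev.get("id") == ENDED and cid in pending:
            stats[pending.pop(cid)]["no_metadata"] += 1   # closed while silent
        if any(m in raw for m in BSON_ERROR_MARKERS):
            stats[ip]["bson_errors"] += 1
    for ip in pending.values():        # still open at end of log, still silent
        stats[ip]["no_metadata"] += 1
    return {ip: s for ip, s in stats.items() if max(s.values()) >= min_bad}


# Constructed log: one honest Java driver session, then three metadata-less
# connections from one address, one of them tripping a BSON length error.
SAMPLE_LOG = """\
{"t":{"$date":"2026-01-10T09:00:00.001+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.23:40112","connectionId":101,"connectionCount":1}}
{"t":{"$date":"2026-01-10T09:00:00.020+00:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn101","msg":"client metadata","attr":{"remote":"198.51.100.23:40112","client":"conn101","doc":{"driver":{"name":"mongo-java-driver","version":"4.11.1"},"os":{"type":"Linux"}}}}
{"t":{"$date":"2026-01-10T09:00:05.000+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn101","msg":"Connection ended","attr":{"remote":"198.51.100.23:40112","connectionId":101,"connectionCount":0}}
{"t":{"$date":"2026-01-10T09:01:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.5:50001","connectionId":201,"connectionCount":1}}
{"t":{"$date":"2026-01-10T09:01:00.003+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn201","msg":"Connection ended","attr":{"remote":"203.0.113.5:50001","connectionId":201,"connectionCount":0}}
{"t":{"$date":"2026-01-10T09:01:00.010+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.5:50002","connectionId":202,"connectionCount":1}}
{"t":{"$date":"2026-01-10T09:01:00.012+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn202","msg":"Slow query","attr":{"remote":"203.0.113.5:50002","errMsg":"incorrect BSON length in element"}}
{"t":{"$date":"2026-01-10T09:01:00.014+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn202","msg":"Connection ended","attr":{"remote":"203.0.113.5:50002","connectionId":202,"connectionCount":0}}
{"t":{"$date":"2026-01-10T09:01:00.020+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.5:50003","connectionId":203,"connectionCount":1}}
"""


if __name__ == "__main__":
    print(mongobleed_suspects(SAMPLE_LOG.splitlines()))
```

Tune `min_bad` to the baseline of the deployment: health checks and load balancers also open connections without sending metadata, so allowlist those sources before alerting on the rest.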
VMware ESXi Exploitation
Network Indicators:
- VSOCK port 10000 traffic (VSOCK is a host-to-guest socket family that never crosses the NIC, so network sensors do not see it; look on the ESXi host and inside guests instead)
- Unusual traffic following SonicWall VPN compromise
Host Indicators:
- Unsigned driver: MyDriver.sys
- Modified VMware VMCI drivers
- VSOCKpuppet backdoor (64-bit ELF)
- GetShell plugin in guest VMs
Attribution Indicators:
- Simplified Chinese: “全版本逃逸–交付”
- PDB paths dated February 2024
Gogs Zero-Day (CVE-2025-8110)
Indicators of Compromise:
- Repositories with 8-character random names (e.g., “IV79VAew / Km4zoh4s”)
- Repository creation timestamps around July 10, 2025
- Unexpected PutContents API usage
- Symlinks pointing outside repository boundaries
Detection Query (runZero):
```
_asset.protocol:=http AND protocol:=http AND favicon.ico.image.md5:=5f5b7539f014b9996959f5dcd063d
```
Malicious Browser Extensions
Extension IDs to Block:
fnmihdojmnkclgjpcoonokmkhjpjechg
inhcgfpbfdjbjogdfjbclgolkmhnooop
Network Indicators:
- Periodic exfiltration (30-minute intervals)
- Base64-encoded transmissions
- C2 domains: chatsaigpt[.]com, deepaichats[.]com, phantomshuttle[.]space
9. Helpful 5: High-Value, Low-Effort Mitigations
1. MongoDB: Disable zlib Compression or Patch
Why: CVE-2025-14847 actively exploited against 87,000+ instances. Unauthenticated credential/PII leak.
How:
```sh
# Option 1: Disable zlib by negotiating only the other compressors
mongod --networkMessageCompressors snappy,zstd
# Option 2: Upgrade to a patched release
# 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30
```
CIS 18: 7.1, 7.3 | NIST CSF: DE.CM-8, PR.IP-12 | ISO 27001: A.12.6.1, A.18.2.3
2. React/Next.js: Patch React2Shell Immediately
Why: CVSS 10.0, Chinese APT exploitation, 90,300 vulnerable instances.
How:
```sh
# Update React to the patched release on your line (19.0.1, 19.1.2 or 19.2.1)
npm install react@19.1.2 react-dom@19.1.2
# Update Next.js
npm install next@15.3.2
# Verify what resolved
npm ls react react-dom next
```
CIS 18: 7.1, 16.1 | NIST CSF: PR.IP-12, DE.CM-8 | ISO 27001: A.12.6.1, A.14.2.2
3. Veeam: Update Backup & Replication to 13.0.1.1071
Why: CVSS 9.0 RCE. Veeam is frequent ransomware target (Akira, Fog, Frag).
How: Download and install version 13.0.1.1071 from Veeam portal. Restrict Backup/Tape Operator role access.
CIS 18: 7.1, 11.4 | NIST CSF: PR.IP-12, PR.IP-4 | ISO 27001: A.12.3.1, A.12.6.1
4. Gogs: Disable Open Registration and Restrict Access
Why: Zero-day (CVE-2025-8110) with no patch. 700+ confirmed compromises.
How:
```ini
# app.ini
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true
```
Place behind VPN. Monitor for 8-character random repository names.
CIS 18: 4.1, 13.4, 16.8 | NIST CSF: PR.AC-5, PR.IP-1 | ISO 27001: A.9.4.1, A.13.1.3
5. Implement Phishing-Resistant MFA (FIDO2/WebAuthn)
Why: FBI Kimsuky quishing campaigns. PhaaS kits bypass traditional MFA via session token theft.
How:
```powershell
# Azure AD / Entra ID: enable the registration campaign that nudges users to
# register a stronger method. The campaign targets Microsoft Authenticator;
# to actually require FIDO2/WebAuthn, pair it with a Conditional Access policy
# that uses the built-in "Phishing-resistant MFA" authentication strength.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
Update-MgPolicyAuthenticationMethodPolicy -RegistrationEnforcement @{
    AuthenticationMethodsRegistrationCampaign = @{
        SnoozeDurationInDays = 0
        State = "enabled"
        IncludeTargets = @(@{
            Id = "all_users"
            TargetType = "group"
            TargetedAuthenticationMethod = "microsoftAuthenticator"
        })
    }
}
```
CIS 18: 6.3, 6.4, 6.5 | NIST CSF: PR.AC-7, PR.AC-1 | ISO 27001: A.9.4.2, A.9.2.4
10. Threat Landscape Summary
Ransomware Trends
- BlackCat/Alphv Insiders: Two US security professionals (Ryan Goldberg, Kevin Martin) pleaded guilty January 2026. Sentencing March 12, 2026.
- Qilin & SafePay: Active campaigns targeting US, Canada, South Korea, France, UK in manufacturing, healthcare, professional services.
- Exfiltration-Only Attacks: Surge in attacks that skip encryption and steal data with Azure's AzCopy utility. Victims pay because of regulatory exposure.
- 2026 Predictions: Ransomware attacks rose 47% in 2025 (7,200 vs 4,900 in 2024). First year new actors outside Russia expected to exceed those within it.
Sources: CYFIRMA | Check Point Research | Recorded Future | Cyble
Notable Incidents
- Sedgwick Government Solutions: TridentLocker attack Dec 31, 2025 (DHS/ICE/CBP/CISA contractor)
- Korean Air: 30,000 employees affected via vendor KC&D Service; Cl0p via Oracle E-Business Suite
- Artisans’ Bank & VeraBank: 1.35M affected via Marquis Software vendor breach (SonicWall CVE)
11. Upcoming Security Events
| Date | Event |
|---|---|
| January 14, 2026 (10:00 AM PT) | Microsoft Patch Tuesday |
| January 19, 2026 | CISA KEV deadline: MongoDB CVE-2025-14847 |
| January 28, 2026 | CISA KEV deadline: HPE OneView CVE-2025-37164, MS PowerPoint CVE-2009-0556 |
| February 2, 2026 | CISA KEV deadline: Gogs CVE-2025-8110 |
| March 12, 2026 | BlackCat insiders sentencing |
| June 2026 | Windows Secure Boot certificates begin expiring |
12. Sources
Government & Regulatory:
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA Alerts: https://www.cisa.gov/news-events/alerts
- FBI IC3 FLASH AC-000001-MW: https://www.ic3.gov/CSA/2026/260108.pdf
- CISA Vulnerability Bulletin: https://www.cisa.gov/news-events/bulletins/sb26-012
Threat Intelligence:
- Wiz Research: https://www.wiz.io/blog
- Google Cloud Threat Intelligence: https://cloud.google.com/blog/topics/threat-intelligence
- Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog
- Darktrace: https://www.darktrace.com/blog
- Trend Micro Research: https://www.trendmicro.com/en_us/research
- Rapid7 Blog: https://www.rapid7.com/blog
- Datadog Security Labs: https://securitylabs.datadoghq.com
Security News:
- The Hacker News: https://thehackernews.com
- BleepingComputer: https://www.bleepingcomputer.com
- SecurityWeek: https://www.securityweek.com
- Security Affairs: https://securityaffairs.com
- CyberScoop: https://cyberscoop.com
- Dark Reading: https://www.darkreading.com
Vendor Advisories:
- Veeam Security Advisories: https://www.veeam.com/kb4693
- Chrome Releases: https://chromereleases.googleblog.com
Document Version: 1.0 | Prepared: January 12, 2026 | Next Briefing: January 19, 2026