TJS Weekly Security Intelligence Briefing – Week of January 19th 2026

Classification: Public
Reporting Period: January 12-19, 2026
Distribution: Security Operations, IT Leadership, Executive Team
Prepared By: Tech Jacks Solutions Security Intelligence

---

TJS Weekly Security Intelligence Briefing – Week of Jan 19th 2026

Executive Summary

The week of January 12-19, 2026 presents an elevated risk posture driven by Microsoft’s January Patch Tuesday release addressing 114 vulnerabilities (including one actively exploited zero-day), critical vulnerabilities in Palo Alto Networks GlobalProtect, ongoing exploitation of legacy Fortinet authentication bypasses, and an expansive Magecart web-skimming campaign targeting major payment networks. Federal agencies face immediate remediation deadlines with CISA adding vulnerabilities in Gogs, HPE OneView, and Microsoft Windows to the Known Exploited Vulnerabilities (KEV) catalog.

Organizations running Palo Alto Networks firewalls with GlobalProtect enabled face denial-of-service risk from CVE-2026-0227, with proof-of-concept code publicly available. Microsoft’s CVE-2026-20805 (Desktop Window Manager information disclosure) is confirmed actively exploited and undermines ASLR protections. Phishing campaigns exploiting misconfigured Microsoft 365 email routing continue to surge, with over 13 million malicious emails blocked in October 2025 alone using the Tycoon2FA phishing-as-a-service platform.

Key Statistics:

• 114 Microsoft vulnerabilities patched (8 Critical, 1 actively exploited)
• 10,000+ Fortinet firewalls remain exposed to CVE-2020-12812 2FA bypass
• 6,000+ Palo Alto firewalls exposed online per Shadowserver
• Major Magecart campaign active since January 2022 targeting 6 payment networks

---

Critical Action Items

Priority	Item	Affected Product	Deadline	Action
1	CVE-2026-20805 – Actively Exploited Windows Zero-Day	Windows 10/11, Server	Feb 3, 2026 (CISA KEV)	Apply January 2026 cumulative updates immediately
2	CVE-2026-0227 – GlobalProtect DoS (PoC Available)	PAN-OS 10.1+ with GlobalProtect	Immediate	Upgrade to PAN-OS 12.1.4, 11.2.10-h2, or applicable hotfix
3	CVE-2025-37164 – HPE OneView RCE (CVSS 10.0)	HPE OneView < 11.0	Jan 28, 2026 (CISA KEV)	Apply vendor hotfixes; all versions prior to 11.0 affected
4	CVE-2025-8110 – Gogs Path Traversal (Active Exploitation)	Gogs self-hosted Git	Feb 2, 2026 (CISA KEV)	Patch or discontinue use if fixes unavailable
5	CVE-2025-64155 – FortiSIEM Command Injection (CVSS 9.8)	FortiSIEM 7.x	Immediate	Migrate to fixed release; exploit code publicly available
6	CVE-2020-12812 – Fortinet 2FA Bypass (Renewed Attacks)	FortiOS SSL VPN	Immediate	Upgrade to FortiOS 6.4.1+; disable LDAP case-sensitive matching

---

Key Security Stories

Story 1: Microsoft January 2026 Patch Tuesday – 114 Vulnerabilities Including Actively Exploited Zero-Day

Microsoft released security updates on January 13, 2026 addressing 114 vulnerabilities across Windows, Office, Azure, SharePoint, SQL Server, and other products. Eight vulnerabilities received Critical severity ratings, with CVE-2026-20805 confirmed as actively exploited in the wild.

CVE-2026-20805 is an information disclosure vulnerability in the Desktop Window Manager (DWM) component (CVSS 5.5) that allows local attackers with basic user privileges to leak sensitive process and memory-related data through Windows internal ALPC communication channels. Despite its moderate CVSS score, security researchers emphasize this flaw undermines Address Space Layout Randomization (ASLR) protections, enabling attackers to chain additional exploits more effectively.

Additional Critical Vulnerabilities:

• CVE-2026-20854 (CVSS Critical): Remote code execution in Windows LSASS via use-after-free, exploitable over the network
• CVE-2026-20952/20953 (CVSS 8.4): Microsoft Office RCE via Preview Pane (no user interaction required)
• CVE-2026-20876 (CVSS 6.7): VBS Enclave elevation of privilege enabling escape to Virtual Trust Level 2

Microsoft also removed vulnerable legacy Agere Soft Modem drivers (agrsm64.sys, agrsm.sys) addressing CVE-2023-31096, which had been exploited to gain SYSTEM privileges.

Affected Versions: All supported Windows 10, Windows 11, and Windows Server versions
Exploitation Status: CVE-2026-20805 actively exploited; CVE-2026-21265 and CVE-2023-31096 publicly disclosed
Remediation: Apply KB5074109 (Windows 11), KB5073455, or KB5073724 (Windows 10 ESU) immediately

Source: Microsoft Security Update Guide, BleepingComputer, Krebs on Security, CrowdStrike Analysis

---

Story 2: Palo Alto Networks GlobalProtect DoS Vulnerability with Public PoC

Palo Alto Networks disclosed CVE-2026-0227 on January 14, 2026, a high-severity denial-of-service vulnerability (CVSS 7.7) affecting GlobalProtect Gateway and Portal services. The vulnerability allows unauthenticated remote attackers to disrupt firewall operations, with repeated exploitation forcing devices into maintenance mode.

The flaw stems from improper validation of unusual or exceptional conditions (CWE-754) and affects all PAN-OS versions 10.1 and later with GlobalProtect enabled. Cloud NGFW deployments are not affected. Proof-of-concept exploit code is publicly available, significantly elevating exploitation risk despite no confirmed malicious activity at disclosure.

Shadowserver currently tracks approximately 6,000 Palo Alto Networks firewalls exposed on the internet, though vulnerability status varies by configuration.

Affected Versions:

• PAN-OS 12.1.0 to 12.1.3 (fix: 12.1.4)
• PAN-OS 11.2.4 to 11.2.10 (fix: 11.2.10-h2)
• PAN-OS 11.1.x (fix: 11.1.13)
• PAN-OS 10.2.x (multiple hotfixes available)
• Prisma Access (most instances patched; remaining scheduled)

Exploitation Status: PoC available; no active exploitation confirmed
Remediation: Upgrade to fixed PAN-OS version; temporarily disable GlobalProtect if patching delayed

Source: Palo Alto Networks Security Advisory, BleepingComputer, Network World

---

Story 3: Fortinet Products Under Renewed Attack – Critical FortiSIEM and Legacy 2FA Bypass

Multiple Fortinet vulnerabilities demand immediate attention this week. CVE-2025-64155 (CVSS 9.8) is a critical OS command injection vulnerability in FortiSIEM allowing unauthenticated remote code execution via specially crafted TCP requests. Exploit code is publicly available.

Simultaneously, Fortinet disclosed renewed exploitation of CVE-2020-12812, a five-year-old critical authentication bypass (CVSS 9.8) in FortiOS SSL VPN. The Shadowserver Foundation reports over 10,000 Fortinet firewalls remain unpatched, with 1,200+ in the United States alone. This vulnerability has been weaponized by ransomware groups including Play and Hive, and threat actors linked to Iran.

The authentication bypass occurs when two-factor authentication is enabled for local users with remote LDAP authentication, and the username case differs from the LDAP directory entry. FortiGate treats usernames as case-sensitive while LDAP directories typically do not, allowing attackers to bypass 2FA by simply changing username capitalization.

Affected Products:

• FortiSIEM 7.4.0, 7.3.0-7.3.4, 7.2.0-7.2.6, 7.1.x, 7.0.x, 6.7.x (CVE-2025-64155)
• FortiOS 6.4.0 and earlier with LDAP-backed 2FA (CVE-2020-12812)

Exploitation Status: Both vulnerabilities actively exploited; public PoC for FortiSIEM
Remediation:

• FortiSIEM: Upgrade to 7.4.1+ or migrate to fixed release
• FortiOS: Upgrade to 6.4.1+; disable username case-sensitivity

Source: Singapore CSA Advisory, The Hacker News, BleepingComputer

---

CISA KEV & Critical CVE Table

CVE	Product	CVSS	Status	CISA Deadline	Description
CVE-2026-20805	Windows DWM	5.5	Actively Exploited	Feb 3, 2026	Information disclosure enabling ASLR bypass
CVE-2025-37164	HPE OneView	10.0	Actively Exploited	Jan 28, 2026	Unauthenticated RCE; RondoDox botnet campaign
CVE-2025-8110	Gogs	8.7	Actively Exploited	Feb 2, 2026	Path traversal enabling code execution
CVE-2025-14847	MongoDB Server	9.1	Actively Exploited	Jan 19, 2026	“Mongobleed” memory disclosure (pre-auth)
CVE-2026-0227	Palo Alto PAN-OS	7.7	PoC Available	N/A	GlobalProtect DoS; no workaround
CVE-2025-64155	FortiSIEM	9.8	PoC Available	N/A	Unauthenticated command injection
CVE-2020-12812	FortiOS SSL VPN	9.8	Actively Exploited	N/A (2022)	2FA bypass via case manipulation
CVE-2026-20854	Windows LSASS	Critical	Not Exploited	N/A	Remote code execution (use-after-free)
CVE-2026-20952	Microsoft Office	8.4	Not Exploited	N/A	RCE via Preview Pane (no interaction)
CVE-2026-20953	Microsoft Office	8.4	Not Exploited	N/A	RCE via Preview Pane (no interaction)
CVE-2026-0628	Chrome WebView	High	Not Exploited	N/A	Security restriction bypass
CVE-2026-20029	Cisco ISE	4.9	PoC Available	N/A	XXE information disclosure
CVE-2025-59718	Fortinet Multiple	9.1	Actively Exploited	Jan 23, 2026	FortiCloud SSO auth bypass

---

Phishing & Social Engineering Alert

Tycoon2FA and Domain Spoofing Campaign Surge

Microsoft Threat Intelligence reports a significant increase since May 2025 in phishing campaigns exploiting misconfigured email routing and weak spoof protections. In October 2025 alone, Microsoft Defender blocked over 13 million malicious emails linked to the Tycoon2FA phishing-as-a-service platform.

Attack Characteristics:

• Emails appear to originate from the target organization’s own domain
• Themes include HR communications, password resets, voicemail notifications, and document signing requests
• Adversary-in-the-middle (AiTM) techniques bypass MFA protections
• Targets organizations with MX records not pointed directly to Office 365

Google Cloud Application Integration Abuse: Check Point Research identified a 14-day campaign in December 2025 sending 9,394 phishing emails from legitimate Google addresses (noreply-application-integration@google[.]com). The campaign targeted approximately 3,200 organizations across manufacturing, technology, financial services, and retail sectors.

Detection & Prevention:

• Verify MX records point directly to Office 365 for native spoof detection
• Configure strict DMARC reject and SPF hard fail policies
• Enable phishing-resistant MFA (hardware keys, passkeys)
• Train users to verify unexpected document signing and password reset requests

Source: Microsoft Security Blog, The Hacker News, The Hacker News – Google Cloud

---

Supply Chain & Web Threats

Magecart Web Skimming Campaign Targets Major Payment Networks

Silent Push researchers exposed an extensive Magecart web-skimming campaign active since January 2022, targeting online shoppers using American Express, Diners Club, Discover, Mastercard, JCB, and UnionPay cards. The campaign uses bulletproof hosting infrastructure linked to European-sanctioned entity PQ.Hosting/Stark Industries.

Technical Details:

• Malicious JavaScript injected into WooCommerce checkout pages with Stripe integration
• Skimmer hides legitimate payment form, replaces with identical fake form
• Includes card brand detection logic displaying appropriate logos
• Self-destruct routine activates when WordPress admin session detected
• Data exfiltrated via HTTP POST to lasorie[.]com and cdn-cookie[.]com domains
• XOR encryption (key: “777”) with Base64 encoding applied before exfiltration

Indicators of Compromise (IOCs):

• cdn-cookie[.]com/recorder.js
• lasorie[.]com (exfiltration server)
• ASN 209847 (PQ.Hosting/Stark Industries infrastructure)
• colunexshop[.]com (confirmed compromised site)

Mitigation:

• Implement Content Security Policy (CSP) restricting external script loading
• Deploy Subresource Integrity (SRI) for payment scripts
• Monitor for unauthorized checkout page modifications
• Use payment processor-hosted payment pages where possible

Source: Silent Push Research, The Hacker News, Infosecurity Magazine

---

Browser Security Updates

Google Chrome 143.0.7499.192/.193 – WebView Security Bypass

Google released Chrome versions 143.0.7499.192/.193 on January 6, 2026 addressing CVE-2026-0628, a high-severity vulnerability in the WebView component affecting approximately 3 billion users.

The vulnerability stems from insufficient policy enforcement in WebView tag, potentially allowing malicious extensions or payloads to bypass security controls and inject content into privileged pages.

Affected Products:

• Google Chrome prior to 143.0.7499.192 (Linux)
• Google Chrome prior to 143.0.7499.192/.193 (Windows/Mac)
• Chrome for Android prior to 143.0.7499.193
• Applications using WebView for content rendering

Impact: WebView vulnerabilities extend beyond browsers to countless Android applications and in-app browsers using the component.

Remediation: Update Chrome via Help > About Google Chrome; restart browser to activate patch

Source: Chrome Releases Blog, TechRepublic

---

Helpful 5: High-Value, Low-Effort Mitigations

1. Microsoft 365: Configure Strict DMARC and SPF Policies

Why: Tycoon2FA phishing campaigns exploited organizations with misconfigured spoof protections, sending 13+ million malicious emails appearing from internal domains.

How:

1. Navigate to Microsoft 365 Admin Center → Settings → Domains
2. Verify MX records point to Office 365
3. Set DMARC policy to p=reject (not p=none)
4. Configure SPF with -all (hard fail) not ~all (soft fail)
5. Enable Enhanced Filtering for connectors if using third-party mail routing

Framework Alignment: CIS Control 9.5, NIST CSF PR.DS-5, ISO 27001 A.13.2.1

---

2. Palo Alto Networks: Verify GlobalProtect Patch Status

Why: CVE-2026-0227 enables unauthenticated DoS with public PoC; ~6,000 firewalls exposed per Shadowserver.

How:

1. Verify current PAN-OS version: show system info | match sw-version
2. Check GlobalProtect status: show global-protect-gateway statistics
3. If vulnerable, upgrade to: 12.1.4, 11.2.10-h2, 11.1.13, or applicable hotfix
4. Temporary workaround: Disable GlobalProtect interface until patched
5. Monitor for unusual traffic patterns to GlobalProtect portal

Framework Alignment: CIS Control 7.1, NIST CSF ID.RA-1, MITRE ATT&CK T1498

---

3. Fortinet: Audit SSL VPN Authentication Configuration

Why: CVE-2020-12812 2FA bypass is under renewed exploitation; 10,000+ firewalls remain unpatched.

How:

1. Check FortiOS version: get system status
2. Review LDAP authentication configuration: config user ldap
3. Verify 2FA enforcement: config user local
4. Upgrade to FortiOS 6.4.1+ or disable case-sensitive username matching
5. Enable verbose logging and forward to SIEM: config log setting

Framework Alignment: CIS Control 6.3, NIST CSF PR.AC-7, ISO 27001 A.9.4.2

---

4. Web Properties: Implement Content Security Policy for Payment Pages

Why: Magecart campaign active since 2022 targets Stripe-enabled WooCommerce sites via malicious JavaScript injection.

How:

1. Implement CSP header restricting script sources: Content-Security-Policy: script-src ‘self’ https://js.stripe.com;
2. Enable Subresource Integrity for payment scripts
3. Configure File Integrity Monitoring on checkout page files
4. Review third-party scripts loaded on payment pages
5. Consider using Stripe Elements or hosted payment pages

Framework Alignment: CIS Control 2.7, OWASP ASVS V14.4, PCI DSS 6.4.3

---

5. Windows Endpoints: Prioritize January Patch Tuesday Deployment

Why: CVE-2026-20805 is actively exploited; undermines ASLR enabling exploit chaining.

How:

1. Test KB5074109 (Windows 11) or KB5073724 (Windows 10) in staging
2. Deploy to internet-facing and high-value systems first
3. Verify legacy modem drivers removed: Check for agrsm64.sys, agrsm.sys
4. Monitor for exploitation indicators via EDR/SIEM
5. Expedite Office updates for CVE-2026-20952/20953 Preview Pane RCE

Framework Alignment: CIS Control 7.3, NIST CSF PR.IP-12, ISO 27001 A.12.6.1

---

Threat Landscape Summary

Ransomware Trends

The ransomware ecosystem continues evolving with declining payment rates driving tactical shifts. Recorded Future predicts 2026 will mark the first year new ransomware actors outside Russia outnumber those within. Two former US cybersecurity professionals (Ryan Goldberg of Sygnia, Kevin Martin of DigitalMint) pleaded guilty to BlackCat/ALPHV ransomware conspiracy, facing sentencing in March 2026 with up to 20 years imprisonment. The case highlights insider threat risks as trusted security professionals were revealed as ransomware affiliates who extorted approximately $1.27 million from victims in 2023.

Active groups this week include Qilin (targeting manufacturing, healthcare, real estate), SafePay (exploiting VPN weaknesses), and TridentLocker (claimed attack on Sedgwick Government Solutions, a federal contractor serving DHS, ICE, CBP, and CISA).

APT & Nation-State Activity

Chinese-speaking threat actors exploited compromised SonicWall VPN appliances to deliver VMware ESXi exploitation toolkit potentially developed over a year before vulnerability disclosure (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226). The sophisticated attack chain enables VM escape to hypervisor control. FBI warned of North Korean Kimsuky actors using malicious QR codes in spear-phishing targeting think tanks and academic institutions.

AI & Cloud Security

Check Point disclosed that attackers abused Google Cloud Application Integration’s email feature to send phishing emails from legitimate Google addresses, bypassing traditional filters. The campaign exploited the trust associated with Google infrastructure to target 3,200+ organizations globally. Organizations should monitor for abuse of legitimate cloud automation services.

---

Upcoming Security Events

Date	Event	Action Required
Jan 19, 2026	CVE-2025-14847 (MongoDB) CISA KEV Deadline	Patch all affected MongoDB instances
Jan 23, 2026	CVE-2025-59718 (Fortinet SSO) CISA KEV Deadline	Apply FortiOS patches
Jan 28, 2026	CVE-2025-37164 (HPE OneView) CISA KEV Deadline	Apply vendor hotfixes
Feb 2, 2026	CVE-2025-8110 (Gogs) CISA KEV Deadline	Patch or discontinue use
Feb 3, 2026	CVE-2026-20805 (Windows DWM) CISA KEV Deadline	Apply January patches
Feb 11, 2026	February Patch Tuesday	Plan testing cycle
Jun 2026	Windows Secure Boot Certificate Expiration	Review CVE-2026-21265 guidance

---

Framework Alignment Matrix

Vulnerability/Threat	CIS Controls v8	NIST CSF 2.0	ISO 27001:2022	MITRE ATT&CK	CISA Recommendations
CVE-2026-20805 (Windows DWM)	7.1, 7.3	PR.IP-12, DE.CM-8	A.12.6.1	T1082, T1592	BOD 22-01 compliance
CVE-2026-0227 (PAN-OS DoS)	7.1, 12.1	PR.IP-12, PR.PT-4	A.12.6.1, A.13.1.1	T1498, T1499	Patch immediately
CVE-2020-12812 (Fortinet 2FA)	6.3, 6.5, 7.1	PR.AC-7, PR.IP-12	A.9.4.2	T1078, T1110	KEV – patch or mitigate
Tycoon2FA Phishing	9.5, 14.3, 14.6	PR.DS-5, PR.AT-1	A.7.2.2, A.13.2.1	T1566, T1557	DMARC/SPF enforcement
Magecart Skimming	2.7, 16.2, 16.6	PR.DS-1, DE.CM-4	A.14.2.5	T1059.007, T1185	CSP implementation
CVE-2025-64155 (FortiSIEM)	7.1, 4.1	PR.IP-12, DE.CM-8	A.12.6.1	T1059, T1190	Upgrade immediately

---

Technical Appendix: Indicators of Compromise

Magecart Campaign IOCs

Exfiltration Domains:

lasorie[.]com

cdn-cookie[.]com

Malicious Script URLs:

cdn-cookie[.]com/recorder.js

Network Indicators:

ASN 209847 (PQ.Hosting/Stark Industries/THE.Hosting)

Compromised Sites (Sample):

colunexshop[.]com

VMware ESXi Exploitation (Chinese APT)

Associated Tools:

• MAESTRO orchestrator
• VSOCKpuppet backdoor

Targeted CVEs:

CVE-2025-22224 (VMCI TOCTOU)

CVE-2025-22225 (ESXi arbitrary write)

CVE-2025-22226 (HGFS memory leak)

Initial Access Vector: Compromised SonicWall VPN appliances

Detection Rules

YARA Rule – Magecart Skimmer Detection:

rule Magecart_WooCommerce_Skimmer {

    meta:

        description = “Detects Magecart skimmer targeting WooCommerce/Stripe”

        date = “2026-01-19”

    strings:

        $s1 = “wc-stripe-form” ascii

        $s2 = “wpadminbar” ascii

        $s3 = “wc_cart_hash” ascii

        $s4 = “lasorie.com” ascii

        $s5 = “cdn-cookie.com” ascii

    condition:

        3 of them

}

Sigma Rule – Windows DWM Exploitation Attempt:

title: Potential CVE-2026-20805 Exploitation

status: experimental

description: Detects potential exploitation of Windows Desktop Window Manager information disclosure

logsource:

    category: process_creation

    product: windows

detection:

    selection:

        TargetFilename|contains: ‘dwm.exe’

        CallTrace|contains: ‘ALPC’

    condition: selection

level: high

tags:

    – attack.defense_evasion

    – attack.t1082

    – cve.2026.20805

---

Supplemental Critical Action Items

Priority	Item	Affected Product	Deadline	Action
CRITICAL	CVE-2026-0501 – SAP S/4HANA SQL Injection (CVSS 9.9)	SAP S/4HANA S4CORE 102-109	Immediate	Apply SAP Security Note #3687749
CRITICAL	CVE-2026-0500 – SAP Wily Introscope RCE (CVSS 9.6)	SAP Wily Introscope 10.8	Immediate	Apply SAP Security Note #3668679
HIGH	CVE-2025-52691 – SmarterMail Pre-Auth RCE (CVSS 10.0)	SmarterMail ≤ Build 9406	Immediate	Update to Build 9483
HIGH	CVE-2026-0891/0892 – Firefox Memory Safety (Suspected Exploited)	Firefox < 147, ESR < 140.7	Immediate	Update to Firefox 147 / ESR 140.7

---

SAP Security Patch Day – January 2026

Risk Level: CRITICAL
Disclosure Date: January 13, 2026
Relevance: Enterprise ERP systems widely deployed across organizations

SAP released 17 new security notes on January 13, 2026, addressing vulnerabilities across widely deployed enterprise systems. The patch cycle includes four HotNews (critical-severity) vulnerabilities that demand immediate attention.

Critical Vulnerabilities (HotNews)

CVE	Product	CVSS	Description
CVE-2026-0501	SAP S/4HANA General Ledger	9.9	SQL injection allowing authenticated attackers to execute arbitrary SQL queries, compromising financial data integrity
CVE-2026-0500	SAP Wily Introscope Enterprise Manager	9.6	Remote code execution requiring minimal user interaction; unauthenticated attackers can create malicious JNLP files
CVE-2026-0498	SAP S/4HANA (Private Cloud/On-Premise)	9.1	Code injection allowing high-privileged attackers to modify source code without authentication checks
CVE-2026-0491	SAP Landscape Transformation (DMIS add-on)	9.1	Code injection via same vulnerable function as CVE-2026-0498

High-Priority Vulnerabilities

CVE	Product	CVSS	Description
CVE-2026-0492	SAP HANA Database	8.8	Privilege escalation enabling user impersonation to administrative context
CVE-2026-0507	SAP Application Server ABAP / NetWeaver RFCSDK	8.4	OS command injection for high-privileged attackers on adjacent networks
CVE-2026-0506	SAP NetWeaver Application Server	8.1	Missing authorization checks enabling privilege escalation

Affected Versions

• S4CORE: Versions 102 through 109 (private cloud and on-premise)
• SAP Wily Introscope: Version 10.8
• SAP HANA: All current supported versions
• SAP NetWeaver: Multiple components

Exploitation Status

No active exploitation confirmed at time of disclosure. However, RFC-based vulnerabilities are historically attractive targets for ransomware groups and APT actors targeting enterprise environments.

Threat Model

Attack Vector: CVE-2026-0501 requires authenticated access with low privileges. Attackers compromise technical RFC users (integration accounts, service users) and use RFC tooling to call vulnerable function paths with crafted parameters.

Kill Chain:

1. Initial access via compromised credentials or phishing
2. Lateral movement to SAP environment
3. Exploit RFC/SQL injection for data access or privilege escalation
4. Financial data manipulation, backdoor creation, or ransomware deployment

Remediation

Immediate Actions:

1. Apply SAP Security Notes #3687749 (CVE-2026-0501), #3668679 (CVE-2026-0500), #3694242 (CVE-2026-0498), #3697979 (CVE-2026-0491)
2. Review S_RFC authorizations for overly permissive configurations
3. Audit technical RFC user accounts and integration credentials
4. Enable verbose logging on SAP systems and forward to SIEM

Framework Alignment:

• CIS Controls v8: 7.1 (Application Vulnerability Management), 4.7 (Manage Default Accounts)
• NIST CSF 2.0: PR.IP-12 (Vulnerability Management), ID.RA-1 (Risk Assessment)
• ISO 27001:2022: A.12.6.1 (Management of Technical Vulnerabilities)

Sources

• SAP Security Patch Day – January 2026
• SecurityWeek: SAP’s January 2026 Security Updates
• Onapsis: SAP Security Patch Day for January 2026
• Pathlock: SAP Security Patch Tuesday January 2026

---

2. Mozilla Firefox Security Updates – Suspected Zero-Days

Risk Level: HIGH
Disclosure Date: January 13, 2026
Relevance: Browser stack component for enterprise environments

Mozilla released Firefox 147 and Firefox ESR 140.7 on January 13, 2026, addressing 34 vulnerabilities including two memory safety bugs suspected of active exploitation.

Suspected Exploited Vulnerabilities

CVE	Severity	Description	Fixed In
CVE-2026-0891	High	Memory safety bugs showing evidence of memory corruption	Firefox 147, ESR 140.7
CVE-2026-0892	High	Memory safety bugs showing evidence of memory corruption	Firefox 147

Technical Details

According to Mozilla Foundation Security Advisory MFSA2026-01, both vulnerabilities involve memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146, and Thunderbird 146. The advisory states these bugs “showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.”

Affected Products

• Firefox versions prior to 147
• Firefox ESR versions prior to 140.7
• Thunderbird versions prior to 147/ESR 140.7

Exploitation Status

Ivanti reports both CVEs are “suspected to be exploited” though active exploitation has not been publicly confirmed. Given the memory corruption evidence, defensive teams should treat these as high-priority patches.

Remediation

Immediate Actions:

1. Update Firefox to version 147 via Help → About Firefox
2. Update Firefox ESR to version 140.7
3. Update Thunderbird to corresponding patched versions
4. Enable automatic updates for browser deployments
5. Monitor for unusual browser behavior or crashes

Framework Alignment:

• CIS Controls v8: 7.1 (Application Vulnerability Management), 2.2 (Ensure Authorized Software)
• NIST CSF 2.0: PR.IP-12 (Vulnerability Management)
• ISO 27001:2022: A.12.6.1 (Management of Technical Vulnerabilities)

Sources

• Mozilla Security Advisory MFSA2026-01
• Krebs on Security: Patch Tuesday January 2026
• Ivanti: January 2026 Patch Tuesday
• Cyber Security News: Firefox 147 Released

---

3. SmarterTools SmarterMail Pre-Auth RCE – CVE-2025-52691 (HIGH GAP)

Risk Level: CRITICAL (CVSS 10.0)
Disclosure Date: December 30, 2025 (CSA Singapore Alert: January 2026)
Relevance: Email server infrastructure; alternative to Microsoft Exchange

The Cyber Security Agency of Singapore (CSA) issued a critical alert regarding CVE-2025-52691, a maximum-severity vulnerability in SmarterTools’ SmarterMail email platform enabling unauthenticated remote code execution.

Vulnerability Details

Field	Value
CVE	CVE-2025-52691
CVSS	10.0 (Critical)
CWE	CWE-434 (Unrestricted File Upload)
Attack Vector	Network (Unauthenticated)
Exploitability	Pre-authentication, no user interaction required

Technical Analysis

The vulnerability stems from an arbitrary file upload weakness in the API controller SmarterMail.Web.Api.FileUploadController.Upload() registered to the /api/upload route. Successful exploitation allows unauthenticated attackers to upload files to any location on the mail server, including web shells or malicious executables that execute with the SmarterMail service privileges.

Attack Surface

Censys reports approximately 16,000 internet-exposed hosts potentially vulnerable to this flaw:

• United States: 12,500+ instances
• Malaysia: 784 instances
• Iran: 348 instances
• India: 321 instances
• United Kingdom: 292 instances
• Germany: 205 instances

Affected Versions

• SmarterMail Build 9406 and earlier

Fixed Versions

• SmarterMail Build 9413 (October 9, 2025) – Initial fix
• SmarterMail Build 9483 (December 18, 2025) – Recommended version

Exploitation Status

No confirmed active exploitation at time of advisory. However, the “Holy Grail” nature of unauthenticated arbitrary file upload leading to RCE as SYSTEM makes this an extremely attractive target. Security researchers note automated botnets could compromise thousands of servers within hours of PoC release.

Threat Model

Attack Vector: Unauthenticated HTTP POST to /api/upload endpoint with crafted multipart/form-data payload.

Kill Chain:

1. Scan for internet-exposed SmarterMail instances
2. Submit malicious file upload request to /api/upload
3. Upload web shell to webroot or executable to system path
4. Execute payload to gain SYSTEM-level access
5. Pivot to internal network, exfiltrate data, or deploy ransomware

Indicators of Compromise

Network Indicators:

• Suspicious POST requests to /api/upload from external IPs
• Unexpected file creation in web directories
• New ASPX/PHP files in SmarterMail webroot

File System Indicators:

• Unauthorized files in C:\SmarterMail\MRS\ directories
• Web shells with common signatures (cmd execution, base64 encoding)
• Modified file timestamps in web-accessible directories

Remediation

Immediate Actions:

1. Identify all SmarterMail installations and verify current versions
2. Update to Build 9483 (latest) or minimum Build 9413
3. Test updates in non-production environment before deployment
4. Monitor server logs for suspicious /api/upload activity
5. Review file system for unauthorized files

If Patching is Delayed:

• Implement WAF rules to block suspicious upload requests
• Restrict network access to SmarterMail administrative interfaces
• Enable enhanced file integrity monitoring

Framework Alignment:

• CIS Controls v8: 7.1 (Application Vulnerability Management), 12.1 (Network Boundary Monitoring)
• NIST CSF 2.0: PR.IP-12 (Vulnerability Management), DE.CM-4 (Network Monitoring)
• ISO 27001:2022: A.12.6.1 (Management of Technical Vulnerabilities)

Sources

• CSA Singapore Advisory AL-2025-124
• The Hacker News: CSA Issues Alert on Critical SmarterMail Bug
• Censys Advisory: CVE-2025-52691
• Security Online: CVE-2025-52691 Critical SmarterMail Flaw

---

4. LockBit 5.0 Ransomware Analysis

Risk Level: HIGH
Analysis Date: January 2026
Relevance: Dominant RaaS operation with cross-platform capabilities

LockBit has resurfaced with version 5.0 following disruption by Operation Cronos in early 2024. Check Point Research, Trend Micro, and AhnLab have confirmed active campaigns with enhanced evasion capabilities targeting Windows, Linux, and VMware ESXi environments.

Operational Context

LockBit returned to the Top 10 Ransomware Groups in December 2025, claiming 112 victims after a period of inactivity from June to November 2025. The group historically accounted for 30.25% of ransomware attacks (August 2021 – August 2022) and approximately 21% in 2023.

Technical Capabilities – LockBit 5.0

Capability	Description
Cross-Platform	Windows, Linux, and ESXi variants for simultaneous enterprise targeting
Encryption	ChaCha20-Poly1305 symmetric encryption with X25519 key exchange and BLAKE2b hashing
Anti-Analysis	ETW patching (EtwEventWrite overwritten with RET instruction), DLL reflection loading
Persistence	Startup .url shortcuts, service installation
Evasion	Randomized 16-character file extensions, locale/geo checks avoiding Russian systems
Speed	Optimized encryption with file-size-based segmentation

Attack Chain

1. Initial Access: VPN exploitation, phishing, compromised credentials, brute-force attacks
2. Privilege Escalation: Credential harvesting, lateral movement tools (SmokeLoader observed)
3. Defense Evasion: Terminate security services, delete Volume Shadow Copies, clear event logs
4. Encryption: Deploy LockBit 5.0 with architecture-specific payloads
5. Extortion: Data exfiltration via Stealbit, double-extortion via leak site

ESXi-Specific Concerns

The ESXi variant specifically targets VMFS datastores and VM disk files. Because one ESXi host often hosts dozens of business services, encrypting at the hypervisor level collapses application tiers simultaneously. Organizations virtualizing critical workloads must treat hypervisors as Tier-0 assets.

MITRE ATT&CK Mapping

Technique ID	Technique Name	LockBit 5.0 Implementation
T1486	Data Encrypted for Impact	ChaCha20-Poly1305 file encryption
T1490	Inhibit System Recovery	Volume Shadow Copy deletion
T1562.001	Disable Security Tools	Service termination, Defender exclusions
T1055.012	Process Hollowing	Payload injection into legitimate processes
T1070.001	Clear Windows Event Logs	Post-encryption log wiping
T1027.002	Software Packing	Heavy obfuscation, DLL reflection
T1562.006	Indicator Blocking	ETW patching to blind EDR
T1497.001	System Checks	Russian language/geolocation avoidance

Indicators of Compromise

Behavioral Indicators:

• Randomized 16-character file extensions on encrypted files
• Ransom note files (ReadMeForDecrypt.txt or similar)
• Volume Shadow Copy deletion commands
• Mass file rename/modification operations
• Unusual MSBuild.exe or PowerShell activity

Network Indicators:

• Tor connections to LockBit negotiation portal
• Data exfiltration to unknown external endpoints
• IRC-based C2 communications (affiliate infrastructure)

Detection – YARA Rule:

rule LockBit_5_Ransom_Note {

    meta:

        description = “Detects LockBit 5.0 ransom note patterns”

        date = “2026-01-19”

    strings:

        $s1 = “LockBit” ascii wide

        $s2 = “decryption” ascii wide

        $s3 = “.onion” ascii wide

        $s4 = “Bitcoin” ascii wide

    condition:

        3 of them

}

Mitigation

Immediate Actions:

1. Implement network segmentation isolating backup infrastructure
2. Deploy immutable, off-fabric backups tested for recovery
3. Enable aggressive threat hunting for lateral movement and data exfiltration
4. Update hypervisor and management platforms
5. Configure endpoint detection for ETW tampering and service termination

Framework Alignment:

• CIS Controls v8: 11.1 (Data Recovery), 13.1 (Network Monitoring), 8.1 (Audit Log Management)
• NIST CSF 2.0: PR.IP-4 (Backups), DE.CM-1 (Network Monitoring), RS.RP-1 (Response Planning)
• ISO 27001:2022: A.12.3.1 (Backup), A.16.1.5 (Response to Incidents)

Sources

• Check Point Research: LockBit Returns
• Trend Micro: New LockBit 5.0
• Bitdefender Threat Debrief January 2026
• GBHackers: LockBit 5.0 Encryption
• Infosecurity Magazine: New LockBit Ransomware Variant

---

5. PHALT#BLYX ClickFix Campaign (MEDIUM GAP)

Risk Level: MEDIUM
Campaign Discovery: Late December 2025
Relevance: Active phishing campaign with advanced evasion techniques

Securonix identified an ongoing campaign dubbed PHALT#BLYX targeting European hospitality organizations using sophisticated ClickFix-style social engineering to deploy DCRat (Dark Crystal RAT).

Campaign Overview

The campaign leverages fake Booking.com reservation cancellation emails during peak holiday travel periods. Victims are redirected to convincing clones displaying fake CAPTCHA prompts and Blue Screen of Death (BSOD) animations that trick users into manually executing malicious PowerShell commands.

Attack Chain

1. Initial Access (T1566.002): Phishing email impersonating Booking.com with cancellation notice (charges >€1,000)
2. User Execution (T1204.001/T1204.004): Victim clicks link to fake site showing BSOD-style error with “fix” instructions
3. Command Execution (T1059.001): User pastes PowerShell command from clipboard into Run dialog
4. MSBuild Abuse (T1127.001): PowerShell downloads v.proj file executed by msbuild.exe
5. Defense Evasion (T1562/T1564.012): v.proj adds Windows Defender exclusions for ProgramData and common extensions
6. Persistence (T1547.009): Creates .url shortcut in Startup folder
7. Payload Deployment: Downloads staxs.exe (DCRat variant)
8. Process Hollowing (T1055.012): Injects payload into aspnet_compiler.exe
9. C2 Communication (T1571): Connects to C2 infrastructure over TCP port 3535

Technical Indicators

Malicious Domains:

• low-house[.]com (fake Booking.com site)
• oncameraworkout[.]com/ksbo (redirector)
• 2fa-bns[.]com (payload hosting)
• asj77[.]com (C2 domain)

File Indicators:

• v.proj (malicious MSBuild project file)
• staxs.exe (DCRat loader)
• Startup folder .url files pointing to dropped executables

Network Indicators:

• Outbound connections on TCP port 3535
• PowerShell download activity from suspicious domains
• MSBuild.exe network connections

Hash Indicators (SHA256): Contact Securonix or SOC Prime for current hash IOCs.

Attribution

Russian-language artifacts including Cyrillic debug strings embedded in the malware and the use of DCRat (commonly sold on Russian-language underground forums) link this activity to Russian-speaking threat actors.

Detection Rules

Sigma Rule – MSBuild Execution from User Context:

title: Suspicious MSBuild Execution with Project File Download

status: experimental

description: Detects potential PHALT#BLYX activity

logsource:

    category: process_creation

    product: windows

detection:

    selection:

        Image|endswith: ‘\msbuild.exe’

        CommandLine|contains: ‘.proj’

    filter:

        User|contains: ‘SYSTEM’

    condition: selection and not filter

level: high

tags:

    – attack.defense_evasion

    – attack.t1127.001

Sigma Rule – Windows Defender Exclusion Modification:

title: Suspicious Windows Defender Exclusion Addition

status: experimental

description: Detects modifications to Windows Defender exclusions

logsource:

    category: process_creation

    product: windows

detection:

    selection:

        CommandLine|contains:

            – ‘Add-MpPreference’

            – ‘ExclusionPath’

            – ‘ExclusionExtension’

    condition: selection

level: medium

tags:

    – attack.defense_evasion

    – attack.t1562.001

Mitigation

Immediate Actions:

1. Train users to recognize ClickFix-style prompts and “run this command to fix” social engineering
2. Monitor and restrict MSBuild.exe execution from unusual paths or user-driven workflows
3. Enable PowerShell script block logging for visibility
4. Add detections for Startup-folder .url shortcut creation
5. Monitor for Windows Defender exclusion modifications
6. Block outbound traffic to identified malicious domains
7. Alert on suspicious egress to TCP/3535

Email Security:

• Treat urgent booking-related emails with caution
• Verify requests through official channels
• Implement strict email filtering for Booking.com impersonation

Framework Alignment:

• CIS Controls v8: 14.3 (Security Awareness Training), 8.5 (Audit Logs), 9.1 (Email Security)
• NIST CSF 2.0: PR.AT-1 (Security Awareness), DE.CM-3 (Personnel Activity Monitoring)
• ISO 27001:2022: A.7.2.2 (Information Security Awareness)
• MITRE ATT&CK: T1566.002, T1204.001, T1059.001, T1127.001, T1562, T1547.009, T1055.012, T1571

Sources

• Securonix: Analyzing PHALT#BLYX
• SecurityWeek: Sophisticated ClickFix Campaign
• The Hacker News: Fake Booking Emails
• Infosecurity Magazine: PHALT#BLYX ClickFix
• SOC Prime: PHALT#BLYX Analysis

---

6. Dartmouth College Oracle E-Business Suite Breach

Risk Level: MEDIUM (Stack-Relevant Disclosure)
Breach Dates: August 9-12, 2025
Disclosure Date: November 24, 2025
Relevance: Your technology stack includes Oracle E-Business Suite

Dartmouth College confirmed a data breach affecting over 40,000 individuals after the Clop ransomware gang exploited a zero-day vulnerability in Oracle E-Business Suite (EBS). This breach is directly relevant to organizations using Oracle EBS.

Breach Details

Field	Value
Affected Individuals	40,000+ (31,742 NH, 1,956 TX, 1,494 ME)
Data Compromised	Names, Social Security numbers, financial account information
Attack Window	August 9-12, 2025
Threat Actor	Clop ransomware gang
Attack Vector	Oracle E-Business Suite zero-day (CVE-2025-61882)

Campaign Context

The Dartmouth breach is part of a broader Clop campaign targeting Oracle EBS customers. Other confirmed victims include:

• Harvard University
• The Washington Post
• Logitech
• GlobalLogic
• Canon (subsidiary)
• Envoy Air (American Airlines subsidiary)
• Southern Illinois University
• Tulane University
• Cox Enterprises

Clop claims over 100 organizations were impacted.

Oracle Stack Implications

Organizations running Oracle E-Business Suite should:

1. Verify all Oracle security patches are applied, particularly those released following the August 2025 incidents
2. Review Oracle EBS access logs for the August 2025 timeframe
3. Implement enhanced monitoring for Oracle EBS administrative functions
4. Audit third-party integrations and vendor access to Oracle systems

Related CISA Advisory

CISA added CVE-2025-61757 (Oracle Fusion Middleware Identity Manager, CVSS 9.8) to the Known Exploited Vulnerabilities catalog, indicating ongoing Oracle exploitation activity.

Mitigation for Oracle EBS Environments

Immediate Actions:

1. Apply all publicly available Oracle EBS patches
2. Review and restrict privileged access to EBS administrative functions
3. Implement file integrity monitoring on EBS servers
4. Enable enhanced logging and forward to SIEM
5. Conduct vulnerability assessment of Oracle EBS environment
6. Review vendor data security practices

Framework Alignment:

• CIS Controls v8: 7.1 (Application Vulnerability Management), 16.1 (Incident Response Process)
• NIST CSF 2.0: PR.IP-12 (Vulnerability Management), RS.RP-1 (Response Planning)
• ISO 27001:2022: A.12.6.1 (Technical Vulnerability Management)

Sources

• The Dartmouth: More than 40,000 hit by Dartmouth data breach
• The Record: Dartmouth Data Breach
• SecurityWeek: Dartmouth College Confirms Data Theft
• BleepingComputer: Dartmouth College Confirms Data Breach
• CPO Magazine: Dartmouth Oracle E-Business Suite Breach

---

7. GoBruteforcer Botnet – Linux Server Targeting

Risk Level: MEDIUM
Analysis Date: January 7-8, 2026
Relevance: Linux server infrastructure, MySQL, PostgreSQL, FTP services

Check Point Research documented an evolved GoBruteforcer botnet variant actively targeting Linux servers worldwide through brute-force attacks against common services.

Botnet Overview

GoBruteforcer (also known as GoBrut) is a modular Go-based botnet that brute-forces passwords for FTP, MySQL, PostgreSQL, and phpMyAdmin services on Linux servers. Compromised servers are converted into scanning and credential harvesting nodes, expanding the botnet’s reach.

Attack Surface

Check Point estimates over 50,000 internet-facing servers are vulnerable based on exposed service counts:

• FTP servers: ~5.7 million exposed
• MySQL servers: ~2.23 million exposed
• PostgreSQL servers: ~560,000 exposed

Technical Capabilities

Capability	Description
Target Services	FTP, MySQL, PostgreSQL, phpMyAdmin
Initial Access	XAMPP FTP servers with default/weak credentials
Persistence	IRC bot for remote control, web shell deployment
Propagation	Brute-force module scans random IP ranges
Financial Motivation	TRON balance scanner, token sweep utilities
Architecture	x86, x64, ARM Linux variants

Credential Exploitation

GoBruteforcer uses common operational usernames frequently found in AI-generated deployment examples:

• appuser
• myuser
• Common passwords: 123321, testing, admin123456, Abcd@123

Check Point notes that large language models trained on public documentation often reproduce these same default configurations, potentially increasing the botnet’s success rate as AI-assisted server deployments become more common.

Crypto-Focused Campaign

On compromised hosts, researchers recovered:

• Go-based TRON balance scanner
• TRON and Binance Smart Chain token-sweep utilities
• File containing approximately 23,000 TRON addresses
• On-chain analysis confirmed some financially motivated attacks were successful

Indicators of Compromise

Behavioral Indicators:

• Unusual outbound connections on ports 21 (FTP), 3306 (MySQL), 5432 (PostgreSQL)
• New IRC connections from server infrastructure
• Web shell files in web-accessible directories
• Unexpected PHP files in XAMPP htdocs

Process Indicators:

• Unknown Go binaries executing on Linux servers
• IRC client processes on non-desktop systems
• Mass scanning activity from server IPs

Mitigation

Immediate Actions:

1. Audit internet-facing FTP, MySQL, PostgreSQL, and phpMyAdmin services
2. Replace default usernames with unique, non-standard names
3. Implement strong, unique passwords for all database accounts
4. Disable unnecessary internet-facing services
5. Replace outdated software stacks like XAMPP with hardened alternatives
6. Implement multi-factor authentication where supported
7. Monitor for suspicious login attempts and brute-force patterns

Configuration Review:

• Avoid AI-generated deployment examples without security review
• Verify no default credentials remain in production
• Implement IP allowlisting for administrative access

Framework Alignment:

• CIS Controls v8: 6.3 (Require MFA), 6.5 (Account Lockout), 12.1 (Network Boundary Monitoring)
• NIST CSF 2.0: PR.AC-1 (Identity Management), DE.CM-1 (Network Monitoring)
• ISO 27001:2022: A.9.2.3 (Management of Privileged Access), A.9.4.3 (Password Management)

Sources

• Check Point Research: Inside GoBruteforcer
• The Hacker News: GoBruteforcer Botnet Targets Crypto
• Infosecurity Magazine: GoBruteforcer Botnet Linux Servers
• Dark Reading: GoBruteforcer Botnet 50K+ Linux Servers
• BleepingComputer: GoBruteforcer Attack Wave

---

8. Cisco ISE CVE-2026-20029 XXE Vulnerability

Risk Level: LOW-MEDIUM (CVSS 4.9)
Disclosure Date: January 2026
Relevance: Identity management infrastructure

Cisco addressed CVE-2026-20029, a medium-severity XML External Entity (XXE) vulnerability in Identity Services Engine (ISE) and ISE-PIC.

Vulnerability Details

Field	Value
CVE	CVE-2026-20029
CVSS	4.9 (Medium)
Attack Vector	Network
Authentication	Required (Admin credentials)
Impact	Information disclosure via improper XML parsing

Technical Description

The vulnerability allows authenticated administrators to access sensitive files through improper XML parsing. While requiring valid administrative credentials limits the attack surface, exploitation could enable access to configuration files, certificates, or other sensitive data on ISE appliances.

Exploitation Status

Proof-of-concept is reportedly available. No confirmed active exploitation.

Mitigation

Immediate Actions:

1. Apply Cisco security patches for ISE and ISE-PIC
2. Audit ISE administrative account access
3. Implement least-privilege for ISE administration
4. Monitor for unusual administrative activity

Framework Alignment:

• CIS Controls v8: 7.1 (Application Vulnerability Management)
• NIST CSF 2.0: PR.IP-12 (Vulnerability Management)

Sources

• Check Point Research: 12th January Threat Intelligence Report
• Cisco Security Advisories

---

Supplemental Technical Appendix: Consolidated IOCs

Network IOCs

PHALT#BLYX Campaign:

low-house[.]com

oncameraworkout[.]com

2fa-bns[.]com

asj77[.]com

TCP port 3535 (C2)

GoBruteforcer Botnet:

Monitor for IRC C2 traffic

Unusual scanning activity on ports 21, 3306, 5432

File IOCs

PHALT#BLYX:

v.proj (MSBuild project file)

staxs.exe (DCRat loader)

*.url files in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

Process IOCs

PHALT#BLYX:

msbuild.exe executing .proj files from user context

aspnet_compiler.exe with unusual network connections

PowerShell downloading from suspicious domains

LockBit 5.0:

Volume Shadow Copy deletion (vssadmin.exe, wmic.exe)

Service termination commands

Event log clearing

Detection Prioritization

Priority	Threat	Detection Focus
1	SAP Critical CVEs	Patch verification, RFC access monitoring
2	SmarterMail CVE-2025-52691	Patch verification, file upload monitoring
3	Firefox CVEs	Browser version auditing
4	PHALT#BLYX	MSBuild execution, PowerShell activity
5	LockBit 5.0	Ransomware behavior patterns
6	Oracle EBS	Patch status, access logging
7	GoBruteforcer	Brute-force detection, credential hygiene
8	Cisco ISE	Patch verification

---

Supplemental Framework Alignment Matrix

Vulnerability/Threat	CIS Controls v8	NIST CSF 2.0	ISO 27001:2022	MITRE ATT&CK
SAP January Patches	7.1, 4.7	PR.IP-12, ID.RA-1	A.12.6.1	T1190, T1078
Firefox CVE-2026-0891/0892	7.1, 2.2	PR.IP-12	A.12.6.1	T1203
SmarterMail CVE-2025-52691	7.1, 12.1	PR.IP-12, DE.CM-4	A.12.6.1	T1190, T1505.003
LockBit 5.0	11.1, 13.1, 8.1	PR.IP-4, DE.CM-1	A.12.3.1, A.16.1.5	T1486, T1490, T1562
PHALT#BLYX	14.3, 8.5, 9.1	PR.AT-1, DE.CM-3	A.7.2.2	T1566.002, T1127.001
Oracle EBS Breach	7.1, 16.1	PR.IP-12, RS.RP-1	A.12.6.1	T1190
GoBruteforcer	6.3, 6.5, 12.1	PR.AC-1, DE.CM-1	A.9.2.3, A.9.4.3	T1110, T1078
Cisco ISE CVE-2026-20029	7.1	PR.IP-12	A.12.6.1	T1059, T1552

---

Prepared: January 19, 2026

13. Sources

Authoritative Sources Used:

• CISA Known Exploited Vulnerabilities Catalog (cisa.gov)
• Microsoft Security Response Center (msrc.microsoft.com)
• Palo Alto Networks Security Advisories (security.paloaltonetworks.com)
• Fortinet FortiGuard (fortiguard.fortinet.com)
• Cisco Security Advisories (sec.cloudapps.cisco.com)
• Google Chrome Releases (chromereleases.googleblog.com)
• Singapore CSA Alerts (csa.gov.sg)
• CIS Security (cisecurity.org)

Threat Intelligence:

• CrowdStrike (crowdstrike.com)
• Check Point Research (research.checkpoint.com)
• Silent Push (silentpush.com)
• Shadowserver Foundation (shadowserver.org)
• Huntress (huntress.com)
• Trend Micro Zero Day Initiative

Security News:

• BleepingComputer, The Hacker News, Krebs on Security, SecurityWeek, The Record, Infosecurity Magazine, SC Media, Cyber Security News

---

Last Updated: January 19, 2026, 08:00 EST
Next Briefing: January 26, 2026

---