
Classification: Public
Reporting Period: January 12-19, 2026
Distribution: Security Operations, IT Leadership, Executive Team
Prepared By: Tech Jacks Solutions Security Intelligence


TJS Weekly Security Intelligence Briefing – Week of Jan 19th 2026

Executive Summary

The week of January 12-19, 2026 presents an elevated risk posture driven by Microsoft’s January Patch Tuesday release addressing 114 vulnerabilities (including one actively exploited zero-day), critical vulnerabilities in Palo Alto Networks GlobalProtect, ongoing exploitation of legacy Fortinet authentication bypasses, and an expansive Magecart web-skimming campaign targeting major payment networks. Federal agencies face immediate remediation deadlines with CISA adding vulnerabilities in Gogs, HPE OneView, and Microsoft Windows to the Known Exploited Vulnerabilities (KEV) catalog.

Organizations running Palo Alto Networks firewalls with GlobalProtect enabled face denial-of-service risk from CVE-2026-0227, with proof-of-concept code publicly available. Microsoft’s CVE-2026-20805 (Desktop Window Manager information disclosure) is confirmed actively exploited and undermines ASLR protections. Phishing campaigns exploiting misconfigured Microsoft 365 email routing continue to surge: in October 2025 alone, over 13 million malicious emails linked to the Tycoon2FA phishing-as-a-service platform were blocked.

Key Statistics:

  • 114 Microsoft vulnerabilities patched (8 Critical, 1 actively exploited)
  • 10,000+ Fortinet firewalls remain exposed to CVE-2020-12812 2FA bypass
  • 6,000+ Palo Alto firewalls exposed online per Shadowserver
  • Major Magecart campaign active since January 2022 targeting 6 payment networks

Critical Action Items

| Priority | Item | Affected Product | Deadline | Action |
| --- | --- | --- | --- | --- |
| 1 | CVE-2026-20805 – Actively Exploited Windows Zero-Day | Windows 10/11, Server | Feb 3, 2026 (CISA KEV) | Apply January 2026 cumulative updates immediately |
| 2 | CVE-2026-0227 – GlobalProtect DoS (PoC Available) | PAN-OS 10.1+ with GlobalProtect | Immediate | Upgrade to PAN-OS 12.1.4, 11.2.10-h2, or applicable hotfix |
| 3 | CVE-2025-37164 – HPE OneView RCE (CVSS 10.0) | HPE OneView < 11.0 | Jan 28, 2026 (CISA KEV) | Apply vendor hotfixes; all versions prior to 11.0 affected |
| 4 | CVE-2025-8110 – Gogs Path Traversal (Active Exploitation) | Gogs self-hosted Git | Feb 2, 2026 (CISA KEV) | Patch or discontinue use if fixes unavailable |
| 5 | CVE-2025-64155 – FortiSIEM Command Injection (CVSS 9.8) | FortiSIEM 7.x | Immediate | Migrate to fixed release; exploit code publicly available |
| 6 | CVE-2020-12812 – Fortinet 2FA Bypass (Renewed Attacks) | FortiOS SSL VPN | Immediate | Upgrade to FortiOS 6.4.1+; disable LDAP case-sensitive matching |

Key Security Stories

Story 1: Microsoft January 2026 Patch Tuesday – 114 Vulnerabilities Including Actively Exploited Zero-Day

Microsoft released security updates on January 13, 2026 addressing 114 vulnerabilities across Windows, Office, Azure, SharePoint, SQL Server, and other products. Eight vulnerabilities received Critical severity ratings, with CVE-2026-20805 confirmed as actively exploited in the wild.

CVE-2026-20805 is an information disclosure vulnerability in the Desktop Window Manager (DWM) component (CVSS 5.5) that allows local attackers with basic user privileges to leak sensitive process and memory-related data through Windows internal ALPC communication channels. Despite its moderate CVSS score, security researchers emphasize this flaw undermines Address Space Layout Randomization (ASLR) protections, enabling attackers to chain additional exploits more effectively.

Additional Critical Vulnerabilities:

  • CVE-2026-20854 (CVSS Critical): Remote code execution in Windows LSASS via use-after-free, exploitable over the network
  • CVE-2026-20952/20953 (CVSS 8.4): Microsoft Office RCE via Preview Pane (no user interaction required)
  • CVE-2026-20876 (CVSS 6.7): VBS Enclave elevation of privilege enabling escape to Virtual Trust Level 2

Microsoft also removed vulnerable legacy Agere Soft Modem drivers (agrsm64.sys, agrsm.sys) addressing CVE-2023-31096, which had been exploited to gain SYSTEM privileges.

Affected Versions: All supported Windows 10, Windows 11, and Windows Server versions
Exploitation Status: CVE-2026-20805 actively exploited; CVE-2026-21265 and CVE-2023-31096 publicly disclosed
Remediation: Apply KB5074109 (Windows 11), KB5073455, or KB5073724 (Windows 10 ESU) immediately

Source: Microsoft Security Update Guide, BleepingComputer, Krebs on Security, CrowdStrike Analysis


Story 2: Palo Alto Networks GlobalProtect DoS Vulnerability with Public PoC

Palo Alto Networks disclosed CVE-2026-0227 on January 14, 2026, a high-severity denial-of-service vulnerability (CVSS 7.7) affecting GlobalProtect Gateway and Portal services. The vulnerability allows unauthenticated remote attackers to disrupt firewall operations, with repeated exploitation forcing devices into maintenance mode.

The flaw stems from improper validation of unusual or exceptional conditions (CWE-754) and affects all PAN-OS versions 10.1 and later with GlobalProtect enabled. Cloud NGFW deployments are not affected. Proof-of-concept exploit code is publicly available, significantly elevating exploitation risk despite no confirmed malicious activity at disclosure.

Shadowserver currently tracks approximately 6,000 Palo Alto Networks firewalls exposed on the internet, though vulnerability status varies by configuration.

Affected Versions:

  • PAN-OS 12.1.0 to 12.1.3 (fix: 12.1.4)
  • PAN-OS 11.2.4 to 11.2.10 (fix: 11.2.10-h2)
  • PAN-OS 11.1.x (fix: 11.1.13)
  • PAN-OS 10.2.x (multiple hotfixes available)
  • Prisma Access (most instances patched; remaining scheduled)

Exploitation Status: PoC available; no active exploitation confirmed
Remediation: Upgrade to fixed PAN-OS version; temporarily disable GlobalProtect if patching delayed

Source: Palo Alto Networks Security Advisory, BleepingComputer, Network World


Story 3: Fortinet Products Under Renewed Attack – Critical FortiSIEM and Legacy 2FA Bypass

Multiple Fortinet vulnerabilities demand immediate attention this week. CVE-2025-64155 (CVSS 9.8) is a critical OS command injection vulnerability in FortiSIEM allowing unauthenticated remote code execution via specially crafted TCP requests. Exploit code is publicly available.

Simultaneously, Fortinet disclosed renewed exploitation of CVE-2020-12812, a five-year-old critical authentication bypass (CVSS 9.8) in FortiOS SSL VPN. The Shadowserver Foundation reports over 10,000 Fortinet firewalls remain unpatched, with 1,200+ in the United States alone. This vulnerability has been weaponized by ransomware groups including Play and Hive, and threat actors linked to Iran.

The authentication bypass occurs when two-factor authentication is enabled for local users with remote LDAP authentication, and the username case differs from the LDAP directory entry. FortiGate treats usernames as case-sensitive while LDAP directories typically do not, allowing attackers to bypass 2FA by simply changing username capitalization.
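The mismatch described above, reduced to a small simulation (an added example, not FortiOS code and not a description of FortiOS internals): a 2FA policy table keyed on the exact configured username is consulted case-sensitively, while the directory bind behind it is case-insensitive, and the hardened version canonicalizes the username once and fails closed when no policy row exists. The user names and passwords are constructed.

```python
"""Simplified model of the case-handling mismatch behind CVE-2020-12812: a 2FA policy
table keyed on the exact configured username sits in front of a directory that matches
usernames case-insensitively. Constructed example for illustration; it is not FortiOS
code and makes no claim about how FortiOS implements the lookup internally."""
from dataclasses import dataclass
from typing import Optional

# Constructed directory: LDAP uid matching is typically case-insensitive.
LDAP_DIRECTORY = {"alice": "correct-horse-battery"}  # uid -> password (fake data)

# Constructed local user table: the 2FA requirement is stored under the
# username string exactly as the administrator typed it.
LOCAL_USERS = {"alice": {"two_factor": True}}


def ldap_bind(username: str, password: str) -> bool:
    """Case-insensitive bind: 'Alice' and 'alice' resolve to the same entry."""
    return LDAP_DIRECTORY.get(username.lower()) == password


@dataclass
class LoginResult:
    authenticated: bool
    two_factor_required: bool


def login_vulnerable(username: str, password: str) -> LoginResult:
    """Policy lookup is case-sensitive, bind is not. 'Alice' misses the policy row
    for 'alice', so a successful bind is treated as a user with no 2FA policy."""
    if not ldap_bind(username, password):
        return LoginResult(False, False)
    policy: Optional[dict] = LOCAL_USERS.get(username)
    return LoginResult(True, bool(policy and policy["two_factor"]))


def login_hardened(username: str, password: str) -> LoginResult:
    """Canonicalize once and use the same form for policy lookup and bind, and fail
    closed when no policy row exists instead of defaulting to 'no 2FA'."""
    canonical = username.lower()
    policy = LOCAL_USERS.get(canonical)
    if policy is None or not ldap_bind(canonical, password):
        return LoginResult(False, False)
    return LoginResult(True, policy["two_factor"])
```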

Affected Products:

  • FortiSIEM 7.4.0, 7.3.0-7.3.4, 7.2.0-7.2.6, 7.1.x, 7.0.x, 6.7.x (CVE-2025-64155)
  • FortiOS 6.4.0 and earlier with LDAP-backed 2FA (CVE-2020-12812)

Exploitation Status: Both vulnerabilities actively exploited; public PoC for FortiSIEM
Remediation:

  • FortiSIEM: Upgrade to 7.4.1+ or migrate to fixed release
  • FortiOS: Upgrade to 6.4.1+; disable username case-sensitivity

Source: Singapore CSA Advisory, The Hacker News, BleepingComputer


CISA KEV & Critical CVE Table

| CVE | Product | CVSS | Status | CISA Deadline | Description |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-20805 | Windows DWM | 5.5 | Actively Exploited | Feb 3, 2026 | Information disclosure enabling ASLR bypass |
| CVE-2025-37164 | HPE OneView | 10.0 | Actively Exploited | Jan 28, 2026 | Unauthenticated RCE; RondoDox botnet campaign |
| CVE-2025-8110 | Gogs | 8.7 | Actively Exploited | Feb 2, 2026 | Path traversal enabling code execution |
| CVE-2025-14847 | MongoDB Server | 9.1 | Actively Exploited | Jan 19, 2026 | “Mongobleed” memory disclosure (pre-auth) |
| CVE-2026-0227 | Palo Alto PAN-OS | 7.7 | PoC Available | N/A | GlobalProtect DoS; no workaround |
| CVE-2025-64155 | FortiSIEM | 9.8 | PoC Available | N/A | Unauthenticated command injection |
| CVE-2020-12812 | FortiOS SSL VPN | 9.8 | Actively Exploited | N/A (2022) | 2FA bypass via case manipulation |
| CVE-2026-20854 | Windows LSASS | Critical | Not Exploited | N/A | Remote code execution (use-after-free) |
| CVE-2026-20952 | Microsoft Office | 8.4 | Not Exploited | N/A | RCE via Preview Pane (no interaction) |
| CVE-2026-20953 | Microsoft Office | 8.4 | Not Exploited | N/A | RCE via Preview Pane (no interaction) |
| CVE-2026-0628 | Chrome WebView | High | Not Exploited | N/A | Security restriction bypass |
| CVE-2026-20029 | Cisco ISE | 4.9 | PoC Available | N/A | XXE information disclosure |
| CVE-2025-59718 | Fortinet Multiple | 9.1 | Actively Exploited | Jan 23, 2026 | FortiCloud SSO auth bypass |

Phishing & Social Engineering Alert

Tycoon2FA and Domain Spoofing Campaign Surge

Microsoft Threat Intelligence reports a significant increase since May 2025 in phishing campaigns exploiting misconfigured email routing and weak spoof protections. In October 2025 alone, Microsoft Defender blocked over 13 million malicious emails linked to the Tycoon2FA phishing-as-a-service platform.

Attack Characteristics:

  • Emails appear to originate from the target organization’s own domain
  • Themes include HR communications, password resets, voicemail notifications, and document signing requests
  • Adversary-in-the-middle (AiTM) techniques bypass MFA protections
  • Targets organizations with MX records not pointed directly to Office 365

Google Cloud Application Integration Abuse: Check Point Research identified a 14-day campaign in December 2025 sending 9,394 phishing emails from legitimate Google addresses (noreply-application-integration@google[.]com). The campaign targeted approximately 3,200 organizations across manufacturing, technology, financial services, and retail sectors.

Detection & Prevention:

  • Verify MX records point directly to Office 365 for native spoof detection
  • Configure strict DMARC reject and SPF hard fail policies
  • Enable phishing-resistant MFA (hardware keys, passkeys)
  • Train users to verify unexpected document signing and password reset requests

Source: Microsoft Security Blog, The Hacker News, The Hacker News – Google Cloud


Supply Chain & Web Threats

Magecart Web Skimming Campaign Targets Major Payment Networks

Silent Push researchers exposed an extensive Magecart web-skimming campaign active since January 2022, targeting online shoppers using American Express, Diners Club, Discover, Mastercard, JCB, and UnionPay cards. The campaign uses bulletproof hosting infrastructure linked to European-sanctioned entity PQ.Hosting/Stark Industries.

Technical Details:

  • Malicious JavaScript injected into WooCommerce checkout pages with Stripe integration
  • Skimmer hides legitimate payment form, replaces with identical fake form
  • Includes card brand detection logic displaying appropriate logos
  • Self-destruct routine activates when WordPress admin session detected
  • Data exfiltrated via HTTP POST to lasorie[.]com and cdn-cookie[.]com domains
  • XOR encryption (key: “777”) with Base64 encoding applied before exfiltration
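For incident responders who capture the skimmer's outbound POST bodies, the encoding described above can be reversed offline. The decoder below is an added example (not Silent Push's or the skimmer's code); it assumes the key is the ASCII string "777" applied as a repeating byte key under a Base64 wrapper, and the sample payload it decodes is constructed with fake card data.

```python
"""Decoder for the Base64-wrapped, repeating-key XOR encoding described for the
skimmer's exfiltration traffic. Added example; it assumes the key is the ASCII
string "777" applied byte-by-byte, which is an assumption about the encoding,
not a statement about the skimmer's actual implementation."""
import base64
import json

XOR_KEY = b"777"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_exfil_payload(blob: str, key: bytes = XOR_KEY) -> str:
    """Reverse the encoding: Base64 -> XOR -> UTF-8 text. Malformed Base64
    raises ValueError (validate=True), so a wrong guess about the encoding is
    distinguishable from a successful decode."""
    raw = base64.b64decode(blob, validate=True)
    return xor_repeating(raw, key).decode("utf-8")


def encode_exfil_payload(text: str, key: bytes = XOR_KEY) -> str:
    """Forward direction, used here only to build the constructed sample."""
    return base64.b64encode(xor_repeating(text.encode("utf-8"), key)).decode("ascii")


def extract_card_fields(decoded: str) -> dict:
    """The skimmer's field names are not known to this example; a JSON body is
    assumed. Anything that looks like a PAN is masked so the result can be
    logged or attached to a ticket without spreading cardholder data."""
    masked = {}
    for key, value in json.loads(decoded).items():
        digits = str(value).replace(" ", "")
        if digits.isdigit() and 13 <= len(digits) <= 19:
            masked[key] = "*" * (len(digits) - 4) + digits[-4:]
        else:
            masked[key] = value
    return masked


# Constructed stand-in for a captured POST body (fake cardholder data).
SAMPLE_FIELDS = {"name": "J. Doe", "number": "4111 1111 1111 1111", "exp": "12/28"}
SAMPLE_BLOB = encode_exfil_payload(json.dumps(SAMPLE_FIELDS))

if __name__ == "__main__":
    print(extract_card_fields(decode_exfil_payload(SAMPLE_BLOB)))
```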

Indicators of Compromise (IOCs):

  • cdn-cookie[.]com/recorder.js
  • lasorie[.]com (exfiltration server)
  • ASN 209847 (PQ.Hosting/Stark Industries infrastructure)
  • colunexshop[.]com (confirmed compromised site)

Mitigation:

  • Implement Content Security Policy (CSP) restricting external script loading
  • Deploy Subresource Integrity (SRI) for payment scripts
  • Monitor for unauthorized checkout page modifications
  • Use payment processor-hosted payment pages where possible

Source: Silent Push Research, The Hacker News, Infosecurity Magazine


Browser Security Updates

Google Chrome 143.0.7499.192/.193 – WebView Security Bypass

Google released Chrome versions 143.0.7499.192/.193 on January 6, 2026 addressing CVE-2026-0628, a high-severity vulnerability in the WebView component affecting approximately 3 billion users.

The vulnerability stems from insufficient policy enforcement in the WebView tag, potentially allowing malicious extensions or payloads to bypass security controls and inject content into privileged pages.

Affected Products:

  • Google Chrome prior to 143.0.7499.192 (Linux)
  • Google Chrome prior to 143.0.7499.192/.193 (Windows/Mac)
  • Chrome for Android prior to 143.0.7499.193
  • Applications using WebView for content rendering

Impact: WebView vulnerabilities extend beyond browsers to countless Android applications and in-app browsers using the component.

Remediation: Update Chrome via Help > About Google Chrome; restart browser to activate patch

Source: Chrome Releases Blog, TechRepublic


Helpful 5: High-Value, Low-Effort Mitigations

1. Microsoft 365: Configure Strict DMARC and SPF Policies

Why: Tycoon2FA phishing campaigns exploited organizations with misconfigured spoof protections, sending 13+ million malicious emails appearing from internal domains.

How:

  1. Navigate to Microsoft 365 Admin Center → Settings → Domains
  2. Verify MX records point to Office 365
  3. Set DMARC policy to p=reject (not p=none)
  4. Configure SPF with -all (hard fail) not ~all (soft fail)
  5. Enable Enhanced Filtering for connectors if using third-party mail routing
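To check steps 2 to 4 against records already pulled from DNS (for example the output of a TXT lookup), the audit below evaluates MX targets, the SPF `all` qualifier and the DMARC policy tags and reports what still needs tightening. It is an added example, not Microsoft tooling; the Office 365 MX suffix `.mail.protection.outlook.com` and SPF include `spf.protection.outlook.com` are the standard Microsoft values, and the records it is run against are constructed for a fictional domain.

```python
"""Offline checker for the MX / SPF / DMARC settings called for above. Added example;
it evaluates record strings passed in (e.g. from a dig or nslookup TXT query)
rather than performing DNS lookups itself."""
from typing import Dict, List

O365_MX_SUFFIX = ".mail.protection.outlook.com"   # standard Office 365 MX target suffix
O365_SPF_INCLUDE = "spf.protection.outlook.com"   # standard Office 365 SPF include


def check_mx(mx_hosts: List[str]) -> List[str]:
    """Native spoof detection depends on mail arriving directly at Office 365."""
    if not mx_hosts:
        return ["MX: no records supplied"]
    return [f"MX: {h} does not point at Office 365; native spoof detection is bypassed"
            for h in mx_hosts if not h.rstrip(".").lower().endswith(O365_MX_SUFFIX)]


def check_spf(record: str) -> List[str]:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record is missing or not v=spf1"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unauthorized senders are not rejected")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # bare 'all' means +all
        if qualifier == "~":
            findings.append("SPF: ~all (soft fail) should be -all (hard fail)")
        elif qualifier in "+?":
            findings.append(f"SPF: {last} authorizes any sender")
    if O365_SPF_INCLUDE not in record.lower():
        findings.append(f"SPF: does not include {O365_SPF_INCLUDE}")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', 'rua': ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record is missing or not v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'} should be p=reject")
    sub_policy = tags.get("sp", policy).lower()     # sp defaults to p
    if sub_policy != "reject":
        findings.append(f"DMARC: subdomain policy sp={sub_policy} should be reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} leaves a share of failing mail unpoliced")
    return findings


def audit(mx_hosts: List[str], spf: str, dmarc: str) -> List[str]:
    return check_mx(mx_hosts) + check_spf(spf) + check_dmarc(dmarc)


# Constructed records for a fictional tenant (example.com); not real DNS data.
WEAK = dict(mx_hosts=["mail.example-filter.net."],
            spf="v=spf1 include:spf.protection.outlook.com ~all",
            dmarc="v=DMARC1; p=none; rua=mailto:dmarc@example.com")
HARDENED = dict(mx_hosts=["example-com.mail.protection.outlook.com."],
                spf="v=spf1 include:spf.protection.outlook.com -all",
                dmarc="v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(**records) or ["no findings"])
```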

Framework Alignment: CIS Control 9.5, NIST CSF PR.DS-5, ISO 27001 A.13.2.1


2. Palo Alto Networks: Verify GlobalProtect Patch Status

Why: CVE-2026-0227 enables unauthenticated DoS with public PoC; ~6,000 firewalls exposed per Shadowserver.

How:

  1. Verify current PAN-OS version: show system info | match sw-version
  2. Check GlobalProtect status: show global-protect-gateway statistics
  3. If vulnerable, upgrade to: 12.1.4, 11.2.10-h2, 11.1.13, or applicable hotfix
  4. Temporary workaround: Disable GlobalProtect interface until patched
  5. Monitor for unusual traffic patterns to GlobalProtect portal

Framework Alignment: CIS Control 7.1, NIST CSF ID.RA-1, MITRE ATT&CK T1498


3. Fortinet: Audit SSL VPN Authentication Configuration

Why: CVE-2020-12812 2FA bypass is under renewed exploitation; 10,000+ firewalls remain unpatched.

How:

  1. Check FortiOS version: get system status
  2. Review LDAP authentication configuration: config user ldap
  3. Verify 2FA enforcement: config user local
  4. Upgrade to FortiOS 6.4.1+ or disable case-sensitive username matching
  5. Enable verbose logging and forward to SIEM: config log setting

Framework Alignment: CIS Control 6.3, NIST CSF PR.AC-7, ISO 27001 A.9.4.2


4. Web Properties: Implement Content Security Policy for Payment Pages

Why: Magecart campaign active since 2022 targets Stripe-enabled WooCommerce sites via malicious JavaScript injection.

How:

  1. Implement CSP header restricting script sources: Content-Security-Policy: script-src 'self' https://js.stripe.com;
  2. Enable Subresource Integrity for payment scripts
  3. Configure File Integrity Monitoring on checkout page files
  4. Review third-party scripts loaded on payment pages
  5. Consider using Stripe Elements or hosted payment pages
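Whether a given policy would actually have stopped the script named in this campaign is easy to check before deployment. The evaluator below is an added example (not WooCommerce, Stripe or browser code); it resolves the `script-src` directive (falling back to `default-src`) for `'self'`, host sources with optional scheme and leading wildcard, scheme sources such as `https:`, and inline scripts, and it deliberately omits nonces, hashes and `'strict-dynamic'`. The checkout page origin and the weak policy are constructed; the skimmer URL is the one listed in this briefing.

```python
"""Evaluates which script loads a Content-Security-Policy header permits on a
checkout page. Added example; it does not implement nonces, hashes or
'strict-dynamic', so it is a pre-deployment sanity check, not a full CSP engine."""
from urllib.parse import urlparse


def parse_csp(header: str) -> dict:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}"""
    directives = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def script_sources(header: str) -> list:
    """script-src falls back to default-src; no directive at all means unrestricted."""
    directives = parse_csp(header)
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", ["*"])


def _host_matches(pattern_host: str, host: str) -> bool:
    pattern_host, host = pattern_host.lower(), host.lower()
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])   # '*.example.com' matches a.example.com
    return pattern_host == host


def source_allows(source: str, page_origin: str, script_url: str) -> bool:
    page, script = urlparse(page_origin), urlparse(script_url)
    if source.startswith("'"):                   # keyword source
        return source.strip("'").lower() == "self" and \
            (script.scheme, script.netloc) == (page.scheme, page.netloc)
    if source == "*":
        return script.scheme in ("http", "https")
    if source.endswith(":"):                     # scheme source such as https:
        return script.scheme == source[:-1].lower()
    # host source: [scheme://]host[:port][/path]; no scheme means the page's scheme
    pattern = urlparse(source if "://" in source else f"{page.scheme}://{source}")
    if pattern.scheme != script.scheme:
        return False
    if not _host_matches(pattern.hostname or "", script.hostname or ""):
        return False
    if pattern.port and pattern.port != script.port:
        return False
    if pattern.path and pattern.path != "/" and not script.path.startswith(pattern.path):
        return False
    return True


def script_allowed(header: str, page_origin: str, script_url: str) -> bool:
    return any(source_allows(s, page_origin, script_url) for s in script_sources(header))


def inline_allowed(header: str) -> bool:
    """Injected inline skimmer code runs only if 'unsafe-inline' is present."""
    return "'unsafe-inline'" in [s.lower() for s in script_sources(header)]


# Constructed checkout-page scenario; the skimmer URL is the one named in this briefing.
PAGE = "https://shop.example"
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
HARDENED_CSP = "default-src 'self'; script-src 'self' https://js.stripe.com"
SKIMMER = "https://cdn-cookie.com/recorder.js"
```

Note that a broad scheme source such as `https:` permits the skimmer host just as readily as a legitimate CDN, which is why the how-to lists the Stripe origin explicitly.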

Framework Alignment: CIS Control 2.7, OWASP ASVS V14.4, PCI DSS 6.4.3


5. Windows Endpoints: Prioritize January Patch Tuesday Deployment

Why: CVE-2026-20805 is actively exploited; undermines ASLR enabling exploit chaining.

How:

  1. Test KB5074109 (Windows 11) or KB5073724 (Windows 10) in staging
  2. Deploy to internet-facing and high-value systems first
  3. Verify legacy modem drivers removed: Check for agrsm64.sys, agrsm.sys
  4. Monitor for exploitation indicators via EDR/SIEM
  5. Expedite Office updates for CVE-2026-20952/20953 Preview Pane RCE

Framework Alignment: CIS Control 7.3, NIST CSF PR.IP-12, ISO 27001 A.12.6.1


Threat Landscape Summary

Ransomware Trends

The ransomware ecosystem continues evolving with declining payment rates driving tactical shifts. Recorded Future predicts 2026 will mark the first year new ransomware actors outside Russia outnumber those within. Two former US cybersecurity professionals (Ryan Goldberg of Sygnia, Kevin Martin of DigitalMint) pleaded guilty to BlackCat/ALPHV ransomware conspiracy, facing sentencing in March 2026 with up to 20 years imprisonment. The case highlights insider threat risks as trusted security professionals were revealed as ransomware affiliates who extorted approximately $1.27 million from victims in 2023.

Active groups this week include Qilin (targeting manufacturing, healthcare, real estate), SafePay (exploiting VPN weaknesses), and TridentLocker (claimed attack on Sedgwick Government Solutions, a federal contractor serving DHS, ICE, CBP, and CISA).

APT & Nation-State Activity

Chinese-speaking threat actors exploited compromised SonicWall VPN appliances to deliver a VMware ESXi exploitation toolkit that was potentially developed more than a year before the underlying vulnerabilities were disclosed (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226). The sophisticated attack chain enables VM escape to hypervisor control. The FBI warned of North Korean Kimsuky actors using malicious QR codes in spear-phishing targeting think tanks and academic institutions.

AI & Cloud Security

Check Point disclosed that attackers abused Google Cloud Application Integration’s email feature to send phishing emails from legitimate Google addresses, bypassing traditional filters. The campaign exploited the trust associated with Google infrastructure to target 3,200+ organizations globally. Organizations should monitor for abuse of legitimate cloud automation services.


Upcoming Security Events

| Date | Event | Action Required |
| --- | --- | --- |
| Jan 19, 2026 | CVE-2025-14847 (MongoDB) CISA KEV Deadline | Patch all affected MongoDB instances |
| Jan 23, 2026 | CVE-2025-59718 (Fortinet SSO) CISA KEV Deadline | Apply FortiOS patches |
| Jan 28, 2026 | CVE-2025-37164 (HPE OneView) CISA KEV Deadline | Apply vendor hotfixes |
| Feb 2, 2026 | CVE-2025-8110 (Gogs) CISA KEV Deadline | Patch or discontinue use |
| Feb 3, 2026 | CVE-2026-20805 (Windows DWM) CISA KEV Deadline | Apply January patches |
| Feb 11, 2026 | February Patch Tuesday | Plan testing cycle |
| Jun 2026 | Windows Secure Boot Certificate Expiration | Review CVE-2026-21265 guidance |

Framework Alignment Matrix

| Vulnerability/Threat | CIS Controls v8 | NIST CSF 2.0 | ISO 27001:2022 | MITRE ATT&CK | CISA Recommendations |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-20805 (Windows DWM) | 7.1, 7.3 | PR.IP-12, DE.CM-8 | A.12.6.1 | T1082, T1592 | BOD 22-01 compliance |
| CVE-2026-0227 (PAN-OS DoS) | 7.1, 12.1 | PR.IP-12, PR.PT-4 | A.12.6.1, A.13.1.1 | T1498, T1499 | Patch immediately |
| CVE-2020-12812 (Fortinet 2FA) | 6.3, 6.5, 7.1 | PR.AC-7, PR.IP-12 | A.9.4.2 | T1078, T1110 | KEV – patch or mitigate |
| Tycoon2FA Phishing | 9.5, 14.3, 14.6 | PR.DS-5, PR.AT-1 | A.7.2.2, A.13.2.1 | T1566, T1557 | DMARC/SPF enforcement |
| Magecart Skimming | 2.7, 16.2, 16.6 | PR.DS-1, DE.CM-4 | A.14.2.5 | T1059.007, T1185 | CSP implementation |
| CVE-2025-64155 (FortiSIEM) | 7.1, 4.1 | PR.IP-12, DE.CM-8 | A.12.6.1 | T1059, T1190 | Upgrade immediately |

Technical Appendix: Indicators of Compromise

Magecart Campaign IOCs

Exfiltration Domains:

  • lasorie[.]com
  • cdn-cookie[.]com

Malicious Script URLs:

  • cdn-cookie[.]com/recorder.js

Network Indicators:

  • ASN 209847 (PQ.Hosting/Stark Industries/THE.Hosting)

Compromised Sites (Sample):

  • colunexshop[.]com

VMware ESXi Exploitation (Chinese APT)

Associated Tools:

  • MAESTRO orchestrator
  • VSOCKpuppet backdoor

Targeted CVEs:

  • CVE-2025-22224 (VMCI TOCTOU)
  • CVE-2025-22225 (ESXi arbitrary write)
  • CVE-2025-22226 (HGFS memory leak)

Initial Access Vector: Compromised SonicWall VPN appliances

Detection Rules

YARA Rule – Magecart Skimmer Detection:

rule Magecart_WooCommerce_Skimmer {
    meta:
        description = "Detects Magecart skimmer targeting WooCommerce/Stripe"
        date = "2026-01-19"
    strings:
        $s1 = "wc-stripe-form" ascii
        $s2 = "wpadminbar" ascii
        $s3 = "wc_cart_hash" ascii
        $s4 = "lasorie.com" ascii
        $s5 = "cdn-cookie.com" ascii
    condition:
        3 of them
}

Sigma Rule – Windows DWM Exploitation Attempt:

title: Potential CVE-2026-20805 Exploitation
status: experimental
description: Detects potential exploitation of Windows Desktop Window Manager information disclosure
logsource:
    # TargetImage and CallTrace are Sysmon process access (Event ID 10) fields,
    # so the log source must be process_access rather than process_creation
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\dwm.exe'
        CallTrace|contains: 'ALPC'
    condition: selection
level: high
tags:
    - attack.discovery
    - attack.t1082
    - cve.2026.20805


Supplemental Critical Action Items

| Priority | Item | Affected Product | Deadline | Action |
| --- | --- | --- | --- | --- |
| CRITICAL | CVE-2026-0501 – SAP S/4HANA SQL Injection (CVSS 9.9) | SAP S/4HANA S4CORE 102-109 | Immediate | Apply SAP Security Note #3687749 |
| CRITICAL | CVE-2026-0500 – SAP Wily Introscope RCE (CVSS 9.6) | SAP Wily Introscope 10.8 | Immediate | Apply SAP Security Note #3668679 |
| HIGH | CVE-2025-52691 – SmarterMail Pre-Auth RCE (CVSS 10.0) | SmarterMail ≤ Build 9406 | Immediate | Update to Build 9483 |
| HIGH | CVE-2026-0891/0892 – Firefox Memory Safety (Suspected Exploited) | Firefox < 147, ESR < 140.7 | Immediate | Update to Firefox 147 / ESR 140.7 |

1. SAP Security Patch Day – January 2026

Risk Level: CRITICAL
Disclosure Date: January 13, 2026
Relevance: Enterprise ERP systems widely deployed across organizations

SAP released 17 new security notes on January 13, 2026, addressing vulnerabilities across widely deployed enterprise systems. The patch cycle includes four HotNews (critical-severity) vulnerabilities that demand immediate attention.

Critical Vulnerabilities (HotNews)

| CVE | Product | CVSS | Description |
| --- | --- | --- | --- |
| CVE-2026-0501 | SAP S/4HANA General Ledger | 9.9 | SQL injection allowing authenticated attackers to execute arbitrary SQL queries, compromising financial data integrity |
| CVE-2026-0500 | SAP Wily Introscope Enterprise Manager | 9.6 | Remote code execution requiring minimal user interaction; unauthenticated attackers can create malicious JNLP files |
| CVE-2026-0498 | SAP S/4HANA (Private Cloud/On-Premise) | 9.1 | Code injection allowing high-privileged attackers to modify source code without authentication checks |
| CVE-2026-0491 | SAP Landscape Transformation (DMIS add-on) | 9.1 | Code injection via same vulnerable function as CVE-2026-0498 |

High-Priority Vulnerabilities

| CVE | Product | CVSS | Description |
| --- | --- | --- | --- |
| CVE-2026-0492 | SAP HANA Database | 8.8 | Privilege escalation enabling user impersonation to administrative context |
| CVE-2026-0507 | SAP Application Server ABAP / NetWeaver RFCSDK | 8.4 | OS command injection for high-privileged attackers on adjacent networks |
| CVE-2026-0506 | SAP NetWeaver Application Server | 8.1 | Missing authorization checks enabling privilege escalation |

Affected Versions

  • S4CORE: Versions 102 through 109 (private cloud and on-premise)
  • SAP Wily Introscope: Version 10.8
  • SAP HANA: All current supported versions
  • SAP NetWeaver: Multiple components

Exploitation Status

No active exploitation confirmed at time of disclosure. However, RFC-based vulnerabilities are historically attractive targets for ransomware groups and APT actors targeting enterprise environments.

Threat Model

Attack Vector: CVE-2026-0501 requires authenticated access with low privileges. Attackers compromise technical RFC users (integration accounts, service users) and use RFC tooling to call vulnerable function paths with crafted parameters.

Kill Chain:

  1. Initial access via compromised credentials or phishing
  2. Lateral movement to SAP environment
  3. Exploit RFC/SQL injection for data access or privilege escalation
  4. Financial data manipulation, backdoor creation, or ransomware deployment

Remediation

Immediate Actions:

  1. Apply SAP Security Notes #3687749 (CVE-2026-0501), #3668679 (CVE-2026-0500), #3694242 (CVE-2026-0498), #3697979 (CVE-2026-0491)
  2. Review S_RFC authorizations for overly permissive configurations
  3. Audit technical RFC user accounts and integration credentials
  4. Enable verbose logging on SAP systems and forward to SIEM

Framework Alignment:

  • CIS Controls v8: 7.1 (Application Vulnerability Management), 4.7 (Manage Default Accounts)
  • NIST CSF 2.0: PR.IP-12 (Vulnerability Management), ID.RA-1 (Risk Assessment)
  • ISO 27001:2022: A.12.6.1 (Management of Technical Vulnerabilities)

Sources


2. Mozilla Firefox Security Updates – Suspected Zero-Days

Risk Level: HIGH
Disclosure Date: January 13, 2026
Relevance: Browser stack component for enterprise environments

Mozilla released Firefox 147 and Firefox ESR 140.7 on January 13, 2026, addressing 34 vulnerabilities including two memory safety bugs suspected of active exploitation.

Suspected Exploited Vulnerabilities

| CVE | Severity | Description | Fixed In |
| --- | --- | --- | --- |
| CVE-2026-0891 | High | Memory safety bugs showing evidence of memory corruption | Firefox 147, ESR 140.7 |
| CVE-2026-0892 | High | Memory safety bugs showing evidence of memory corruption | Firefox 147 |

Technical Details

According to Mozilla Foundation Security Advisory MFSA2026-01, both vulnerabilities involve memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146, and Thunderbird 146. The advisory states these bugs “showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.”

Affected Products

  • Firefox versions prior to 147
  • Firefox ESR versions prior to 140.7
  • Thunderbird versions prior to 147/ESR 140.7

Exploitation Status

Ivanti reports both CVEs are “suspected to be exploited” though active exploitation has not been publicly confirmed. Given the memory corruption evidence, defensive teams should treat these as high-priority patches.

Remediation

Immediate Actions:

  1. Update Firefox to version 147 via Help → About Firefox
  2. Update Firefox ESR to version 140.7
  3. Update Thunderbird to corresponding patched versions
  4. Enable automatic updates for browser deployments
  5. Monitor for unusual browser behavior or crashes

Framework Alignment:

  • CIS Controls v8: 7.1 (Application Vulnerability Management), 2.2 (Ensure Authorized Software)
  • NIST CSF 2.0: PR.IP-12 (Vulnerability Management)
  • ISO 27001:2022: A.12.6.1 (Management of Technical Vulnerabilities)

Sources


3. SmarterTools SmarterMail Pre-Auth RCE – CVE-2025-52691 (HIGH GAP)

Risk Level: CRITICAL (CVSS 10.0)
Disclosure Date: December 30, 2025 (CSA Singapore Alert: January 2026)
Relevance: Email server infrastructure; alternative to Microsoft Exchange

The Cyber Security Agency of Singapore (CSA) issued a critical alert regarding CVE-2025-52691, a maximum-severity vulnerability in SmarterTools’ SmarterMail email platform enabling unauthenticated remote code execution.

Vulnerability Details

| Field | Value |
| --- | --- |
| CVE | CVE-2025-52691 |
| CVSS | 10.0 (Critical) |
| CWE | CWE-434 (Unrestricted File Upload) |
| Attack Vector | Network (Unauthenticated) |
| Exploitability | Pre-authentication, no user interaction required |

Technical Analysis

The vulnerability stems from an arbitrary file upload weakness in the API controller SmarterMail.Web.Api.FileUploadController.Upload() registered to the /api/upload route. Successful exploitation allows unauthenticated attackers to upload files to any location on the mail server, including web shells or malicious executables that execute with the SmarterMail service privileges.

Attack Surface

Censys reports approximately 16,000 internet-exposed hosts potentially vulnerable to this flaw:

  • United States: 12,500+ instances
  • Malaysia: 784 instances
  • Iran: 348 instances
  • India: 321 instances
  • United Kingdom: 292 instances
  • Germany: 205 instances

Affected Versions

  • SmarterMail Build 9406 and earlier

Fixed Versions

  • SmarterMail Build 9413 (October 9, 2025) – Initial fix
  • SmarterMail Build 9483 (December 18, 2025) – Recommended version

Exploitation Status

No confirmed active exploitation at time of advisory. However, the “Holy Grail” nature of unauthenticated arbitrary file upload leading to RCE as SYSTEM makes this an extremely attractive target. Security researchers note automated botnets could compromise thousands of servers within hours of PoC release.

Threat Model

Attack Vector: Unauthenticated HTTP POST to /api/upload endpoint with crafted multipart/form-data payload.

Kill Chain:

  1. Scan for internet-exposed SmarterMail instances
  2. Submit malicious file upload request to /api/upload
  3. Upload web shell to webroot or executable to system path
  4. Execute payload to gain SYSTEM-level access
  5. Pivot to internal network, exfiltrate data, or deploy ransomware

Indicators of Compromise

Network Indicators:

  • Suspicious POST requests to /api/upload from external IPs
  • Unexpected file creation in web directories
  • New ASPX/PHP files in SmarterMail webroot

File System Indicators:

  • Unauthorized files in C:\SmarterMail\MRS\ directories
  • Web shells with common signatures (cmd execution, base64 encoding)
  • Modified file timestamps in web-accessible directories
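The first network indicator above (POST requests to /api/upload from external addresses) can be pulled out of web-server access logs with a short triage script. This is an added example, not SmarterTools code: the log lines are constructed in W3C extended format with a #Fields header, which is an assumption about the log format rather than a description of SmarterMail's actual logging, and the internal address ranges are the RFC 1918 and loopback networks rather than anything site-specific.

```python
"""Flags POST /api/upload requests from external addresses in access logs.
Added example; the W3C-style log lines below are constructed and the format is
an assumption, not SmarterMail's actual logging format."""
import ipaddress
from typing import Dict, List

# Constructed sample log (documentation IP ranges, fake timestamps).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-01-15 09:12:01 10.0.4.21 POST /api/upload 200
2026-01-15 09:12:05 203.0.113.77 POST /api/upload 200
2026-01-15 09:12:06 203.0.113.77 GET /interface/root 200
2026-01-15 09:13:40 198.51.100.9 POST /API/Upload/ 500
2026-01-15 09:14:02 192.0.2.44 GET /api/upload 404
"""

# Treat RFC 1918 and loopback as internal; everything else is reviewed as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Map each data line onto the column names from the most recent #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True   # unparsable source field: surface it rather than drop it
    return not any(addr in net for net in INTERNAL_NETS)


def flag_upload_attempts(text: str) -> List[Dict[str, str]]:
    """Return rows for external POSTs to /api/upload; a 200 response is rated
    higher than an error because it indicates the upload may have succeeded."""
    hits = []
    for row in parse_w3c(text):
        uri = row.get("cs-uri-stem", "").lower().rstrip("/")
        if (row.get("cs-method", "").upper() == "POST"
                and uri == "/api/upload"
                and is_external(row.get("c-ip", ""))):
            row["severity"] = "high" if row.get("sc-status") == "200" else "medium"
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in flag_upload_attempts(SAMPLE_LOG):
        print(hit["severity"], hit["date"], hit["time"], hit["c-ip"], hit["sc-status"])
```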

Remediation

Immediate Actions:

  1. Identify all SmarterMail installations and verify current versions
  2. Update to Build 9483 (latest) or minimum Build 9413
  3. Test updates in non-production environment before deployment
  4. Monitor server logs for suspicious /api/upload activity
  5. Review file system for unauthorized files

If Patching is Delayed:

  • Implement WAF rules to block suspicious upload requests
  • Restrict network access to SmarterMail administrative interfaces
  • Enable enhanced file integrity monitoring

Framework Alignment:

  • CIS Controls v8: 7.1 (Application Vulnerability Management), 12.1 (Network Boundary Monitoring)
  • NIST CSF 2.0: PR.IP-12 (Vulnerability Management), DE.CM-4 (Network Monitoring)
  • ISO 27001:2022: A.12.6.1 (Management of Technical Vulnerabilities)

Sources


4. LockBit 5.0 Ransomware Analysis

Risk Level: HIGH
Analysis Date: January 2026
Relevance: Dominant RaaS operation with cross-platform capabilities

LockBit has resurfaced with version 5.0 following disruption by Operation Cronos in early 2024. Check Point Research, Trend Micro, and AhnLab have confirmed active campaigns with enhanced evasion capabilities targeting Windows, Linux, and VMware ESXi environments.

Operational Context

LockBit returned to the Top 10 Ransomware Groups in December 2025, claiming 112 victims after a period of inactivity from June to November 2025. The group historically accounted for 30.25% of ransomware attacks (August 2021 – August 2022) and approximately 21% in 2023.

Technical Capabilities – LockBit 5.0

| Capability | Description |
| --- | --- |
| Cross-Platform | Windows, Linux, and ESXi variants for simultaneous enterprise targeting |
| Encryption | ChaCha20-Poly1305 symmetric encryption with X25519 key exchange and BLAKE2b hashing |
| Anti-Analysis | ETW patching (EtwEventWrite overwritten with RET instruction), DLL reflection loading |
| Persistence | Startup .url shortcuts, service installation |
| Evasion | Randomized 16-character file extensions, locale/geo checks avoiding Russian systems |
| Speed | Optimized encryption with file-size-based segmentation |

Attack Chain

  1. Initial Access: VPN exploitation, phishing, compromised credentials, brute-force attacks
  2. Privilege Escalation: Credential harvesting, lateral movement tools (SmokeLoader observed)
  3. Defense Evasion: Terminate security services, delete Volume Shadow Copies, clear event logs
  4. Encryption: Deploy LockBit 5.0 with architecture-specific payloads
  5. Extortion: Data exfiltration via Stealbit, double-extortion via leak site

ESXi-Specific Concerns

The ESXi variant specifically targets VMFS datastores and VM disk files. Because one ESXi host often hosts dozens of business services, encrypting at the hypervisor level collapses application tiers simultaneously. Organizations virtualizing critical workloads must treat hypervisors as Tier-0 assets.

MITRE ATT&CK Mapping

| Technique ID | Technique Name | LockBit 5.0 Implementation |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact | ChaCha20-Poly1305 file encryption |
| T1490 | Inhibit System Recovery | Volume Shadow Copy deletion |
| T1562.001 | Disable Security Tools | Service termination, Defender exclusions |
| T1055.012 | Process Hollowing | Payload injection into legitimate processes |
| T1070.001 | Clear Windows Event Logs | Post-encryption log wiping |
| T1027.002 | Software Packing | Heavy obfuscation, DLL reflection |
| T1562.006 | Indicator Blocking | ETW patching to blind EDR |
| T1497.001 | System Checks | Russian language/geolocation avoidance |

Indicators of Compromise

Behavioral Indicators:

  • Randomized 16-character file extensions on encrypted files
  • Ransom note files (ReadMeForDecrypt.txt or similar)
  • Volume Shadow Copy deletion commands
  • Mass file rename/modification operations
  • Unusual MSBuild.exe or PowerShell activity

Network Indicators:

  • Tor connections to LockBit negotiation portal
  • Data exfiltration to unknown external endpoints
  • IRC-based C2 communications (affiliate infrastructure)

Detection – YARA Rule:

rule LockBit_5_Ransom_Note {
    meta:
        description = "Detects LockBit 5.0 ransom note patterns"
        date = "2026-01-19"
    strings:
        $s1 = "LockBit" ascii wide
        $s2 = "decryption" ascii wide
        $s3 = ".onion" ascii wide
        $s4 = "Bitcoin" ascii wide
    condition:
        3 of them
}
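As an added example (not part of the briefing), the behavioral indicators above can be turned into a simple file-event detector: it flags a process that renames many files across several directories to a random 16-character extension inside a short time window, and notes whether a ReadMeForDecrypt-style note was dropped. The event line format and the sample events are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the LockBit 5.0 section: encrypted files receive a random
# 16-character extension and a ReadMeForDecrypt.txt-style note is written.
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{16}$")
RANSOM_NOTE = re.compile(r"readme.*decrypt.*\.txt$", re.IGNORECASE)

def parse_event(line):
    """Parse one constructed file-event line: '<ISO time> pid=<n> <OP> <path>'."""
    ts, pid, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), int(pid.split("=", 1)[1]), op, path

def detect_mass_encryption(lines, window=60, min_files=20, min_dirs=3):
    """Return {pid: reason} for processes renaming >= min_files files spread over
    >= min_dirs directories to random 16-char extensions within `window` seconds."""
    renames, notes = defaultdict(list), defaultdict(int)
    for line in lines:
        ts, pid, op, path = parse_event(line)
        if op == "RENAME" and RANDOM_EXT.search(path):
            renames[pid].append((ts, path))
        elif op == "CREATE" and RANSOM_NOTE.search(path):
            notes[pid] += 1
    hits = {}
    for pid, events in renames.items():
        events.sort()
        start = 0
        for end in range(len(events)):                      # sliding time window
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            files = {p for _, p in events[start:end + 1]}
            dirs = {p.rsplit("\\", 1)[0] for p in files}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                hits[pid] = (f"{len(files)} files in {len(dirs)} dirs renamed to a random "
                             f"16-char extension" + (", ransom note dropped" if notes[pid] else ""))
                break
    return hits

# Constructed sample: pid 4242 behaves like the encryptor (30 renames in 30 s across
# four directories, then a note); pid 1001 is a backup job renaming files to .bak.
_T0 = datetime(2026, 1, 19, 3, 0, 0)
_DIRS = ["C:\\Finance", "C:\\HR", "C:\\Shares\\Eng", "C:\\Users\\jdoe\\Documents"]
SAMPLE_EVENTS = [f"{(_T0 + timedelta(seconds=i)).isoformat()} pid=4242 RENAME "
                 f"{_DIRS[i % 4]}\\report{i}.xlsx.k3Qz9LmT2pXa7Rb1" for i in range(30)]
SAMPLE_EVENTS.append(f"{(_T0 + timedelta(seconds=31)).isoformat()} pid=4242 CREATE C:\\Finance\\ReadMeForDecrypt.txt")
SAMPLE_EVENTS += [f"{(_T0 + timedelta(seconds=i)).isoformat()} pid=1001 RENAME "
                  f"D:\\Backup\\set{i}.vhdx.bak" for i in range(40)]

if __name__ == "__main__":
    for pid, reason in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: {reason}")
```

Thresholds are deliberately conservative; a backup or archiving job that renames many files keeps its ordinary extension and is not flagged.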

Mitigation

Immediate Actions:

  1. Implement network segmentation isolating backup infrastructure
  2. Deploy immutable, off-fabric backups tested for recovery
  3. Enable aggressive threat hunting for lateral movement and data exfiltration
  4. Update hypervisor and management platforms
  5. Configure endpoint detection for ETW tampering and service termination

Framework Alignment:

  • CIS Controls v8: 11.1 (Data Recovery), 13.1 (Network Monitoring), 8.1 (Audit Log Management)
  • NIST CSF 2.0: PR.IP-4 (Backups), DE.CM-1 (Network Monitoring), RS.RP-1 (Response Planning)
  • ISO 27001:2022: A.12.3.1 (Backup), A.16.1.5 (Response to Incidents)

Sources


5. PHALT#BLYX ClickFix Campaign (MEDIUM GAP)

Risk Level: MEDIUM
Campaign Discovery: Late December 2025
Relevance: Active phishing campaign with advanced evasion techniques

Securonix identified an ongoing campaign dubbed PHALT#BLYX targeting European hospitality organizations using sophisticated ClickFix-style social engineering to deploy DCRat (Dark Crystal RAT).

Campaign Overview

The campaign leverages fake Booking.com reservation cancellation emails during peak holiday travel periods. Victims are redirected to convincing clones displaying fake CAPTCHA prompts and Blue Screen of Death (BSOD) animations that trick users into manually executing malicious PowerShell commands.

Attack Chain

  1. Initial Access (T1566.002): Phishing email impersonating Booking.com with cancellation notice (charges >€1,000)
  2. User Execution (T1204.001/T1204.004): Victim clicks link to fake site showing BSOD-style error with “fix” instructions
  3. Command Execution (T1059.001): User pastes PowerShell command from clipboard into Run dialog
  4. MSBuild Abuse (T1127.001): PowerShell downloads v.proj file executed by msbuild.exe
  5. Defense Evasion (T1562/T1564.012): v.proj adds Windows Defender exclusions for ProgramData and common extensions
  6. Persistence (T1547.009): Creates .url shortcut in Startup folder
  7. Payload Deployment: Downloads staxs.exe (DCRat variant)
  8. Process Hollowing (T1055.012): Injects payload into aspnet_compiler.exe
  9. C2 Communication (T1571): Connects to C2 infrastructure over TCP port 3535

Technical Indicators

Malicious Domains:

  • low-house[.]com (fake Booking.com site)
  • oncameraworkout[.]com/ksbo (redirector)
  • 2fa-bns[.]com (payload hosting)
  • asj77[.]com (C2 domain)

File Indicators:

  • v.proj (malicious MSBuild project file)
  • staxs.exe (DCRat loader)
  • Startup folder .url files pointing to dropped executables

Network Indicators:

  • Outbound connections on TCP port 3535
  • PowerShell download activity from suspicious domains
  • MSBuild.exe network connections

Hash Indicators (SHA256): Contact Securonix or SOC Prime for current hash IOCs.

Attribution

Russian-language artifacts including Cyrillic debug strings embedded in the malware and the use of DCRat (commonly sold on Russian-language underground forums) link this activity to Russian-speaking threat actors.

Detection Rules

Sigma Rule – MSBuild Execution from User Context:

title: Suspicious MSBuild Execution with Project File Download
status: experimental
description: Detects potential PHALT#BLYX activity
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msbuild.exe'
        CommandLine|contains: '.proj'
    filter:
        User|contains: 'SYSTEM'
    condition: selection and not filter
level: high
tags:
    - attack.defense_evasion
    - attack.t1127.001

Sigma Rule – Windows Defender Exclusion Modification:

title: Suspicious Windows Defender Exclusion Addition
status: experimental
description: Detects modifications to Windows Defender exclusions
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Add-MpPreference'
            - 'ExclusionPath'
            - 'ExclusionExtension'
    condition: selection
level: medium
tags:
    - attack.defense_evasion
    - attack.t1562.001
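The two Sigma rules above, evaluated in plain Python over constructed process-creation events so their logic can be checked before deployment. This is an added example, not the briefing's or Securonix's code; the event field names and Sigma's AND-between-keys, OR-within-lists, case-insensitive matching semantics are the assumptions.

```python
# Field names and match semantics follow the two Sigma rules above: every key in a
# map must match (AND), a list of values is OR, and string matching is case-insensitive.
MSBUILD_RULE = {
    "selection": {"Image|endswith": "\\msbuild.exe", "CommandLine|contains": ".proj"},
    "filter": {"User|contains": "SYSTEM"},
}
DEFENDER_EXCLUSION_RULE = {
    "selection": {"CommandLine|contains": ["Add-MpPreference", "ExclusionPath", "ExclusionExtension"]},
}

def _match(value, modifier, pattern):
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    return v == p                       # no modifier: exact (case-insensitive) match

def match_map(event, fields):
    """Evaluate one Sigma detection map against a flat event dict."""
    for key, patterns in fields.items():
        field, _, modifier = key.partition("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match(str(event.get(field, "")), modifier, p) for p in values):
            return False
    return True

def msbuild_alert(event):
    """condition: selection and not filter"""
    return match_map(event, MSBUILD_RULE["selection"]) and not match_map(event, MSBUILD_RULE["filter"])

def defender_exclusion_alert(event):
    """condition: selection"""
    return match_map(event, DEFENDER_EXCLUSION_RULE["selection"])

# Constructed process-creation events mirroring the attack chain (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\frontdesk\AppData\Local\Temp\v.proj",
     "User": r"HOTEL\frontdesk"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\build\app.proj /t:Build", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Add-MpPreference -ExclusionPath C:\ProgramData -ExclusionExtension exe",
     "User": r"HOTEL\frontdesk"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe", "User": r"HOTEL\frontdesk"},
]

def triage(events):
    """Return [(index, rule_title), ...] for every event that trips a rule."""
    rules = [("Suspicious MSBuild Execution with Project File Download", msbuild_alert),
             ("Suspicious Windows Defender Exclusion Addition", defender_exclusion_alert)]
    return [(i, title) for i, e in enumerate(events) for title, fn in rules if fn(e)]
```

Because the Defender rule is an OR over three substrings, any Add-MpPreference call (not only exclusion changes) will fire it; tighten the list if that proves noisy in your environment.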

Mitigation

Immediate Actions:

  1. Train users to recognize ClickFix-style prompts and “run this command to fix” social engineering
  2. Monitor and restrict MSBuild.exe execution from unusual paths or user-driven workflows
  3. Enable PowerShell script block logging for visibility
  4. Add detections for Startup-folder .url shortcut creation
  5. Monitor for Windows Defender exclusion modifications
  6. Block outbound traffic to identified malicious domains
  7. Alert on suspicious egress to TCP/3535

Email Security:

  • Treat urgent booking-related emails with caution
  • Verify requests through official channels
  • Implement strict email filtering for Booking.com impersonation

Framework Alignment:

  • CIS Controls v8: 14.3 (Security Awareness Training), 8.5 (Audit Logs), 9.1 (Email Security)
  • NIST CSF 2.0: PR.AT-1 (Security Awareness), DE.CM-3 (Personnel Activity Monitoring)
  • ISO 27001:2022: A.7.2.2 (Information Security Awareness)
  • MITRE ATT&CK: T1566.002, T1204.001, T1059.001, T1127.001, T1562, T1547.009, T1055.012, T1571

Sources


6. Dartmouth College Oracle E-Business Suite Breach

Risk Level: MEDIUM (Stack-Relevant Disclosure)
Breach Dates: August 9-12, 2025
Disclosure Date: November 24, 2025
Relevance: Your technology stack includes Oracle E-Business Suite

Dartmouth College confirmed a data breach affecting over 40,000 individuals after the Clop ransomware gang exploited a zero-day vulnerability in Oracle E-Business Suite (EBS). This breach is directly relevant to organizations using Oracle EBS.

Breach Details

Field | Value
Affected Individuals | 40,000+ (31,742 NH, 1,956 TX, 1,494 ME)
Data Compromised | Names, Social Security numbers, financial account information
Attack Window | August 9-12, 2025
Threat Actor | Clop ransomware gang
Attack Vector | Oracle E-Business Suite zero-day (CVE-2025-61882)

Campaign Context

The Dartmouth breach is part of a broader Clop campaign targeting Oracle EBS customers. Other confirmed victims include:

  • Harvard University
  • The Washington Post
  • Logitech
  • GlobalLogic
  • Canon (subsidiary)
  • Envoy Air (American Airlines subsidiary)
  • Southern Illinois University
  • Tulane University
  • Cox Enterprises

Clop claims over 100 organizations were impacted.

Oracle Stack Implications

Organizations running Oracle E-Business Suite should:

  1. Verify all Oracle security patches are applied, particularly those released following the August 2025 incidents
  2. Review Oracle EBS access logs for the August 2025 timeframe
  3. Implement enhanced monitoring for Oracle EBS administrative functions
  4. Audit third-party integrations and vendor access to Oracle systems

Related CISA Advisory

CISA added CVE-2025-61757 (Oracle Fusion Middleware Identity Manager, CVSS 9.8) to the Known Exploited Vulnerabilities catalog, indicating ongoing Oracle exploitation activity.

Mitigation for Oracle EBS Environments

Immediate Actions:

  1. Apply all publicly available Oracle EBS patches
  2. Review and restrict privileged access to EBS administrative functions
  3. Implement file integrity monitoring on EBS servers
  4. Enable enhanced logging and forward to SIEM
  5. Conduct vulnerability assessment of Oracle EBS environment
  6. Review vendor data security practices

Framework Alignment:

  • CIS Controls v8: 7.1 (Application Vulnerability Management), 16.1 (Incident Response Process)
  • NIST CSF 2.0: PR.IP-12 (Vulnerability Management), RS.RP-1 (Response Planning)
  • ISO 27001:2022: A.12.6.1 (Technical Vulnerability Management)

Sources


7. GoBruteforcer Botnet – Linux Server Targeting

Risk Level: MEDIUM
Analysis Date: January 7-8, 2026
Relevance: Linux server infrastructure, MySQL, PostgreSQL, FTP services

Check Point Research documented an evolved GoBruteforcer botnet variant actively targeting Linux servers worldwide through brute-force attacks against common services.

Botnet Overview

GoBruteforcer (also known as GoBrut) is a modular Go-based botnet that brute-forces passwords for FTP, MySQL, PostgreSQL, and phpMyAdmin services on Linux servers. Compromised servers are converted into scanning and credential harvesting nodes, expanding the botnet’s reach.

Attack Surface

Check Point estimates over 50,000 internet-facing servers are vulnerable based on exposed service counts:

  • FTP servers: ~5.7 million exposed
  • MySQL servers: ~2.23 million exposed
  • PostgreSQL servers: ~560,000 exposed

Technical Capabilities

Capability | Description
Target Services | FTP, MySQL, PostgreSQL, phpMyAdmin
Initial Access | XAMPP FTP servers with default/weak credentials
Persistence | IRC bot for remote control, web shell deployment
Propagation | Brute-force module scans random IP ranges
Financial Motivation | TRON balance scanner, token sweep utilities
Architecture | x86, x64, ARM Linux variants

Credential Exploitation

GoBruteforcer uses common operational usernames frequently found in AI-generated deployment examples:

  • appuser
  • myuser
  • Common passwords: 123321, testing, admin123456, Abcd@123

Check Point notes that large language models trained on public documentation often reproduce these same default configurations, potentially increasing the botnet’s success rate as AI-assisted server deployments become more common.

Crypto-Focused Campaign

On compromised hosts, researchers recovered:

  • Go-based TRON balance scanner
  • TRON and Binance Smart Chain token-sweep utilities
  • File containing approximately 23,000 TRON addresses
  • On-chain analysis confirmed some financially motivated attacks were successful

Indicators of Compromise

Behavioral Indicators:

  • Unusual outbound connections on ports 21 (FTP), 3306 (MySQL), 5432 (PostgreSQL)
  • New IRC connections from server infrastructure
  • Web shell files in web-accessible directories
  • Unexpected PHP files in XAMPP htdocs

Process Indicators:

  • Unknown Go binaries executing on Linux servers
  • IRC client processes on non-desktop systems
  • Mass scanning activity from server IPs
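An added example (not from the briefing or Check Point) of the brute-force detection the indicators above call for: it parses constructed MySQL, vsftpd and PostgreSQL failed-login lines, flags a source that either exceeds a failure threshold or sprays more than one service, and reports which of the default usernames listed above it tried. The exact log formats, and a PostgreSQL log_line_prefix that includes the client host, are assumptions.

```python
import re
from collections import defaultdict

# Usernames the briefing lists as part of GoBruteforcer's wordlist.
DEFAULT_USERS = {"appuser", "myuser"}

# Assumed failed-login patterns for the three services the botnet targets. The
# PostgreSQL form assumes a log_line_prefix that includes the client host (%h).
FAILURE_PATTERNS = {
    "mysql": re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<ip>[\d.]+)'"),
    "ftp": re.compile(r"\[(?P<user>[^\]]+)\] FAIL LOGIN: Client \"(?P<ip>[\d.]+)\""),
    "postgresql": re.compile(r"(?P<ip>[\d.]+) \[\d+\] FATAL:\s+password authentication failed for user \"(?P<user>[^\"]+)\""),
}

def parse_failures(lines):
    """Yield (service, user, source_ip) for every line that records a failed login."""
    for line in lines:
        for service, pattern in FAILURE_PATTERNS.items():
            m = pattern.search(line)
            if m:
                yield service, m["user"], m["ip"]
                break

def detect_bruteforce(lines, threshold=10):
    """Flag source IPs with >= threshold failures, or failures against more than one
    service (GoBruteforcer nodes spray FTP, MySQL and PostgreSQL from one host)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "services": set()})
    for service, user, ip in parse_failures(lines):
        s = stats[ip]
        s["failures"] += 1
        s["users"].add(user)
        s["services"].add(service)
    alerts = {}
    for ip, s in stats.items():
        if s["failures"] >= threshold or len(s["services"]) > 1:
            alerts[ip] = {
                "failures": s["failures"],
                "services": sorted(s["services"]),
                "default_users_tried": sorted(s["users"] & DEFAULT_USERS),
            }
    return alerts

# Constructed log lines (not real telemetry): one scanning node plus two benign typos.
SAMPLE_LOG = [
    f"2026-01-19T03:00:{i:02d}.000000Z 12 [Note] Access denied for user "
    f"'{'appuser' if i % 2 else 'myuser'}'@'203.0.113.7' (using password: YES)" for i in range(12)
] + [
    'Mon Jan 19 03:00:20 2026 [pid 2] [appuser] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Jan 19 03:00:21 2026 [pid 2] [myuser] FAIL LOGIN: Client "203.0.113.7"',
    '2026-01-19 03:05:00 UTC 198.51.100.9 [2231] FATAL:  password authentication failed for user "alice"',
    "2026-01-19T03:06:00.000000Z 15 [Note] Access denied for user 'bob'@'192.0.2.5' (using password: YES)",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info}")
```

In production, apply the threshold per time window rather than over the whole file, and feed the flagged sources into the IP allowlisting and lockout controls listed under Mitigation.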

Mitigation

Immediate Actions:

  1. Audit internet-facing FTP, MySQL, PostgreSQL, and phpMyAdmin services
  2. Replace default usernames with unique, non-standard names
  3. Implement strong, unique passwords for all database accounts
  4. Disable unnecessary internet-facing services
  5. Replace outdated software stacks like XAMPP with hardened alternatives
  6. Implement multi-factor authentication where supported
  7. Monitor for suspicious login attempts and brute-force patterns

Configuration Review:

  • Avoid AI-generated deployment examples without security review
  • Verify no default credentials remain in production
  • Implement IP allowlisting for administrative access

Framework Alignment:

  • CIS Controls v8: 6.3 (Require MFA), 6.5 (Account Lockout), 12.1 (Network Boundary Monitoring)
  • NIST CSF 2.0: PR.AC-1 (Identity Management), DE.CM-1 (Network Monitoring)
  • ISO 27001:2022: A.9.2.3 (Management of Privileged Access), A.9.4.3 (Password Management)

Sources


8. Cisco ISE CVE-2026-20029 XXE Vulnerability

Risk Level: LOW-MEDIUM (CVSS 4.9)
Disclosure Date: January 2026
Relevance: Identity management infrastructure

Cisco addressed CVE-2026-20029, a medium-severity XML External Entity (XXE) vulnerability in Identity Services Engine (ISE) and ISE-PIC.

Vulnerability Details

Field | Value
CVE | CVE-2026-20029
CVSS | 4.9 (Medium)
Attack Vector | Network
Authentication | Required (Admin credentials)
Impact | Information disclosure via improper XML parsing

Technical Description

The vulnerability allows authenticated administrators to access sensitive files through improper XML parsing. While requiring valid administrative credentials limits the attack surface, exploitation could enable access to configuration files, certificates, or other sensitive data on ISE appliances.

Exploitation Status

Proof-of-concept code is reportedly available. No confirmed active exploitation.

Mitigation

Immediate Actions:

  1. Apply Cisco security patches for ISE and ISE-PIC
  2. Audit ISE administrative account access
  3. Implement least-privilege for ISE administration
  4. Monitor for unusual administrative activity

Framework Alignment:

  • CIS Controls v8: 7.1 (Application Vulnerability Management)
  • NIST CSF 2.0: PR.IP-12 (Vulnerability Management)

Sources


Supplemental Technical Appendix: Consolidated IOCs

Network IOCs

PHALT#BLYX Campaign:

low-house[.]com

oncameraworkout[.]com

2fa-bns[.]com

asj77[.]com

TCP port 3535 (C2)

GoBruteforcer Botnet:

Monitor for IRC C2 traffic

Unusual scanning activity on ports 21, 3306, 5432

File IOCs

PHALT#BLYX:

v.proj (MSBuild project file)

staxs.exe (DCRat loader)

*.url files in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

Process IOCs

PHALT#BLYX:

msbuild.exe executing .proj files from user context

aspnet_compiler.exe with unusual network connections

PowerShell downloading from suspicious domains

LockBit 5.0:

Volume Shadow Copy deletion (vssadmin.exe, wmic.exe)

Service termination commands

Event log clearing

Detection Prioritization

Priority | Threat | Detection Focus
1 | SAP Critical CVEs | Patch verification, RFC access monitoring
2 | SmarterMail CVE-2025-52691 | Patch verification, file upload monitoring
3 | Firefox CVEs | Browser version auditing
4 | PHALT#BLYX | MSBuild execution, PowerShell activity
5 | LockBit 5.0 | Ransomware behavior patterns
6 | Oracle EBS | Patch status, access logging
7 | GoBruteforcer | Brute-force detection, credential hygiene
8 | Cisco ISE | Patch verification

Supplemental Framework Alignment Matrix

Vulnerability/Threat | CIS Controls v8 | NIST CSF 2.0 | ISO 27001:2022 | MITRE ATT&CK
SAP January Patches | 7.1, 4.7 | PR.IP-12, ID.RA-1 | A.12.6.1 | T1190, T1078
Firefox CVE-2026-0891/0892 | 7.1, 2.2 | PR.IP-12 | A.12.6.1 | T1203
SmarterMail CVE-2025-52691 | 7.1, 12.1 | PR.IP-12, DE.CM-4 | A.12.6.1 | T1190, T1505.003
LockBit 5.0 | 11.1, 13.1, 8.1 | PR.IP-4, DE.CM-1 | A.12.3.1, A.16.1.5 | T1486, T1490, T1562
PHALT#BLYX | 14.3, 8.5, 9.1 | PR.AT-1, DE.CM-3 | A.7.2.2 | T1566.002, T1127.001
Oracle EBS Breach | 7.1, 16.1 | PR.IP-12, RS.RP-1 | A.12.6.1 | T1190
GoBruteforcer | 6.3, 6.5, 12.1 | PR.AC-1, DE.CM-1 | A.9.2.3, A.9.4.3 | T1110, T1078
Cisco ISE CVE-2026-20029 | 7.1 | PR.IP-12 | A.12.6.1 | T1059, T1552

Prepared: January 19, 2026

13. Sources

Authoritative Sources Used:

  • CISA Known Exploited Vulnerabilities Catalog (cisa.gov)
  • Microsoft Security Response Center (msrc.microsoft.com)
  • Palo Alto Networks Security Advisories (security.paloaltonetworks.com)
  • Fortinet FortiGuard (fortiguard.fortinet.com)
  • Cisco Security Advisories (sec.cloudapps.cisco.com)
  • Google Chrome Releases (chromereleases.googleblog.com)
  • Singapore CSA Alerts (csa.gov.sg)
  • CIS Security (cisecurity.org)

Threat Intelligence:

  • CrowdStrike (crowdstrike.com)
  • Check Point Research (research.checkpoint.com)
  • Silent Push (silentpush.com)
  • Shadowserver Foundation (shadowserver.org)
  • Huntress (huntress.com)
  • Trend Micro Zero Day Initiative

Security News:

  • BleepingComputer, The Hacker News, Krebs on Security, SecurityWeek, The Record, Infosecurity Magazine, SC Media, Cyber Security News


Last Updated: January 19, 2026, 08:00 EST
Next Briefing: January 26, 2026


Author

Tech Jacks Solutions
