Daily summary - 15.01.2026

End-of-Day report

Timeframe: Wednesday 14-01-2026 18:00 - Thursday 15-01-2026 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs

News

Exploit code public for critical FortiSIEM command injection flaw

Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet's Security Information and Event Management (SIEM) solution that could be leveraged by a remote, unauthenticated attacker to execute commands or code.

https://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/

Critical flaw lets hackers track, eavesdrop via Bluetooth audio devices

A critical vulnerability in Google's Fast Pair protocol can allow attackers to hijack Bluetooth audio accessories like wireless headphones and earbuds, track users, and eavesdrop on their conversations.

https://www.bleepingcomputer.com/news/security/critical-flaw-lets-hackers-track-eavesdrop-via-bluetooth-audio-devices/

Most Severe AI Vulnerability to Date Hits ServiceNow

The ITSM giant tacked agentic AI onto a largely unguarded legacy chatbot, exposing customers' data and connected systems.

https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow

January Patch Tuesday: Windows updates break remote sign-in

Some users have recently been having problems signing in to Azure Virtual Desktop or Windows 365 with the Windows App. A fix is in the works.

https://www.golem.de/news/januar-patchday-windows-updates-machen-windows-app-kaputt-2601-204213.html

Ransomware boss wanted: this man is said to be the leader of Black Basta

Interpol, Europol and the BKA are searching for the boss of the Black Basta ransomware group, which has harmed more than 100 organisations in Germany alone.

https://www.golem.de/news/ransomware-boss-gesucht-dieser-mann-soll-der-anfuehrer-von-black-basta-sein-2601-204218.html

A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby

Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription.

https://projectzero.google/2026/01/pixel-0-click-part-1.html

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave

With the advent of a potential Dolby Unified Decoder RCE exploit, it seemed prudent to see what kind of Linux kernel drivers might be accessible from the resulting userland context, the mediacodec context.

https://projectzero.google/2026/01/pixel-0-click-part-2.html

A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?

While our previous two blog posts provided technical recommendations for increasing the effort required by attackers to develop 0-click exploit chains, our experience finding, reporting and exploiting these vulnerabilities highlighted some broader issues in the Android ecosystem. This post describes the problems we encountered and recommendations for improvement.

https://projectzero.google/2026/01/pixel-0-click-part-3.html

Researchers Null-Route Over 550 Kimwolf and Aisuru Botnet Command Servers

The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025.

https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html

Verizon Outage Knocks Out US Mobile Service, Including Some 911 Calls

A major Verizon outage appeared to impact customers across the United States starting around noon ET on Wednesday. Calls to Verizon customers from other carriers may also be impacted.

https://www.wired.com/story/verizon-outage-knocks-out-us-mobile-service-including-some-911-calls/

Raid in Germany: authorities shut down cybercrime hoster RedVDS

International investigators and Microsoft have struck a blow against the infrastructure of the cybercrime hoster RedVDS. Some of the servers were located in Germany.

https://www.heise.de/news/Razzia-in-Deutschland-Behoerden-machen-Cybercrime-Hoster-RedVDS-dicht-11141431.html

Chrome: Google cuts support for older macOS

macOS 12, alias Monterey, released less than five years ago, will soon be dropped by Google's browser. Security vulnerabilities will remain unpatched on that version.

https://www.heise.de/news/Chrome-Google-kappt-Support-fuer-aelteres-macOS-11140713.html

curl: project ends bug bounty programme

curl maintainer Daniel Stenberg has announced the end of the bug bounty programme. Useless AI-generated reports apparently got out of hand.

https://www.heise.de/news/curl-Projekt-beendet-Bug-Bounty-Programm-11142345.html

Criminals imitate bank phone numbers: beware of spoofing

Criminals are constantly looking for new ways to get hold of account data. Unfortunately, they have found one: with spoofing, they fake the phone number of banks and thereby gain their victims' trust.

https://www.watchlist-internet.at/news/kriminelle-imitieren-banknummern-spoofing/

Microsoft disrupts RedVDS cybercrime platform behind $40 million in scam losses

Microsoft and law enforcement partners took down a popular cybercriminal subscription service called RedVDS that was used to enable more than $40 million in fraud losses in the United States alone.

https://therecord.media/microsoft-redvds-cybercrime-scam

UAT-8837 targets critical infrastructure sectors in North America

Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor.

https://blog.talosintelligence.com/uat-8837/

GhostPoster Browser Malware Hid for 5 Years With 840,000 Installs

Researchers uncover a 5-year malware campaign using browser extensions on Chrome, Firefox and Edge, relying on hidden payloads and shared infrastructure.

https://hackread.com/ghostposter-browser-malware-840000-installs/

Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation

Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades, with cryptanalysis dating back to 1999, Mandiant consultants continue to identify its use in active environments.

https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables/

New Remcos Campaign Distributed Through Fake Shipping Document

FortiGuard Labs discovered a new phishing campaign in the wild. The campaign delivers a new variant of Remcos, a commercial lightweight remote access tool (RAT) with a wide range of capabilities, including system resource management, remote surveillance, network management, and Remcos agent management.

https://feeds.fortinet.com/~/940295429/0/fortinet/blogs~New-Remcos-Campaign-Distributed-Through-Fake-Shipping-Document

I'm The Captain Now: Hijacking a global ocean supply chain network

There's a good chance you have never heard of BLUVOYIX or Bluspark Global, and that's ok! Not every company that powers global commerce is a household name. Despite their low profile, companies like these have an important role to play in keeping the global supply chain running in the background. Breaches at companies you haven't heard of can often have the worst impacts.

https://eaton-works.com/2026/01/14/bluspark-bluvoyix-hack/

Malicious Chrome Extension Steals MEXC API Keys for Account Takeover

A malicious Chrome extension steals newly created MEXC API keys, exfiltrates them to Telegram, and enables full account takeover with trading and withdrawal rights.

https://socket.dev/blog/malicious-chrome-extension-steals-mexc-api-keys

Vulnerabilities

Critical WordPress Modular DS Plugin Flaw Actively Exploited to Gain Admin Access

A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack. The vulnerability, tracked as CVE-2026-23550 (CVSS score: 10.0), has been described as a case of unauthenticated privilege escalation impacting all versions of the plugin prior to and including 2.5.1. It has been patched in version 2.5.2.

https://thehackernews.com/2026/01/critical-wordpress-modular-ds-plugin.html

Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user with the ability to delegate a role is also able to assign the administrator role, including to their own user.

https://www.drupal.org/sa-contrib-2026-002

Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

This module allows group managers to invite people into their group. The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content.

https://www.drupal.org/sa-contrib-2026-001

Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005

This module enables Drupal sites to authenticate users via Microsoft Entra ID (formerly Azure AD) using OAuth 2.0. The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account.

https://www.drupal.org/sa-contrib-2026-005

Fortinet: Heap-based buffer overflow in cw_acd daemon (FortiOS, FortiSASE, FortiSwitchManager)

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiSwitchManager cw_acd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. CVE-2025-25249 / CVSSv3 Score 7.4

https://fortiguard.fortinet.com/psirt/FG-IR-25-084

Attackers can force Palo Alto firewalls into maintenance mode

Under certain conditions, attackers can exploit a security vulnerability in PAN-OS to attack Palo Alto Networks firewalls. According to the IT security company, there are so far no indications of attacks.

https://www.heise.de/news/Angreifer-koennen-Palo-Alto-Firewalls-in-Wartungsmodus-zwingen-11142149.html

CVE-2026-0227 PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal (Severity: HIGH)

A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue result in the firewall entering maintenance mode.

https://security.paloaltonetworks.com/CVE-2026-0227

Security Vulnerabilities fixed in Thunderbird 140.7

https://www.mozilla.org/en-US/security/advisories/mfsa2026-05/

Security Vulnerabilities fixed in Thunderbird 147

https://www.mozilla.org/en-US/security/advisories/mfsa2026-04/