Daily Summary - 30.01.2026

End-of-Day report

Timeframe: Thursday 29-01-2026 18:00 - Friday 30-01-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer

News

Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)

When Ivanti removed the embargoes from CVE-2026-1281 and CVE-2026-1340 - pre-auth Remote Command Execution vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) solution - we sighed with relief. Clearly, the universe had decided to continue mocking Secure-By-Design signers right on schedule - every January. [..] As we are always keen to remind everyone, today's blog post didn't ruin your weekend. Firstly, the APT currently exploiting these vulnerabilities, and secondly, your lack of response to the warnings from Ivanti and CISA did.

https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/

Hugging Face abused to spread thousands of Android malware variants

A new Android malware campaign is using the Hugging Face platform as a repository for thousands of variations of an APK payload that collects credentials for popular financial and payment services.

https://www.bleepingcomputer.com/news/security/hugging-face-abused-to-spread-thousands-of-android-malware-variants/

Microsoft fixes Outlook bug blocking access to encrypted emails

Microsoft has fixed a known issue that prevented Microsoft 365 customers from opening encrypted emails in classic Outlook after a recent update.

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-bug-blocking-access-to-encrypted-emails/

Undocumented "TelnetEnable" functionality of End of Service NETGEAR products

Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box. [..] Stop using the end of service products, including NETGEAR PR2000.

https://jvn.jp/en/jp/JVN46722282/

Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries

Ollama is an open-source framework that allows users to easily download, run, and manage large language models (LLMs) locally on Windows, macOS, and Linux. While the service binds to the localhost address at 127.0.0[.]1:11434 by default, it's possible to expose it to the public internet by means of a trivial change: configuring it to bind to 0.0.0[.]0 or a public interface. The fact that Ollama, like the recently popular Moltbot (formerly Clawdbot), is hosted locally and operates outside of the enterprise security perimeter, poses new security concerns.

https://thehackernews.com/2026/01/researchers-find-175000-publicly.html
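The article's point is that the whole difference between a private and a publicly exposed Ollama instance is the bind address (127.0.0.1 versus 0.0.0.0 or a public interface). The following added shell check (not from the article or the Ollama project) classifies the listener on the default port 11434 from `ss -ltn`-style output, using constructed sample output so it runs offline; on a live host you would feed it `"$(ss -ltn)"` instead.

```shell
#!/bin/sh
# Added example: report whether an Ollama listener on port 11434 is bound to
# loopback or to an address reachable from other hosts.

# Constructed `ss -ltn` output (not captured from a real system): Ollama on loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:11434     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*'

# Constructed output for the misconfigured case: bound to all IPv4 and IPv6 interfaces.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:11434       0.0.0.0:*
LISTEN 0      4096   [::]:11434          [::]:*'

# ollama_bind_status <ss-output> [port]
# Prints one line per matching listener: "local" for loopback binds,
# "exposed:<addr>" for anything else; prints "none" if nothing listens on the port.
ollama_bind_status() {
    port="${2:-11434}"
    printf '%s\n' "$1" | awk -v port="$port" '
        $1 == "LISTEN" {
            addr = $4
            # the port is the text after the last colon; IPv6 addresses keep their brackets
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            found = 1
            if (host == "127.0.0.1" || host == "[::1]" || host == "localhost")
                print "local"
            else
                print "exposed:" host
        }
        END { if (!found) print "none" }'
}

# Stand-alone demonstration on the constructed samples.
echo "loopback sample:  $(ollama_bind_status "$SAMPLE_SS")"
echo "exposed sample:   $(ollama_bind_status "$SAMPLE_SS_EXPOSED" | tr '\n' ' ')"
```

Anything other than "local" means the API is reachable from whatever network the host sits on and should be put behind an authenticating reverse proxy or firewalled.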

ShadowHS: A Fileless Linux Post-Exploitation Framework Built on a Weaponized hackshell

Cyble Research & Intelligence Labs (CRIL) has identified a Linux intrusion chain leveraging a highly obfuscated, fileless loader that deploys a weaponized variant of hackshell entirely from memory. Cyble tracks this activity under the name ShadowHS, reflecting its fileless execution model and lineage from the original hackshell utility.

https://cyble.com/blog/shadowhs-fileless-linux-post-exploitation-framework/

US cybersecurity chief uploads confidential documents to ChatGPT

Apparently it was the boss himself who had obtained a special exemption to use the tool, and he then promptly acted negligently with it.

https://www.derstandard.at/story/3000000306469/cybersicherheitschef-der-usa-laedt-vertrauliche-dokumente-bei-chatgpt-hoch

Arsink Spyware Posing as WhatsApp, YouTube, Instagram, TikTok Hits 143 Countries

The interesting thing about this campaign is that hackers are not using the official Google Play Store to spread this, but posting links on Telegram and Discord or using the file-sharing site MediaFire. [..] They basically offer "Pro" or "Mod" versions of these apps, promising special features that the real apps don't have. But, as soon as you download one, the app immediately asks for a long list of permissions.

https://hackread.com/arsink-spyware-whatsapp-youtube-instagram-tiktok/

Vulnerabilities

Security updates for Friday

Security updates have been issued by AlmaLinux (curl, gimp:2.8, glibc, grafana, grafana-pcp, kernel, osbuild-composer, php:8.3, python-urllib3, python3.11, and python3.12), Debian (chromium), Mageia (ceph, gpsd, libxml2, openjdk, openssl, and xen), SUSE (abseil-cpp, assertj-core, coredns, freerdp, java-11-openjdk, java-25-openjdk, libxml2, openssl-1_0_0, openssl-1_1, python, python-filelock, and python311-sse-starlette), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-fips, linux-fips, linux-fips, and texlive-bin).

https://lwn.net/Articles/1056692/

Critical vulnerabilities in Ivanti Endpoint Manager Mobile - updates recommended

Ivanti has published a security advisory regarding critical vulnerabilities in Endpoint Manager Mobile. These vulnerabilities are already being actively exploited. They allow a remote, unauthenticated attacker to execute arbitrary code on the affected system (remote code execution), which permits full compromise of the server. CVE-2026-1281, CVE-2026-1340

https://www.cert.at/de/warnungen/2026/1/kritische-schwachstellen-in-ivanti-endpoint-manager-mobile-updates-empfohlen

BoidCMS v2.1.2 Apache .htaccess Rule Bypass Leading to Information Disclosure

https://cxsecurity.com/issue/WLB-2026010019

Lexmark Security Advisory

https://www.lexmark.com/content/dam/support/collateral/security-alerts/CVE-2025-65083.pdf

KiloView Encoder Series

https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-01

Rockwell Automation ArmorStart LT

https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-02

Rockwell Automation ControlLogix

https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-03