Daily Digest

Critical RCE Flaws in n8n and D-Link Routers Under Active Exploitation; CISA Issues Urgent Warnings

Critical RCE Flaws in n8n and D-Link Routers Under Active Exploitation; CISA Issues Urgent Warnings

January 8, 2026
5 articles (4 new, 1 updated)
15 min read

Summary

This cybersecurity brief for January 8, 2026, covers a series of critical vulnerabilities and active threats. Headlining the news are two maximum-severity (CVSS 10.0) remote code execution flaws in the n8n workflow automation platform, one unauthenticated and one authenticated, prompting urgent patching. Concurrently, a zero-day RCE is being actively exploited in end-of-life D-Link routers, with no patch forthcoming. CISA has added exploited flaws in HPE OneView and legacy PowerPoint to its KEV catalog. Major incidents include a data breach claim against broadband provider Brightspeed by the Crimson Collective, a ransomware attack on claims giant Sedgwick by TridentLocker, and a large-scale SEO poisoning campaign by the Black Cat group. Additionally, reports highlight novel phishing tactics abusing Microsoft 365 and Google Cloud services, and malicious Chrome extensions stealing AI chat data from nearly a million users.

Filter by Category

New Articles (4)

Zero-Day in End-of-Life D-Link Routers Actively Exploited; No Patch Will Be Released

CRITICAL

Unpatched Zero-Day Vulnerability (CVE-2026-0625) in Discontinued D-Link Routers Under Active Attack

A critical zero-day command injection vulnerability, CVE-2026-0625, is being actively exploited in the wild, affecting multiple end-of-life (EOL) D-Link DSL router models. The flaw, rated 9.3 on the CVSS scale, allows unauthenticated remote attackers to execute arbitrary code by sending a malicious request to the 'dnscfg.cgi' endpoint. Exploitation has been observed since at least November 2025, with attackers using it for 'DNSChanger' style attacks. D-Link has confirmed the vulnerability but stated that since the affected products are discontinued, no security patches will be issued. Owners are strongly advised to immediately retire and replace the vulnerable devices to prevent compromise.

January 8, 2026
4 min read
Zero-DayRCED-LinkCVE-2026-0625EOL +3 more
Zero-Day in End-of-Life D-Link Routers Actively Exploited; No Patch Will Be Released
Vulnerability
Cyberattack
IoT Security

Black Cat Group Targets Notepad++ Users in Massive SEO Poisoning Campaign

HIGH

Black Cat Cybercrime Group Linked to SEO Poisoning Campaign Distributing Malware via Fake Notepad++ Sites

The notorious Black Cat (ALPHV) cybercrime group is behind a large-scale SEO poisoning campaign that uses malicious advertisements and manipulated search results to distribute an information-stealing backdoor. The campaign targets users searching for popular software like Notepad++. Victims are lured to convincing fake download sites, which redirect them to a GitHub clone to download a trojanized installer. The malware uses DLL side-loading to execute its payload, which is capable of stealing browser credentials, cookies, and keystrokes. A report from CNCERT/CC and ThreatBook revealed the campaign was highly effective, compromising nearly 278,000 hosts in China in just two weeks.

January 8, 2026
5 min read
Black CatALPHVSEO PoisoningMalwareNotepad++ +2 more
Black Cat Group Targets Notepad++ Users in Massive SEO Poisoning Campaign
Threat Actor
Malware
Phishing

Brightspeed Investigates Breach Claim by Crimson Collective Affecting 1M+ Customers

HIGH

US Broadband Provider Brightspeed Investigating Data Breach Allegations from 'Crimson Collective' Extortion Group

US fiber broadband provider Brightspeed is actively investigating a data breach claim made by the 'Crimson Collective' extortion group. The threat actors allege they have stolen a massive dataset containing the personally identifiable information (PII) of over one million customers, including names, addresses, phone numbers, and some payment data. The group, known for targeting AWS cloud environments, has threatened to leak the data if their demands are not met and has reportedly offered the dataset for sale. Brightspeed serves 20 states and has acknowledged the claim, stating it is working to determine its validity. The incident follows a pattern for Crimson Collective, which previously breached Red Hat.

January 8, 2026
5 min read
Data BreachExtortionCrimson CollectiveBrightspeedCloud Security +1 more
Brightspeed Investigates Breach Claim by Crimson Collective Affecting 1M+ Customers
Data Breach
Threat Actor
Cloud Security

CISA Warns of RCE Flaw in Hitachi Energy ICS Product

MEDIUM

CISA Publishes Advisory for Remote Code Execution Vulnerability in Hitachi Energy Asset Suite

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Industrial Control Systems (ICS) advisory, ICSA-26-008-01, for a vulnerability in Hitachi Energy's Asset Suite. The flaw, CVE-2025-10492, could allow a remote attacker to achieve remote code execution (RCE). The vulnerability stems from an insecure third-party component, Jasper Report, used within the Asset Suite product, which is deployed in the energy sector. While there are no reports of active exploitation, CISA and Hitachi Energy are urging customers to apply mitigations and follow security best practices, such as ensuring control systems are not exposed to the internet.

January 8, 2026
4 min read
CISAICSOTVulnerabilityRCE +3 more
CISA Warns of RCE Flaw in Hitachi Energy ICS Product
Industrial Control Systems
Vulnerability
Patch Management

Updated Articles (1)

TridentLocker Ransomware Strikes Claims Giant Sedgwick in Breach-then-Encrypt Attack

HIGH

Sedgwick Becomes Latest Victim of TridentLocker Ransomware, Highlighting Modern Data Exfiltration and Extortion Tactics

Update:

Sedgwick has officially confirmed the cybersecurity incident, stating that the TridentLocker ransomware attack specifically targeted its Sedgwick Government Solutions subsidiary. The breach was reportedly contained to an isolated file transfer system used for government client services. This confirmation solidifies earlier reports of data exfiltration from systems supporting government operations, emphasizing the risk to sensitive public sector data handled by third-party contractors. Sedgwick is investigating the scope and has notified law enforcement.

January 7, 2026
Updated: January 8, 2026
4 min read
RansomwareTridentLockerSedgwickData BreachDouble Extortion +2 more
TridentLocker Ransomware Strikes Claims Giant Sedgwick in Breach-then-Encrypt Attack
Ransomware
Data Breach
Cyberattack

📢 Share This Publication

Help others stay informed about cybersecurity threats