Cisco Zero-Day Under Active Attack as Oracle Drops Massive 337-Flaw Patch Update and Everest Ransomware Hits Major Brands

Cisco Warns of Actively Exploited Zero-Day RCE Flaw (CVE-2026-20045) in Unified Communications and Webex Products

Cisco has issued an urgent warning and emergency patches for a critical remote code execution (RCE) vulnerability, CVE-2026-20045, affecting a wide range of its Unified Communications and Webex Calling products. This zero-day flaw is being actively exploited in the wild, allowing unauthenticated attackers to send crafted HTTP requests to the web management interface and execute arbitrary code, potentially leading to full root access on the underlying server. In response to the active threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by February 11, 2026. Cisco has confirmed there are no workarounds and is urging all customers to apply the updates immediately.

Zero-DayRCEActive ExploitationKEVUnified Communications +1 more

6 min read

Cisco Scrambles to Patch Actively Exploited RCE Zero-Day in Comms Products

Threat Intelligence

Everest Ransomware Leaks Data of 72 Million Under Armour Customers After Failed Talks

Everest Ransomware Group Claims Under Armour Breach, Publishes Data of 72 Million Customers on Dark Web

The Everest ransomware group has claimed a massive data breach against athletic apparel giant Under Armour. After negotiations allegedly failed, the group announced on its dark web leak site that it has published the full dataset, which it claims contains 191 million records, including 72.7 million unique email addresses. The compromised data reportedly includes sensitive customer information such as full names, phone numbers, physical locations, and purchase histories. This breach places a huge number of individuals at significant risk for targeted phishing campaigns, identity theft, and other fraudulent activities.

EverestRansomwareData BreachUnder ArmourDark Web +1 more

Ransomware

Data Breach

Threat Actor

Exposed Security Training Apps Like OWASP Juice Shop Create Backdoors into Corporate Clouds

Threat Actors Exploit Publicly Exposed Security Training Apps to Breach Cloud Infrastructure of Major Firms

A new report reveals a dangerous trend where intentionally vulnerable security training applications, such as OWASP Juice Shop and DVWA, are being deployed on live, production cloud infrastructure and left exposed to the internet. Threat actors are actively scanning for and exploiting these misconfigured applications to compromise the cloud environments of numerous organizations, including Fortune 500 companies and security vendors. The exploits have been used to achieve remote code execution, deploy webshells, install cryptominers, and steal sensitive cloud credentials, turning these training tools into unmonitored backdoors.

Cloud SecurityMisconfigurationAWSAzureOWASP Juice Shop +2 more

Exposed Security Training Apps Like OWASP Juice Shop Create Backdoors into Corporate Clouds

Cloud Security

Cyberattack

'Skeleton Key' Attacks Bypass Defenses by Weaponizing Legitimate RMM Tools

New 'Skeleton Key' Campaign Abuses Legitimate RMM Software for Stealthy Backdoor Access

A sophisticated attack campaign dubbed "Skeleton Key" is bypassing traditional, malware-focused security defenses by weaponizing legitimate remote monitoring and management (RMM) software. A report from KnowBe4 Threat Labs details how attackers first compromise user credentials and then abuse trusted IT tools to create persistent, stealthy backdoors inside enterprise networks. This 'living-off-the-land' (LotL) technique allows attackers to blend in with normal administrative activity, making their presence extremely difficult to detect and highlighting the need for security teams to shift focus from signature-based detection to behavioral analysis and identity security.

Living off the LandLOTLRMMThreat ActorDefense Evasion +1 more

'Skeleton Key' Attacks Bypass Defenses by Weaponizing Legitimate RMM Tools

Threat Intelligence

Security Operations

Cyberattack

Zoom & GitLab Race to Patch Critical Flaws, Including a 9.9 CVSS RCE Bug

Zoom and GitLab Release Patches for Critical Vulnerabilities, Including Near-Perfect 9.9 CVSS RCE Flaw in Zoom Node

Both Zoom and GitLab have released critical security updates to address several high-severity vulnerabilities. The most severe flaw, CVE-2026-22844, is a remote code execution vulnerability in Zoom Node Multimedia Routers (MMRs) with a near-perfect CVSS score of 9.9. This flaw could allow an unauthenticated attacker with network access to compromise the devices. GitLab's updates address multiple vulnerabilities, including two high-severity flaws (CVE-2025-13927 and CVE-2025-13928) that could allow an unauthenticated user to cause denial-of-service conditions. Users of all affected products are urged to apply the patches immediately.

ZoomGitLabRCEDoSVulnerability +2 more

Zoom & GitLab Race to Patch Critical Flaws, Including a 9.9 CVSS RCE Bug

Spotlight on Supply Chain Risk: Reports Warn of Escalating SaaS-to-SaaS Attacks

INFORMATIONAL

Growing Threat of SaaS and Digital Supply Chain Attacks Highlighted by New Reports and Security Solutions

The digital supply chain has become a primary focus of cyber risk, as highlighted by multiple events on January 22, 2026. A new report from security firm Black Kite warns that the retail and wholesale sectors are highly exposed to attacks that exploit interconnected IT systems and shared vendors. Concurrently, SaaS security leader Obsidian Security launched the industry's first end-to-end SaaS supply chain security solution to combat the growing threat of SaaS-to-SaaS attacks, where a compromise in one application (like Salesloft) can cascade to affect hundreds of integrated partner applications (like Drift). These developments underscore the urgent need for organizations to gain visibility and control over their sprawling, interconnected digital ecosystems.

Supply Chain AttackSaaSCloud SecurityThird-Party RiskAPI Security

Spotlight on Supply Chain Risk: Reports Warn of Escalating SaaS-to-SaaS Attacks

Supply Chain Attack

Cloud Security

Threat Intelligence

osTicket Flaw Lets Attackers Read Server Files via Malicious PDF Export

osTicket Vulnerability (CVE-2026-22200) Allows Arbitrary File Reading via PDF Export Feature

A high-severity vulnerability, CVE-2026-22200, has been disclosed in osTicket, a popular open-source helpdesk system. The flaw allows an unauthenticated, anonymous attacker to read arbitrary files from the server by injecting a malicious PHP filter chain into a support ticket. When a privileged user exports the ticket to PDF, the vulnerability is triggered, embedding the contents of sensitive server files (like configuration files) into the generated PDF as a bitmap image. Researchers warn this flaw can be chained with other vulnerabilities for full remote code execution (RCE). Patches are available in versions 1.18.3 and 1.17.4.

osTicketVulnerabilityPHPArbitrary File ReadCVE-2026-22200

osTicket Flaw Lets Attackers Read Server Files via Malicious PDF Export

Critical Flaw in Popular Node.js Library 'binary-parser' Allows Code Execution

Node.js Supply Chain Risk: 'binary-parser' Library Vulnerable to RCE (CVE-2026-1245)

The CERT Coordination Center (CERT/CC) has issued a warning about a critical vulnerability, CVE-2026-1245, in the popular 'binary-parser' npm library for Node.js. The flaw, which has a CVSS score of 6.5, allows for arbitrary JavaScript execution. The vulnerability exists because the library dynamically generates parser code from user-supplied input without proper sanitization, creating a code injection sink. This poses a significant software supply chain risk, as any application using the library to parse untrusted data could be compromised. Developers are urged to update to the patched version 2.3.0 immediately.

Node.jsnpmSupply Chain AttackVulnerabilityRCE +1 more

Critical Flaw in Popular Node.js Library 'binary-parser' Allows Code Execution

Supply Chain Attack

New Android Malware Uses AI to Mimic Human Behavior and Evade Detection

MEDIUM

AI-Powered Android Malware Leverages TensorFlow to Commit Sophisticated Ad Fraud

A new and sophisticated family of Android malware is leveraging artificial intelligence to commit ad fraud while evading detection. The malware uses TensorFlow, Google's open-source machine learning framework, to mimic human-like behavior, such as realistic clicks and swipes on hidden advertisements. This advanced technique allows it to bypass traditional ad fraud detection systems that rely on identifying the predictable, scripted patterns of bots. The malware can also stream video of its operations back to attackers, likely for model refinement, representing a significant evolution in mobile threat capabilities.

AndroidMalwareAITensorFlowAd Fraud +1 more

Malware

Mobile Security

Critical GNU Inetutils Flaw Allows Root Access via Telnet Authentication Bypass

GNU Inetutils Telnet Daemon Vulnerable to Remote Authentication Bypass (CVE-2026-24061)

A critical authentication bypass vulnerability, CVE-2026-24061, has been disclosed in the telnet daemon (telnetd) of GNU Inetutils, a common package of networking utilities for many Unix-like operating systems. The flaw allows a remote attacker to bypass authentication and gain root access to the system simply by providing a specially crafted username. Successful exploitation, achieved by passing '-f root' as the USER environment variable, leads to a complete compromise of the machine. All versions of GNU Inetutils up to and including 2.7 are affected. Administrators are urged to disable the telnetd service immediately.

GNUTelnetVulnerabilityAuthentication BypassRoot +1 more

Critical GNU Inetutils Flaw Allows Root Access via Telnet Authentication Bypass

Updated Articles (2)

Everest Ransomware Claims 861GB Data Breach at McDonald's India

Updated: January 22, 2026

Everest Ransomware Group Alleges Major Breach of McDonald's India, Threatens to Leak Customer and Corporate Data

Update:

The Everest ransomware group has released screenshots as proof of their alleged data breach at McDonald's India. These images purportedly display internal financial reports, audit trails, and a 'Contact Database' containing investor and partner information from multiple regions including the US, UK, Singapore, and India. This new evidence strongly suggests a deeper compromise, potentially involving core accounting or Enterprise Resource Planning (ERP) systems, escalating the potential impact beyond initial reports of general sensitive data. The group also issued a two-day deadline for McDonald's India to respond to their ransom demands.

January 21, 2026

EverestRansomwareData BreachMcDonald'sIndia +2 more

Ransomware

Data Breach

Oracle Issues Critical Patch for CVSS 10.0 Auth Bypass in WebLogic Server

Updated: January 22, 2026

Oracle's January 2026 Critical Patch Update Addresses 337 Vulnerabilities, Including a Perfect 10.0 Flaw

Update:

The January 2026 Critical Patch Update from Oracle is more extensive than initially detailed, addressing approximately 230 unique CVEs, with over 235 vulnerabilities remotely exploitable without authentication. Beyond the critical WebLogic flaw (CVE-2026-21962), another CVSS 10.0 vulnerability, CVE-2025-66516, has been identified in the Apache Tika library used by Oracle products. This broad update impacts over 30 product families, including JD Edwards, MySQL, E-Business Suite, and Fusion Middleware, underscoring the widespread risk and the urgent need for comprehensive patching across all affected Oracle environments.

January 21, 2026

OracleCritical Patch UpdateCPUVulnerabilityCVE-2026-21962 +3 more

Oracle Issues Critical Patch for CVSS 10.0 Auth Bypass in WebLogic Server