1 Initial Access Through Trusted Web Content Step Description Victims are directed to a malicious or attacker-injected page hosted on a legitimate, high-reputation website, often discovered via search results. This avoids email-based phishing detection and leverages normal browsing behavior. Legitimate Website High-Reputation Attacker-Injected Page Search Results Avoids Email Security Normal
SmarterMail
CVE-2026-20045 Critical Cisco Unified Communications COMMAND INJECTION UNAUTHENTICATED Critical vulnerability affects multiple Cisco Unified Communications platforms and allows an unauthenticated remote attacker to execute arbitrary commands via crafted HTTP requests sent to the web-based management interface, enabling complete system compromise. Urgent Action: Immediately apply Cisco's security updates, restrict
CVE-2025-59718
TRENDING TOPICS JAN 22, 2026 Active Exploitation of FortiGate Firewalls via FortiCloud SSO Patch Bypass (CVE-2025-59718) Arctic Wolf has observed a new cluster of automated malicious activity targeting FortiGate firewalls, involving unauthorized FortiCloud SSO logins, followed by rapid configuration changes and data exfiltration. Attackers leveraged SSO authentication bypass behavior consistent
Azure
TRENDING TOPICS JAN 21, 2026 Azure Private Endpoints Can Create Hidden Denial-of-Service Risk Palo Alto researchers have identified a design weakness in Azure Private Endpoint deployments that can unintentionally expose cloud resources to denial-of-service conditions. The issue stems from how Azure prioritizes Private DNS zones when a Private Endpoint is
Evely Stealer
TRENDING TOPICS JAN 20, 2026 Evelyn Stealer: Developer-Focused Supply Chain Malware Leveraging Weaponized VS Code Extensions Evelyn Stealer is a multi-stage information-stealing malware campaign targeting software developers through the abuse of the Visual Studio Code extension ecosystem. First publicly documented in late 2025 and expanded upon in January 2026, the
AWS CodeBuild
CVE-2026-20805 Medium Windows Desktop Window Manager INFORMATION DISCLOSURE LOCAL ACCESS Medium-severity local information disclosure vulnerability in the Windows Desktop Window Manager that allows an authenticated attacker with low privileges to access sensitive information from memory. While it does not enable code execution, the exposure of high-value data could support follow-on
Microsoft
TRENDING TOPICS JAN 15, 2026 Microsoft Disrupts RedVDS Cybercrime Subscription Service Fueling Global Fraud Operations Microsoft has announced a coordinated legal and law enforcement action to dismantle RedVDS, a global cybercrime-as-a-service platform that enabled large-scale fraud, phishing, and business email compromise operations. Operating since at least 2019, RedVDS sold low-cost,
1 Initial Access via Exposed Edge Devices Phase Description The actor identifies internet-facing routers, VPN concentrators, and network management appliances with exposed administrative interfaces or weak access controls. These devices are frequently customer-managed instances hosted in cloud environments, where misconfigurations provide entry without the need to exploit vulnerabilities. Internet-Facing Devices
Reprompt
CVE-2026-20822 Critical Windows Graphics Component PRIVILEGE ESCALATION Windows Graphics Component Elevation of Privilege Vulnerability enabling local attackers to gain SYSTEM-level privileges. CVE-2026-20854 Critical Windows LSASS REMOTE CODE EXECUTION Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability allowing network-based exploitation. CVE-2026-20876 Critical Windows VBS Enclave PRIVILEGE ESCALATION Windows
Telegram
TRENDING TOPICS JAN 13, 2026 Hidden Telegram Proxy Links Enable One-Click IP Address Exposure Researchers have disclosed a Telegram client behavior that allows attackers to expose a user’s real IP address with a single click by abusing how MTProto proxy links are handled on mobile platforms. Specially crafted t[
EDRStartupHinder
TRENDING TOPICS JAN 12, 2026 EDRStartupHinder Introduces a New Way to Stop Security Tools From Starting on Windows A new proof-of-concept called EDRStartupHinder demonstrates how an attacker can prevent antivirus and EDR products from launching during Windows startup, including Microsoft Defender on Windows 11 25H2. Instead of trying to tamper
UAT-7290
CVE-2026-0625 Critical D-Link DSL/DIR/DNS Devices AUTHENTICATION BYPASS UNAUTHENTICATED END-OF-LIFE Affects multiple end-of-life D-Link DSL, DIR, and DNS devices and allows an unauthenticated attacker to bypass authentication and modify DNS settings via the exposed dnscfg.cgi endpoint, enabling DNS hijacking and traffic redirection attacks. Critical Action: Immediately decommission and