Stay Ahead of Threats with the Latest Vulnerability Updates for January
Stay up to date on critical cyber risks, Microsoft’s January Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats.
Quick Highlights
- Microsoft Patch Tuesday:
– 112 vulnerabilities disclosed
– 8 rated Critical, 3 Zero-Days (1 actively exploited)
- High-Severity Advisories from Major Vendors:
– Adobe: 17 critical vulnerabilities patched across 11 products
– Fortinet: 1 high-severity flaw in FortiOS and FortiSwitchManager
– SAP: 4 critical vulnerabilities in SAP Landscape Transformation, SAP S/4HANA, and SAP Wily Introscope Enterprise Manager
– n8n: Fixed critical vulnerability affecting versions 1.65–1.120.4
– React Server: Disclosed critical RCE vulnerability in React Server Components
– Veeam: Disclosed multiple critical vulnerabilities affecting Veeam Backup & Replication v13.0.1.180 and earlier
- Top Threats to Watch:
– AI‑Powered Social Engineering & Identity Attacks – Attackers are abusing OAuth device-code authorization flows, QR‑code “Quishing,” and LinkedIn comment‑reply impersonation to bypass MFA and steal credentials at scale.
– Supply‑Chain & Developer Ecosystem Compromises – Major compromises include the Office Assistant supply‑chain attack, malicious VS Code/OpenVSX extensions (GlassWorm), and the breach of Target developer systems, highlighting continued targeting of dev environments and CI/CD ecosystems.
– AI‑Driven Malware & Botnet Expansion – GoBruteforcer campaigns leverage AI‑generated default credentials and weak configurations to compromise 50,000+ servers, especially crypto and blockchain environments.
– Malicious Browser Extensions Harvesting AI Chats & Corporate Data – Two Chrome extensions with 900k+ installs stole ChatGPT/DeepSeek conversations and corporate browsing data, demonstrating large‑scale exfiltration from trusted browser ecosystems.
– Critical RCE Vulnerabilities Actively Exploited in the Wild – Active exploitation of WatchGuard Firebox (CVE‑2025‑14733), Fortinet FG‑IR‑19‑283, React Server Components (CVSS 10.0), Veeam Backup & Replication, and n8n workflow vulnerabilities poses severe risk for remote code execution, config theft, and full system compromise.
Windows 10 Reaches End of Support
As of October 14, 2025, Microsoft has officially ended support for Windows 10. This month’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program.
- What This Means for Your Organization:
– No more security patches or bug fixes for Windows 10 devices
– Increased exposure to vulnerabilities and compliance risks
- Continued support requires either:
– Enrolling in Microsoft’s paid ESU program, or
– Upgrading to Windows 11
Need help planning your transition?
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.
Patch Tuesday Summary
Microsoft January 2026 Patch Tuesday
112 vulnerabilities disclosed, including 8 critical and 3 zero-days. By category:
- 57 Elevation of Privilege
- 22 Remote Code Execution
- 22 Information Disclosure
- 5 Spoofing
- 3 Tampering
- 3 Security Feature Bypass
- 2 Denial of Service
Critical Common Vulnerabilities and Exposures (CVEs)
Windows Zero-Days
| CVE-ID | Details | Severity | Exploited? |
|---|---|---|---|
| CVE-2025-62221 | Elevation of Privilege flaw in the Windows Cloud Files Mini Filter Driver, which can be used to gain SYSTEM privileges | Important | Yes |
| CVE-2025-64671 | Remote Code Execution vulnerability in GitHub Copilot for JetBrains, which can allow an attacker to execute commands locally | Important | No |
| CVE-2025-54100 | Remote Code Execution vulnerability in PowerShell, which could allow embedded scripts to be executed if a webpage is fetched using Invoke-WebRequest | Important | No |
Other Critical CVEs Worth Mentioning
| CVE-ID | Details | Severity | Exploited? |
|---|---|---|---|
| CVE-2026-20957 | Microsoft Excel Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-20952 | Microsoft Office Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-20854 | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-20955 | Microsoft Excel Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-20944 | Microsoft Word Remote Code Execution Vulnerability | Critical | No |
| CVE-2026-20876 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability | Critical | No |
| CVE-2026-20822 | Windows Graphics Component Elevation of Privilege Vulnerability | Critical | No |
Microsoft January 2026 Security Update Release
Third-Party Critical CVEs Worth Mentioning
Adobe Products *
| Affected Product | CVE-ID(s) | Critical Issues | Key Risks |
|---|---|---|---|
| Adobe Dreamweaver | CVE-2026-21267, CVE-2026-21268, CVE-2026-21274, CVE-2026-21271, CVE-2026-21272 | 5 Critical | Arbitrary code execution; arbitrary file system write |
| Adobe InDesign | CVE-2026-21275, CVE-2026-21276, CVE-2026-21277, CVE-2026-21304 | 4 Critical | Arbitrary code execution |
| Adobe Substance 3D Modeler | CVE-2026-21298, CVE-2026-21299 | 2 Critical | Arbitrary code execution |
| Adobe Illustrator | CVE-2026-21280 | 1 Critical | Arbitrary code execution |
| Adobe InCopy | CVE-2026-21281 | 1 Critical | Arbitrary code execution |
| Adobe Bridge | CVE-2026-21283 | 1 Critical | Arbitrary code execution |
| Adobe Substance 3D Stager | CVE-2026-21287 | 1 Critical | Arbitrary code execution |
| Adobe Substance 3D Painter | CVE-2026-21305 | 1 Critical | Arbitrary code execution |
| Adobe Substance 3D Sampler | CVE-2026-21306 | 1 Critical | Arbitrary code execution |
| Adobe ColdFusion | CVE-2025-66516 | 0 Critical, 1 Important | Arbitrary code execution |
| Adobe Substance 3D Designer | CVE-2026-21308 | 0 Critical, 1 Important | Memory leak |
Fortinet *
| Affected Product | CVE-ID | Description | Severity | Exploited? |
|---|---|---|---|---|
| FortiOS, FortiSwitchManager | CVE-2025-25249 | A heap-based buffer overflow vulnerability in the cw_acd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests | High | No |
SAP *
| Affected Component | CVE-ID | Description | Severity | Exploited? |
|---|---|---|---|---|
| SAP S/4HANA (Private Cloud and On-Premise) | CVE-2026-0501, CVE-2026-0498 | CVE-2026-0501 – Due to insufficient input validation, an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. CVE-2026-0498 – Allows an attacker with admin privileges to exploit a vulnerability in a function module exposed via RFC. | Critical | No |
| SAP Landscape Transformation | CVE-2026-0491 | Allows an attacker with admin privileges to exploit a vulnerability in a function module exposed via RFC. | Critical | No |
| SAP Wily Introscope Enterprise Manager | CVE-2026-0500 | Due to the use of a vulnerable third-party component, an unauthenticated attacker could create a malicious JNLP file accessible via a public-facing URL. | Critical | No |
SAP January 2026 Security Notes
Google Chrome
- Version: 144.0.7559.59/60 (Windows and Mac), 144.0.7559.59 (Linux)
- Release Date: Tuesday, January 13, 2026
- Key Fixes: High CVE-2026-0899, High CVE-2026-0900 and High CVE-2026-0901
Mozilla Firefox
- Version: Firefox 147
- Release Date: Tuesday, January 13, 2026
- Key Fixes: High CVE-2026-0877 through CVE-2026-0882
* Not handled by Fortress SRM.
Threat Intelligence Trends – January 2026
The following resources are grouped by threat type / category.
Emerging Threats
SOCRadar Annual Dark Web Report 2025
SOCRadar’s 2025 Annual Dark Web Report highlights a data‑driven overview of underground cybercrime, showing that data leaks dominate dark web activity, with database‑related threats making up 64.06% of observed incidents and selling posts 59.32%. The United States remains the top target, responsible for 19.91% of dark‑web mentions and over 41% of ransomware attacks, while Public Administration emerges as the most exposed sector at 12.85%.
Read more →
Silent Push Uncovers Long‑Running Magecart Skimming Campaign
Security researchers discovered a sophisticated Magecart web‑skimming network that has been active since at least 2022, targeting major payment cards including American Express, Discover, Mastercard, JCB, UnionPay, and others.
Read more →
Target’s Dev Server Taken Offline After Hackers Claim Theft of Internal Source Code
Hackers published samples of what they claim is stolen internal Target source code on a public Gitea instance, advertising a much larger 860GB dataset for sale and referencing internal systems, developer metadata, and private repositories.
Read more →
Trust Wallet Confirms Extension Hack Led to $7 Million Crypto Theft
Trust Wallet confirmed that a malicious Chrome extension update (version 2.68) published on December 24 allowed attackers to exfiltrate sensitive wallet data, resulting in approximately $7 million in stolen cryptocurrency.
Read more →
Senior U.S. Officials Impersonated in Malicious Smishing & Vishing Campaign
An IC3 Public Service Announcement warns that since at least 2023, threat actors have been impersonating senior U.S. government officials through smishing (SMS phishing) and AI‑generated vishing calls to build rapport with victims before moving conversations to encrypted apps.
Read more →
Ransomware & Malware Deployment
Office Assistant Supply Chain Attack Delivers Malicious Plugin
Security researchers uncovered a long‑running supply‑chain attack in which the popular Chinese AI‑powered Office Assistant application (version 3.1.10.1) secretly loaded a malicious downloader component that contacted C2 domains, retrieved multi‑stage payloads, and ultimately deployed the Mltab malicious browser plugin.
Read more →
GlassWorm Goes Mac: Fresh Infrastructure, New Tricks
A new GlassWorm wave marks a major pivot from Windows to macOS, distributing malicious VS Code/OpenVSX extensions that use AES‑256‑CBC–encrypted JavaScript payloads instead of earlier invisible Unicode or Rust‑based techniques.
Read more →
MacSync Stealer Evolves into Code‑Signed Swift Malware
Security researchers discovered a new MacSync Stealer variant delivered as a code‑signed and notarized Swift application inside a disk image, allowing it to bypass Gatekeeper and avoid traditional execution‑chain indicators.
Read more →
GachiLoader: Obfuscated Node.js Loader Spread via YouTube Ghost Network
Check Point Research identified GachiLoader, a heavily obfuscated Node.js‑based loader distributed through compromised YouTube accounts promoting fake game cheats and cracked software.
Read more →
Social Engineering Exploits
Convincing LinkedIn Comment‑Reply Tactic Used in New Phishing Campaign
A new phishing campaign is flooding LinkedIn posts with fake “reply” comments impersonating LinkedIn, falsely claiming policy violations and urging users to click external links masked with lnkd.in shorteners for added credibility.
Read more →
GRU‑Linked BlueDelta Evolves Credential‑Harvesting Tactics
Russia‑linked BlueDelta (APT28) expanded its credential‑harvesting campaigns throughout February–September 2025, targeting Turkish energy and nuclear researchers, a European think tank, and organizations in North Macedonia and Uzbekistan. The group used highly tailored lures and spoofed Microsoft OWA, Google, and Sophos VPN login pages.
Read more →
North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing (Quishing) Campaigns
A new FBI Cybersecurity Advisory warns that North Korean Kimsuky actors are increasingly using malicious QR codes (“Quishing”) in highly targeted spearphishing campaigns against U.S. think tanks, NGOs, academia, and government‑linked entities.
Read more →
DocuSign Impersonation Wave Leveraging Real‑Time LogoKit Customization
Security researchers identified a growing wave of DocuSign impersonation attacks in which phishing emails mimic authentic DocuSign notifications, spoof sender domains, and address recipients by their login name to increase credibility.
Read more →
Access Granted: Phishing With Device Code Authorization Enables Stealthy M365 Account Takeovers
Proofpoint researchers warn that multiple threat clusters—both financially motivated and state‑aligned—are now abusing Microsoft’s OAuth 2.0 device code authorization flow to trick users into granting attackers access to their Microsoft 365 accounts.
Read more →
AI-Driven Threats
Inside GoBruteforcer: AI‑Generated Server Defaults, Weak Passwords, and Crypto‑Focused Campaigns
Check Point Research analyzed an evolved GoBruteforcer botnet variant that exploits AI‑generated server deployment examples and legacy stacks like XAMPP, which frequently include predictable default usernames and weak passwords, leaving over 50,000 internet‑facing servers vulnerable.
Read more →
LLMs & Ransomware: An Operational Accelerator, Not a Revolution
SentinelOne researchers conclude that large language models (LLMs) are accelerating ransomware operations—improving speed, scalability, multilingual phishing, tooling generation, data triage, and negotiation—without fundamentally transforming attacker tactics.
Read more →
Chrome Extensions Impersonate AI Tools to Steal ChatGPT & DeepSeek Chats
Security researchers report that two malicious Chrome extensions—Chat GPT for Chrome with GPT‑5, Claude Sonnet & DeepSeek AI and AI Sidebar with Deepseek, ChatGPT, Claude and more—accumulated over 900,000 installs while secretly exfiltrating full ChatGPT and DeepSeek conversation data and users’ browsing activity.
Read more →
Vulnerabilities Actively Exploited
Security Advisory: Vulnerability in n8n Versions 1.65–1.120.4
n8n disclosed a critical security vulnerability affecting versions 1.65–1.120.4, specifically in workflows using a Form Submission trigger with file upload and a Form Ending node returning binary data.
Read more →
Vulnerabilities Resolved in Veeam Backup & Replication 13.0.1.1071 (KB4792)
Veeam’s KB4792 advisory discloses multiple vulnerabilities affecting Veeam Backup & Replication 13.0.1.180 and all earlier v13 builds, all of which were fixed in version 13.0.1.1071.
Read more →
Critical Security Vulnerability in React Server Components (RSC)
React disclosed CVE‑2025‑55182, a critical unauthenticated remote code execution (RCE) vulnerability (CVSS 10.0) affecting React Server Components, caused by unsafe deserialization of payloads sent to React Server Function endpoints.
Read more →
WatchGuard Firebox iked Out‑of‑Bounds Write Vulnerability (WGSA‑2025‑00027)
WatchGuard disclosed WGSA‑2025‑00027, a critical Out‑of‑Bounds Write vulnerability (CVE‑2025‑14733) in the Fireware OS iked process, allowing remote unauthenticated RCE on Firebox appliances.
Read more →
Product Security Advisory & Analysis: Observed Abuse of FG‑IR‑19‑283 (CVE‑2020‑12812)
Fortinet has confirmed active, in‑the‑wild exploitation of the long‑patched FortiGate authentication bypass vulnerability FG‑IR‑19‑283 / CVE‑2020‑12812, originally disclosed in July 2020.
Read more →
Recommended Actions
Mitigations
- Patch all affected systems immediately, prioritizing critical vulnerabilities in Microsoft Patch Tuesday (8 Critical, 3 Zero‑Days), Adobe products, SAP, Fortinet, and WatchGuard Fireware OS (CVE‑2025‑14733) to prevent remote code execution and active exploitation attempts.
- Upgrade or retire Windows 10 endpoints (end‑of‑support October 14, 2025) or enroll devices in Microsoft’s ESU program to maintain patch coverage.
- Harden identity infrastructure by enforcing MFA everywhere, disabling vulnerable LDAP/2FA configurations in FortiGate devices, and reviewing OAuth app permissions to defend against device‑code phishing abuses (per Proofpoint research).
- Remove malicious or suspicious browser extensions, especially AI‑related Chrome add-ons impersonating legitimate tools, and enforce extension allowlisting enterprise‑wide to prevent “prompt‑poaching” attacks.
- Apply security updates for n8n workflows, upgrading to version 1.121.0+ to fix the file‑access vulnerability in Form Submission workflows.
- Update React applications and frameworks (Next.js, Parcel/Vite RSC plugins) to patched versions addressing the CVE‑2025‑55182 RCE deserialization flaw.
- Ensure Veeam Backup & Replication is updated to version 13.0.1.1071 to close RCE paths exploitable by Backup/Tape Operators or Backup Admins.
- Harden exposed servers and databases by eliminating default/AI‑generated weak credentials to reduce susceptibility to GoBruteforcer botnet campaigns.
Monitoring
- Monitor identity platforms (Azure AD/M365) for unusual OAuth device‑code authorizations, unexpected app consents, anomalous MFA‑less logins, and session‑token reuse attempts.
- Watch for VPN and firewall anomalies, including FortiGate login attempts using case‑variant usernames (e.g., Jsmith vs jsmith) and WatchGuard Firebox connections to any published Indicators of Attack (IOAs).
- Enable alerting for Chrome/Edge extension installations, especially AI sidebar/chat extensions, and track outbound connections to known attacker C2 domains associated with data‑exfiltrating browser extensions.
- Monitor for signs of n8n exploitation, such as unexpected file reads, unauthorized workflow executions, or abnormal file‑handling behavior in Form Submission workflows.
- Continuously monitor internet‑facing services (FTP/MySQL/PostgreSQL/phpMyAdmin) for brute‑force attempts, high‑volume authentication failures, and scanning activity consistent with GoBruteforcer botnet behavior.
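As an added example (not part of the original bulletin and not Fortinet's own tooling), the script below applies the FortiGate case‑variant username check from the monitoring list above to FortiOS‑style key=value VPN event lines. The log lines, field names and directory account list are constructed for illustration; adapt them to your own log schema.

```python
import re
from collections import defaultdict

# Constructed FortiOS-style key=value event lines (not from any real device).
SAMPLE_LOGS = [
    'date=2026-01-14 time=08:02:11 type="event" subtype="vpn" action="ssl-login-success" user="jsmith" remip="203.0.113.10"',
    'date=2026-01-14 time=08:05:42 type="event" subtype="vpn" action="ssl-login-success" user="Jsmith" remip="198.51.100.7"',
    'date=2026-01-14 time=08:06:01 type="event" subtype="vpn" action="ssl-login-fail" user="JSMITH" remip="198.51.100.7"',
    'date=2026-01-14 time=09:10:05 type="event" subtype="vpn" action="ssl-login-success" user="alee" remip="203.0.113.22"',
]

# Canonical usernames exactly as provisioned in the directory (constructed).
DIRECTORY_USERS = {"jsmith", "alee"}

# key=value pairs: quoted values (group 2) or bare tokens (group 3).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Turn one key=value log line into a dict; quoted and bare values both accepted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def find_case_variant_logins(lines, directory_users):
    """Return (line_no, presented_user, canonical_user, action, remip) for every
    VPN login event whose username matches a directory account only when case
    is ignored. A *successful* login under a non-canonical spelling is the
    strongest signal; failures are still worth keeping for context."""
    canonical = {u.lower(): u for u in directory_users}
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_kv(line)
        user = rec.get("user")
        if not user or not rec.get("action", "").startswith("ssl-login"):
            continue
        exact = canonical.get(user.lower())
        if exact is not None and user != exact:
            hits.append((n, user, exact, rec["action"], rec.get("remip")))
    return hits


def spellings_per_account(lines):
    """Map each account (lower-cased) to the set of spellings seen, so an account
    that suddenly appears under several casings stands out during review."""
    seen = defaultdict(set)
    for rec in map(parse_kv, lines):
        if rec.get("user"):
            seen[rec["user"].lower()].add(rec["user"])
    return dict(seen)


if __name__ == "__main__":
    for hit in find_case_variant_logins(SAMPLE_LOGS, DIRECTORY_USERS):
        print("case-variant login:", hit)
    print(spellings_per_account(SAMPLE_LOGS))
```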
Detection Tips
- Look for RCE exploitation attempts targeting WatchGuard Firebox (CVE‑2025‑14733), including unexpected outbound connections to attacker IPs, exfiltration of config files, or rapid creation of gzip archives containing credentials.
- Detect device‑code phishing chains by flagging user activity involving login.microsoft.com/devicelogin with suspicious timing, unexpected device codes, or unknown applications requesting access tokens.
- Identify malicious browser extensions by scanning for extensions communicating with domains such as deepaichats[.]com, chatsaigpt[.]com, or suspicious Lovable‑hosted infrastructure used in AI‑chat exfiltration campaigns.
- Check for indicators of GoBruteforcer infection, including newly dropped web shells, outbound IRC beaconing, high‑frequency scanning of public IP space, or processes using default/AI‑generated usernames (e.g., myuser, appuser).
- Hunt for React Server Component exploitation by reviewing server logs for malformed RSC payloads, unexpected POST requests to RSC/Server Function endpoints, or errors related to deserialization.
- Inspect n8n logs for anomalous access patterns, especially unauthorized POST requests to Form Submission endpoints that include unexpected file‑handling fields.
About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering
Why Patching Matters
Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities.
Vigilant Managed Cyber Hygiene
Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management.
- Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications
- Critical patches, OS upgrades, and configuration updates for all devices, on/off network
- 24/7/365 U.S.-based monitoring and real-time reporting for full visibility
Stay Protected. Stay Proactive.
Learn how Fortress SRM can enhance your cybersecurity strategy →
