Human Factor Blog

how human behavior affects security

Programmer’s Digest #168

01/14/2026-01/21/2026 Critical Flaw in Modular DS WordPress Plugin, Binary-parser Bug Allows Node.js Privilege-Level Code Execution, Hackers Target Developers via Malicious VS Code Projects And More.

1. Actively Exploited Critical Flaw in Modular DS WordPress Plugin Enables Admin Takeover

A critical vulnerability in the Modular DS WordPress plugin (CVE-2026-23550, CVSS 10.0) is being actively exploited, allowing unauthenticated attackers to escalate privileges. Modular DS, installed on over 40,000 sites, enables centralized monitoring, updates, and remote administration of WordPress installations. In versions 2.5.1 and earlier, the flaw allows attackers to bypass authentication by abusing exposed API routes under /api/modular-connector/. A flawed isDirectRequest() check treats requests containing simple parameters (origin=mo&type=xxx) as trusted “direct” requests, without validating signatures, secrets, IPs, or User-Agent headers. If a site is already connected to Modular, attackers can access sensitive routes such as /login, /system, and /backup, leading to admin takeover and data theft. Exploitation began on January 13, 2026, with attackers targeting the login API to create new admin users. The issue was fixed in version 2.5.2 by tightening route handling and validation. Users should update immediately to mitigate risk.

2. CERT/CC Warns Binary-parser Bug Allows Node.js Privilege-Level Code Execution

A security vulnerability has been disclosed in the popular binary-parser npm library that could allow attackers to execute arbitrary JavaScript. Tracked as CVE-2026-1245, the flaw affects all versions prior to 2.3.0, which was released on November 26, 2025 to address the issue. Binary-parser is a widely used JavaScript parser builder for binary data, supporting multiple data types and receiving roughly 13,000 weekly downloads. According to CERT/CC, the vulnerability stems from insufficient sanitization of user-supplied values—such as parser field names and encoding parameters—when generating parser code dynamically at runtime using the Function constructor. Because the library builds JavaScript source code as a string and compiles it for execution, attacker-controlled input can be injected into the generated code, leading to arbitrary code execution within the Node.js process. Applications using only static, hard-coded parser definitions are not affected. Users are strongly advised to upgrade to version 2.3.0 and avoid passing untrusted input into parser definitions.

3. Hackers Exploiting Critical Fortinet FortiSIEM Flaw in Attacks

A critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) with publicly available proof-of-concept exploit code is now being actively exploited in the wild. Reported by Horizon3.ai researcher Zach Hanley, the flaw combines multiple issues that allow unauthenticated attackers to perform arbitrary file writes, escalate privileges, and ultimately gain root-level code execution. Fortinet described the issue as an OS command injection vulnerability that can be triggered via crafted TCP requests. Horizon3.ai’s analysis revealed that dozens of command handlers exposed through the phMonitor service can be accessed remotely without authentication. By abusing argument injection, attackers can overwrite system files such as /opt/charting/redishb.sh to execute code as root. The vulnerability affects FortiSIEM versions 6.7 through 7.5. Patches are available in newer releases, while administrators unable to update immediately are advised to restrict access to the phMonitor port (7900). Threat intelligence firm Defused has confirmed active exploitation, urging defenders to check phMonitor logs for signs of compromise.

4. North Korea-Linked Hackers Target Developers via Malicious VS Code Projects

North Korean threat actors behind the long-running Contagious Interview campaign are using malicious Visual Studio Code (VS Code) projects to distribute backdoors. The tactic targets software developers through fake job assessments that instruct victims to clone GitHub, GitLab, or Bitbucket repositories and open them in VS Code. When a victim trusts the repository, malicious tasks.json files are automatically executed, abusing the runOn: folderOpen option to fetch and run obfuscated JavaScript payloads hosted on Vercel. On macOS, the attack uses background shell commands to pipe remote JavaScript directly into Node.js, enabling persistent execution even after VS Code closes. The payload deploys backdoors such as BeaverTail and InvisibleFerret, enabling remote code execution, system profiling, and continuous command-and-control communication. Later stages may introduce fallback infection methods, malicious npm packages, credential theft, crypto mining, and remote access tools. Developers are urged to carefully vet repositories, review task configurations, and avoid untrusted coding tests.

5. AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks

A critical misconfiguration in AWS CodeBuild, dubbed CodeBreach by Wiz, could have enabled attackers to take over several AWS-managed GitHub repositories, including the AWS JavaScript SDK, creating a severe supply chain risk. The issue was responsibly disclosed on August 25, 2025, and fixed by AWS in September. The flaw stemmed from improperly configured CI webhook filters intended to restrict which GitHub users could trigger builds. Four AWS repositories used regex-based actor ID filters that lacked start (^) and end ($) anchors, allowing attackers to bypass restrictions by registering GitHub accounts with numeric IDs containing a trusted maintainer’s ID as a substring. Because GitHub user IDs are sequential, these IDs could be predicted and generated using automated bot accounts. By triggering a build, an attacker could access privileged GitHub tokens with admin rights, enabling direct code pushes, pull request approvals, and secret exfiltration. AWS confirmed the issue was limited to specific projects, implemented mitigations, rotated credentials, and found no evidence of exploitation in the wild.
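The regex anchoring mistake described above, as an added example (not code from the original post, from AWS or from Wiz): an actor-ID filter written as a bare alternation versus the same filter wrapped in `^` and `$`, plus a behavioural audit that flags a filter which accepts padded IDs. The maintainer IDs are constructed for the demo.

```javascript
// Added example: why an unanchored actor-ID regex admits look-alike IDs.
// TRUSTED_ACTOR_IDS are constructed values, not real GitHub accounts.
const TRUSTED_ACTOR_IDS = ["123456", "7890123"];

// Weak filter: a bare alternation. RegExp.test() searches anywhere in the
// input, so any ID that merely contains a trusted ID as a substring passes.
function buildUnanchoredFilter(ids) {
  return new RegExp(ids.join("|"));
}

// Hardened filter: ^ and $ around the whole alternation force a full match.
function buildAnchoredFilter(ids) {
  return new RegExp(`^(?:${ids.join("|")})$`);
}

function isAllowedActor(filter, actorId) {
  return filter.test(String(actorId));
}

// Behavioural audit for an existing filter: if padding a trusted ID with an
// extra digit on either side still passes, the filter is not an exact match.
function filterAcceptsSuperstrings(filter, ids) {
  return ids.some(
    (id) => isAllowedActor(filter, `9${id}`) || isAllowedActor(filter, `${id}9`)
  );
}

function demo() {
  const weak = buildUnanchoredFilter(TRUSTED_ACTOR_IDS);
  const fixed = buildAnchoredFilter(TRUSTED_ACTOR_IDS);
  const lookAlike = "9123456"; // constructed: contains 123456 as a substring
  return {
    weakAcceptsTrusted: isAllowedActor(weak, "123456"),      // true
    weakAcceptsLookAlike: isAllowedActor(weak, lookAlike),   // true  <- the bug
    fixedAcceptsTrusted: isAllowedActor(fixed, "123456"),    // true
    fixedAcceptsLookAlike: isAllowedActor(fixed, lookAlike), // false
    weakFailsAudit: filterAcceptsSuperstrings(weak, TRUSTED_ACTOR_IDS),   // true
    fixedFailsAudit: filterAcceptsSuperstrings(fixed, TRUSTED_ACTOR_IDS), // false
  };
}

console.log(demo());
```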

Programmer’s Digest #167

01/07/2026-01/14/2026 Gogs Vulnerability, Microsoft Fixes 114 Windows Flaws, Critical Node.js Vulnerability And More

1. CISA Flags Actively Exploited Gogs Vulnerability With No Patch

A high-severity vulnerability in the self-hosted Git service Gogs is being actively exploited, prompting an alert from CISA. The flaw is tracked as CVE-2025-8110 and carries a CVSS v4.0 score of 8.7. The issue stems from improper handling of symbolic links in Gogs’ PutContents API, allowing authenticated attackers to overwrite files outside a repository and achieve remote code execution. Wiz researchers uncovered the flaw while investigating malware infections and found it was exploited as a zero-day, bypassing earlier protections. More than 700 Gogs instances have already been compromised, and about 1,600 servers remain internet-exposed. No official patch is available yet, though fixes are pending. Until updates are released, organizations are urged to restrict access, disable open registration, and closely monitor for suspicious activity.

2. Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

Microsoft has released its first Patch Tuesday update of 2026, fixing 114 security vulnerabilities, including one actively exploited in the wild. Eight flaws are rated Critical and 106 Important, with privilege escalation issues making up the largest category. The update ranks as the third-largest January Patch Tuesday on record.

The actively exploited flaw, CVE-2026-20805 (CVSS 5.5), is an information disclosure vulnerability in the Desktop Window Manager (DWM) that could help attackers undermine protections like ASLR. While exploitation details remain limited, CISA has added it to its KEV catalog, requiring U.S. federal agencies to patch by February 3, 2026.

Microsoft also addressed Edge browser flaws, removed vulnerable legacy Agere modem drivers, and fixed a Secure Boot certificate expiration bypass that could weaken firmware trust. Another high-priority issue is a privilege escalation flaw in Windows Virtualization-Based Security Enclave that could allow attackers to compromise core system protections.

3. Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Node.js has released security updates to fix a critical denial-of-service (DoS) issue that could impact “virtually every production Node.js app.” Tracked as CVE-2025-59466 (CVSS 7.5), the flaw occurs when stack space is exhausted in user code while async_hooks is enabled. Instead of throwing a catchable error, Node.js may abruptly exit with code 7, allowing attackers to crash applications using unsanitized, recursion-based input. The issue affects many popular frameworks and monitoring tools that rely on AsyncLocalStorage, including React Server Components, Next.js, and major APM platforms such as Datadog and New Relic. All Node.js versions from 8.x through 18.x are impacted, though only supported releases have been patched.

Fixes are available in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0. Node.js also addressed three additional high-severity vulnerabilities involving data leakage, file access via symlinks, and remote DoS. Users are strongly urged to update promptly.

4. Trend Micro Fixed a Remote Code Execution in Apex Central

Trend Micro has patched three security vulnerabilities in its Apex Central on-premise management console that could enable remote code execution (RCE) or denial-of-service (DoS) attacks. The flaws, discovered by Tenable in August 2025 and tracked as CVE-2025-69258, CVE-2025-69259, and CVE-2025-69260, affect Windows installations running Apex Central versions prior to Build 7190.

The most critical issue, CVE-2025-69258 (CVSS 9.8), is a LoadLibraryEx RCE vulnerability that allows an unauthenticated attacker to load a malicious DLL and execute code with SYSTEM privileges. Tenable released proof-of-concept exploit code demonstrating the attack. The other two flaws, both rated 7.5, are DoS vulnerabilities caused by an unchecked NULL return value and an out-of-bounds read, respectively.

Trend Micro addressed all three issues in Critical Patch Build 7190 and urges customers to apply updates promptly and restrict remote access.

Programmer’s Digest #166

12/31/2026-01/07/2026 ISE Security Vulnerability, Ni8mare Flaw Gives Unauthenticated Control Of n8n Instances, New Veeam Vulnerabilities And More

1. Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release

Cisco has issued patches for a medium-severity flaw, CVE-2026-20029 (CVSS: 4.9), in its Identity Services Engine (ISE) and ISE Passive Identity Connector. This vulnerability, present in the licensing feature, allows an authenticated administrator to read arbitrary files via malicious XML uploads. A public proof-of-concept exploit is available. Affected versions include releases earlier than 3.2 and specific 3.2 to 3.4 releases; version 3.5 is not vulnerable. No workarounds exist. Concurrently, Cisco fixed two other medium-severity Snort 3 bugs—CVE-2026-20026 (denial-of-service) and CVE-2026-20027 (information disclosure)—affecting multiple products. Given how frequently Cisco vulnerabilities are targeted, users should apply the updates promptly.

2. Ni8mare Flaw Gives Unauthenticated Control Of n8n Instances

A critical vulnerability in the n8n workflow automation platform, tracked as CVE-2026-21858 (CVSS 10.0) and dubbed Ni8mare, allows unauthenticated attackers to fully compromise affected instances. Discovered by Cyera researchers, the flaw enables arbitrary file read by abusing how n8n Webhooks handle uploaded data in certain form-based workflows.

The issue arises when workflows process files without validating the request’s Content-Type. Attackers can craft non-multipart requests and manually define file paths, tricking n8n into copying and exposing sensitive system files such as /etc/passwd. With access to configuration files and the local SQLite database, attackers can extract authentication secrets, forge an admin session cookie, and bypass login protections.

Once authenticated as an admin, attackers can achieve full remote code execution using built-in workflow nodes. The vulnerability affects all n8n versions up to 1.65.0 and was fixed in version 1.121.0 (November 2025). A compromised n8n instance can expose credentials, tokens, and connected systems, making the impact severe.

3. New Veeam Vulnerabilities Expose Backup Servers to RCE Attacks

Veeam has released security updates to fix multiple flaws in its Backup & Replication (VBR) software, including a high-severity remote code execution vulnerability tracked as CVE-2025-59470. The flaw affects Veeam Backup & Replication version 13.0.1.180 and all earlier v13 builds.

The vulnerability allows attackers with Backup or Tape Operator roles to achieve remote code execution as the postgres user by sending malicious parameters. While initially rated critical, Veeam downgraded the issue to high severity because exploitation requires highly privileged access. Two additional flaws were also fixed: CVE-2025-55125 (high) and CVE-2025-59468 (medium), both enabling RCE under specific conditions.

The issues were patched in Veeam Backup & Replication 13.0.1.1071, released on January 6. VBR is widely used by enterprises and managed service providers and is frequently targeted by ransomware groups, as compromising backup servers can enable data theft and prevent recovery.

4. Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers

Users of the @adonisjs/bodyparser npm package are urged to update after disclosure of a critical path traversal vulnerability that could allow arbitrary file writes on servers. Tracked as CVE-2026-21440 (CVSS 9.2), the flaw affects AdonisJS multipart file uploads when developers use MultipartFile.move() without sanitizing filenames or providing the options parameter.

In such cases, attackers can supply crafted filenames containing traversal sequences, enabling them to write files outside the intended upload directory and potentially overwrite sensitive files. If application code or configuration files are overwritten and later executed, remote code execution may be possible, depending on deployment and permissions. The issue affects versions ≤10.1.1 and ≤11.0.0-next.5, and is fixed in 10.1.2 and 11.0.0-next.6.

The disclosure coincides with another high-severity path traversal flaw in jsPDF (CVE-2025-68428, CVSS 9.2), patched in version 4.0.0, which could expose arbitrary local files in Node.js environments.

5. RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers

Researchers have uncovered a nine-month-long campaign targeting IoT devices and web applications to build the RondoDox botnet. As of December 2025, attackers are exploiting React2Shell (CVE-2025-55182, CVSS 10.0), a critical flaw in React Server Components and Next.js that enables unauthenticated remote code execution, according to CloudSEK.

Shadowserver estimates 90,000+ instances remain vulnerable worldwide, with the majority in the U.S. RondoDox, active since early 2025, has expanded by abusing multiple N-day flaws, including CVE-2023-1389 and CVE-2025-24893. The campaign evolved from manual scanning to large-scale automated exploitation.

Recent attacks scan for vulnerable Next.js servers and deploy crypto miners, botnet loaders, and a Mirai variant. One tool aggressively removes competing malware and establishes persistence via cron jobs. Mitigations include patching Next.js, isolating IoT devices, deploying WAFs, monitoring suspicious processes, and blocking known C2 infrastructure.
