
Programmer’s Digest #166

12/31/2025-01/07/2026 ISE Security Vulnerability, Ni8mare Flaw Gives Unauthenticated Control Of n8n Instances, New Veeam Vulnerabilities And More

1. Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release

Cisco has issued patches for a medium-severity flaw, CVE-2026-20029 (CVSS: 4.9), in its Identity Services Engine (ISE) and ISE Passive Identity Connector. The vulnerability sits in the licensing feature and allows an authenticated administrator to read arbitrary files from the appliance by uploading malicious XML. A public proof-of-concept exploit is available. Affected versions include releases earlier than 3.2 and specific 3.2 to 3.4 releases; version 3.5 is not vulnerable. No workarounds exist. Concurrently, Cisco fixed two other medium-severity Snort 3 bugs, CVE-2026-20026 (denial of service) and CVE-2026-20027 (information disclosure), affecting multiple products. Because Cisco products are frequently targeted once a PoC is public, administrators should apply the updates promptly.

2. Ni8mare Flaw Gives Unauthenticated Control Of n8n Instances

A critical vulnerability in the n8n workflow automation platform, tracked as CVE-2026-21858 (CVSS 10.0) and dubbed Ni8mare, allows unauthenticated attackers to fully compromise affected instances. Discovered by Cyera researchers, the flaw enables arbitrary file read by abusing how n8n Webhooks handle uploaded data in certain form-based workflows.

The issue arises when a workflow processes uploaded files without validating the request's Content-Type. Because the handler does not check that the request is an actual multipart upload, an attacker can send a non-multipart body that names an arbitrary file path, and n8n copies that file into the workflow as if it were the upload, exposing system files such as /etc/passwd. With access to configuration files and the local SQLite database, attackers can extract authentication secrets, forge an admin session cookie, and bypass the login entirely.

Once authenticated as an admin, attackers can achieve full remote code execution using built-in workflow nodes. The vulnerability affects n8n from version 1.65.0 onward and was fixed in version 1.121.0 (November 2025). A compromised n8n instance exposes stored credentials, tokens, and every connected system, which makes the impact severe.

3. New Veeam Vulnerabilities Expose Backup Servers to RCE Attacks

Veeam has released security updates to fix multiple flaws in its Backup & Replication (VBR) software, including a high-severity remote code execution vulnerability tracked as CVE-2025-59470. The flaw affects Veeam Backup & Replication version 13.0.1.180 and all earlier v13 builds.

The vulnerability allows attackers with Backup or Tape Operator roles to achieve remote code execution as the postgres user by sending malicious parameters. While initially rated critical, Veeam downgraded the issue to high severity because exploitation requires highly privileged access. Two additional flaws were also fixed: CVE-2025-55125 (high) and CVE-2025-59468 (medium), both enabling RCE under specific conditions.

The issues were patched in Veeam Backup & Replication 13.0.1.1071, released on January 6. VBR is widely used by enterprises and managed service providers and is frequently targeted by ransomware groups, as compromising backup servers can enable data theft and prevent recovery.

4. Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers

Users of the @adonisjs/bodyparser npm package are urged to update after disclosure of a critical path traversal vulnerability that could allow arbitrary file writes on servers. Tracked as CVE-2026-21440 (CVSS 9.2), the flaw affects AdonisJS multipart file uploads when developers use MultipartFile.move() without sanitizing filenames or providing the options parameter.

In such cases, attackers can supply crafted filenames containing traversal sequences, enabling them to write files outside the intended upload directory and potentially overwrite sensitive files. If application code or configuration files are overwritten and later executed, remote code execution may be possible, depending on deployment and permissions. The issue affects versions ≤10.1.1 and ≤11.0.0-next.5, and is fixed in 10.1.2 and 11.0.0-next.6.

The disclosure coincides with another high-severity path traversal flaw in jsPDF (CVE-2025-68428, CVSS 9.2), patched in version 4.0.0, which could expose arbitrary local files in Node.js environments.

5. RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers

Researchers have uncovered a nine-month-long campaign targeting IoT devices and web applications to build the RondoDox botnet. As of December 2025, attackers are exploiting React2Shell (CVE-2025-55182, CVSS 10.0), a critical flaw in React Server Components and Next.js that enables unauthenticated remote code execution, according to CloudSEK.

Shadowserver estimates 90,000+ instances remain vulnerable worldwide, with the majority in the U.S. RondoDox, active since early 2025, has expanded by abusing multiple N-day flaws, including CVE-2023-1389 and CVE-2025-24893. The campaign evolved from manual scanning to large-scale automated exploitation.

Recent attacks scan for vulnerable Next.js servers and deploy crypto miners, botnet loaders, and a Mirai variant. One tool aggressively removes competing malware and establishes persistence via cron jobs. Mitigations include patching Next.js, isolating IoT devices, deploying WAFs, monitoring suspicious processes, and blocking known C2 infrastructure.
